7 Compliance Considerations when Implementing a Continuous Monitoring Program

As someone who has lamented the lack of meaningful innovation in the background screening industry for some time now, I am very excited about the prospect of a true continuous monitoring solution for incarceration events. Let’s face it, the screening industry has been trying to move their clients to recurring screening (or “continuous monitoring”) for well over a decade, and it finally looks like we’ve reached the tipping point—where technology can match the promise. And, with more and more industry giants like Uber and Lyft implementing continuous monitoring programs, the marketplace is ready to engage.

I firmly believe that continuous criminal monitoring will add immeasurable value to any credit reporting agency (CRA) platform; its rise can truly change this industry. These real-time incarceration alerts are an early indicator of risky employee behavior that could potentially threaten a business and its employees. Incarceration alerts equip employers with the knowledge needed to proactively mitigate business risks that stem from an employee’s criminal activity.

As we all know, even with the promise that accompanies such innovation, there comes a certain degree of questioning—especially in a highly regulated industry. This need for thorough evaluation on behalf of CRAs and their legal counsel is understandable and prudent. I think it’s fair to assume that many CRAs will seek a maximum level of understanding as it relates to implementing a continuous monitoring program while remaining compliant with  the Fair Credit Reporting Act (FCRA) Equal Employment Opportunity Commission (EEOC) guidance, and applicable state laws.

The bottom line is that continuous monitoring programs not only can make CRAs more competitive and successful, but they can make American workplaces and communities safer.

With that in mind, I have compiled seven key compliance questions that CRAs should consider when implementing a continuous monitoring program. Please note that I am not an attorney; this is not legal advice. As always, I urge you to consult with legal counsel as you explore any solution that is subject to regulation.

1. Do my customers need to amend their hiring and employment policies?

Most likely, yes. The question then surrounds what specific language they will need within such policies that articulates the organization’s data use. Their legal counsel should advise them in light of their jurisdictional regulations. For example, they may be advised to list the types of criminal activities being monitored, or they may need to document the spectrum of disciplinary options employees will be subject to in the event of a concerning record.

2. How and when do my customers need to seek authorization and consent?

The FCRA states that end users (employers) have a responsibility to seek the subject’s consent prior to the commencement of a background check. And while there are various state laws that dictate the language required on such an authorization form, most employers do not find difficulty in managing that responsibility.

Now, many jurisdictions allow employers to the insert evergreen language in their authorization form that allows them to conduct background checks throughout the tenure of one’s employment. However, there are also a number of jurisdictions that specifically preclude this practice. For instance, the State of California requires that an employer seek authorization from the subject of a report each time a background check in conducted. In other jurisdictions, an employer must seek new authorization after a pre-determined amount of time has passed since the last date of consent.

Given the variance in state and local laws across the nation, employers are again encouraged to understand the unique requirements of the jurisdiction(s) in which they operate and to develop policies and procedures that comply with the specific laws that govern that region. This may include the development of an additional consent form that is specific to continuous monitoring, administered at regular intervals, to comply with applicable rules.

3. How do CRAs ensure maximum possible accuracy?

The FCRA directive has been burned into CRAs’ minds by our regulators, our legal representation, and an array of litigants. CRAs have an obligation to ensure that the information that they provide customers, who, in turn, use it to make employment decisions, is accurate at the time of reporting. Given the weight of such information, it would be important for CRAs to understand the following:

  • Do incarceration records provide the proper identifiers necessary to comply with the FCRA and for employers to take action on—whether that action is probation, suspension, or termination?
  • Is the status of an incarceration subject to change with such rapidity that what I report today is likely to change before an employer takes action? For instance, if I report an incarceration event today and employer uses that record to make an employment decision—but the charges are dropped or amended to lesser charges tomorrow. Can that present significant risk for both myself and my end user?

For both of these considerations, industry best practices advise employers to always investigate the alert. This is very important. Criminal activity, including incarceration, should always be investigated, pursuant to well-articulated, pre-existing policies and procedures, to verify whether the behavior underlying the arrest justifies disciplinary action.

The EEOC and the legal community generally agree – an employer cannot act or base employment decisions solely upon arrest or incarceration records. However, a record alert may trigger an independent investigation into the details and circumstances surrounding the event. Upon completion of an independent investigation, the employer may make its disciplinary decisions regarding the subject employee.

4. Can employers limit the information they see?

Yes. Certain employers are only interested in a specific subset of criminal activity. For instance, a financial services company may not be as concerned about a DUI arrest as they would be if an employee engages in criminal activity related to theft or dishonesty. A bus company, on the other hand, has a vital interest in knowing that one of their drivers was booked for DUI. Therefore, employers are able to customize their alerts if they so choose, only receiving a notification when their employees are booked under certain charges.

5. Can an employer take action on an incarceration record?

As discussed in #3, employers should make sure that they are extending proper due process to a monitored employee that is flagged. Is an arrest sufficient to cover the spectrum of employment decisions that can be made–such as suspension with or without pay, discipline, or termination? Again, always investigate the alert. These flags serve as risk indicators. They’re pointers. No employment decision should be made without a thorough, independent investigation.

6. What notifications do I need to provide?

When an employer finds criminal activity on a pre- or post-hire background check that causes them to reject a candidate or take disciplinary action including termination of employment, they must follow the FCRA-mandated adverse action process. This process provides applicants/employees the opportunity to review and dispute information in the report if they so choose. Employers’ legal teams should determine how this regulation applies to a continuous monitoring platform, and what notifications are necessary should the employer ultimately suspend, discipline, or terminate a particular employee.

7. Do CRA end-user agreements need to be modified?

As a CRA, it will probably be important to update end-user agreements with your continuous monitoring customers to include a detailed product description, along with any new terms and conditions, limitations, etc. In the spirit of disclosure and transparency, CRAs should engage with their legal teams to accommodate such amendments.


Now that I’ve laid out some key considerations, I’m be curious to know what CRAs think. How do we keep moving this conversation forward? As I mentioned earlier, I am a believer. Continuous monitoring is a true game-changer for the screening industry. Let’s just make sure we’re dotting our compliance “i”s and crossing our compliance “t”s to ensure this solution can be as effective as I know it will be.


Disclosure: This article does not contain legal advice and should not be construed as such. The practices described serve as suggestions to be reviewed with legal counsel and considered within the broader context of your specific operations, local laws and regulations. Please consult legal counsel before implementing any continuous monitoring programs, policies or procedures.

Nick Fishman, President, Fishman Group Consultants


Nick Fishman, President, Fishman Group Consultants

Nick is a successful entrepreneur specializing in business-to-business start-ups. He co-founded EmployeeScreenIQ in 1999 and served as Chief Marketing Officer and Executive Vice President, overseeing all sales and marketing activities, including business development, digital strategy and brand building initiatives. Over 16 years, the business scaled to more than 100 employees serving 3,000+ customers throughout the world, ranging from Fortune 500 to mid-market organizations. Today Nick is a leading background screening industry thought leader, expert witness, and business consultant. He is also founder and editor of ScreeningBlog—a resource for all things background screening—featuring the latest industry trends, innovations, and events.

Other Posts By This Author