Educational Series

Revised FCRA Summary of Rights form released

Did you know that a revised version of the Fair Credit Reporting Act (the “FCRA”) Summary of Rights form was released a few months ago?

If the answer is “no,” don’t worry. The form was not published in the Federal Register and appeared under the radar without an announcement.

The FCRA requires employers to provide a disclosure and obtain written authorization from any applicant or employee prior to conducting a background check. If the employer decides to take an “adverse action” against the applicant or employee based on the results of the background check, the employer must provide the individual with a copy of the background check and the Summary of Rights form under the FCRA.

The revised form does not require a lot of adjustments for employers. Some of the government addresses found on the last page were changed and all references to Maine’s laws were removed. Earlier this year, the state repealed its mini-FCRA to adopt the federal FCRA.

View the new Summary of Rights form.

FTC launches new resource for identity theft victims

The FTC has launched IdentityTheft.gov, a new resource that makes it easier for identity theft victims to report and recover from the crime. A Spanish version of the site is available at RobodeIdentidad.gov.

The new website provides an interactive checklist that explains the recovery process and helps victims understand the steps that should be taken upon learning that their identity has been stolen. It also provides sample letters and other helpful resources. In addition, the site offers specialized tips for specific forms of identity theft, including medical and tax-related, and contains advice for people who have been notified that their personal information was exposed in a data breach.

Identity theft has been the top consumer complaint reported to the FTC for the past 15 years, and in 2014, the Commission received more than 330,000 complaints from consumers who were victims.

Going global: international background checks

As the business world increasingly goes global, even small or medium-sized companies may have international outposts or employees located beyond the U.S. border. In addition, with security – both physical and digital – an important issue, employers want to know everything they can about their employees.

Many employers are turning to international background checks. But a criminal record or a credit report like those used in the United States can get lost in the translation.

First up: cultural norms. What may seem perfectly routine and acceptable in the United States may confuse or offend those in other countries. For example, things like credit checks and drug tests are virtually unheard of abroad and cultural differences may yield what might by American standards be unusual answers in a personality test. A second important consideration: the law. Just as the U.S. has the Fair Credit Reporting Act (FCRA) and other regulations setting the boundaries of background checks, foreign jurisdictions have their own laws of the land. The French Labor Code, for example, requires that its “works council” review employment screening procedures prior to an employer’s use.

One huge legal complication can be found in the area of privacy law. The European Union imposes restrictions on obtaining information about employees or applicants, the way in which such information can be used, and how the information can be shared or transmitted. To alleviate some of the liability concerns, the U.S. has entered into a Safe Harbor framework with the European Commission, which requires compliance with seven principles of data security. And while the EU leads the pack, other countries (like Australia, Canada, Hong Kong, and Japan) also pose challenges with their strict regulation of privacy.

Having an applicant sign a consent form to release information may be of little help as several EU countries also recognize a presumption against enforcement of such agreements on the basis that employees and applicants have limited bargaining power in the employment context. Alternatively, employers may have better luck by having applicants do the work themselves, providing their own background information to avoid implicating data privacy laws. Of course, this raises authentication and accuracy questions.

The collection of criminal information can also present logistical challenges. Many countries do not have an organized court system, and records, if available, may have to be searched on a regional or town-by-town basis, or at multiple agencies (like the police, the court venue and a government agency, for example). Certain countries offer what is known as a “police certificate” which will confirm the information about an applicant found in police records. Some countries, like Poland, have banned the collection of criminal records altogether; Spain prohibits the possession of records but an applicant could, in theory, show an employer his or her record.

If the screening is being conducted by a consumer reporting agency located in the United States, the FCRA requirements also come into play. International background checks are not impossible, but they do pose a number of legal and cultural risks that can be tackled with the right planning and professional assistance from an experienced background screening company.

Beware of loopholes in reporting on securities brokers

When considering the track record of a securities broker or dealer, investors should be cognizant of loopholes in background reporting.

The Financial Industry Regulatory Authority (FINRA) oversees the regulation of brokers and operates BrokerCheck, an online database that contains disciplinary records of registered brokers. But a review by the Wall Street Journal found that BrokerCheck is sorely lacking a wealth of information about registered brokers, some of which can be found in the records of state regulators. At least 38,400 brokers have regulatory or financial red flags that appear only on state records, according to the WSJ’s investigation; of those brokers, at least 19,000 had clean BrokerCheck records. One significant area omitted by FINRA: internal reviews.

The WSJ identified 4,346 brokers with one or more internal reviews reported on their state records but not on BrokerCheck. Other regulatory red flags not spotted on FINRA’s database: personal bankruptcies filed more than 10 years ago, judgments and liens that have been satisfied, and certain employment terminations.

FINRA’s records do include complaints against brokers, regulatory actions, terminations for cause, and personal bankruptcies filed within the last decade, which the agency says is consistent with the Fair Credit Reporting Act. But in light of the gaps – and a proposal from FINRA to the Securities and Exchange Commission to expand the obligations of financial institutions with regard to the background screening of applicants (https://scherzer.co/sec-considers-background-check-rule-proposed-by-finra/) – investors should consider checking state regulatory records to form a more complete picture of a broker’s history.

In response to the WSJ’s inquiry, FINRA launched a review of its database and said the agency is studying the current rules about the information disclosed on BrokerCheck. The agency is also attempting to patch a separate loophole by coordinating its efforts with state insurance regulators. Following reports that insurance and securities regulators struggle to share data – and that individuals take advantage of the gap by continuing to sell insurance products despite losing a securities license, for example – FINRA vowed to take action. Beginning this month, the agency said it will provide a monthly report of its disciplinary actions against securities brokers not only to state securities regulators but state insurance regulators as well.

OFAC getting more common in contract terms and background checks

Do you know what OFAC is about? OFAC is the acronym for the U.S. Department of Treasury’s Office of Foreign Assets Control, and its function is to administer and enforce sanctions against countries or individuals (like terrorists or narcotics traffickers) with actions ranging from trade restrictions to the blocking of assets.

For U.S. companies, the agency’s enforcement applies to banks, insurers, and others in the financial industry that may be involved in covered dealings, which include engaging in transactions prohibited by Congress such as trade with an embargoed country or with a specially designated national (SDN).

Violations of regulations, which extend to all U.S. citizens, can result in substantial fines and penalties. Criminal penalties can reach up to $20 million and imprisonment up to 30 years; civil fees can range from up to $65,000 to $1,075,000 per violation, depending on the activity at issue.

OFAC has significantly stepped up its enforcement efforts, which have resulted in sizable settlement agreements with U.S. entities. As a result, companies increasingly are incorporating sanctions compliance language based on OFAC regulations into contracts and agreements, as well as including OFAC checks in their employment-purpose background screening or in connection with business transaction due diligence.

Contract terms requiring a party to affirm that it is not the subject of any OFAC sanctions status, that no OFAC investigations are in process, or that it does not engage in transactions with countries like Iran or North Korea, are becoming standard. Some deals also include a provision attesting that a company is not owned by an individual on the list of SDNs, that the company is not based or located in an embargoed country, or to assure that the monies used to make an investment or purchase were not provided by a sanctioned country or individual. Of course, it is also important to conduct background checks to confirm these representations at the start of the contract and at reasonable intervals thereafter.

The use of compliance language does not insulate a company from OFAC liability. While such a provision may create a contract-based remedy to recover monetary damages based on a fine or settlement with the agency, the clause cannot eliminate liability. Like any other governmental regulator, OFAC is not bound by private contract and can take action even with such terms in place.

Learn more about OFAC.

The FFIEC issues “shellshock” vulnerability alert to financial institutions

The Federal Financial Institutions Examination Council (the “FFIEC”) issued an alert advising financial institutions about a material security vulnerability in the Bourne-again shell (Bash) system software widely used in servers and other computing devices that could allow attackers to access and gain control of operating systems. The vulnerability, nicknamed “shellshock,” could expose organizations and individuals to potential fraud, financial loss, or access to confidential information. Any financial institution that provides secure services with Linux or *nix variants running a vulnerable version of the Bash shell could be at risk no matter what their vendor mix. Given the widespread use of Bash and the evolving nature of the risk, the FFIEC said that regulators expect financial institutions to perform a risk assessment and address the shellshock vulnerability not only in their own systems, but also with their third-party service providers.

FINRA wants to increase awareness of its BrokerCheck and make more information public

FINRA’s online investor tool for researching the professional backgrounds of firms and brokers, the BrokerCheck, is accessible to all members of the public from the front page of its website. In a revised proposal, which includes changes made in response to comments regarding a prior proposal to amend FINRA Rule 2267 (Investor Education and Protection), firms would be required to include a readily apparent reference and hyperlink to the BrokerCheck on each website that is available to retail investors, and in online retail communications with the public that include a professional profile of, or contact information for, an associated person, subject to specified conditions and exceptions.

FINRA is also seeking comments (until September 2, 2014) on a proposal to make publicly available, through FINRA’s website, a repository of Form 211 information. Firms are required to complete this form to demonstrate compliance with the specific information review requirements under SEA Rule 15c2-11 prior to initiating a quotation in a non-exchange-listed security.

Supreme Court ruling extends SOX whistleblower protection to private contractors

On March 4, 2014, the Supreme Court in a split decision ruled that employees of private companies servicing public companies are covered by the whistleblower protections of the Sarbanes-Oxley Act of 2002 (“SOX”) [U.S., No. 12-3, 3-4-14]. In this case, two employees of a private company contracted by a publicly-traded mutual fund alleged that they were terminated in retaliation for raising fraud issues about the fund. With this decision, the Supreme Court has expanded the universe of companies regulated by the SOX whistleblower provision from about 5,000 public companies to potentially millions of private ones, including the smallest of businesses. Employers of every size and type have to be prepared for potential SOX whistleblower retaliation claims if they are a contractor or subcontractor of a publicly traded company.

FINRA has some common sense advice for avoiding investment scams

  1. Guarantees: Be suspicious of anyone who guarantees that an investment will perform a certain way. All investments carry some degree of risk.
  2. Unregistered products: Many investment scams involve unlicensed individuals selling unregistered securities, ranging from stocks, bonds, notes, hedge funds, oil or gas deals, or fictitious instruments, such as prime bank investments.
  3. Overly consistent returns: Any investment that consistently goes up month after month, or that provides remarkably steady returns regardless of market conditions, should raise suspicions, especially during turbulent times. Even the most stable investments can experience hiccups once in a while.
  4. Complex strategies: Avoid anyone who credits a highly complex investing technique for unusual success. Legitimate professionals should be able to explain clearly what they are doing. It is critical that you fully understand any investment that you are considering, including what it is, what the risks are and how the investment makes money.
  5. Missing documentation: If someone tries to sell you a security with no documentation, such as no prospectus in the case of a stock or mutual fund, and no offering circular in the case of a bond, he/she may be selling unregistered securities. The same is true of stocks without stock symbols.
  6. Account discrepancies: Unauthorized trades, missing funds or other problems with your account statements could be the result of a genuine error or they could indicate churning or fraud. Keep an eye on account statements to ensure that activity is consistent with your instructions, and know who holds your assets. For instance, is the investment adviser also the custodian? Or is there an independent third-party custodian? It can be easier for fraud to occur if an adviser is also the custodian of the assets and keeper of the accounts.