The Fair Credit Reporting Act: responsibilities of Auditors, forensic accountants, and investigators.
Fraud does not discriminate and is found in all types of organizations. The Association of Certified Fraud Examiners (ACFE) estimates in its 2010 Report to the Nations on Occupational Fraud and Abuse that workplace fraud costs U.S. businesses about 5% of annual revenue--more than $750 billion per year. Employers should be aware that acts of deceit can occur even before a person is hired, in the form of misrepresentations on resumes, false transcripts, and counterfeit degrees and certifications. The National Association of Professional Background Screeners indicates that up to 40% of resumes contain material lies or omissions about education, past employment, or qualifications.
When investigating alleged employee misconduct, care must be taken to balance the need to combat losses from various types of fraud with a suspect's legal rights. Employers and outside accountants have been sued for defamation, false light invasion of privacy, intentional and negligent infliction of emotional distress, negligent retention, negligent hiring, wrongful termination, and FCRA violations by employees and prospective employees accused of fraud and abuse. Moreover, an employer who uses a third party to assist in background investigations can be liable for FCRA violations committed by that third party (Briley v. Burns Int'l. Safetohire.com, Inc., 98 Fed Appx. 481, 6th Cir., 2003).
The Federal Trade Commission (FTC), the federal agency that interprets and enforces the FCRA, indicates that various notice, disclosure, and consent requirements contained in the FCRA apply to many types of employee screenings and investigations. These requirements are so onerous that they tend to discourage firms and accountants from undertaking third-party investigations, even though the SEC, the Department of Justice, and other federal agencies virtually mandate corporate compliance programs. One important requirement established by the Federal Sentencing Guidelines is that firms should "take reasonable steps to achieve compliance ... by utilizing monitoring and auditing systems designed to detect criminal conduct by employees." This requirement, combined with employers' efforts to combat employee fraud in all its myriad forms, is exacerbated by the legal minefields created by the FCRA.
FCRA Background and Evolution
The FCRA, which took effect in 1971, was enacted to protect consumers from inaccurate or misleading credit reports and from unauthorized disclosure of information in the reports. Historically, consumer reports were used to evaluate and minimize the risk of loss for three types of events: 1) extending credit, 2) underwriting insurance, and 3) employment decisions. The reports used in credit decisions are usually confined to credit history and information from public records, such as liens and judgments. Reports for insurers and employers include data on an individual's personal characteristics, general reputation, character, lifestyle, criminal record, driving record, and employment history.
The public generally assumed that the FCRA was limited to credit decisions, and the act remained unchanged until the mid-1990s, when many disgruntled consumers began filing complaints with the FTC about the release of personal and confidential information. To enhance consumer privacy and protection, Congress enacted the Consumer Credit Reporting Reform Act in 1996, which amended the FCRA. Prior to the 1996 reforms, employers faced only minimal restrictions in accessing and using consumer reports. The revised FCRA imposes significant procedural restrictions.
In 2003, Congress passed the Fair and Accurate Credit Transaction s Act (FACTA), which again amended the FCRA. The FCRA now exempts most employee misconduct investigations performed by outside third parties from the notice, consent, and disclosure requirements if certain conditions are met. These conditions are described below.
Notice, Consent, and Disclosure Requirements
Since September 30,1997, employers have had to obtain written permission from an employee or potential employee in order to procure a consumer report or investigative consumer report from a consumer reporting agency. Notice and disclosure requirements must be met for both types of reports, but the requirements are more stringent for an investigative consumer report.
Exactly what are "consumer reports" and "investigative consumer reports"? A consumer report is a written or oral communication by a consumer reporting agency that contains information such as "creditworthiness, credit standing, ... character, general reputation, personal characteristics, or mode of living," which may have some bearing on suitability for employment (15 USC section 1681a[d]). An investigative consumer report includes more personal information, such as a consumer's character, reputation, and personal characteristics gathered from neighbors, friends, associates, and others (15 USC section 1681 a[e]). Excluded from these definitions is any "communication of ... information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons" and the consumer may object to such communication (15 USC section 1681a[d] [A][iii]). This means that many internal investigations conducted by an employer do not fall within the realm of the FCRA.
A consumer reporting agency (15 USC section 1681a[f]) is "any person which, for monetary fees ... regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties." Auditors, forensic accountants, and other investigators should note that the term consumer reporting agency is sometimes broadly interpreted. One court found that a staffing agency was a consumer reporting agency because it assembled and evaluated consumer reports relating to job candidates (Adams v. National Engineering. Service Corp., 620 F. Supp. 2d 319, D. Conn., 2009), Therefore, entities involved in investigative work, such as forensic accounting firms, law firms, or private investigators, would be considered consumer reporting agencies because they assemble or evaluate information on individuals on a regular basis at the request of clients.
The FCRA requires that whenever a consumer reporting agency prepares a consumer report, it must 'follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates" (15 USC section 1681e[b]). Reasonable procedures are those that a reasonable, prudent person would undertake under the given circumstances. Heightened standards exist when collecting information for employment purposes. Such information must be from public records and be of a type that likely will have an adverse effect upon the ability to obtain employment.
To obtain a consumer report, an employer must provide written notice to the employee that it plans to procure a consumer report for employment reasons. The employer must also secure the individual's express consent in writing before obtaining the report. The employer may require such employee authorization as a condition of being hired or continuing employment (Kelchner v. Sycamore Manor Health Center, 135 Fed. Appx., 3d Cir., 2005).
An employers disclosure to an employee to procure an investigative consumer report must be made in close proximity to the report. The employer is also responsible for certifying to the forensic accountant or investigator that such disclosure was given and permission obtained. The disclosure must be mailed or delivered within three days of the date on which the report was requested. Upon an employee's written request, an employer must make a complete disclosure of the nature and scope of the investigation (15 USC section 1681d[b]).
Any employer who uses a consumer report or investigative consumer report for firing an employee or refusing to hire, promote, or take some other adverse employment action, must provide an unedited copy of the report to the employee, along with a copy of notification of rights under the FCRA. This gives the employee the opportunity to rebut any misinformation or inaccuracies. Moreover, if an employee disputes the accuracy or completeness of the initial investigation, the consumer reporting agency must reinvestigate the matter free of charge and record the status of the disputed information within 30 days (15 USC section 1681i).
Employee misconduct. Employee misconduct investigations are exempt from the FCRA notice, consent, and disclosure requirements under certain conditions. The following conditions must be met in order to fall within the exemption:
* A communication is made to an employee in connection with an investigation of suspected misconduct relating to employment; compliance with federal, state, or local laws and regulations; the rules of a self-regulatory organization; or any preexisting written policies of the employer.
* The communication is not made for the purpose of investigating a consumer's creditworthiness, credit standing, or credit capacity.
* The communication is not provided to any person except the employer or agent of the employer; any federal, state, or local officer, agency, or department; or any self-regulating organization with authority over the employer or employee (15 USC section 1681a[x]).
After any adverse action in an employee misconduct investigation, the employer must disclose a summary to the employee.
The exemption provided for employee misconduct still leaves legal uncertainty for accountants, forensic accountants, and other outside investigators, because the law does not define what is meant by "suspected misconduct relating to employment." The FCRA is silent about whether the exemption applies to preemployment investigations and employers whose workplace rules are not covered by an employee handbook. In addition, the law does not state whether an exemption from FCRA requirements applies to reference checks that go beyond dates of employment at prior employers. It is possible that the FCRA exemption could be construed as applying to investigations into employee misconduct only at the entity requesting an investigation. Various unanswered questions about the misconduct exemption make it advisable for employers and outside third parties to comply with the FCRA notice, consent, and disclosure requirements, or risk legal liability.
Applying the FCRA to investigations conducted by accounting firms or fraud investigators may discourage companies from undertaking such investigations and could interfere with their effectiveness when they are performed. Because of the advance notification requirement, employers could lose their ability to conduct unannounced investigations of inventory theft, embezzlement, or other forms of misconduct.
In some misconduct and other types of investigations, the employer must not only inform the individual involved about the investigation before a report is produced, but also must first obtain that person's written consent. Moreover, an employer must provide employees with an unedited copy of any report that serves as a basis for any adverse employment action, except in exempt misconduct investigations.
Consequently, an employer could suffer unnecessary delays that allow the employee time to conceal or obscure evidence of wrongdoing. For example, an employee may destroy or alter key information or tamper with potential witnesses. FCRA notice, consent, and disclosure requirements may have a chilling effect on an interviewee's response to questions concerning an employee under investigation, because witnesses may fear retaliation from the investigated employee.
Penalties for FCRA Violation
The FCRA has two separate statutory provisions that address civil liability. One provision (15 USC section 1681n) provides for civil liability for any person who willfully fails to comply with any requirement under the FCRA. A second provision (15 USC section 1681o) establishes a civil cause of action against any person who fails to comply with any FCRA requirement.
Any employer who willfully fails to comply with any FCRA requirement may be liable for actual damages, attorney's fees, and punitive damages. Humiliation and distress can constitute actual damages under the FCRA even if the consumer has suffered no out-of-pocket damages. Moreover, federal courts have ruled that punitive damages may be awarded in the absence of actual damages. Willful FCRA violators with significant income and net worth could be liable for substantial amounts of punitive damages.
Any employer or outside third party who negligently fails to comply with the FCRA may be liable for actual damages and attorneys' fees. Actual damages may include emotional distress, humiliation, injury to creditworthiness, and injury to reputation.
Another provision of the FCRA states that any person who obtains information under false pretenses is subject to criminal penalties, including fines and imprisonment (15 USC section 1681 q). Moreover, any person who obtains information under false pretenses or knowingly without a permissible purpose shall be civilly liable for damages (15 USC section 1681n[b]).
Advice for Employers, Auditors, and Forensic Accountants
Although the FCRA has fairly imposing requirements, employers and third parties still have options. Addressing the issue of advance employee consent, one appellate court ruled that employee consent can be routinely obtained prior to employment as a condition of hiring. Alternatively, a company can avoid alerting a specific employee suspected of misconduct by asking all current employees to sign an FCRA consent form and providing any required notice at the same time. The consent form must be specific and accurate and include a list of employee rights and remedies. The FCRA requires additional notice and disclosure when an investigative consumer report is obtained. When employee misconduct is involved, the employer or outside investigator should rely on advice from legal counsel as to whether the situation falls within the FCRA exemption for misconduct investigations.
Reporting is another area that can present problems. Because these reports may be read by the affected employee, employers should review Riles regarding record retention and reporting procedures. In any event, investigative reports should be factual, complete, and balanced. Opinions, slurs, and biases have no place in these reports.
Employers can sidestep the FCRA altogether by conducting in-house investigations. If the suspect is an executive or senior manager, however, an in-house investigation may be problematic. Many employers, particularly small businesses, do not have staff with the experience, knowledge, and expertise to conduct legally defensible workplace investigations. Employers have been found liable for taking adverse action based on their own investigations.
While in-house staff might comply with the FCRA when conducting employee misconduct investigations, they could run afoul of other taws. For instance. Title VII of the Civil Rights Act limits the use of criminal and financial information in making employment decisions. Moreover, employers must be mindful of restrictions on employment discrimination under federal bankruptcy law. If staff are unfamiliar with a single state or federal law, it could subject the employer to liability.
When Does the FCRA Apply to Audit Activities?
The FCRA appears to place limits on certain activities of auditors, particularly those undertaken to comply with Statement on Auditing Standards (SAS) 99, Consideration of Fraud in a Financial Statement Audit, and SAS 54, Illegal Acts by Clients. In many instances, auditors look for unusual transactions, suspicious situations, or violations of internal control that necessitate further investigation. Such investigation may entail assembling or evaluating information on the client's employees that bears on personal characteristics, lifestyle, or credit standing. Thus, the client would have to obtain the employee's consent prior to an auditor starting any work that could become part of a consumer report under the FCRA, unless an exemption for misconduct applies. In addition, any information an auditor collects that could serve as input to an adverse employment decision would have to be disclosed to the affected employee, unless exempted.
This line of thought raises some tough questions:
* At what point does an audit activity become an investigation? If auditors undertake an investigation or investigative activities each time they analyze a suspicious event or transaction, they could be in the uncomfortable position of either violating the FCRA, by not providing prior notice and receiving consent, or failing to comply with auditing standards, because of a failure to fully investigate a suspicious situation.
* If various audit procedures are deemed investigations, will unreasonable restrictions be placed on an audit? In the course of an audit, auditors routinely review personnel folders. If an auditor uncovers suspicious information during this routine audit procedure and initiates an investigation, the client and auditor could potentially violate the FCRA.
Various unanswered questions remain about the application of the FCRA to auditors and forensic accountants. Some of these questions pertain even to employee misconduct investigations. Parties involved in preemployment screening and employee misconduct investigations are advised to gain a basic understanding of the FCRA and rely upon the sound advice of legal counsel with regard to the law's application to specific workplace situations.
Carl Pacini, JD, PhD, CPA/CFF, CFSA, is an associate professor of accounting at Pennsylvania State University-Abington, Abington, Pa. Katherine Barker, PhD, CPA, CFE, is an assistant professor of accounting in the college of business at the University of South Florida-St. Petersburg, St. Petersburg, Fla.
|Printer friendly Cite/link Email Feedback|
|Author:||Pacini, Carl; Barker, Katherine|
|Publication:||The CPA Journal|
|Date:||Dec 1, 2010|
|Previous Article:||The IFRS theme park: an alternate learning approach.|
|Next Article:||Regulatory and legal implications of stealth restatements: can companies bury the bad news?|