Background checks in banks and conflicts with ban-the-box laws

Wednesday 20 November 2024

Philip M Berkowitz
Littler Mendelson, New York
pberkowitz@littler.com

Introduction

In the United States, numerous federal, state and local laws require banks to run criminal background and credit checks on employees and applicants for employment. These include the Federal Deposit Insurance Act (FDIA), the Securities and Exchange Act, the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act), the Truth in Lending Act (TILA) and various Financial Industry Regulatory Authority (FINRA) rules.

The requirements

Thus, for example, section 19 of the FDIA imposes an affirmative duty upon an insured depository institution to make a ‘reasonable inquiry’ regarding an applicant’s criminal history, which consists of taking steps appropriate under the circumstances, consistent with the applicable law, to avoid hiring or permitting participation in its affairs by a person who has a conviction or who has agreed to enter into a pretrial diversion or similar programme in connection with a prosecution for a covered offence. 

On 30 July 2024, the FDIC updated its regulations, effective 1 October 2024, to create several categories of exceptions or exemptions to the prohibition on individuals with criminal histories from participating in banking. Among other things, it excludes or exempts from the section 19 prohibition certain older offences; offences for which an order of expungement, sealing or dismissal has been issued in regard to the conviction for such offence; designated lesser offences; misdemeanour criminal offences involving dishonesty if the offence was committed more than one year before the date on which an individual files a ‘consent application’ with the FDIC; and a criminal offence involving dishonesty that also ‘involve[s] the possession of controlled substances’.

The SAFE Act, which applies to national and state banks, branches of foreign banks, credit unions and other financial institutions, requires that mortgage loan originators, who originate residential mortgage loans, be subject to a Federal Bureau of Investigation (FBI) criminal background check and an independent credit report from a consumer reporting agency. Regulation Z of the TILA, which generally applies to ‘loan originators’ involved in consumer credit transactions secured by a dwelling, also requires background checks, including credit checks in terms of all loan originators. 

Further, Rule 17a-3(a)(12) of the SEA requires members and broker dealers to make and keep current certain books and records with respect to ‘associated persons’ of the firm containing information regarding the associated person, including a record of any arrests and indictments for any felonies or certain enumerated misdemeanours, and the disposition of such arrests and indictments.[1] 

FINRA-regulated entities must also comply with FINRA Rule 3110(e), which requires each member to run a comprehensive criminal record and credit check on FINRA-registered employees and applicants for a FINRA-registered position to verify the accuracy and completeness of the information contained in the applicant’s initial or transfer Form U4. Additionally, firms must perform a search of ‘reasonably available public records’ to verify the completeness and accuracy of the details included in an individual’s Form U4.

In addition to these industry-specific requirements, one must consider requirements imposed by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). OFAC screening is meant to enforce economic sanctions against certain countries and individuals. All ‘US persons’ must comply with OFAC’s regulations and sanctions, and federal banking regulators evaluate bank compliance programmes to ensure that all banks subject to their supervision comply with OFAC sanctions. As part of such a regulatory review, regulators will typically inquire as to whether employees are checked against the OFAC list.

There is more. PEP screening refers to politically exposed persons, also known as ‘senior foreign political figures’, as defined under regulations issued by the US Department of the Treasury’s Financial Crimes Enforcement Network. PEPs have been known to utilise banks as a medium for illegal activities and the screening is meant to diminish the risk of money laundering. Under the Bank Secrecy Act, and as set forth in the Federal Financial Institutions Examination Council’s (FFIEC) Bank Secrecy Act/Anti-Money Laundering Examination Manual, banks operating in the US are required to have procedures in place for identifying PEPs and implementing appropriate controls and procedures to monitor the accounts and transactions of PEPs. 

We also must not forget the Fair Credit Reporting Act (FCRA), which applies to all employers running the various checks. Under the FCRA, employers must obtain the consumer’s written authorisation to conduct a background check if the employer outsources any portion of the background investigation process, formally referred to as a ‘consumer reporting agency’. It requires that a company provide an applicant subject to screening with a ‘clear and conspicuous disclosure […] in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes’.

Ban-the-box laws

Contrary to these multiple and varied requirements sit ‘ban-the-box’ laws, which many states have implemented to restrict or narrow the ability of employers to run criminal background or credit checks. Examples of particularly onerous local laws are those in effect in New York State and New York City. The New York Fair Chance Act (FCA) prohibits employers from conducting a criminal background check or examining a potential employee’s arrest or conviction record until after the employer has made a conditional employment offer. 

Any decision to deny employment based on a criminal record must be consistent with Article 23-A of the New York Corrections Law, which requires that there be a direct relationship between one or more of the previous criminal offences and the employment sought or held by the individual and if granting or continuing employment would involve an unreasonable risk to property or the safety or welfare of individuals or the general public. 

The law is complicated. Employers who review an applicant’s criminal history before making a final offer of employment must implement a two-tiered screening process, wherein all non-criminal pre-employment screenings, such as a review of the applicant’s employment and educational history, must be completed and passed by the applicant before a conditional offer of employment is made. Thereafter, employers may, after making a conditional offer of employment, request and review the applicant’s criminal history, which may only be considered in compliance with the individualised assessment, notice and consideration requirements of the FCA.

Further, before taking any adverse employment action based on the inquiry, the FCA requires the employer to provide a written series of questions to the applicant to demonstrate that the employer is considering only the legitimate factors identified in Article 23-A in assessing their eligibility for employment. The employer must perform a written analysis and provide a copy to the applicant, including supporting documents that form the basis for an adverse action and the reasons for taking any adverse action. The employer must also allow the applicant no less than three business days to respond and must hold the position open for the applicant.

By its terms, however, the FCA does not apply if federal, state or local law, or a self-regulatory organisation (SRO) requires the employer to conduct criminal background checks for employment purposes or to bar employment in regard to a particular position based on criminal history. Accordingly, financial services companies are exempt from compliance with the FCA and New York City’s Stop Credit Discrimination in Employment Act (SCDEA) with respect to their FINRA-registered employees or applicants for a FINRA-registered position.

Similarly, the SCDEA generally prohibits employers from requesting or using a potential or existing employee’s credit history, including credit reports, credit scores and other information regarding a person’s credit, bankruptcies, judgments or liens, when making hiring, promotion, firing and other employment decisions.

The SCDEA does not, however, restrict an employer who is required by state or federal law or regulation, or by an SRO, to use an individual’s consumer credit history for employment purposes. This exemption applies only to those positions regulated by SROs; employment decisions regarding other positions must comply with the SCDEA.

New York is by no means the only state whose laws include exemptions for individuals employed by or seeking employment with financial institutions. But the laws can be tricky to interpret. Some ban-the-box statutes include explicit exclusionary language for individuals who are employed by a bank or financial institution. These include statues issued in Colorado, Illinois, Maryland, Oregon, Vermont, Washington and, as noted above, New York, and other municipal and local jurisdictions.

Other states, though, identify other exclusions (such as those mandated by federal or state law) that do not explicitly identify financial institutions, but likely apply to individuals who may be employed by them. These jurisdictions include California, Connecticut, Delaware, the District of Columbia, Florida (referring to a bona fide occupational qualification), Hawaii, Maine, Massachusetts, Minnesota, Nevada, New Jersey, Rhode Island, Texas, Vermont, Wisconsin and various other municipal and local jurisdictions.

Recommended practices

Unfortunately, the exemptions are not always crystal clear. And financial institutions, already under heightened scrutiny with respect to their compliance procedures, have to balance competing obligations imposed by federal and state banking regulators on the one hand, and local anti-discrimination lawmakers on the other. This is not a simple task. Financial services companies must take care to sort through these competing rules, to avoid liability from regulators on both ends of these issues.

Consequently, employers cannot avoid the onerous task of familiarising themselves with these restrictions, legislative and regulatory updates, and the degree to which they may apply to their hiring and periodic updating of employee background checks. Recommended practices include notifying applicants and employees of the background and credit check requirements and informing them of the restrictions mandated by the applicable state in regard to this process.

Employers should prepare a background check disclosure form that explains the information that may be gathered and indicating the sources of the information. The form must include an authorisation signed by the candidate or employee permitting the employer to obtain the background check and providing other representations, including an acknowledgment that, where permitted, the employer may rely on the authorisation to order additional background reports without asking for authorisation again during their employment and from different credit reporting agencies.

The employer must also provide the employee with the statutorily required summary of rights under the FCRA, which include, among other things, the right to be informed if the results are used against the individual; the right to know what is in the file; the right to one free disclosure every 12 months from nationwide credit bureaus; the right to request a credit score; the right to dispute incomplete or inaccurate information; and the right to place a ‘security freeze’ on their credit report, which prohibits a consumer reporting agency from releasing information in the credit report without the individual’s express authorisation.

Finally, employers must keep careful records, via a log sheet supplemented by contemporaneous records, of the background checks performed, identifying each individual, the particular background check, when it was conducted, the verification process, a record of references and other similar information.

There are no shortcuts to compliance. Well-run financial services organisations will stay in touch with employment counsel familiar with these compliance-related requirements, provide periodic internal training to relevant personnel and prepare form documents that comply with the various applicable federal, state and local laws, regulations and guidance.

 

[1] ‘Associated person’ means any partner, officer, director or branch manager of such broker or dealer (or any person occupying a similar status or performing similar functions), any person directly or indirectly controlling, controlled by or under common control with such broker or dealer, or any employee of such broker or dealer. See 17 C.F.R. 240.17a-3 (12)(i)(G). These records must be kept for all employees other than employees ‘whose functions are solely clerical and ministerial’. 17 C.F.R. 240.17a-3(h)(4).