Legislation

Vermont is the latest state to restrict credit reports in employment decisions

Effective July 1, 2012, Vermont will be the eighth state to regulate the use of credit-related information for employment purposes. Although similar in many ways to laws already enacted in California, Connecticut, Hawaii, Illinois, Maryland, Oregon and Washington, Vermont’s requirements under Act No. 154 exceed those of other state laws as they prohibit even exempt employers from using an applicant or employee’s credit history as the “sole factor” in employment decisions. Additionally, Vermont exempt employers who take adverse action based in part on a credit history must return the report to the individual or destroy it altogether. Neither the Fair Credit Reporting Act (FCRA) nor any of the other similar state laws imposes such a requirement.

Generally, the Act prohibits employers from inquiring into an applicant’s or employee’s credit report or credit history, and further bans employers from discriminating against or making employment decisions (e.g. hire, fire, alter the compensation or any other term or employment condition) based on a credit report or credit history. Notably, credit history in this context includes credit information obtained from any third party that reflects or pertains to an applicant’s or employee’s “borrowing or repaying behavior, financial condition or ability to meet financial obligations,” even if that information is not contained in a “credit report.”

The trend in restricting credit report use for employment purposes will continue as several other states and the federal government are considering comparable legislation. Soon to follow most likely will be New Jersey. On May 31, 2012, the Senate approved S455 that would prohibit employers from seeking credit checks on employees or applicants under most circumstances. A parallel bill (A2840) was introduced by the Assembly on May 11, 2012, and a similar bill (A704) in December 2011.

The White House casts “Consumer Privacy Bill of Rights”

Over two years in the making, and backed by online ad powerhouses such as AOL, Microsoft, Yahoo, and even Google, the Bill of Rights announcement on February 22, 2012 pulls together consumer privacy initiatives of both the Federal Trade Commission (FTC) and the Commerce department. Intended to lead to new legislation that fills the gaps of current U.S. privacy laws, the bill promotes a set of standards for the fair handling of private information based on a set of principles that date back to the early 1970s known as the Fair Information Practices.
The Consumer Privacy Bill of Rights applies to personal information, which means any data, including aggregations of data, that is identifiable to a specific individual, and to a specific computer or other device. According to the Administration, this bill will establish codes of conduct and call for strong enforcement, ultimately increasing interoperability between the U.S. consumer data privacy framework and that of its international partners. Below are the bill’s highlights.
  • Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
  • Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security. Consumers have a right to a secure and responsible handling of personal data.
  • Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  • Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure that they adhere to the Consumer Privacy Bill of Rights.

New California law requires efforts to ensure supply chains are free of slavery

Effective January 1, 2012, California SB657, known as The California Transparency in Supply Chains Act of 2010, will mandate retail sellers and manufacturers doing business in California with annual gross receipts exceeding $100 million to conspicuously and clearly disclose their efforts and policies for ensuring that their supply chains are free from human trafficking and slavery.

The targeted companies are required to make these disclosures on their websites; if a company does not have a website, the information must be provided in writing within 30 days of a consumer request. Although the Act does not mandate any specific language, the disclosure must be easily understood and explain the procedures, if any, that the company has in place, in reference to:

    • Evaluating and addressing the human trafficking and slavery risks in its product supply chains (disclosure must state whether or not the company is using a third-party to assess these risks);
    • Requiring direct suppliers to certify that the materials used in the products comply with slavery and human trafficking laws in the countries in which they are doing business;
    • Conducting supplier audits to evaluate compliance with company standards on trafficking and slavery (disclosure must state whether or not the audits are independent and unannounced);
    • Maintaining accountability standards and procedures for employees or contractors who fail to meet company standards regarding slavery and human trafficking;
    • Training employees and managers who have direct responsibility with supply chain management on the mitigation of human trafficking and slavery risks.

While the Act has gained significant attention from California companies, its expansive jurisdictional provisions make it applicable to many large retail sellers and manufacturers that are organized or domiciled outside of California, as the $100 million gross receipts threshold for compliance is based on worldwide sales revenue. And since the threshold is relatively low and set in dollar amounts, it can be triggered by earning less than 1% of that revenue in the state, owning some property or having even one employee or contractor here (see CA Revenue and Taxation Code Section 23101 for a full definition of “doing business in California”).

California SB657 is a disclosure law and does not require companies to do things differently, but its deceptive simplicity brings into focus the importance of proactive risk management. And for many companies, it is a call to action to move beyond this law’s mere disclosure compliance and implement or strengthen their risk management programs not only for brand equity protection but also in recognition of their corporate social responsibility.

In our products portfolio, SI offers specialized background investigations for vendor/third-party engagements which include elements and search strategies designed to find, among other criteria, indications or records of slavery and human trafficking in supply chains.

The Act is a disclosure law and does not impose any substantive regulation on supply chain activities. Nor, unlike the “conflict minerals” provisions of the Dodd-Frank regulatory reform law, does it impose any affirmative obligations on companies to perform diligence regarding the existence of slavery or human trafficking in their supply chains. Nonetheless, as a matter of corporate social responsibility as well as public image, companies may wish to consider whether it is appropriate to adopt policies or procedures to mitigate the risk that slavery or human trafficking exist in their supply chains.

Department of Justice drops controversial non-disclosure proposal

The DOJ, in a letter dated November 3, 2011, said that it is dropping its proposed regulation that would allow federal law enforcement agencies in certain cases to tell Freedom of Information Act (FOIA) requesters that the government has no records on a subject, when it actually does. The DOJ indicated that it is now looking at other options to preserve the integrity of sensitive records but allow for public openness.

The letter noted that the DOJ has actually been issuing such denial responses for nearly 25 years, since Attorney General Edwin Meese issued the directive. The DOJ defended this approach and maintained that it did not constitute “lying” as some have suggested, and contended that its proposed regulation was an effort to systematize Meese’s order in federal regulations and to obtain public comments.

While expressly contemplated by statute and, according to the DOJ, necessary to protect vital law enforcement and national security interests, the practice went on for years with much less transparency. Under Meese’s guide, the government could tell FOIA requesters that it had no records if merely confirming their existence would be a tip-off that there was a criminal investigation. Denials of record existence also were permitted in situations legally referred to as “exclusions,” i.e., when federal law enforcement agencies needed to protect the identities of informants and when the FBI was asked for records about foreign intelligence, counterintelligence or international terrorism.

“Ban the box” legislation gains momentum

Across the country, municipalities and states are enacting legislation called “ban the box” which generally prohibits employers from asking job candidates about their criminal histories on applications. The legislation also makes it unlawful for a covered employer to take any adverse action against an individual on the basis of an arrest or criminal accusation that did not result in a conviction. The states of California, Connecticut, Hawaii, Massachusetts, Minnesota, and New Mexico have enacted some form of the legislation along with more than 26 cities and counties in Illinois, Maryland, Michigan, Ohio, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Wisconsin and Washington. (A complete list of municipalities that have “banned the box” is posted at http://www.nelp.org/page/-/SCLP/2010/BantheBoxcurrent.pdf?nocdn=1).

However, except for Hawaii and Massachusetts, the legislation has been limited to public employers, or public employers and vendors and contractors serving public entities. The city of Philadelphia, which is the most recent addition to this growing list, is the first municipality to pass a law that covers private employers with 10 or more employees. Below are some jurisdictional highlights of the enacted legislation:

  • Hawaii and Massachusetts private and public employers cannot consider felony convictions that are more than 10 years old. And in Massachusetts, employers are not permitted to consider misdemeanor convictions that are more than five years old.
  • Hawaii and the cities of Chicago, Hartford, and Cincinnati allow an employer to ask about an applicant’s criminal record only after a conditional offer of employment has been extended.
  • Chicago, San Francisco, and Boston require a public employer denying employment on the basis of a conviction to justify its decision based on EEOC’s guidelines, which include the nature and gravity of the crime, the time that has passed since the conviction, and the relevance of the crime to the position.

Proponents of “ban the box” are confident that the legislation will be a significant factor in lowering recidivism rates, as it will allow applicants to demonstrate their skills and qualifications prior to disclosing criminal histories. And many experts say that such laws will expand beyond the borders of the United States in the very near future.

More states are restricting credit reports for employment purposes

Connecticut has joined five other states (Hawaii, Illinois, Maryland, Oregon, and Washington) that, with some exceptions, prohibit the use of credit reports in employment decisions. Effective October 1, 2011, S.B. 361 will ban many employers from using credit information in determining whether to deny employment to an applicant, terminate an employee, decide compensation, or evaluate other terms and conditions of employment. Financial institutions, as well as employers who are required to obtain credit reports under federal or state law, are excluded from the Act’s provisions.

There are certain exceptions to the S.B. 361 prohibitions. Employers may request or use credit reports when such information is related to a “bona fide purpose that is substantially job-related.” The bona fide purpose exception generally applies to positions involving money handling or other sensitive job duties. If an employer requests or uses credit information for a bona fide purpose, it must disclose its intent to do so in writing to the employee or applicant.

As in Connecticut’s S.B. 361, employers in the other states that have passed employment-related credit report restriction laws need to ensure that their hiring, retention, and promotion practices fall within the guidelines of their legislation.

New FINRA rule for reporting requirements

FINRA’s Rule 4530, modeled after NASD Rule 3070 and NYSE Rule 351, went into effect on July 1, 2011. The rule requires all member firms to:

  • report to FINRA certain specified events and quarterly statistical and summary information regarding written customer complaints, and
  • file with FINRA documents of certain criminal actions, civil complaints and arbitration claims.

A member firm has 30 calendar days to report to FINRA violations of any securities, insurance, commodities, financial or investment laws, rules, regulations or standards of conduct committed by the firm or its associated persons.  The 30-day period begins when the firm has concluded, or reasonably should have concluded, that a violation has occurred. Below is a summary of the provision.

  • Firms are not required to report every instance of non-compliant conduct, but they must report conduct that has widespread or potential widespread impact to the firm, its customers or the markets, or conduct that arises from a material failure of the firm’s systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts.
  • Violative conduct by an associated person must be reported only when it has widespread or potential widespread impact to the firm, its customers or the markets; conduct that has a significant monetary result on a member firm(s), customer(s) or market(s); or multiple instances of any violative conduct.
  • The “reasonably should have concluded” standard is applied on a good faith basis (by the firm) if a reasonable person would have concluded that a violation has occurred; if a reasonable person would not have concluded that a violation occurred, then the matter is not reportable. Firms must establish who, within the firm, is responsible for making such determinations. Stating that a violation was of a nature that did not merit consideration by the responsible person is not a defense to a failure to report such conduct.
  • The reporting obligation and internal review processes set forth under other rules – e.g., FINRA Rule 3130 – are mutually exclusive.
  • While internal review processes may point to a firm’s determination that a specific violation has occurred, they do not by themselves lead to the conclusion that the matter is reportable – e.g., FINRA would not view a discussion in an internal audit report regarding the need for enhanced controls in a particular area, standing alone, as determinative of a reportable violation.  An internal audit finding would serve only as one factor, among others, that a firm should consider in determining whether a reportable violation occurred.
  • Certain disciplinary actions taken by a firm against an associated person must be reported under a separate provision, rather than under the internal conclusion provision.

In addition to the above “internal conclusions” obligations, the new rules for “other reportable events” as per NASD Rule 3070 and NYSE Rule 351, have been modified somewhat in Rule 4530. For example, more customer disputes may have to be reported, as the new rule will now include attorney’s fees and interest penalties in customer settlements or awards with damages against a broker of $15,000 or more and against a firm of $25,000 or more, thus lowering the calculations threshold for reporting requirements.

Subcommittee approves legislation to protect consumers against data theft

On July 20, 2011, the Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved legislation to protect consumers from cyber attacks and identity theft. The Secure and Fortify Electronic Data Act (H.R. 2577), or SAFE Data Act, now moves to the full Energy and Commerce Committee for consideration.

The Act would require all businesses that maintain personal information to implement security programs, which, among other mandates, would include a protocol to notify affected individuals of an information security breach. Preempting over 45 existing state information security and breach notification laws, the Act would task the Federal Trade Commission with developing the security rules.

According to its author, Chairman Bono Mack, the Act will enhance protection of personal information by establishing uniform national standards for data security and data breach notification. The preemption provision also would provide certainty for businesses in addressing information security breaches that now are subject to the multitude of state requirements.

Some legislators and advocates have criticized the proposed law as too narrow, as it would require breach notifications only when an individual’s name, telephone number or credit card number is compromised along with a Social Security number, driver’s license number or other government-issued ID. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, or biometric data alone (without the individual’s name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the SAFE Data Act.

Challenges of international background investigations

Many transactions today, whether they involve an employment hiring decision or a new business relationship, are cross-border or have an international component. The need for effective risk management both in the U.S. and abroad has vastly expanded in recent years with the passing of legislation and increased enforcement actions. Behind just about every business decision, there is a widening range of stakeholders — from regulators to shareholders to board members — who expect that the due diligence process will minimize unlawful activities.

International background investigations, which are essential for a comprehensive approach to due diligence, present special challenges since each country has its own laws, customs, and procedures. Language barriers, name variations and transliterations, limited information and technology, broad definitions of crimes, and proliferation of fraudulent educational and accreditation institutions, are just some of the factors that add to the complexity of these investigations.

As a general rule, in most European countries, criminal records are not available to the public. In Asia, public accessibility to most court filings is limited. In South America, public records vary greatly from country to country. South Africa provides some disclosure of police records and warrants to the public, along with civil filings. Canada’s public records availability differs by province, and only a few permit criminal records release. India and Australia have the most searchable records, similar to the U.S.

For employment purposes, the Fair Credit Reporting Act (FCRA) imposes certain obligations for international background screening performed by a U.S. Consumer Reporting Agency (CRA), including mandating reasonable procedures to ensure the accuracy of the information it reports. If a public record such as a criminal conviction is found, the CRA must ascertain that the information is correct, up-to-date, and reported in a way that does not violate data or privacy protection rules.

In 2000, an agreement between the U.S. Department of Commerce and the European Commission established privacy and data protection guidelines, the “Safe Harbor Principles,” to enable U.S. companies to satisfy a requirement under European Union law for adequate protection of personal information transferred from the European Economic Area (the 25 member states of the European Union plus Iceland, Liechtenstein and Norway). In addition to these principles, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions and businesses that receive personal information to establish safeguards for the handling and disclosure of that information. And the Fair and Accurate Credit Transactions Act (FACTA), a federal law, also contains provisions to help reduce identity theft and obligates the proper disposal of personal consumer information.

The cost of an international background investigation typically is higher than domestic searches, and varies with each country, the type of information that needs to be obtained and the purpose of the investigation. When performed by a reputable firm with qualified foreign contacts, an international background investigation can reduce negligent hiring liability, and prevent a catastrophic investment or reputational damage.

Dodd-Frank Act amendment for credit scores took effect July 21, 2011

The Federal Reserve Board and the Federal Trade Commission (FTC) issued final rules to implement the credit score disclosure requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If a credit score is used in setting material terms of credit or in taking adverse action, the statute requires creditors to disclose credit scores and related information to consumers in notices under the Fair Credit Reporting Act (FCRA).

The final rules amend Regulation V (Fair Credit Reporting) to revise the content requirements for risk-based pricing notices, and to add related model forms that reflect the new credit score disclosure requirements. These rules also amend certain model notices in Regulation B (Equal Credit Opportunity), which combine the adverse action notice requirements for Regulation B and the FCRA.

For employers, this means that if a consumer report that includes a credit score is used to determine eligibility for employment, the employer will be required to disclose to the subject the usage of the credit score in an adverse employment decision and to provide information about the credit score, including the score itself, up to four key adverse factors in the score, and the identity of the agency that provided the score.

For credit transactions, creditors, including banks, credit unions, credit card issuers, and utilities, that extend credit on terms that are less favorable than those offered to other consumers because of information contained in a credit report, or if other adverse action is taken, will have to provide to the subject a “risk-based pricing notice” which discloses the credit scores and related information. Such notice will include: 1) the numerical credit score used by the creditor in making the decision; 2) the range of possible scores under the model used by the creditor; 3) the key factors that adversely affected the credit score; 4) the date on which the credit score was created, and 5) the name of the entity that provided the score.

In certain cases, such as for applications for a mortgage, auto loan, or another type of credit, a lender will have to furnish to the subject a “credit score notice” that lists the credit score and how the score compares to other consumers’ scores regardless of the credit terms offered. If no credit score is available for a consumer, the lender’s notice will identify the particular credit bureau which reported this information. Additionally, if a consumer’s annual percentage rate (APR) on an existing credit account is increased based on a review of a credit report, the creditor will have to provide an “account review notice.”

The Board and the FTC have stated that it is imperative to have the regulations and revised model forms in place as close as possible to July 21, 2011. This will help ensure that consumers receive consistent disclosures of credit scores and related information, and facilitate uniform compliance when Section 1100F of the Dodd-Frank Act becomes effective.
