How the Fair Credit Reporting Act Affects Audits and Other Investigations

By David Sinason, Carl Pacini, and William Hillison

In Brief

The Downside of Fairness

Federal agencies and the courts have advised employers to use experienced outside investigators to ensure compliance with internal controls and implement monitoring and auditing systems designed to detect criminal conduct by employees. The Fair Credit Reporting Act (FCRA), as interpreted by the FTC, undermines the effectiveness of outside investigations, due to various requirements. In sum, FCRA requirements stifle the ability of outside investigators to thwart employee misconduct by providing the opportunity for wrongdoers to cover their tracks. The FCRA also puts limits on certain procedures performed by auditors, especially those related to complying with SASs 54 and 82.

Presently, it is unclear when a particular audit procedure becomes an investigation subject to the FCRA. Until the FCRA is clearly interpreted or amended by Congress, auditors and investigators may confront unreasonable restrictions on certain activities, increased liability exposure, or both.

Employers often hire outside experts such as independent auditors and forensic accountants to investigate allegations of employee misconduct. Such misconduct includes embezzlement, theft, expense padding, financial statement manipulation, bribery, and money laundering.

When investigating alleged misconduct, employers and outside experts must balance the need to combat financial and other losses with the rights of the suspect. Employers that conduct such investigations have faced charges of defamation, invasion of privacy, intentional infliction of emotional distress, and wrongful termination actions filed by employees accused of occupational fraud and abuse. Now employers and outside experts, including auditors and forensic accountants, could face a new hurdle: potential liability for failure to comply with the Fair Credit Reporting Act (FCRA).

In early 1999, the Federal Trade Commission (FTC), the federal agency that interprets and enforces the FCRA, indicated that various notice, disclosure, and consent requirements contained in the FCRA apply to many types of employee misconduct investigations undertaken by auditors, forensic accountants, lawyers, and other third parties. The various FCRA requirements discourage companies and accountants from undertaking third-party investigations and interfere with their effectiveness at a time when the SEC and other federal agencies virtually mandate corporate compliance programs. One important requirement established by federal Organizational Sentencing Guidelines is that firms “take reasonable steps to achieve compliance ... by utilizing monitoring and auditing systems designed to detect criminal conduct by employees.” This requirement and firms’ efforts to combat employee fraud in all its forms are all but undermined by the FTC’s broad application of the FCRA.

Background on the FCRA

The Fair Credit Reporting Act (FCRA), which took effect in 1971, was enacted to protect consumers from inaccurate or misleading credit reports and from unauthorized disclosure of information in the reports. Before then, consumers had no way to discover such problems, because the users of credit reports had no legal obligation to provide them to consumers or disclose that they were being used. Also, credit agencies were not mandated to discard obsolete information or, if inaccurate information was found, to send corrected reports to users.

Consumer reports historically were used to evaluate and minimize the risk of loss in three kinds of events: extending credit, underwriting insurance, and employment decisions. The reports used in credit decisions are usually confined to a person’s credit history and information from public records, such as liens and judgments. Reports for insurers and employers usually contain data on an individual’s personal characteristics, general reputation, character, lifestyle, criminal record, driving record, and employment history.

The FCRA was generally assumed to be limited to credit-decision issues and remained unchanged until the mid-1990s, when many disgruntled consumers began filing complaints with the FTC about the release of personal, confidential information. The FTC proposed amending the FCRA to enhance consumer privacy and protection, and in 1996 Congress responded by enacting the Consumer Reporting Reform Act, which amended the FCRA.

Prior to the 1996 reforms, employers faced only minimal restrictions in accessing and using consumer reports. The revised FCRA imposes significant procedural restrictions on employers’ access to and use of consumer reports obtained from consumer reporting agencies. Unfortunately, many employers and outside third parties continue to assume that the FCRA applies only to credit reports.

Since September 30, 1997, employers have had to obtain written permission from an employee or potential employee to procure a “consumer report” or “investigative consumer report” from a “consumer reporting agency.” Notice and disclosure requirements must be met for both types of reports, but the requirements are more stringent for an “investigative consumer report.”

A “consumer report” [15 U.S.C. Sec. 1681 (a)(d)] means “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, which is used or expected to be used ... for the purpose of serving as a factor in establishing the consumer’s eligibility for ... employment purposes.” An “investigative consumer report” [15 U.S.C. Sec. 1681 (a)(e)] is a “consumer report or portion thereof in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with neighbors, friends, or associates of the consumer ... or with others with whom he is acquainted ....” Excluded from these definitions is any “communication of ... information among persons related by common ownership or affiliated by corporate control.” This means that internal investigations conducted by an employer do not fall within the ambit of the FCRA. A “consumer reporting agency” [15 U.S.C. Sec. 1681 (a)(f)] is “any person which, for monetary fees, ... regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.”

To obtain a consumer report an employer must provide notice to the employee that it plans to procure a consumer report for employment reasons. Two elements comprise the notice requirement:

The employer is also responsible for certifying to the consumer or credit reporting agency that such notice or disclosure was given and permission obtained.

Additional safeguards apply if an employer intends to obtain an investigative consumer report. The employer must “clearly and accurately” disclose to the employee that the report will include “information on the employee’s character, general reputation, personal characteristics, and mode of living.” The notice must be mailed or delivered within three days of the date on which the report was requested. Upon written request by the employee, an employer must make “a complete and accurate disclosure of the nature and scope of the investigation requested.”

Any employer who uses, even in a minor way, a consumer report or investigative consumer report for firing, not hiring, not promoting, transferring, reassigning, or any other adverse employment action must provide an unedited copy of the report to the employee. A copy of the report and notification of rights under the FCRA must be given to the employee before any adverse action. This gives the employee the opportunity to rebut any allegations of misconduct.

The law does not set the amount of time an employer must wait before taking any adverse action. In one case, five business days was found to be reasonable (see FTC Staff Opinion letter to Eric Weisberg dated June 27, 1997). When adverse action is taken, the employer must provide a notice of the action, disclose information about the reporting agency providing the report, and inform the employee that the reporting agency did not make the adverse decision.

The legal quicksand thickened for employers and outside third parties when the FTC broadly interpreted the 1996 amendments, making the FCRA applicable to consumer reports and investigative consumer reports of job applicants or employees, including those containing no credit-related data.

The Vail Letter

Congress has granted the FTC “such procedural, investigative, and enforcement powers, including the power to issue procedural rules” to enforce compliance with the FCRA [15 U.S.C. Sec. 1681(s)]. The FTC does not, however, have the authority to issue interpretative regulations under the FCRA. The FTC also issues informal opinion letters about the FCRA that provide advice on interpretation. Although such advisory opinion letters are not legally binding, courts can use them in interpreting the FCRA.

In early 1999, Judi Vail, an attorney in Washington State, requested clarification from the FTC about whether the FCRA notice and other requirements apply in a sexual harassment investigation. In April 1999, the FTC responded in a letter (the “Vail letter”) that the procedural regulations of the amended FCRA apply to sexual harassment investigations conducted by an outside third party. In fact, in a more recent staff opinion letter (see letter to Sylvia Sum dated September 15, 1999), an FTC attorney advised that a law firm that regularly researches the criminal records of job applicants for its clients is a consumer reporting agency. Hence, the FTC construes outside investigators as consumer reporting agencies under the FCRA if they prepare consumer reports or investigative consumer reports.

Legal experts agree that by extension, FCRA procedural regulations apply to all types of investigations of employee misconduct undertaken by a third-party investigator for an employer (for further discussion, see Amy Payne, “Protecting the Accused in Sexual Harassment Investigations: Is the Fair Credit Reporting Act an Answer?” Virginia Law Review, Vol. 87, April 2001, pp. 381–413; and Michael Fried, “Helping Employers Help Themselves: Resolving the Conflict Between the Fair Credit Reporting Act and Title VII,” Fordham Law Review, Vol. 69, October, 2000, pp. 209–241).

Two main types of consumer reporting agencies, depository and investigative, come within the FCRA’s definition of consumer reporting agency. Depository agencies include retail credit bureaus and other agencies that routinely collect data on individuals without regard to whether the information will be requested by a report user. An investigative agency, such as an auditing or forensic accounting firm, obtains necessary and relevant information when a business or employer requests it. For example, an employer may engage a forensic accounting firm to investigate an embezzlement by employees. According to the FTC, an outside agency, such as a law firm, private investigator, auditing firm, or forensic accounting firm, is a consumer reporting agency because it assembles or evaluates information on individuals on a regular basis at the request of its clients.

The FTC opinion also establishes that the work undertaken by an auditing or forensic accounting firm for an employer on employee misconduct will frequently qualify as a consumer report or investigative consumer report. Moreover, the FCRA makes no distinction between whether information on an employee is obtained from internal records or from outside the employer’s workplace. Thus, the FCRA applies even when an investigation conducted by an outside third party is limited to internal data. An FTC staff opinion letter (see letter to Carolann Hinkle dated July 9, 1998) indicates that if an outside agency merely verifies information provided on an application by contacting various records’ custodians, such activity gives rise to a consumer report. If an outside agency (or consumer reporting agency) conducts a reference check or performs other activities that are likely to uncover information as to a person’s character and general reputation, this would give rise to an investigative consumer report.

In September 1999, the FTC issued a second advisory opinion (see the Medine letter) in response to concerns raised about practical problems that exist in applying the FCRA to third-party investigations. The FTC stood by the Vail opinion in the Medine letter. Moreover, the FTC has stated that its expansive interpretation of the FCRA with regard to investigative consumer reports and consumer reports is merited because of important privacy and procedural rights the FCRA provides to employees when an employer retains an outside agency to conduct an employee misconduct or other type of investigation.

How the Vail Letter Affects Employee Misconduct Investigations

Many employers look to outside, independent third parties for assistance in various types of investigations involving employees. Many of these investigations entail occupational fraud and abuse, such as check kiting, forgery, embezzlement, stealing firm assets, expense padding, bid rigging, or bribery, where an actual allegation or indication of fraud has emerged. Other investigations, such as traditional financial statement audits, involve CPAs undertaking those audit procedures necessary to provide reasonable assurance that a client’s financial statements are not materially misstated due to fraud. Both types of investigations, but especially fraud investigations, can result in a consumer report or investigative consumer report triggering application of the FCRA.

Applying the FCRA to investigations conducted by accounting firms or fraud investigators is likely to discourage companies from undertaking such investigations. Also, it could interfere with their effectiveness when they are performed. For example, employers may have lost their ability to conduct unannounced investigations of suspected theft, embezzlement, or other forms of misconduct.

According to the FTC’s present position, the employer must not only inform the individual to be investigated about the investigation before a report is produced, but must first obtain that person’s written consent. Moreover, the employer must provide the employee an unedited copy of any report that serves as a basis for any adverse employment action.

Consequently, the employer may be forced to suffer unnecessary delays while the employee conceals or obscures evidence of any wrongdoing. For instance, the employee may destroy or alter key information, or tamper with potential witnesses. Thus, FCRA’s disclosure requirements may have a chilling effect on an interviewee’s response to questions concerning the employee under investigation, because witnesses may fear retaliation from the investigated employee.

Additionally, an employee may refuse to give the employer permission to obtain a consumer report or investigative consumer report. One option available to an employer is to take adverse action, including termination or refusal to hire, when permission is not granted. In a staff opinion letter (see letter to Corrie Fischel, Esq., dated October 1, 1999), the FTC states that the FCRA does not address this situation. The law does not prohibit an employer from taking adverse action against an employee who refuses to grant permission; nor does it authorize it. However, an employer should consult legal counsel before pursuing this course of action, due to potential liability exposure under other laws.

Penalties for Violating the FCRA

The FCRA provides that users of information, such as employers, and those who qualify as consumer reporting agencies, such as outside third parties, may be sued in a civil action by a consumer (i.e., employee). The FCRA has two separate statutory provisions that address civil liability. One provision [15 U.S.C. Sec. 1681(o)] establishes a civil cause of action against any person who is negligent in failing to comply with any requirement imposed under the FCRA. A second provision [15 U.S.C. Sec. 1681(n)] provides for civil liability on the part of any person who willfully fails to comply with any requirement under the FCRA.

Any outside third party or employer who negligently fails to comply with the FCRA may be liable for actual damages and attorney’s fees. More than one federal court has ruled that actual damages include recovery for emotional distress and humiliation. Actual damages may also include out-of-pocket expenses for attorney’s fees incurred by a plaintiff prior to litigation of claims under the FCRA.

Moreover, any outside third party or employer who willfully fails to comply with any requirement under the FCRA may be liable for actual damages, attorney’s fees, and punitive damages. A consumer (or employee) must show that the defendant knowingly and intentionally violated the FCRA but need not show malice or evil intent to be entitled to damages [15 U.S.C. Sec. 1681(n)]. Although courts have not typically awarded large sums of actual damages, punitive damage awards are within the discretion of a court. Punitive damage awards are not necessarily tied to the amount of any actual damages. In fact, federal courts have ruled that punitive damages may be awarded in the absence of actual damages. Factors considered in the determination of punitive damages include the remedial purpose of the FCRA, harm intended to be avoided or corrected, the manner in which the defendant conducted its business and dealt with the plaintiff, and the defendant’s income and net worth. This latter consideration means that outside third-party businesses with significant net income and net worth could be liable for substantial amounts of punitive damages.

Another provision of the FCRA [15 U.S.C. Sec. 1681(g)] provides that any person (including an employer) who obtains information on a consumer or employee under false pretenses is subject to criminal penalties, including fines or imprisonment. Criminal penalties can also be imposed on any employee of a consumer reporting agency (which includes outside third parties) who knowingly and willfully provides information about a person from the consumer reporting agency’s files to anyone not authorized to receive it. Finally, the FTC itself may bring both criminal and civil actions against parties who violate the FCRA.

What Can Employers, Auditors, and Forensic Accountants Do?

Despite the FCRA’s imposing requirements, employers and outside third-party investigators still have options. An FTC staff opinion letter authored by David Medine dated August 31, 1999, offers several suggestions.

A significant, troubling requirement is that the employee or potential employee authorize the investigation in advance. The FTC has indicated, however, that employee consent can be routinely obtained at the start of employment. Alternatively, a company can avoid alerting an employee that she is suspected of lawbreaking by asking all current employees to sign a consent or release form and providing them any required notice at the same time. The consent or release form must be specific and accurate and include a list of the employees’ rights and remedies. It is unclear whether making execution of a release a condition of employment would invalidate the release in a judicial proceeding. Arguably, an employee could claim that such a requirement constitutes duress. Routine notice and consent, however, would not satisfy FCRA requirements when a consumer reporting agency prepares an investigative consumer report containing interviews. The FCRA requires additional notice and disclosure when an investigative consumer report is obtained.

Reporting is another place that can present problems. Because a consumer report or investigative consumer report that serves as an input for any adverse employment action may be read by the affected employee, employers should review their best practices regarding methodology, records retention, and reporting procedures. An outside investigator can help by drafting its report in a way that does not name parties that provide negative information about the suspect employee. The downside is that a plaintiff in a wrongful termination action could challenge such a report, because deleting names and other critical information opens employers and outside third parties to claims that the investigation is incomplete. In any event, investigative reports should be factual, complete, and balanced. Opinions, slurs, and biases have no place in these reports.

Employers can sidestep the FCRA altogether by conducting in-house investigations. However, if the accused is an executive or senior manager, an in-house investigation may be problematic. Many employers, particularly small and medium-size businesses, do not have professional staff, other than internal auditors or corporate counsel, with the experience, knowledge, and expertise to conduct legally defensible workplace investigations. Employers have been found liable for taking adverse action in reliance upon broad or insufficient investigative summaries.

Internal auditors and in-house counsel may jump through the FCRA hoops in conducting an investigation of employee misconduct but may run afoul of other laws. For example, Title VII of the Civil Rights Act limits the use of criminal and financial information in making employment decisions. Moreover, employers must be mindful of the federal bankruptcy law’s restrictions on employment discrimination. A lack of familiarity with a single state or federal law on the part of corporate counsel or internal auditor could subject the employer to liability.

Another option available to employers is to ignore the FTC’s position. As noted, FTC staff opinion letters are not legally binding. In Robinson v. Time Warner Inc. [187 F.R.D. 144 (S.D.N.Y. 1999)], a federal court, albeit in language not critical to its decision, took note of this point in rejecting an employee’s claim that he was entitled to a copy of a report prepared by the company’s lawyer after conducting an investigation of his racial discrimination claim. Attorneys and internal auditors who pay no heed to the FTC’s opinions do so at their peril. Such a course of action opens them and their clients or employers up to possible lawsuits by subjects of their investigations who later claim they have been the subject of adverse action without having a chance to respond.

When Does the FCRA Apply to Audit Activities?

The FCRA realistically places restrictions on certain activities of auditors, particularly those undertaken to comply with SAS 82, Consideration of Fraud in a Financial Statement Audit, and SAS 54, Illegal Acts by Clients. In many instances, auditors look for unusual transactions, suspicious situations, or violations of internal control that often necessitate further investigation. Such further investigation may entail assembling or evaluating information on the client’s employees that bears on character, general reputation, personal characteristics, mode of living, or credit standing. Moreover, assembling or evaluating these types of information may ultimately be used for employment purposes (as defined by the FCRA). Thus, the client would have to obtain the employee’s consent prior to an auditor starting any work that could become part of a consumer report under the FCRA. Also, any information an auditor collects that could serve as input to an adverse employment decision would have to be disclosed to the affected employee.

This line of thought raises some difficult questions, including:

Unanswered Questions

Many other unanswered questions are raised by the FTC’s broad interpretation of the FCRA as applied to activities of independent auditors and forensic accountants. Unfortunately, they will remain unanswered until Congress amends and clarifies the FCRA or a court provides a clear ruling that indicates whether the FTC’s interpretation has the force of law.

In April 2001, legislation was introduced in Congress to amend the FCRA. Specifically, HR 1543 would exclude from the definition of consumer report any communication made to an employer in connection with an investigation of suspected misconduct related to employment if the communication is provided only to the employer or its agent or any federal, state, or local government official. The bill was referred to the House Committee on Financial Services. It has not yet been reported out of committee. It is noteworthy that in the “findings” section of HR 1543 it is stated that “the FCRA undermines the ability of employers to use outside experienced investigators or individuals to investigate allegations of ... criminal activity, including theft, fraud, embezzlement ... and other types of misconduct related to employment.”

David Sinason is Associate Professor, Department of Accounting, College of Business, Northern Illinois University, Dekalb, Ill;
Carl Pacini is Assistant Professor, Department of Accounting, Finance and Business Law, Florida Gulf Coast University, Fort Myers, Fl., and
William Hillison is Arthur Andersen Professor of Accounting, College of Business, Florida State University, Tallahassee, Fl.


©2002 CPA Journal.