6 Steps for Better Background Checks

Stopping the Insider Threat Starts With Screening Your Job Applicants Employee background checks - they're the first line of defense against the insider threat. And increasingly financial institutions are performing these investigations - or outsourcing them - as a means of screening applicants for jobs involving access to sensitive information of transactions.

"Everyone is doing background checks, including criminal and credit background checks, regardless of what industry a company operates in," says Garen E. Dodge, head of the employment and labor practice with Wiley Rein & Fielding, a Washington, D.C.-based law firm. The key driver behind the trend: Greater attention to internal security, with companies looking to cover liability issues due to privacy concerns. "Protecting the interests of customers, shareholders and the institution is something to consider when developing your institution's hiring practices," Dodge says.

Some banking institutions use their own human resources departments to check references; others use a third-party service provider to perform the checks. Either way, institutions must ensure compliance with state laws and the requirements under the federal Fair Credit Reporting Act (FCRA).

Scott Smith, Executive Vice President of American Background, a national firm that performs background checks for financial institutions, says he see some screening 100 percent of their employees, while others take a more targeted approach and assess each position by risk potential. "Certain positions have very high turnovers, so organizations, in attempting to balance the business case versus the cost of background checks, will assess the level of risk a certain job position holds and the level of information that the person will have access to," he says.

Some points to consider in assessing risk and deciding about a background check:

  • What level of personal information will the employee have access to?
  • How closely will they be supervised, and will they have unsupervised access to sensitive information or transactions?
  • What authority will they have to commit financial transactions or change account records?
  • Should positions with high access or authority require more stringent background checks?

Following are six best-practices to consider when conducting background checks:

1) Start with Verifying the Resume

The first thing that must be stressed - people will lie on their resumes.

"This can range from what their grade point average was, or the job titles they held, or even the degrees they've earned," says Eric Cole, an independent information security and insider threat expert.

The best way to mitigate this deception, Cole says, is to have a disclaimer in your employment application that the applicant must attest that the information on their resume is true to the best of their knowledge. If they won't agree, that's your first warning sign. Proceed with caution.

2) Broaden the Reference Checks

Any authorization to perform background checks should include the candidate's okay to speak to anyone at their previous jobs -- not just supervisors or managers.

"That way you have a wider variety of people to speak with at previous jobs," Cole says. "When you have their permission to speak with anyone who they worked with, this helps uncover the candidate's moral and ethical thought processes."

Uncovering these processes includes questions about any changes in behavior when the person worked at the company. "Were there major changes in finances? For example, a person who had been driving an older model car suddenly shows up driving a sports car -- that would clearly indicate a point that you'd want to know more details about," says Cole.

One weakness in this process: Previous employers are often reluctant to provide candid information about a previous employee for fear of being sued. Attorney Dodge recommends that an institution have a release that an applicant signs during the interview process, allowing the institution to ask information from previous employers. "The release should say 'I waive my rights to sue a previous employer and allow them to give them the right to give information about my job performance'," says Dodge. This type of release helps uncover the real reasons why an applicant left a previous position, he adds.

3) Heed the Early Warning Signs

Among financial institutions, there is a greater ability than in other industries to share information about applicants who have previous employment issues at other institutions. BITS, the financial institutions' consortium, offers an early warning service (See: Early Warning Service) that helps financial institutions thwart employee fraud. The service identifies employees who were released by another financial services organization because they knowingly caused or attempted to cause financial loss.

"This early warning is something we support as a first line of defense in hiring high quality personnel," says Doug Johnson of the American Bankers Association.

4) Put Senior Staff to Greater Scrutiny

When filling a senior level position, many times it is done through promotion, but there are those times when such a job is open to outside applicants. The level and depth of the background check done for senior level and "C-suite" positions goes much deeper, says Peter Wolgrom, a Director at Control Risks, a consulting firm performing financial institution background checks. The senior level background check is supplemented with discreet source inquiries from former employers, industry experts, competitors ... "And anyone who would be able to provide a truer picture of that person, where they've been and what they've done," Wolgrom says. "This includes integrity-related questions and inquiries about their management style."

5) Conduct Regular Updates

Increasingly, pre-employment background checks are standard. But what about updating those checks during the employee's tenure?

"A person's financial status could change," Wolgrom points out. "Maybe they filed for bankruptcy, or they are going through a nasty divorce and their finances are deteriorating. An institution would want to know about sizeable financial problems, or financial duress -- especially when they're availed to customer information or money management within the institution."

The same goes for criminal convictions or businesses that employees have started that may conflict with the institution's interests.

Updated background checks should be performed every few years, Wolgrom says.

6) In-Source or Outsource?

The use of an outside firm to perform your institution's background checks is a decision based on several factors including:

  • Employee turnover;
  • Institution size;
  • HR's ability to perform adequate background checks on applicants.

The industry that has grown up to perform background checks has matured over the past 20 years and now has approximately 1200 companies offering background check services, according to American Background's Smith. These entities range in size from $200 million corporations down to the individual -- usually a retired county clerk performing background checks for local businesses to supplement retirement income.

The cost of performing background checks range greatly, depending on the depth of the information requested. A relatively comprehensive background check can cost $50 per check. "But if you're a relatively large institution, or you're experiencing a high turnover rate in certain areas, that can become a significant cost to your institution," Smith says.

The business challenge of background checks includes looking at it as a risk assessment. "It can become a large cost of doing business," Smith says. "The best way to control cost is to do true risk assessment based on the individual job positions, so you can vary the cost of performing background checks, based on the level of risk that employee would pose to your institution."

There may be the higher-level positions where a $200 background check is warranted, and other lower impact positions where a $25 background check will suffice.

"Each position should be checked based on the level of the risk that the position presents to your institution," Smith says.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network