TOM FIELD: This is Tom Field with Information Security Media Group. We're here today to talk about background checks. And speaking with us is Les Rosen, attorney and president of Employment Screening Resources in Novato, California.
Les, thanks for joining us today.
LES ROSEN: Oh, my pleasure.
FIELD: Give me a little bit more on your background. I mean, I know that you've done an awful lot with background checks, but you've authored some important material on this as well.
ROSEN: Well, certainly, Tom, I appreciate that. I am the author of the Safe Hiring Manual, which is the first comprehensive book on pre-employment background checks. I have written a number of articles on the topic, and I had the opportunity to be the chairperson of the steering committee that founded the national association for the background screening industry, called the National Association of Professional Screeners, and served as its first chair. So I've been involved in this whole area of doing background checks for a little over 10 years now.
FIELD: Now, let's talk about financial institutions in particular. How widespread are background checks today in financial institutions?
ROSEN: Well, as we know, since financial institutions are regulated and then, of course, depending upon who your regulator is, it's very widespread because our regulators will require that. A financial institution that's regulated by the FDIC, for example, needs to be concerned with not hiring individuals who have certain offenses that are covered under Section 19. And those are people that a financial institution is prohibited from hiring. And in 2005, the FDIC issued a guidance called pre-employment background screening, guidance on developing an effective pre-employment background screening process available on the web where the FDIC clearly encourages financial institutions to engage in background screening.
So, it's very widespread, and in order to comply with Section 19 you find that most banks, at a minimum, are doing fingerprint checks of new applicants, and most organizations are doing much more in the nature of verifying past employment, verifying education, verifying credentials, and trying to do everything they can to make sure that they're not hiring that bad apple that's going to cause an identity theft or some sort of fraud or somehow cause problems for a financial institution.
FIELD: A question I always hear is: Who should be subject to a background check? And is anyone exempt from it?
ROSEN: Well, the general rule of thumb is that you should really know who you're hiring, and presumably, if you're in a financial institution, you're not hiring people that don't do anything of value, and the short answer is you - to some degree, you really need to background screen everyone. Now, that's not a self-serving answer as a member of the background industry, but it's a very practical answer. Every single person that you hire has some access to financial information, to perhaps cash or assets, to confidential and private information that has to remain secure -- even positions that may be somewhat lower in the chain of command can still hurt you. And there's always the problem of workplace violence and the whole host of issues that regular employers have.
You add to that that, as a financial institution, folks are trusting you with their money and with their private information. So, there is a responsibility.
Now, that does not mean that every single person has to be screened at the same level. An institution may well decide to screen a person at a higher level, at the executive level or the VP level, more intensely than they might someone who is an entry-level teller. And the basic rule in human resource is that similarly situated people ought to be treated in a similar fashion. So, it's perfectly acceptable to do a more intense screening for higher level employees. But the trick is that all tellers should be screened the same; all executive vice presidents should be screened the same, so there's some consistency.
But the general rule of thumb is if you're hiring someone and they're in your organization and they could somehow hurt you in the sense of somehow a theft or dishonesty, well, you need to know who's there. And by the way, that also extends not only to your W-2 employees, but it also extends to independent contractors, people who come to you from a staffing agency. And frankly, that level of due diligence also applies to vendors, people that are coming into your institution at night in order to do cleaning; what do they have access to? Who are they? So, due diligence and risk management is something that has to be thought out through the whole organization.
FIELD: Good point. Les, what are the primary areas that you're generally asked to research when engaged in a background check?
ROSEN: Well, the first area of concern to most financial institutions is whether or not a person has a criminal record. And obviously, depending upon who regulates you, what type of criminal records are prohibited and what you need to consider will vary. The FDIC tells us - gives us a certain list of folks you cannot have. A lot of banks will search criminal records by means of a fingerprint, which typically means going down to a local police department or a local sheriff's office and running the print. And obviously federally regulated banks, under the FDIC, do have access to the FBI database.
Some banks, however, will do local criminal checks either because they want the checks to come back faster or because fingerprinting is too expensive and not as convenient.
In addition to the criminal records, the next area of concern is whether or not a person is truthful and honest and accurate about their employment. And we know from a number of surveys in the HR world that employers can expect that up to 40% of your applicants will be submitting applications and resumes that belong in the fiction section of a bookstore.
ROSEN: It's incredible, and you see it all the time. The top lies that we see, or exaggerations perhaps, is people will promote themselves. They'll tell you they were a manager, when in fact it turns out they never managed anyone. They'll inflate their salary in order to bargain for a greater salary. Or they try to hide employment gaps, and they'll give you dates of employment that aren't quite accurate. Sometimes a person just wants to hide employment gaps just to help him get a job; other times it's slightly more sinister. We've seen numerous cases where people have hidden employment gaps because they were in custody. They were in jail, basically, and they didn't want that to be known.
So verifying past employment and knowing where a person has worked, particularly knowing that they have worked at another bank, and if they did well at that bank, is critical for a financial institution.
Another area we see quite commonly is verification of education or credentials or a license, again to make sure that someone is being honest and truthful in the information that they've given you. And another area that frankly banks and all financial institutions need to be very concerned about is whether or not an applicant is on any type of financial sanctions, terrorist, or disbarment list. And there are, of course, the five disbarment and sanctions lists that are recommended by the FDIC: the board of governors, the FDIC list, the National Credit Union Administration list, the Office of the Comptroller of the Currency, and the Office of Supervision -- they all have sanctions and disbarment lists, and those can easily be checked either online or through agencies that can check all five databases at once.
And finally, basically, there is OFAC, which is the Office of Foreign Assets Control, which is the primary terrorist database for the United States, along with numerous other databases that are available as well. Those are all things that are fairly quick to do, easy to do, relatively inexpensive compared to the risk involved, and perfectly legal as long as banks and financial institutions understand that this is a legally regulated area under the Fair Credit Reporting Act. So, banks simply need to make sure that all of their forms are proper and that they're working within the Fair Credit Reporting Act and have consent and disclosure.
FIELD: Okay. Now, Les, what are some of the common traps that you want to avoid when doing a background check?
ROSEN: Well, the - some of the big traps we see are: Number one, if a financial institution is not in legal compliance, that is going to increasingly cause issues. Lawyers are becoming more aware of the federal FCRA, the Fair Credit Reporting Act, as well as state laws. And so it's very important to dot your i's and cross your t's. It's not complicated. It just requires some attention to make sure you're doing it right. If you're working with a regular background firm, the background firm should be able to assist you. Any labor attorney should be able to assist you as well. So that's an area of concern.
Another area of concern that we're seeing with employers, as well as financial institutions, is overreliance on criminal databases. And it's very important for banks and financial institutions to understand that when it comes to searching criminal records - if you're not using a fingerprint system, then you need to do an on-site check county by county and be very careful of using the so-called national databases that are sold as very inexpensive tools. They're not really a national criminal database; it's a national compilation of available criminal information that has lots of holes in it. It's valuable because there's a lot of data, but it's not complete.
The other area that we see that is going to become a problem in the future for all employers, in fact, is the interplay of discrimination laws with employment screening. The EEOC, which administers the nation's discrimination rules, and the fair housing and fair employment rules in various state agencies, has become very concerned recently with the plight of people who are ex-offenders, who have done the crime but paid their time and now are unable to get jobs in society.
Now, of course, if you're regulated, such as regulated by the FDIC, where the FDIC tells you there are certain crimes where you cannot hire the person, then under federal law you cannot hire that person. But where we're going to see some action in the next few years in this area is individuals with lesser offenses who are being shut out from the workplace and who may claim that they're the subject of discrimination. So what we ask employers is to very carefully consider any criminal violation you find. And unless it's prohibited by a statute where the law says you can't hire the person, be aware of the EEOC analysis that basically says that if the person has a criminal record, in order not to hire the person you must establish whether or not there is a business justification for that type of person with that type of criminal record not working for you. And very simply, the EEOC says to take a look at the nature and gravity of the crime, the nature of the job, and how long ago the crime occurred.
So if a person, for example, was convicted of - let's say driving under the influence a few years ago, but there is no driving involved for the financial institution. Well, would that be an eliminating factor? Well, probably not. But that's going to be an issue for banks to be very careful about: other than situations where the law says a criminal conviction is a disqualifier, do not automatically assume that anyone with a criminal record cannot be employed.
FIELD: Now, this is a question that always comes up, I always hear it from the institutions: whether to insource or to outsource, and they're always sort of tossing that around. What are the key areas that they ought to consider when making that decision about whether to keep it in house or to go to outside expertise?
ROSEN: Well, the key thing to keep in mind in any type of outsourcing decision is whether or not a particular task is so core to your function that you need necessarily to keep in house or whether it's a task that, although critical, is not your primary expertise, so that other people can do it much more quickly and cheaply and very efficiently.
With pre-employment background screening, it's one of those areas where most employers will typically outsource. There's a point at which the extremely large employers might bring it back in-house because they would have the financial resources and the expertise and the incentive to do it. But most employers find that these type of human resource functions are often done on an outsourced basis because an outsource company has the resources, the specialized knowledge, the software, and the preexisting expertise.
So that not only applies to background screening; it may apply to benefits; it could apply to a whole host of things that, although they could be done in house, the question that you always have to ask is: do we want to divert ourselves from our mission to do something that someone else can do very easily, or is this so central and core to our mission that we're going to spend the time, energy and resources to do it? And quite frankly, when most institutions consider the pros and the cons of each type of human resource service, it typically ends up being outsourced, at least most of it. Some financial institutions will keep part of it in house.
They may want to do the employment verification themselves. And the reason is they may want to talk to supervisors, although they may well outsource other aspects of it. So sometimes it's - it depends on the actual task and what the bank wants to do. It's not that it's all-or-nothing; some banks will actually divide that up and keep some in house and send some outside.
FIELD: I know this is a huge topic. I know we could talk about it all day and that there are tons of questions. But if I had to ask you for a single piece of advice that you might offer to an institution that's just started to engage in background checks, what advice would you give to them?
ROSEN: Well, the first advice I would give the financial institution is to very carefully analyze what you - what you're doing and not doing. There are two traps of which to be wary. The first trap is if you do nothing. Then you can easily find yourself the subject of a negligent hiring lawsuit or a lawsuit based upon some act of misconduct. After all, if you hire someone who, had you exercised reasonable discretion, you either knew or should have known was dishonest or not fit for the job or violent or had a prior history of theft, and they come into your institution and they steal someone's identity, they steal cash, they create a hostile workplace, they hurt a customer or a coworker - well, you're going to have, as they used to say in the Lucy Show, a lot of explaining to do. You'll have to explain to a jury why you couldn't be bothered to make some reasonable inquiry into who you're hiring.
So the first bit of advice for financial institutions is to make sure that you're doing something and to clearly understand that you have an obligation to exercise due diligence in your hiring.
On the other hand, you don't want to go too far. One example of that is: some institutions will debate whether or not they should run personal credit reports on applicants. And credit reports are one area that's quite controversial. A credit report is a type of consumer report. It's a type of background report that recently has been receiving a lot of attention from the EEOC because it's potentially discriminatory, the issue being: does a person's credit record have anything to do with whether or not they'll do a good job at a bank? And so there are a lot of arguments about that. A credit report used for employment does not have a credit score because a credit score is not relevant to employment. But some people might argue that if a person has a credit history where they don't pay their bills or they have huge debts, working at a bank may tempt them to steal money.
There's one study that shows the opposite, that a person with a poor credit history tends to do a better job, perhaps because they need the job. So you want to be very careful about the tools that you're using as well. So you don't want to do too little and you don't want to do too much. You want to strike the right balance.
Most importantly, you want to be able to demonstrate that you have a well-thought-out process, that you involved counsel so that the legal aspects are taken care of; and that as a risk management decision, you're doing what is appropriate to protect your institution, to protect your reputation, to protect your workers, and protect your customers.
FIELD: That's wonderful insight. I really appreciate your time today and for your insights. Again, I think you've just given us some great background on background checks.
ROSEN: My pleasure, and I'm always happy to be of help.
FIELD: This is Tom Field. We've been talking with Les Rosen, attorney and president of Employment Screening Resources. For Information Security Media Group, I want to thank you for joining us today. I'm Tom Field. Thank you very much.