Picture the deposition. Plaintiff's counsel asks your compliance officer to produce evidence that you vetted your employment verification vendor for FCRA compliance. Your officer opens the vendor file. Inside: a rate sheet, an MSA with boilerplate indemnification, and a sales deck. No permissible-purpose audit. No chain-of-custody documentation. No reinvestigation SLA.

That is not a hypothetical. It is the fact pattern showing up repeatedly in §1681e(b) litigation, where courts ask CRAs to prove "reasonable procedures" and CRAs produce nothing but procurement paperwork. In 2026, with FCRA class-action filings continuing to rise, the gap between how CRAs buy verification services and how courts evaluate verification liability is getting harder to survive.

This checklist is the due diligence record your compliance program is missing. Print it out, send it to every verification vendor in your supply chain, and keep the responses on file. If you already have a vendor relationship, run the checklist retroactively. For a broader primer on the verification process itself, see The CRA's Complete Guide to Employment Verification.


Why CRAs Inherit Their Verification Vendor's FCRA Controls

The liability chain is straightforward. Under §604, a consumer reporting agency may furnish a consumer report only when a permissible purpose exists. When a CRA outsources employment verification to a third-party vendor, the CRA remains the furnishing party. The vendor's failure to validate permissible purpose is the CRA's failure.

§607(b) compounds the exposure. It requires anyone who furnishes information to a CRA to follow reasonable procedures for accuracy and integrity. A verification vendor is a furnisher. If that furnisher has no written accuracy policies, no training program, and no output auditing, the CRA cannot credibly claim it followed reasonable procedures by pointing to a vendor contract.

§615 completes the chain. When a verification result contributes to an adverse employment decision, the consumer has a right to the underlying information, including all outreach attempts, employer responses, and timestamps. If your vendor cannot produce that record in a consumer-disclosure format, you cannot meet your §615 obligations. The liability stays with you.

The Structural Gap

Most CRAs evaluate verification vendors on three criteria: turnaround time, completion rate, and price per verification. Those are operational metrics. None of them tells you whether the vendor can survive an FCRA audit or produce a defensible record in litigation.

FCRA class-action trends show increasing plaintiff focus on documentation gaps, specifically the absence of traceable verification processes. The most defensible position in these cases is not a perfect record. It is a complete one. A vendor that delivers fast, cheap results with no audit trail is a liability dressed up as a cost center.

The 5-Category Vendor Vetting Checklist

Use the following 27 items as a printable RFP instrument or annual vendor review form. Every item is a yes/no question. Send it to your vendor's compliance officer, not their sales team.

1. Permissible Purpose Controls (§604)

Does the vendor capture and log the permissible-purpose code for every verification request before initiating outreach? WHY: §604(a)(3) requires permissible purpose before furnishing. If the vendor cannot show which purpose code applied to each request, the CRA cannot demonstrate per-file §604 compliance.

Can the vendor produce a per-request permissible-purpose log (code, requesting party, timestamp) within 24 hours of a regulatory inquiry? WHY: Audit readiness requires retrievability, not just storage.

Does the vendor's intake workflow validate that a permissible purpose exists before accepting the order, rather than relying on CRA self-certification after the fact? WHY: A vendor that accepts any order without intake validation shifts all §604 exposure to the CRA.

Is the vendor's permissible-purpose validation process documented in a written policy the CRA can attach to its own compliance program? WHY: Regulators expect CRAs to show their vendor's controls, not just assert they exist.

Does the vendor's system prevent re-use of a single permissible-purpose authorization across multiple unrelated verification requests for the same subject? WHY: One consumer authorization does not create standing permissible purpose for future requests.

2. Chain of Custody and Audit Trail (§1681e(b))

Does the vendor produce immutable, timestamped records for every outreach attempt, including channel used, time of attempt, and outcome? WHY: §1681e(b) "reasonable procedures" includes documented verification processes, not just final results.

Are all phone calls to employer HR departments recorded and transcribed, with recordings retained and accessible to the CRA? WHY: Verbal confirmation with no recording is unverifiable assertion. Disputes under §1681e(b) require original-source records, not a verifier's notes.

Does the vendor preserve the original-source response (the actual employer statement) separately from the formatted verification result? WHY: Chain of custody requires tracing the final report field by field back to what the employer actually said.

Are audit records stored in a tamper-evident format with system-level attestation that records have not been altered? WHY: Immutability is not the same as storage. Editable logs provide no compliance value.

Does the vendor track and log every personnel or system touchpoint: who received the order, who initiated outreach, who recorded the result, and when? WHY: Chain of custody means documented handoff at every stage, not just start and end timestamps.

What is the vendor's record retention period, and does it meet or exceed the CRA's applicable requirements? WHY: Best practice is a minimum of 5 years for background screening records under most state-level CRA regulations.

For a deeper look at what a complete audit trail should contain, see How AI-Powered Employment Verification Creates a Complete Audit Trail.

3. Dispute Response Readiness (§611)

Can the vendor re-contact the original employer within the §611 30-day reinvestigation window and return a documented reverification result? WHY: If the vendor cannot reverify on demand, the CRA cannot meet its §611 obligation.

Does the vendor maintain the original employer contact information (specific HR rep, direct line, verification method) so reverification reaches the same source? WHY: Reinvestigation that contacts a different person at the same company does not satisfy the standard.

Does the vendor's system automatically flag a verification record for reverification when a consumer dispute is received, triggering a new outreach workflow? WHY: Manual tracking of dispute triggers is error-prone and increases the risk of missed deadlines.

Can the vendor provide a written reinvestigation report documenting what was re-confirmed, by whom, and when? WHY: The §611 reinvestigation record is a compliance artifact that must be producible in litigation or regulatory review.

What is the vendor's average turnaround time for dispute-triggered reverification, and does that leave the CRA sufficient margin within the 30-day window? WHY: A vendor with a 10-day average reverification turnaround leaves the CRA 20 days, which may be insufficient for complex cases.

4. Adverse Action Workflow Support (§615)

Does the vendor's platform support pre-adverse action notification triggers, alerting the CRA when a result may require adverse action? WHY: §615 requires pre-adverse notice before a final adverse decision. If the vendor does not flag results, the CRA must build its own trigger logic.

Can the vendor export the complete verification record in a format suitable for consumer disclosure under §615? WHY: Consumers have the right to a copy of the information used in an adverse decision. The CRA must produce the full record, not a summary.

Does the vendor's system support document delivery to the consumer subject, or provide structured data for the CRA's own adverse action workflow? WHY: The CRA is responsible for the adverse action notice, but the vendor must provide documentation in usable form.

Does the vendor maintain a log of which verification results were flagged as potentially adverse, retrievable for compliance review? WHY: Adverse action documentation is a frequent audit target. The CRA needs to show the information was accurate and traceable.

Does the vendor's contract explicitly address its obligations when a verification result is challenged as part of an adverse action dispute? WHY: Contractual clarity protects the CRA from being left without recourse if a result is contested.

5. Vendor-as-Furnisher Obligations (§607(b))

Does the vendor maintain written policies and procedures for accuracy and integrity of information it provides to CRAs? WHY: "We follow FCRA" is not a procedure. The vendor's written policies should be reviewable by the CRA.

Does the vendor conduct regular FCRA training for all staff and AI systems, with training documentation available on request? WHY: Untrained staff cannot credibly support a "reasonable procedures" defense.

Does the vendor maintain a certified list of all subprocessors, with confirmation they are contractually bound to FCRA-equivalent standards? WHY: Subcontractors are in the chain of custody. Their compliance posture is the CRA's problem.

Does the vendor have a documented process for investigating and correcting inaccurate information it has previously furnished, within §611 timelines? WHY: A vendor that cannot correct errors within the reinvestigation window creates a structural compliance gap.

Has the vendor undergone an independent compliance audit or PBSA accreditation review within the last 24 months, and will it share findings? WHY: Third-party validation is the strongest form of due diligence. Refusal to share results is itself a red flag.

Does the vendor carry E&O insurance coverage that explicitly covers FCRA-related claims arising from verification errors? WHY: E&O coverage signals the vendor takes FCRA exposure seriously and provides the CRA with recourse for class-action exposure.


How to Run This Checklist on Your Current Vendor

Who receives it. Send the checklist to your vendor's compliance officer or general counsel, not the account manager or sales rep. Sales teams are incentivized to say yes. Compliance teams are incentivized to be accurate.

How to frame it. Include the checklist in an RFP or annual review letter with language like this:

"As part of our ongoing FCRA compliance program, we are conducting a structured review of all verification vendors in our supply chain. Please have your compliance officer complete the attached 27-item questionnaire and return responses within 15 business days. We will treat responses as representations of your current operational controls and may request supporting documentation for any affirmative response."

Six disqualifying red flags. If your vendor's response includes any of these, treat it as a material compliance gap: (1) no per-request permissible-purpose logging, (2) no call recordings or original-source preservation, (3) no capability for §611 reverification within 30 days, (4) no written accuracy policies under §607(b), (5) no tamper-evident record storage, (6) refusal to share audit or accreditation findings.

If your vendor fails three or more items, you have two options. First, issue a remediation plan with a 90-day cure period and re-evaluate. Second, begin parallel vendor evaluation immediately. For CRAs relying on manual verification workflows, the risk compounds because human-dependent processes are harder to audit at scale.


What Changes When Your Vendor Uses AI Agents Instead of Humans

The verification industry is splitting into two documentation models. Call them structural and behavioral.

Behavioral documentation depends on a human caller doing the right thing: taking accurate notes, logging timestamps, recording the call if policy requires it. When a human forgets to press record or transcribes an employer's response incorrectly, the gap is invisible until litigation surfaces it. Behavioral documentation works at low volume. It degrades at scale.

Structural documentation is produced by system architecture, not individual behavior. When an AI agent places a verification call, the recording, transcript, timestamps, and outreach log are generated automatically. There is no "forgot to log" failure mode. The audit trail is a byproduct of the system doing its job.

The market reflects this split. Equifax's The Work Number takes a database-first approach, pulling payroll records rather than contacting employers directly. Truework combines instant database access with manual outreach for cases that fall outside its network. Argyle connects to payroll platforms via API for real-time income and employment data. InformData aggregates across multiple verification sources to serve CRA clients. Neeyamo focuses on global employment verification, covering international employers that U.S.-centric vendors often miss.

Superunit operates differently. Its AI agents call, email, and fax employer HR departments directly, and every interaction is recorded, transcribed, and stored with immutable timestamps by default. The audit trail is not a feature that gets toggled on. It is the architecture. For CRAs evaluating vendors against this checklist, the structural documentation model means categories 2 (chain of custody) and 3 (dispute readiness) are satisfied by system design rather than by staff compliance. Superunit has processed over 70,000 verifications with a 0.82 business day average turnaround across 45 CRA and lender customers.

That distinction matters for your checklist. When you send these 27 questions to a vendor that uses human callers, you are asking whether their people follow protocol. When you send them to a vendor with structural documentation, you are asking whether their system produces protocol-compliant output by default. The second question has a more verifiable answer.

Frequently Asked Questions

Is the CRA or the verification vendor liable for an FCRA violation? The CRA bears primary liability under §604 and §1681e(b). A CRA cannot delegate its FCRA obligations by outsourcing verification to a third party. The vendor may have independent §607(b) obligations as a furnisher, but the CRA is the entity that furnishes the consumer report and is therefore the entity plaintiffs and regulators will hold accountable.

What is permissible purpose under FCRA §604? Permissible purpose is the legal basis that must exist before a CRA furnishes a consumer report. For background screening, the most common basis is §604(a)(3)(B), which covers employment purposes. The purpose must be established and documented before the verification begins, not retroactively certified.

How long should employment verification records be retained? The FCRA does not specify a universal retention period. State consumer reporting laws often impose longer requirements. Best practice for CRAs in background screening is a minimum of 5 years for all verification records, with dispute records retained until fully resolved plus the applicable statute of limitations period.

What does "reasonable procedures" mean for a verification vendor? Courts and regulators evaluate "reasonable procedures" under §1681e(b) based on documentation, not intentions. Written accuracy policies, staff training records, output auditing processes, and error-correction workflows all contribute to the standard. A vendor that cannot produce these artifacts has a weak defense in accuracy disputes.

Can AI-based verification meet FCRA chain-of-custody requirements? Yes, provided the AI system produces immutable, timestamped records of every outreach attempt, preserves original-source employer responses, and maintains tamper-evident storage. AI-based systems can exceed human-caller documentation standards because the audit trail is generated structurally rather than depending on individual behavior.

Next Steps

If your vendor file contains a rate sheet and nothing else, this checklist is where you start. Download it, send it to your vendor's compliance officer, and keep the completed responses as part of your FCRA compliance program.

For a full comparison of verification platforms evaluated on CRA-specific criteria, see Best Employment Verification Software for CRAs (2026). To book a walkthrough of how Superunit's structural audit trail maps to this checklist, schedule a demo.