# FCRA & TCPA Compliance Tracking

**Version:** 1.0.0\
**Last Updated:** 2026-02-10\
**Status:** Active\
**Module:** HR

> **Cross-References:**
>
> * [Background Check Types](../../src/cores/hr/types/background-checks.ts) - FCRA adverse action types
> * [SMS Consent Types](../../src/cores/hr/types/sms-consent.ts) - TCPA consent definitions
> * [ATS Background Check Architecture](../architecture/) - Integration patterns

***

## Overview

This document defines the mandatory compliance requirements and sign-off gates that must be satisfied before enabling Background Check (Checkr) and SMS notification features in production. Each gate requires documented approval from the designated authority before the feature can be activated for an organization.

### Current Verification Status (2026-03-03)

| Area                 | Implementation                                                                                                                                          | Sign-Off      | Target                                                     |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------------------------- |
| **F-01–F-12 (FCRA)** | Spec and DB/RLS in place (HR-09-P5.2); Checkr live integration not yet enabled. Tables: `hr_background_checks`, `hr_background_check_webhook_audit`.    | All ☐ Pending | Gate 1 target: when HR-09-P5.2 ships (Q2 2026)             |
| **T-01–T-12 (TCPA)** | Spec and DB/RLS in place; `hr_sms_consent_logs`, consent types, PHI detection pattern. SMS delivery via existing `send-sms-notification` edge function. | All ☐ Pending | Gate 2 target: when SMS feature enabled for orgs (Q2 2026) |

**Pre-requisite for Gate 1:** HR-09-P5.2 (Background Check Integration) must be implemented and deployed before Checkr can be enabled for any organization. Until then, all F-\* requirements remain "implementation ready, sign-off pending."

***

## 1. FCRA Compliance Requirements (Background Checks)

The Fair Credit Reporting Act (FCRA) governs how consumer reports (background checks) are obtained, used, and disclosed in employment decisions.

### 1.1 Pre-Screening Requirements

| #    | Requirement                                                                                                           | Implementation                                                                     | Status    | Sign-Off         |
| ---- | --------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | --------- | ---------------- |
| F-01 | **Written Disclosure** — Provide applicant a standalone written disclosure that a background check may be obtained    | `fcra_disclosure_document_url` field on `hr_background_checks`                     | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-02 | **Written Authorization** — Obtain written consent from the applicant before ordering the report                      | Consent captured via Candidate Portal (HR-09-P5 Phase 5.3) with timestamped record | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-03 | **Certification to CRA** — Certify to the Consumer Reporting Agency (Checkr) that all FCRA requirements have been met | Checkr API invitation flow includes employer certification                         | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-04 | **State-Specific Disclosures** — Include any state-specific disclosure addenda (e.g., CA, NY, WA)                     | Organization-level document configuration in settings                              | ☐ Pending | \_\_\_\_\_\_\_\_ |

### 1.2 Adverse Action Process

The FCRA mandates a two-step adverse action process when a background check result may negatively impact an employment decision.

| #    | Requirement                                                                                                                                                  | Implementation                                                                                                                    | Status    | Sign-Off         |
| ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | --------- | ---------------- |
| F-05 | **Pre-Adverse Action Notice** — Send the applicant a copy of the report, a summary of rights, and a pre-adverse action letter before making a final decision | `adverse_action_notice_sent_at` + `adverse_action_notice_document_url` fields; `FCRAAdverseActionStatus = 'notice_sent'`          | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-06 | **Waiting Period** — Allow a reasonable waiting period (typically 5 business days) for the applicant to dispute                                              | `dispute_window_closes_at` field with configurable window; system blocks final action until window expires                        | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-07 | **Dispute Handling** — Process applicant disputes by re-investigating through the CRA                                                                        | `dispute_submitted`, `dispute_reason`, `dispute_resolved_at` fields; `FCRAAdverseActionStatus = 'dispute_pending'` → `'resolved'` | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-08 | **Final Adverse Action Notice** — If decision stands after dispute window, send final adverse action notice with CRA contact info and rights summary         | `final_adverse_notice_sent_at` + `final_adverse_notice_document_url`; `FCRAAdverseActionStatus = 'final_notice_sent'`             | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-09 | **Record Retention** — Retain all FCRA-related documents per federal (1 year) and state requirements                                                         | `fcra_retention_until` field; retention policy enforcement                                                                        | ☐ Pending | \_\_\_\_\_\_\_\_ |

### 1.3 Ongoing Obligations

| #    | Requirement                                                                       | Implementation                                                                     | Status    | Sign-Off         |
| ---- | --------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | --------- | ---------------- |
| F-10 | **Data Security** — Properly dispose of consumer report information               | Soft-delete with `fcra_retention_until` expiration; no PII in logs                 | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-11 | **Audit Trail** — Maintain complete audit trail of all background check actions   | `hr_background_check_webhook_audit` table; immutable webhook logs                  | ☐ Pending | \_\_\_\_\_\_\_\_ |
| F-12 | **Permissible Purpose** — Only obtain reports for permissible employment purposes | Application-level enforcement: checks tied to `hr_applications` with active status | ☐ Pending | \_\_\_\_\_\_\_\_ |

***

## 2. TCPA Compliance Requirements (SMS)

The Telephone Consumer Protection Act (TCPA) regulates automated text messages and requires explicit consent before sending SMS communications.

### 2.1 Consent Collection

| #    | Requirement                                                                                                           | Implementation                                                                                                | Status    | Sign-Off         |
| ---- | --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | --------- | ---------------- |
| T-01 | **Express Written Consent** — Obtain clear, conspicuous written consent before sending any automated SMS              | `hr_sms_consent_logs` table with `consent_given`, `consent_text`, `ip_address` fields                         | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-02 | **Consent Text Disclosure** — Consent language must clearly describe the types of messages, frequency, and data rates | `DEFAULT_CONSENT_TEXT` constant; customizable per organization                                                | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-03 | **Consent Per Message Type** — Separate consent for each category of messages                                         | `SMSConsentType` enum: `background_check_notifications`, `interview_reminders`, `offer_updates`, `general_hr` | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-04 | **Voluntary Consent** — Consent cannot be a condition of employment or application                                    | UI displays consent as optional checkbox; application proceeds regardless                                     | ☐ Pending | \_\_\_\_\_\_\_\_ |

### 2.2 Opt-Out Mechanisms

| #    | Requirement                                                                                | Implementation                                                         | Status    | Sign-Off         |
| ---- | ------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- | --------- | ---------------- |
| T-05 | **STOP Keyword** — Honor "STOP" replies to immediately cease messages                      | `opt_out_methods: 'stop_keyword'`; webhook processing for inbound STOP | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-06 | **Opt-Out Confirmation** — Send a single confirmation message acknowledging opt-out        | Edge function sends one final message upon STOP processing             | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-07 | **Opt-Out Record** — Maintain timestamped record of all opt-outs                           | `opted_out_at`, `opt_out_method` fields on `hr_sms_consent_logs`       | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-08 | **Re-Opt-In Process** — If user texts START after opting out, re-enable with fresh consent | New consent log entry created; previous opt-out record preserved       | ☐ Pending | \_\_\_\_\_\_\_\_ |
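How the consent gate described in section 4 can resolve active consent from the insert-only `hr_sms_consent_logs` table, covering T-01, T-05 through T-08 and the T-12 business-hours setting; this is an added example, not EncoreOS project code. It assumes a `phone` and a `created_at` column, that a STOP is recorded by appending a new row rather than updating an existing one, and that `sms_business_hours_start/end` are `HH:MM` strings interpreted in UTC.

```typescript
type SMSConsentType =
  | 'background_check_notifications' | 'interview_reminders' | 'offer_updates' | 'general_hr';

// One row of hr_sms_consent_logs. `phone` and `created_at` are assumed columns;
// the others are the fields section 2 names. Because the table is insert-only,
// an opt-out is an appended row, and consent state is the newest row per phone+type.
interface SMSConsentLog {
  phone: string;
  consent_type: SMSConsentType;
  consent_given: boolean;
  consent_text: string;
  ip_address: string;
  created_at: string;            // ISO timestamp
  opted_out_at: string | null;
  opt_out_method: 'stop_keyword' | null;
}

// Subset of ce_module_settings (T-12). Times are "HH:MM" in UTC for this example.
interface SmsSettings { sms_business_hours_start: string; sms_business_hours_end: string; }

function latestRow(logs: SMSConsentLog[], phone: string, type: SMSConsentType): SMSConsentLog | undefined {
  return logs
    .filter(l => l.phone === phone && l.consent_type === type)
    .sort((a, b) => Date.parse(b.created_at) - Date.parse(a.created_at))[0];
}

// T-01/T-07: consent is active only if the newest row grants it and carries no opt-out.
function hasActiveConsent(logs: SMSConsentLog[], phone: string, type: SMSConsentType): boolean {
  const row = latestRow(logs, phone, type);
  return row !== undefined && row.consent_given && row.opted_out_at === null;
}

// T-05/T-06/T-07: STOP appends an opt-out row for every type currently consented to.
// Returns the rows to insert and whether the single confirmation message (T-06) is due;
// a repeated STOP with nothing left to revoke sends nothing. Earlier rows stay untouched (T-08).
function recordStop(logs: SMSConsentLog[], phone: string, now: Date): { inserts: SMSConsentLog[]; sendConfirmation: boolean } {
  const types: SMSConsentType[] = ['background_check_notifications', 'interview_reminders', 'offer_updates', 'general_hr'];
  const inserts = types.filter(t => hasActiveConsent(logs, phone, t)).map(t => {
    const prev = latestRow(logs, phone, t)!;
    return { ...prev, consent_given: false, created_at: now.toISOString(),
             opted_out_at: now.toISOString(), opt_out_method: 'stop_keyword' as const };
  });
  return { inserts, sendConfirmation: inserts.length > 0 };
}

function withinBusinessHours(s: SmsSettings, now: Date): boolean {
  const hm = (t: string) => { const [h, m] = t.split(':').map(Number); return h * 60 + m; };
  const cur = now.getUTCHours() * 60 + now.getUTCMinutes();
  return cur >= hm(s.sms_business_hours_start) && cur < hm(s.sms_business_hours_end);
}

// The consent gate from section 4: every send path must pass this before dispatch.
function canSend(logs: SMSConsentLog[], s: SmsSettings, phone: string, type: SMSConsentType, now: Date): { ok: boolean; reason?: string } {
  if (!hasActiveConsent(logs, phone, type)) return { ok: false, reason: 'no active consent (T-01/T-05)' };
  if (!withinBusinessHours(s, now)) return { ok: false, reason: 'outside business hours (T-12)' };
  return { ok: true };
}
```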

### 2.3 Message Content Requirements

| #    | Requirement                                                                            | Implementation                                                                   | Status    | Sign-Off         |
| ---- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | --------- | ---------------- |
| T-09 | **Organization Identification** — Every message must identify the sending organization | Message templates include org name prefix                                        | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-10 | **Opt-Out Instructions** — Every message must include opt-out instructions             | SMS footer includes "Reply STOP to opt out"                                      | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-11 | **No PHI in SMS** — Messages must not contain Protected Health Information             | PHI detection via `detectPhiInMessage` utility; `sms_phi_detection_mode` setting | ☐ Pending | \_\_\_\_\_\_\_\_ |
| T-12 | **Business Hours** — Send messages only during appropriate hours                       | `sms_business_hours_start/end` in `ce_module_settings`                           | ☐ Pending | \_\_\_\_\_\_\_\_ |

***

## 3. Sign-Off Gates

### Gate 1: Background Check Feature Activation

**Required before:** Enabling Checkr integration for any organization\
**Target date for sign-off:** Q2 2026 (when HR-09-P5.2 ships)

| Prerequisite                                                     | Authority            | Date         | Signature                    |
| ---------------------------------------------------------------- | -------------------- | ------------ | ---------------------------- |
| All F-01 through F-04 requirements verified                      | Compliance Officer   | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| Adverse action workflow tested end-to-end (F-05 through F-08)    | Legal Counsel        | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| Audit trail and retention policies confirmed (F-09 through F-12) | Data Privacy Officer | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| Checkr webhook signature verification tested                     | Engineering Lead     | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| State-specific disclosure review for operating states            | Legal Counsel        | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |

**Gate Decision:** ☐ Approved / ☐ Conditional / ☐ Blocked

**Conditions (if any):** \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

***

### Gate 2: SMS Feature Activation

**Required before:** Enabling SMS notifications for any organization\
**Target date for sign-off:** Q2 2026 (when SMS feature enabled for orgs)

| Prerequisite                                               | Authority            | Date         | Signature                    |
| ---------------------------------------------------------- | -------------------- | ------------ | ---------------------------- |
| All T-01 through T-04 consent mechanisms verified          | Compliance Officer   | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| Opt-out flow tested end-to-end (T-05 through T-08)         | Legal Counsel        | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| Message content requirements validated (T-09 through T-12) | Compliance Officer   | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| PHI detection rules reviewed and tested                    | Data Privacy Officer | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| Carrier registration (10DLC/A2P) completed                 | Engineering Lead     | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |

**Gate Decision:** ☐ Approved / ☐ Conditional / ☐ Blocked

**Conditions (if any):** \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

***

### Gate 3: Per-Organization Activation

**Required before:** Enabling features for each new organization/tenant

| Prerequisite                                                 | Authority          | Date         | Signature                    |
| ------------------------------------------------------------ | ------------------ | ------------ | ---------------------------- |
| Organization-specific disclosure documents uploaded          | Org Admin          | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| State-specific addenda configured for org's operating states | Compliance Officer | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| SMS consent text reviewed and customized                     | Legal Counsel      | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |
| Org admin trained on adverse action workflow                 | Compliance Officer | `YYYY-MM-DD` | \_\_\_\_\_\_\_\_\_\_\_\_\_\_ |

**Gate Decision:** ☐ Approved / ☐ Conditional / ☐ Blocked

***

## 4. Enforcement in Code

The following technical controls enforce compliance gates:

| Control                      | Location                            | Description                                                                                                    |
| ---------------------------- | ----------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| `HiringChecklist` component  | HR-09-P5                            | Blocks hire completion until background check is `complete_clear` and offer is `signed`                        |
| SMS consent gate             | `hr_sms_consent_logs`               | SMS sending functions verify active consent before dispatch                                                    |
| PHI detection                | `detectPhiInMessage`                | Blocks or warns on PHI content based on `sms_phi_detection_mode`                                               |
| Adverse action state machine | `FCRAAdverseActionStatus`           | Enforces sequential progression: `none` → `notice_sent` → `dispute_pending` → `resolved` → `final_notice_sent` |
| Webhook audit immutability   | `hr_background_check_webhook_audit` | RLS restricts writes to `service_role` only                                                                    |
| Consent record immutability  | `hr_sms_consent_logs`               | Insert-only policy; no updates or deletes by application users                                                 |

***

## 5. Periodic Review Schedule

| Review                            | Frequency     | Next Due     | Owner                |
| --------------------------------- | ------------- | ------------ | -------------------- |
| FCRA process audit                | Quarterly     | `YYYY-MM-DD` | Compliance Officer   |
| TCPA consent mechanism review     | Quarterly     | `YYYY-MM-DD` | Legal Counsel        |
| State law update check            | Monthly       | `YYYY-MM-DD` | Legal Counsel        |
| PHI detection pattern update      | Semi-annually | `YYYY-MM-DD` | Data Privacy Officer |
| Carrier compliance review (10DLC) | Annually      | `YYYY-MM-DD` | Engineering Lead     |

***

## Official Sources

| Source                                                           | URL                                                                                                                                                                                                          |
| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| FTC: Using Consumer Reports — What Employers Need to Know        | [https://www.ftc.gov/business-guidance/resources/using-consumer-reports-what-employers-need-know](https://www.ftc.gov/business-guidance/resources/using-consumer-reports-what-employers-need-know)           |
| CFPB: Summary of Consumer Rights (FCRA Regulation V, Appendix K) | [https://www.consumerfinance.gov/rules-policy/regulations/1022/K](https://www.consumerfinance.gov/rules-policy/regulations/1022/K)                                                                           |
| FCC: Rules and Regulations Implementing the TCPA                 | [https://www.fcc.gov/document/rules-and-regulations-implementing-telephone-consumer-protection-act-22](https://www.fcc.gov/document/rules-and-regulations-implementing-telephone-consumer-protection-act-22) |

Full list of authoritative external references (HR, CL, PM, RH, GR, IT, PF): root [AGENTS.md](../../AGENTS.md) § Authoritative External References.

***

## Version History

### 1.0.0 (2026-02-10)

* Initial compliance tracking document
* Defined FCRA requirements F-01 through F-12
* Defined TCPA requirements T-01 through T-12
* Established three sign-off gates (feature activation, SMS activation, per-org activation)
* Mapped enforcement controls to codebase

***

**Last Updated:** 2026-02-10\
**Next Review:** 2026-05-10
