Background checks: finding the right balance for compliance

Background checks are a common practice in the hiring process, particularly when compliance is a priority. They help ensure the people joining your company are trustworthy and capable of upholding your company’s standards, including confidentiality, integrity and adherence to the code of conduct. A ‘just enough’ approach to background checks can help you find the right balance between thoroughness and effectiveness, ensuring you meet compliance requirements without overextending your resources.

The purpose of background checks
The primary goal of background checks is to ensure the individuals you hire have the integrity and reliability needed to maintain the company’s standards. This includes:

  • Maintaining confidentiality: ensuring new hires can be trusted with sensitive company information.
  • Upholding working practices: verifying they will adhere to the company’s code of conduct and work practices.
  • Mitigating risk: reducing the risk of potential issues related to an individual’s past behavior, particularly in roles involving sensitive data.

Types of background checks: what’s necessary?

  • Reference checks: for many roles, especially where customer requirements or specific risks don’t mandate more stringent checks, reference checks can be a sufficient method of ensuring a candidate’s suitability. Reference checks offer flexibility and provide valuable insights into a candidate’s past work behavior and integrity. By speaking with previous employers or colleagues, you can get a sense of how the candidate has handled responsibilities, maintained confidentiality and worked within a team.
    • Versatility: reference checks are adaptable and can be tailored to focus on aspects most relevant to the role.
    • Efficiency: these checks are generally quicker and less invasive, making them suitable for most roles where extreme vetting isn’t necessary.
  • Police checks: in some cases, police checks might be necessary, particularly if the role involves handling sensitive data or working in environments where the risk is higher. Police checks can reveal any criminal history that might indicate a risk in hiring a particular candidate. While these checks provide a deeper level of scrutiny, they aren’t always necessary unless there’s a specific reason or customer requirement.
    • When to use police checks: consider police checks if the role has a significant impact on the company’s security or if handling highly sensitive information is involved.
    • Customer requirements: if your customers require police checks as part of their compliance standards, it’s essential to include these in your hiring process for relevant roles.

Implementing ‘just enough’
When it comes to Type 1, you can get away with a defined approach to background checks, e.g. confirming the provider you will use or establishing a template for reference checks. For Type 2, you should be able to demonstrate that at least a reference check was conducted for new hires.

➡️ Doing less tip #1: assessing risk and customer requirements
Start by assessing the risk associated with the role and understanding any specific customer requirements. If the role is lower risk or if customer contracts don’t specifically require police checks, reference checks might be sufficient.

➡️ Doing less tip #2: balancing thoroughness with effectiveness
The key to effective background checks is balancing thoroughness with effectiveness. While police checks provide deeper scrutiny, they should be reserved for roles where they are truly necessary. For many positions, reference checks provide a practical, versatile and ‘just enough’ approach to ensuring the integrity of new hires.

Better practices
To lift your compliance game with background checks you may consider:

  • Map out any specific requirements of your enterprise customers, and any regulations in the regions or industries you operate in, so that you have established requirements to work from. In some cases, enterprise customers will require additional checks for personnel directly accessing their data or delivering their services.
  • Define a risk-based approach that applies more basic reference checks to lower-risk roles, e.g. sales and marketing, and more rigorous police and credit checks to higher-risk roles, e.g. developers and operations personnel with privileged access to systems.
  • Use automation to ensure background checks are completed on time and tracked. Compliance platforms, like Vanta and Drata, have solutions built to help manage this.
  • If, for whatever reason, the checks aren’t completed before the new hire’s onboarding date, it’s best to limit their access to sensitive systems and data until they are completed. That manages the risk and helps demonstrate compliance, despite the delay.


In a nutshell
Background checks are a critical part of the hiring process, particularly in ensuring compliance and maintaining the integrity of your company. By applying the ‘just enough’ approach, you can tailor your background checks to meet the specific needs of each role—reserving more intensive checks, like police checks, for when they’re necessary, and relying on reference checks as a versatile and efficient alternative. This approach not only helps you manage resources effectively but also ensures your company remains compliant and secure in its hiring practices.