9 Background Verification Mistakes Employers Make

From skipped consent forms to post-joining checks, these 9 BGV mistakes quietly expose Indian employers to legal and financial risk.
Kumari Shreya
Sunday June 28, 2026

Background verification is no longer a clerical step at the end of hiring. It’s a risk-management function, and the gaps in it now carry legal, financial, and reputational consequences that didn’t exist a few years ago.

In the first half of FY26, business intelligence firm AuthBridge recorded a resume discrepancy rate of 5% across its checks, rising to 5.6% for gig workers. Among white-collar hires, employment verification alone showed an 11.15% discrepancy rate. That means roughly one in nine professional candidates had something in their work history that didn’t hold up.

The mistakes that let those discrepancies through are rarely dramatic. They’re process gaps: a consent form that doesn’t meet the new legal bar, a check skipped to save time, a red flag waved through under pressure to close a role. Each one is small. Together, they’re how a bad hire walks through the door with a clean report.

1. Treating Verification as a Post-Offer Formality

When verification runs only after the offer is signed, the process loses most of its leverage. By then, the role is announced internally, the candidate has resigned elsewhere, and HR is under pressure to onboard. Adverse findings at that stage force an awkward choice: withdraw an offer the business has already committed to, or quietly let the discrepancy slide.

The fix isn’t to verify earlier in every case. It’s to sequence checks by risk. Run the fast, government-sourced checks (identity, EPFO-linked employment) before or alongside the offer, and reserve slower ones for the gap between offer and joining. The point is that no verification result should ever arrive too late to act on. A verification step that can’t change a decision isn’t a control. It’s paperwork.

2. Skipping or Weakening Candidate Consent

A background check without specific, documented consent is now a direct legal exposure, not a best-practice lapse. Under the Digital Personal Data Protection (DPDP) Rules 2025, notified by MeitY in November 2025, an employer running a background check qualifies as a Data Fiduciary and must obtain explicit, purpose-specific consent before collecting candidate data.

A one-line clause buried in an offer letter no longer clears the bar. Any background check consent clause embedded in an offer letter predating November 2025 does not meet DPDP Rules 2025 standards. The consent notice has to state the specific purpose, and the candidate must be able to withdraw it.

The penalty structure is what changes the math. The highest penalty, up to ₹250 crore, applies to a Data Fiduciary’s failure to maintain reasonable security safeguards. Crucially, the employer stays accountable even when verification is outsourced to a vendor. “Our BGV partner handles consent” is not a defence.

What a defensible consent process now looks like:

| Element | What It Requires |
|---|---|
| Standalone form | Separate from the offer letter, not a buried clause |
| Specific purpose | Each check type is named, not a blanket authorisation |
| Right to withdraw | Stated clearly, with a process to honour it |
| Vendor agreement | A documented data-processing agreement with the BGV provider |
| Retention timeline | Defined deletion period, typically 180 days for non-hired candidates |

Most of the DPDP framework’s substantive obligations roll out in phases through May 2027, but the Data Protection Board is already operational, so the consent step is the one to fix first.

3. Verifying Employment History and Stopping There

Employment is the single most-failed check, so it’s tempting to treat it as the whole job. The data says otherwise. An EY study released in May 2025, based on more than one million pre-employment screenings across over 90 mid-to-large organisations, found that 85% of discrepant profiles failed on employment checks, 5% had discrepant educational claims, and 3% had pending civil or criminal cases.

Employment dominates, but the other categories are where the serious risks hide. In the IT sector, the same study found that 32% of candidates submitted fake documents from companies that didn’t exist or where the named employer denied issuing them, and 45% were found to be moonlighting through dual employment or active GST registrations tied to their PAN.

What you verify should scale with the role:

  • Every hire: Identity, address, and EPFO-linked employment history.
  • Most professional roles: Add education and previous-employer confirmation.
  • Regulated or sensitive roles: Add criminal record checks, professional licences, and credit checks where the role touches finance.
  • Healthcare and finance specifically: Verify credentials against the issuing institution directly. The EY data showed fabricated qualifications concentrated heavily in these sectors.

A clean employment check on a candidate with a forged degree is still a failed verification. It just fails silently.

4. Collecting Sensitive Data Without Adequate Safeguards

Verification involves collecting some of the most sensitive data an employer ever touches: identity proofs, addresses, criminal records, and salary history. Under the DPDP framework, how that data is stored and secured is now a regulated obligation, not an IT preference.

The exposure is specific. The ₹250 crore ceiling attaches to a failure to maintain reasonable security safeguards around personal data. A spreadsheet of candidate Aadhaar numbers on a shared drive, BGV reports sitting in an unsecured inbox, or data retained indefinitely after a candidate was rejected: each is a potential breach point.

Three practices that materially reduce the risk:

  1. Data minimisation. Collect only what the stated purpose needs. If the role doesn’t require a credit check, don’t collect financial data.
  2. Defined retention and deletion. Set a deletion timeline and follow it. Non-hired candidate data shouldn’t sit in your systems for years.
  3. Vendor due diligence. If a third party runs your checks, a documented data-processing agreement and proof of their security controls are part of your compliance record, because the liability is still yours.

For a fuller view of how data privacy intersects with hiring technology, TPB’s guide to how AI is used in HR covers the DPDP implications of automated screening tools.

5. Applying Inconsistent Standards Across Candidates

When the depth of verification varies by who’s doing the hiring, which department is filling the role, or how senior the candidate is, two problems follow. The first is fairness: a candidate screened harder than a peer in the same role has a legitimate grievance. The second is risk: inconsistent standards are precisely how a risky hire slips through, because the looser path is always the one a determined fraudster targets.

The fix is a documented verification policy mapped to role tiers, applied the same way every time. Junior roles get a defined baseline. Senior and sensitive roles get an expanded set. The standard attaches to the role, not the recruiter’s discretion or the hiring manager’s urgency. Consistency is also a compliance asset. A documented, uniformly applied policy is far easier to defend than a case-by-case approach that looks arbitrary in hindsight.

6. Waving Through Red Flags and Discrepancies

Verification teams under volume pressure can drift toward completing checks rather than interrogating them. A discrepancy gets logged, a box gets ticked, and the report moves on. But not every discrepancy is equal, and the dangerous ones are easy to rationalise away.

Indian BGV reports typically use a traffic-light system that exists precisely to force this judgment:

| Status | Meaning | Action |
|---|---|---|
| Green | Clear, no discrepancy | Proceed |
| Amber | Minor discrepancy, possibly innocent | Investigate before deciding |
| Red | Material fraud or misrepresentation | Serious review, often offer withdrawal |

An amber finding is where most mistakes happen. A name spelled differently across documents or an employment date off by a week is often harmless. But a job title that doesn’t match the salary claimed, a degree dated before the institution offered that course, or an address that passes a digital check but fails physical verification: those need a human looking closely. The discipline is simple to state and hard to maintain under pressure: investigate every amber before clearing it, and never let throughput override an unexplained gap.

7. Relying on Unverified or Informal Sources

A reference number the candidate provides, a LinkedIn profile, or a social media presence can feel like confirmation. None of them is. The candidate-provided reference is the weakest link in Indian verification because an entire informal industry exists to defeat it.

The structural fix is to stop trusting candidate-supplied channels for anything that matters. For employment, EPFO and UAN records are the strongest counter, because they’re government-maintained and reflect actual PF contributions rather than what a candidate claims. An EPFO check can surface moonlighting that no reference call would ever reveal: if records show contributions from one employer continuing while another begins, the overlap is visible regardless of what the resume says.

One caveat changed the workflow in 2025. Through a circular dated 27 March 2025, the EPFO restricted employers to viewing only a member’s present employment details on the portal, to protect members from misuse of their past employment data. Manual UAN portal checks now show the present, not the full history. Verification that depends on portal viewing alone misses exactly the gaps a candidate is most likely to hide, which is one reason API-based and source-verified checks have become the standard for serious BGV.

For roles where designation matters, EPFO confirms tenure but not job title, so direct employer verification still has a place, just not through a number the candidate handed you.

8. Delaying Checks Until After Onboarding

Verification that finishes after the employee has joined and started working creates a problem with no clean exit. If a material discrepancy surfaces in week three, the employer is now terminating an active employee rather than declining a candidate, which carries different legal weight, notice obligations, and the operational disruption of unwinding access, equipment, and team integration.

The damage compounds in roles with early access to sensitive systems or data. A finance hire who turns out to have a concealed fraud history has, by the time a delayed check catches it, potentially already touched the systems the check was meant to protect. The principle is straightforward: complete verification before the start date wherever the role’s risk justifies it, and where a check genuinely can’t conclude in time, restrict the employee’s access until it does. A conditional joining, with access gated on a clean report, is far easier to manage than a termination.

TPB’s coverage of offer letter requirements under the new Labour Codes explains how to make a clean background check a stated condition of joining, which keeps this option legally clean.

9. Never Revisiting Verification for Sensitive Roles

A background check is a snapshot. For most roles, the snapshot taken at hiring is enough. For roles involving finance, security, compliance, or access to critical systems, a one-time check at joining leaves a widening blind spot over the years that follow.

This is already a regulatory expectation in parts of the Indian market. Periodic re-verification of existing employees is treated as mandatory under RBI guidelines for senior BFSI staff, and it’s widely recommended for finance, data, and C-suite roles across sectors. The logic holds beyond banking: a clean record in 2022 says nothing about a civil suit filed in 2025 or a conflict of interest that developed after joining.

A workable re-screening approach:

  • Define which roles warrant periodic re-verification, tied to access and risk, not seniority alone.
  • Set a cadence, commonly annual or biennial, and build consent for it into the employment terms so it isn’t a fresh negotiation each time.
  • Scope it to what changes: criminal record, conflicts of interest, and active legal proceedings, rather than re-running a full hiring-stage check.

The cost of periodic re-screening is small against the exposure of a sensitive role going unchecked for a decade.

In the End…

The pattern across all nine mistakes is the same. None of them is a failure of effort. They’re failures of process, sequencing, consent, consistency, judgment, sourcing, timing, and follow-through. And they share a consequence: a verification process that looks complete on paper while leaving the employer exposed in practice.

The market has shifted under HR’s feet on two fronts at once. Fraud has industrialised, with AI-generated documents and shell-company references that defeat casual checks, while the discrepancy data keeps climbing in high-growth sectors. And the legal floor has risen, with the DPDP framework turning sloppy data handling into a quantifiable liability. The employers who manage this well treat BGV as a designed system: risk-tiered, consent-clean, consistently applied, and revisited where the stakes justify it.

Start with the two that carry the steepest downside. Fix your consent process to meet the DPDP standard, and move your fastest checks earlier so no finding ever arrives too late to act on. The rest builds from there.


FAQs


What is the most common background verification mistake employers make in India?

The most common mistake is treating verification as a post-offer formality. When checks run only after the offer is signed, any adverse finding arrives too late to act on without significant business disruption.

Does the DPDP Act 2025 apply to background checks?

Yes. Under the Digital Personal Data Protection Rules 2025, an employer running a background check qualifies as a Data Fiduciary and must obtain explicit, purpose-specific consent before collecting candidate data. A clause buried in an offer letter no longer meets the legal standard.

How often should background verification be repeated for existing employees?

For roles involving finance, security, compliance, or access to critical systems, periodic re-verification is recommended, commonly on an annual or biennial basis. RBI guidelines already mandate re-verification for senior BFSI staff.

Can employers still check a candidate’s full employment history on the EPFO portal?

No. As of a March 2025 circular, EPFO restricted employers to viewing only a member’s present employment details on the portal. API-based and source-verified checks are now the standard for complete employment history.

What should employers do if a background check returns an amber finding?

An amber result should always be investigated before the candidate is cleared. Minor discrepancies like a name spelling difference may be harmless, but gaps such as a mismatched job title or a degree pre-dating the course offering need human review before the report moves forward.

Author

Kumari Shreya, Content Specialist

Shreya delights in conveying her ideas and thoughts through her words. She enjoys exploring the different sides of the HR world and how the industry’s impact on the Indian population is increasing by the day. When not immersed in writing or researching for her writing, you can find her passionately discussing her favorite stories and learning more about the history of the world.