Before you close, verify FCRA compliance, revenue stickiness, cybersecurity posture, and technology scalability with this industry-specific acquisition framework.
Acquiring a background screening company offers compelling recurring revenue and defensible client relationships, but the diligence process is uniquely demanding. Buyers must navigate a complex federal and state regulatory landscape anchored by the Fair Credit Reporting Act, assess the quality and stickiness of contractual employer and staffing agency relationships, evaluate proprietary versus third-party data infrastructure, and quantify cybersecurity exposure tied to handling sensitive personally identifiable information at scale. This checklist organizes the five most critical diligence workstreams—compliance history, revenue quality, technology infrastructure, data vendor relationships, and key personnel risk—into actionable items with clear red flags to help buyers avoid costly surprises and price deals with confidence.
Background screening is one of the most regulated service businesses you can acquire. A single pattern of FCRA non-compliance can generate class action exposure that dwarfs the purchase price. Verify the compliance program is documented, audited, and defensible before proceeding.
Request all FCRA-related consumer disputes, adverse action complaints, and regulatory correspondence from the past five years.
Patterns of consumer disputes signal systemic process failures that create ongoing class action liability.
Red flag: Multiple unresolved consumer disputes or any active FCRA litigation filed against the company.
Review written adverse action procedures, permissible purpose documentation, and consumer disclosure templates.
Deficient adverse action processes are the most common trigger for FCRA class action lawsuits.
Red flag: Absence of documented adverse action workflows or outdated disclosure forms that predate recent CFPB guidance.
Audit compliance with state ban-the-box laws, salary history bans, and EEOC individualized assessment requirements across all active client jurisdictions.
State-level violations create independent liability exposure beyond federal FCRA risk.
Red flag: No state compliance monitoring process in place or clients operating in high-risk jurisdictions without updated screening workflows.
Confirm whether the company holds a Consumer Reporting Agency registration or license in all states that require it, including California, New York, and Minnesota.
Operating without required state CRA licenses creates immediate regulatory exposure post-acquisition.
Red flag: Missing state registrations or lapsed licenses discovered during diligence with no remediation plan.
The value of a background screening company is built on recurring, contractual employer relationships with low churn. Diligence must separate true recurring contract revenue from transactional volume and identify concentration risk that could collapse revenue post-close.
Obtain a full client revenue schedule segmented by contract versus transactional revenue for the trailing 36 months.
Contractual recurring revenue justifies higher multiples; transactional volume tied to hiring cycles does not.
Red flag: Less than 60% of revenue under active contracts or significant revenue volatility tied to one or two client hiring surges.
Identify the top 10 clients by revenue and calculate each client's percentage of total trailing twelve-month revenue.
Concentration above 20% in a single client creates material post-acquisition revenue risk.
Red flag: Any single client representing more than 25% of revenue without a multi-year contract with renewal provisions.
Calculate gross and net revenue retention rates for each of the past three years, segmented by client vertical.
Net retention above 100% signals upsell capability; churn above 10% annually indicates client satisfaction problems.
Red flag: Annual churn rate exceeding 10% or net revenue retention consistently below 95% across the client base.
Review all master service agreements for pricing terms, volume minimums, auto-renewal clauses, and change-of-control provisions.
Change-of-control clauses can allow clients to terminate contracts immediately upon acquisition close.
Red flag: Multiple enterprise contracts containing change-of-control termination rights without amendment or client consent secured.
A background screening company's technology platform directly determines scalability, client switching costs, and future capital requirements. Handling sensitive PII at volume also creates cybersecurity obligations that must be fully assessed before closing.
Review the technology stack architecture, identifying proprietary versus licensed components, hosting environment, and system uptime history.
Outdated or heavily manual platforms require costly replacement capital that should reduce purchase price.
Red flag: Legacy on-premise systems with no API capabilities, high manual processing rates, or recurring downtime incidents affecting client deliverables.
Audit all active ATS and HRIS integrations including Workday, Greenhouse, iCIMS, and BambooHR, and assess integration depth and stability.
Deep ATS integrations create switching costs that protect revenue; shallow integrations are easily displaced by competitors.
Red flag: No native ATS integrations or integrations built on undocumented custom code with no third-party support contracts.
Request the most recent cybersecurity assessment or penetration test results, SOC 2 certification status, and incident response documentation.
A PII data breach post-close creates regulatory liability, client attrition, and reputational damage that falls on the buyer.
Red flag: No formal cybersecurity assessment in the past 18 months, absence of SOC 2 certification, or undisclosed prior data incidents.
Confirm data retention and destruction policies comply with FCRA seven-year limits and applicable state privacy statutes including CCPA.
Improper PII retention creates ongoing regulatory exposure and inflates data breach liability scope.
Red flag: No documented data retention schedule or evidence that consumer PII is stored indefinitely without a deletion protocol.
Background screening margins depend heavily on the cost and reliability of upstream data vendors including county court search networks, credit bureaus, MVR providers, and drug testing labs. Favorable vendor contracts and direct data relationships are meaningful value drivers.
Obtain and review all data vendor agreements including county court search networks, TransUnion or Equifax credit bureau access, MVR providers, and drug testing administrators.
Vendor contract terms, pricing, and exclusivity directly determine gross margin and competitive positioning.
Red flag: Month-to-month vendor agreements with no volume pricing, or key data source contracts that expire within 12 months of close.
Calculate data vendor costs as a percentage of gross revenue and benchmark against industry norms of 30–45% of revenue.
Thin margins driven by high vendor costs signal limited pricing power and susceptibility to vendor price increases.
Red flag: Data vendor costs exceeding 55% of revenue or gross margins consistently below 40% with no clear path to improvement.
Assess whether the company has direct county court researcher relationships or relies entirely on national aggregator networks.
Direct county relationships provide faster turnaround, broader coverage, and lower unit costs than aggregator pass-through pricing.
Red flag: Complete dependence on a single national court search aggregator with no direct county relationships or backup search options.
Review drug testing program administration agreements and confirm chain-of-custody compliance with DOT and non-DOT collection site networks.
Drug testing revenue carries separate compliance obligations; collection site network gaps limit geographic service capability.
Red flag: Drug testing revenue with no formal MRO agreement or collection site coverage gaps in key client operating markets.
Background screening businesses often succeed or fail based on the relationships and institutional knowledge held by a handful of individuals. Quantify owner dependency and assess whether the compliance and account management team can sustain operations through and beyond the transition.
Map the owner's direct involvement in client relationships, identifying which enterprise accounts interact exclusively with the founder.
Owner-held client relationships that cannot be transitioned create immediate post-close churn risk.
Red flag: The seller is the primary contact for clients representing more than 40% of revenue with no documented transition plan.
Review employment agreements, non-solicitation clauses, and compensation structures for the compliance officer and top account managers.
Departing compliance staff post-close creates regulatory vulnerability; losing account managers accelerates client attrition.
Red flag: No non-solicitation agreements with key account managers or the compliance officer planning to exit within 90 days of close.
Assess whether operational processes including onboarding, dispute handling, and report fulfillment are documented in written SOPs.
Undocumented processes dependent on tribal knowledge cannot scale and create operational risk during ownership transitions.
Red flag: Core screening workflows exist only in the minds of one or two employees with no written procedures or training materials.
Evaluate the depth of the sales pipeline and whether new business development is driven by the owner or a dedicated sales function.
Owner-dependent sales pipelines collapse post-close when founders disengage from the business.
Red flag: 100% of new client wins in the past 24 months sourced directly by the owner with no sales team or referral channel.
Request all consumer dispute logs from the past five years, adverse action notice templates, permissible purpose authorization forms, and any correspondence with the CFPB, FTC, or state attorneys general. Also ask for the internal compliance manual or written FCRA policy. If none of these documents exist in organized form, treat that absence itself as a significant red flag signaling an immature compliance infrastructure.
Ask for architecture documentation showing whether the platform is cloud-hosted or on-premise, what ATS and HRIS integrations exist and how they were built, system uptime logs for the past 24 months, and the development roadmap. Then get an independent technical assessment from a software architect familiar with SaaS or workflow automation platforms. Replacement of a core screening platform can cost $500K to $2M and take 18 months, which should directly reduce your offer price.
Best-in-class background screening companies maintain annual gross revenue churn below 5%, with net revenue retention above 100% due to hiring volume growth among retained clients. Ask for a cohort-based churn analysis showing revenue at the start and end of each of the past three years for clients active at that period's beginning. Cross-reference this against the client revenue schedule and individual contract terms to verify the seller's reported retention figures.
Yes, background screening companies are generally SBA-eligible service businesses, and SBA 7(a) loans are a common financing structure for acquisitions in the $2M to $10M range. SBA lenders will scrutinize the quality of recurring revenue and whether it is truly contractual, the company's FCRA compliance history and any open litigation, the cybersecurity and data handling posture given PII exposure, and whether the business can service debt without the owner. Expect lenders to require a seller note of 5 to 10 percent of the purchase price and a transition period of at least 12 months with the seller.