Question 23: “Describe your pre-employment background verification policy for all personnel who access our systems or data. Provide the policy document.”

Question 24: “Provide sample BGV completion reports for 5 randomly selected employees onboarded in the last 12 months.”

Question 25: “What is your data retention policy for background verification records? How does it comply with India’s DPDPA?”

Question 26: “Provide evidence of your BGV vendor’s SOC 2 Type II and ISO 27001 certifications with current audit dates.”

Your VP of Delivery forwards the questionnaire to your VP HR with a two-word Slack message: “Help. Urgent.” You have 10 business days. If you fail this audit, you lose a Rs. 8 crore annual contract.

Two Types of Audits That Expose BGV Gaps

Client audits happen when your enterprise customers evaluate your compliance as their vendor. Banks, insurance companies, global MNCs, and GCCs increasingly audit their vendors’ people practices — including background verification. These audits are triggered by: annual vendor reviews, new regulatory requirements (RBI’s KYE guidelines, DPDPA implementation), contract renewals, security incidents in the industry, or change of compliance leadership at the client.

Regulatory audits happen when bodies like RBI, SEBI, IRDAI, or (under DPDPA) the Data Protection Board examine your internal compliance. For BFSI companies, RBI’s inspection teams specifically check employee screening documentation during their annual supervisory visits.

Both types look for the same three things: a documented process, evidence of consistent execution, and defensible decision-making.

What Auditors Actually Ask For (The Checklist)

1. Written BGV Policy Document (Question 23 territory)

Not “we do background checks.” A formal policy with: scope (who gets screened), check packages by role tier, adverse action procedures, consent and DPDPA compliance framework, vendor management provisions, and a signature from a senior leader (CEO or CHRO) with a date.

If you built the policy using the framework from our “How to Build a BGV Policy” guide, you already have this. If you didn’t, you have 10 days.

2. Evidence of Consistent Execution (Question 24 territory)

Auditors will request 5-10 randomly selected employee files and check: was BGV initiated for each hire? Was it completed before or within 15 days of joining? Are all required checks present based on the employee’s role tier? Are completion dates, report statuses, and any discrepancies documented?

This is where most companies fail. They have a policy, but execution is inconsistent. The Bangalore hires from Q1 were all verified. The Hyderabad batch from Q3 was “rushed” and three candidates were never screened. The auditor finds the gap. The client flags a finding.

3. Discrepancy Handling Documentation

For any BGV that returned red or amber: what was the finding? Was the candidate given an opportunity to respond (as required by your adverse action procedure and DPDPA)? Who made the final decision? What was the documented rationale? Is there an approval trail?

This is the most frequently under-prepared element in Indian companies. Most HR teams handle discrepancies over Slack messages and verbal conversations. When the auditor asks “show me the adverse action documentation for the three red-flag hires from last year,” the answer should not be “let me check with Meera.”

4. Vendor Compliance Evidence (Question 26 territory)

Your BGV vendor’s SOC 2 Type II report (ensure it’s Type II, not Type I — auditors know the difference), ISO 27001 certificate (check expiry date), ISO 27701 certificate (for DPDPA alignment), and the Data Processing Agreement between your company and the vendor (must explicitly cover DPDPA obligations, subprocessor management, and breach notification).

5. Data Retention and Deletion Evidence (Question 25 territory)

How long are BGV records retained? (Recommended: 3 years for standard roles, 8 years for BFSI per RBI Master Circular on KYE.) Where are they stored? (Your vendor’s infrastructure — confirm their certifications cover data storage.) Who has access? (Role-based access control documentation.) Can you demonstrate DPDPA-compliant deletion? (Evidence that records exceeding the retention period have been purged.)

6. Consent Documentation

Can you produce the signed/digital consent form for any randomly selected employee? Is the consent DPDPA-compliant (free, specific, informed, unconditional, unambiguous per Section 6)? Does it specify the purpose, the checks being conducted, the vendor processing the data, and the candidate’s rights?

The Master Audit File (Build This Today)

Create a single folder — physical or digital — containing:

1. Signed BGV policy document (dated, with CEO/CHRO signature)
2. Vendor SOC 2 Type II and ISO 27001/27701 certificates (verified as current)
3. Data Processing Agreement with vendor
4. 10 sample BGV completion reports (anonymized, covering different role tiers)
5. 3 sample discrepancy resolution cases (anonymized, showing the full adverse action trail)
6. Consent form template (DPDPA-compliant version)
7. Data retention and deletion log (showing purge dates for expired records)
8. Vendor quarterly performance review reports (TAT, amber rate, SLA compliance)

Update this folder every quarter. Set a calendar reminder. When the audit request arrives, you respond in hours instead of scrambling for days.

The Cost of Failing an Audit

Client audit failure: Contract non-renewal (Rs. 2-10 crores annually for enterprise contracts), remediation requirements with timeline pressure, and reputational damage with other clients who hear about the failure through industry networks.

Regulatory audit failure: For BFSI: monetary penalties under RBI directions (up to Rs. 1 crore for serious compliance failures), restrictions on business expansion, and public disclosure of enforcement actions. Under DPDPA: penalties of up to Rs. 250 crores for significant data protection failures.

Prevention (building and maintaining the audit file) costs approximately 2-3 hours per quarter. Remediation after a failed audit costs weeks of executive time, potential fines, and relationship damage.

SpringVerify’s SOC 2 Type II and ISO 27001 certifications (current and audited), comprehensive audit trail with downloadable reports, DPDPA-compliant consent workflows, and retention management make audit preparation significantly simpler — because the documentation is generated automatically as part of the verification process, not assembled retroactively.

Key Takeaways:

•Client audits (especially from GCCs and banks) are the #1 reason companies discover their BGV process has gaps

•Build a master audit file with 8 specific documents and update it every quarter — don’t scramble when the questionnaire arrives

•Consistent execution evidence is where most companies fail — random employee file pulls expose inconsistency immediately

•Discrepancy handling documentation is the most under-prepared element — Slack messages are not audit evidence

•Prevention costs 2-3 hours per quarter; a failed audit costs contract losses worth crores and weeks of executive time

The post BGV Audit Readiness: Client & Regulatory appeared first on SpringVerify Blog.

The candidate posted the entire exchange on LinkedIn. The post got 4,700 reactions and 800+ comments, mostly from HR professionals expressing outrage. The company’s Glassdoor rating dropped from 4.1 to 3.6 in a month. Their offer acceptance rate fell 15% the following quarter — candidates were Googling the company and finding the LinkedIn post.

Cost of the error: one premature rejection email sent 12 hours too early.

Why Disputes Will Happen — And Why Your Process Determines the Damage

BGV reports are not infallible. Previous employers misclassify resignations as terminations (especially in “managed exits” common at Indian IT companies). Universities transpose degree years. Court databases return false positives for common names like Rahul Kumar or Priya Sharma. Field agents visit the wrong address.

When a candidate disputes a finding, one of three things is true: the candidate is lying and the report is correct, the report is wrong and the candidate is truthful, or the truth is more nuanced than either version (the “managed exit” scenario).

Without a defined dispute process, you’re gambling every time.

Why This Is Now a Legal Obligation (Not Just Best Practice)

Under DPDPA Section 12, every Data Principal (which includes your candidates) has the right to correction and erasure of their personal data. If your BGV report contains information the candidate believes is inaccurate, they have a statutory right to challenge it. You have a legal obligation to have a process for receiving, investigating, and resolving these challenges.

This isn’t optional courtesy — it’s compliance.

The Six-Step Dispute Resolution Framework

Step 1: Accept the Dispute Formally (Within 24 Hours)

When a candidate disputes a finding — by email, phone, WhatsApp, or through their recruiter — acknowledge receipt within 24 hours. Provide: a specific point of contact (name, email, phone — not a generic inbox), a reference number for tracking, and a defined timeline for resolution (“We will investigate and respond within 7-10 business days”).

Template: “Dear [Name], We have received your dispute regarding [specific finding] in your background verification report (Ref: [number]). Your concern is being investigated. [Contact Name] will be your point of contact. You can expect a resolution update by [date, 7-10 business days]. We take accuracy seriously and appreciate your patience.”

Step 2: Pause Adverse Action (Immediately)

This is the step Priya skipped, and it cost her company dearly. Do NOT proceed with rejection or offer withdrawal while a dispute is pending. If you’ve already sent a rejection, contact the candidate immediately to inform them the decision is under review. The legal principle: adverse action taken before a dispute is investigated is procedurally unfair and challengeable.

Step 3: Investigate Through Your Vendor (Days 1-5)

Direct your BGV vendor to re-verify the specific disputed finding using an alternative channel. If the original verification was phone-based → request document-based re-verification. If the original was through a junior HR contact → request re-verification through a senior HR contact or direct manager. If it was a court record match → request full-name + father’s-name + DOB cross-reference to eliminate false positives. If the employer is Infosys, TCS, or Wipro → many large Indian IT companies now use automated verification portals. Check if the vendor accessed the portal vs. a potentially inaccurate phone response.

Step 4: Accept and Evaluate Candidate Evidence (Days 1-7)

If the candidate provides supporting documents — resignation acceptance email, full-and-final settlement statement, relieving letter, corrected degree certificate, court order showing case dismissal — these must be evaluated alongside the vendor’s re-verification findings.

Don’t dismiss candidate-provided evidence because it contradicts the vendor’s report. The vendor is not always right. Especially in the “termination vs. resignation” scenario — in Indian IT, many exits are negotiated. The company records it as “involuntary separation” for their internal dashboards while the employee genuinely resigned with a negotiated notice period.

Step 5: Communicate the Resolution (Day 7-10)

Regardless of outcome, inform the candidate in writing: what finding was disputed, what evidence was reviewed (vendor re-verification + candidate documents), what conclusion was reached, and what action follows (original finding upheld → adverse action proceeds with documentation | finding corrected → report updated and adverse action withdrawn).

If the original finding was incorrect: update the record, apologize sincerely, and — if the candidate was already rejected — reopen the offer process. Yes, this is awkward. It’s less awkward than a LinkedIn post that damages your employer brand for a year.

Step 6: Document Everything and Feed Back

Every dispute, every piece of evidence, every resolution. This documentation serves three purposes: legal defense if the candidate escalates further, process improvement data (are certain check types generating repeated disputes? Is a specific vendor consistently inaccurate?), and vendor accountability (if 5% of your vendor’s reports are disputed and 40% of disputes result in corrections, your vendor has an accuracy problem).

When the Dispute Reveals the Vendor Was Wrong

This happens more often than vendors admit. If re-verification proves the original report was incorrect, you should: require the vendor to issue a corrected report within 48 hours, document the error for your quarterly vendor review, and if the error rate exceeds a threshold (e.g., more than 3 errors per 100 checks), invoke your SLA remediation clause.

An inaccurate BGV report that causes a wrongful rejection is not just embarrassing — it’s a compliance failure under DPDPA and a potential legal liability for your company.

SpringVerify’s detailed discrepancy reports include the specific data points verified, sources used, and methodology — making dispute investigation faster and more transparent for HR teams, candidates, and legal reviewers.

Key Takeaways:

•DPDPA Section 12 gives candidates a legal right to dispute BGV findings — your process is a legal obligation, not courtesy

•ALWAYS pause adverse action while a dispute is pending — one premature rejection email can cost you 15% of your offer acceptance rate

•Investigate disputes through alternative verification channels — the original method may have produced the error

•The “termination vs. resignation” dispute is the most common in India — the truth is usually a negotiated exit that both sides describe differently

•Track dispute resolution data to hold your vendor accountable — if 40% of disputes result in corrections, your vendor has a problem

The post Handling Candidate Disputes During BGV appeared first on SpringVerify Blog.

The hiring manager’s Slack message from 4:52 PM: “Can she start Monday?”

Priya has no framework. She makes a judgment call. Her colleague in the Chennai office got a similar report last month for a different candidate and made the opposite call. Neither knows about the other’s decision. When the company gets audited by their enterprise client next quarter, this inconsistency will become a finding.

The Problem With Ad-Hoc Report Interpretation

Most Indian HR teams read BGV reports the way they read emails — quickly, reactively, and without a decision framework. This creates three risks: inconsistent decisions on identical fact patterns, legal vulnerability when a rejected candidate challenges, and talent loss when good candidates are held too long over minor issues.

The Decision Framework by Flag Type

Employment Discrepancies (Most Common, Most Nuanced)

Tenure mismatch of 1-3 months: Almost never disqualifying. Candidates approximate dates. “I joined in January” might mean January 15 or February 1. If the employer name and role match, document the minor variance and proceed.

Tenure mismatch of 6+ months: Investigate. This could be deliberate inflation (adding 6 months to meet a “minimum 3 years experience” requirement) or an honest error (confusing probation start with confirmed employment date). Give the candidate 5 business days to explain with supporting documents (offer letter, payslips). EPFO data can often resolve this instantly.

Fabricated employer (company doesn’t exist or candidate never worked there): Automatically disqualifying. No exceptions. This is not a memory error — it’s deliberate fraud. Initiate adverse action immediately.

Undisclosed concurrent employment: Evaluate against your employment policy. If your contract prohibits dual employment (as most Indian IT companies’ contracts do post-Wipro), this is a policy violation. Document and escalate to VP HR + Legal.

Education Discrepancies

Different graduation year (1-2 years off): Minor. Universities sometimes report different years for enrollment vs. convocation vs. degree certificate date. Not disqualifying unless the discrepancy creates a material false experience claim.

Different degree or institution: Material. Claiming an MBA from IIM Bangalore when the actual degree is a PGDM from an unrecognized institute in Noida is not a memory error. Disqualifying for any role where the specific credential was a hiring factor.

Completely fabricated degree: Automatically disqualifying. Zero tolerance. If a candidate fabricated a degree, everything else on their resume is suspect.

Criminal Record Findings

Active case (under investigation or trial): Do NOT automatically reject. Article 14 of the Indian Constitution enshrines equality before law, and the principle of “innocent until proven guilty” applies. Evaluate: the nature of the charge (financial fraud vs. traffic accident), relevance to the role (a cheating case matters for a finance role, less for a warehouse role), and stage of proceedings. Consult Legal before making any decision.

Conviction for a relevant offense: Generally disqualifying when the offense is directly relevant — financial fraud conviction for a finance role, sexual offense conviction for a role with vulnerable population access, violent crime conviction for a customer-facing role.

Acquitted case: Cannot be used as a basis for rejection. An acquittal in Indian law (Section 232, CrPC / now BNSS) means the person is legally innocent. Using an acquitted case to reject a candidate exposes you to legal challenge and potential damages.

Minor offenses (traffic challans, petty violations): Not relevant for most roles. Rejecting a software developer because of a traffic challan in Koramangala is disproportionate and legally indefensible.

Address Verification Issues

Cannot verify (candidate moved): Not disqualifying. Ask for updated address and re-verify. This is a logistics issue, not a character issue.

Address doesn’t exist (wrong pin code, fabricated): Investigate further. Usually an error (wrong pin code, old address they forgot to update). Occasionally a genuine red flag (fabricated address to hide actual location — especially concerning for roles involving travel or customer visits).

The One-Page Decision Matrix

Print this. Pin it in every HRBP’s workspace. Use it during the Monday hiring review.

Action codes: Proceed = move forward, document the finding. Investigate = pause, give candidate 5 business days, consult Legal if criminal. Reject = initiate adverse action process per company policy.

What to Do With “Mixed” Reports

The most common real-world scenario isn’t “everything green” or “everything red.” It’s Priya’s scenario: mostly green, one amber, one concerning finding. For mixed reports:

1. Evaluate each finding independently using the matrix above
2. If any single finding is “Critical” → reject regardless of other greens
3. If all findings are “Minor” → proceed with documentation
4. If any finding is “Major” → investigate before proceeding, regardless of timeline pressure

The hiring manager’s deadline is not a valid reason to skip the investigation step. A 5-day delay is recoverable. A negligent hire is not.

SpringVerify’s reports classify discrepancies by severity level (minor/major/critical) and provide specific detail on what was claimed vs. what was found — enabling HR teams to apply this decision matrix immediately rather than interpreting raw data.

Key Takeaways:

•Build a printed decision matrix by flag type and severity — eliminate ad-hoc judgment

•Employment tenure mismatches under 3 months are almost never disqualifying; fabricated employers always are

•Acquitted criminal cases CANNOT be used to reject candidates — this is legally settled in Indian law

•For “mixed” reports: evaluate each finding independently, and any single Critical finding overrides all greens

•Pin the decision matrix where every HRBP can see it — consistency is your legal defense and audit survival tool

The post Red Flags in BGV Reports: How to Read and Act appeared first on SpringVerify Blog.

The answer, in too many quick commerce companies, is: someone who passed an Aadhaar check and nothing more.

Why Quick Commerce Is a Different Verification Universe

Delhivery hires at scale but with 2-7 day onboarding windows. Blinkit, Zepto, Swiggy Instamart, and BigBasket hire at scale with same-day-to-next-day onboarding. Their business model requires a rider to go from “application” to “first delivery” in under 24 hours. Any friction in onboarding means unfilled delivery slots, which means undelivered orders, which means lost revenue and angry customers.

This creates the hardest verification problem in Indian hiring: screen thoroughly enough to prevent the Zepto nightmare while onboarding fast enough that the Koramangala dark store doesn’t run out of riders during the dinner rush.

The Two-Layer Model That Works

Layer 1: Instant Verification Before First Delivery (5-15 Minutes)

Nothing less than these four checks should gate platform access:

Aadhaar eKYC with facial match and liveness detection. Confirms identity and prevents impersonation. A selfie compared against the Aadhaar photo, with liveness detection to prevent static photo fraud. Takes 30 seconds.

PAN verification. Cross-references identity and catches duplicate applications under different identities.

Criminal database check. Instant search against digitised court records covering 3,500+ courts and 20 Cr+ records. Not comprehensive (misses non-digitised district courts) but catches the majority of cases.

Driving license verification (for two-wheeler/four-wheeler riders). Confirms valid license status and checks for suspensions.

Total Layer 1 time: 5-15 minutes. Cost: Rs. 150-250. Result: the rider can start their first delivery.

Layer 2: Comprehensive Verification Within 72 Hours

These checks run in parallel with the rider’s first working days:

Full court record check across home state AND current state district courts. This catches cases that the instant database might miss — particularly from smaller, non-digitised courts in states like UP, Bihar, and Jharkhand.

EPFO employment history. Reveals previous employers, tenure, and any active concurrent employment (moonlighting across multiple gig platforms).

Digital address verification with GPS-tagged video call. Confirms the rider lives where they claim.

Police verification where required by state regulation (Karnataka is moving towards mandating this).

If Layer 2 surfaces a disqualifying result — active criminal case, identity mismatch, fraudulent documents — the rider is immediately deactivated. Industry data suggests a 3-5% deactivation rate at this stage, meaning 150-250 riders per 5,000 monthly onboards are removed after starting.

The Volume Math for the CFO

A quick commerce company onboarding 5,000 riders per month:

Against the cost of one safety incident:

•Legal costs: Rs. 25-75 lakhs

•Regulatory fines: Rs. 10-50 lakhs

•Customer acquisition cost to recover lost trust: Rs. 1-5 crores

•Brand damage: incalculable but career-ending for leadership

One unverified rider incident can cost 3-10x the entire annual BGV budget.

The Regulatory Direction

Multiple states are introducing or considering verification mandates:

Karnataka has draft gig worker legislation that includes background verification provisions for platform workers who enter customer premises.

Maharashtra has signaled similar requirements through labour department discussions.

The Central Government’s Code on Social Security 2020 establishes a framework for gig worker welfare that will likely expand to include safety verification requirements.

Companies building verification infrastructure now will be compliant by default. Companies scrambling to build it after regulation arrives will face implementation gaps, political pressure, and premium vendor pricing.

SpringVerify’s WhatsApp-based instant verification completes Layer 1 in under 15 minutes — Aadhaar facial match with liveness, PAN cross-reference, and criminal database check — without requiring the rider to download an app or visit an office. Layer 2 checks run automatically in the background.

Key Takeaways:

•Quick commerce workers enter customer homes at all hours — this is the highest-trust, highest-risk hiring category in India

•Two-layer verification: instant checks (5-15 min) before first delivery, comprehensive checks within 72 hours

•One safety incident costs 3-10x the entire annual BGV budget — the math isn’t close

•State-level regulation mandating delivery worker verification is coming — build the infrastructure now

•Layer 1 must complete in under 15 minutes via mobile (WhatsApp, not a web portal) to not break rapid onboarding

The post Quick Commerce Workforce Verification appeared first on SpringVerify Blog.

The results destroyed the deal timeline.

The acquired startup’s VP of Collections had an active criminal case for financial fraud in a Rajasthan district court — filed two years before the acquisition. Their Head of Risk had been terminated from a previous NBFC for compliance violations — a fact he’d concealed from both companies. The CFO held an undisclosed directorship in a competing lending company.

None of this surfaced during due diligence. Because nobody checked the people.

The Workforce Blind Spot in M&A

Traditional M&A due diligence treats employees as a line item: headcount, payroll cost, key person dependencies, ESOP liabilities. It almost never includes re-verifying the backgrounds of the humans who will become your employees, access your systems, interact with your clients, and represent your brand.

The assumption: “The acquired company already screened their own people.” That assumption is wrong more often than buyers want to admit.

Startups frequently skip BGV entirely — especially pre-Series A. The 50-person startup you’re acquiring for their engineering talent may have hired half their team through referrals with no verification beyond a phone call with a friend.

Companies in financial distress hire desperately. Acquisition targets (especially distressed assets) often scaled rapidly with minimal screening because they needed bodies, not vetted professionals.

Different geographies, different standards. The company you’re acquiring in Jaipur may have different (or no) screening standards compared to your headquarters in Mumbai.

What Can Go Wrong (Beyond the Jaipur Story)

Inherited criminal liability. An acquired employee with an undisclosed criminal record who commits an offense creates liability for the acquirer — especially if you failed to re-verify post-acquisition. Under Indian employment law, the new employer inherits duty-of-care obligations.

Credential fraud at senior levels. The VP of Engineering who claimed an IIT Bombay degree but attended a tier-3 college. She’s now your VP of Engineering. When your enterprise client’s next audit surfaces it, you’ll wish you’d spent Rs. 3,000 on an education check.

Non-compete violations. Acquired employees who were already violating non-competes with their previous employers. The acquisition makes headlines on YourStory and Economic Times. Those previous employers suddenly take notice.

Regulatory disqualification. In BFSI acquisitions, SEBI-debarred individuals or RBI-blacklisted persons in the acquired workforce can trigger regulatory action against the combined entity.

Undisclosed conflicts of interest. MCA directorship searches reveal board members or senior managers with active roles in competitors, vendors, or entities that create direct conflicts.

The Re-Screening Protocol

Tier 1: Within 30 Days of Close (Critical)

All director-level and above in the acquired entity — no exceptions:

•MCA directorship search (conflicts, disqualification under Section 164 of Companies Act)

•SEBI debarment list screening

•Comprehensive criminal check (court records across all states of residence)

•Education verification for highest claimed degree

•EPFO-based employment history validation

•Media and adverse news screening

All employees with access to financial systems, customer data, code repositories, or client relationships:

•Identity verification (Aadhaar + PAN)

•Criminal database check

•EPFO employment verification

Estimated cost for Tier 1 across a 150-person acquired company: Rs. 2-4 lakhs. Against an Rs. 85 crore acquisition, this is 0.003% of deal value.

Tier 2: Within 60 Days (Comprehensive)

All remaining employees:

•Identity verification

•Criminal database check

•EPFO employment history

•Education verification for roles requiring specific qualifications

Flag any discrepancies for deeper investigation before integration milestones.

Tier 3: Ongoing Integration

All new hires in the acquired entity follow your standard BGV policy immediately. No grandfather clauses. No “we’ll get to it later.”

Making It Politically Survivable

The political sensitivity is real. You’re telling 150 new colleagues: “We’re checking your backgrounds.”

Frame it as standardization, not suspicion. “As part of integration, all employees across both organizations are being brought under a unified compliance framework.” Run the same checks on a random sample of 20-30 existing employees from the acquiring company simultaneously to demonstrate fairness.

Get executive sponsorship. The CEO or CHRO of the acquiring company should communicate the re-screening directly, positioning it as a governance upgrade — not a trust deficit.

Offer support. Some acquired employees may have legitimate concerns — e.g., address changes they haven’t updated, or employment records from defunct companies. Provide a helpline and a clear dispute resolution process.

SpringVerify’s bulk processing capability (CSV upload for 150+ candidates), EPFO-first employment verification, and comprehensive criminal screening across state courts make re-screening operationally feasible within the 30-60 day window that M&A integration timelines demand.

Key Takeaways:

•M&A due diligence almost never includes employee re-verification — this blind spot has destroyed deal timelines

•Re-screening 150 acquired employees costs Rs. 2-4 lakhs — 0.003% of a typical mid-market deal value

•Screen all directors and data-access employees within 30 days of close; all others within 60 days

•MCA directorship search and SEBI screening are critical for BFSI acquisitions — regulatory disqualification is deal-breaking

•Frame re-screening as compliance standardization, run checks on your own people simultaneously, and get CEO sponsorship

The post BGV During M&A: Workforce Due Diligence appeared first on SpringVerify Blog.

They’d hired a proxy. The person who interviewed was not the person sitting in the home office in Electronic City writing code.

The investigation revealed a Telegram group offering “interview-as-a-service” for Rs. 35,000 per engagement, with a guarantee: if the candidate doesn’t clear, the next attempt is free.

Welcome to India’s Proxy Interview Industry

Proxy interviews existed before COVID. Remote hiring turned them from a rare oddity into a scalable, marketed service. Services across India now charge Rs. 20,000-50,000 to provide a “professional interviewer” who impersonates the actual candidate through video calls. Some offer packages: proxy for all rounds, coaching between rounds, and a “support buddy” who feeds answers via WhatsApp during the first month of work.

NASSCOM flagged this as a growing concern in Indian IT as early as 2022. Multiple Reddit threads from Indian recruiters describe discovering proxies weeks or months into employment. One thread documented a Hyderabad-based proxy ring that serviced over 200 candidates in a single year — each paying Rs. 30,000-40,000 for interviews at TCS, Infosys, and Wipro vendor positions.

How It Actually Works

The basic version: Candidate A (average skills, wants the job) pays Candidate B (strong skills, wants the money) to take the video interviews. Candidate A joins the company. The deception relies on one fact: most companies never compare the face on the interview video with the face on the identity document.

The sophisticated version: Real-time answer feeding. The proxy sits off-camera and feeds technical answers through an earpiece or a second screen while the actual candidate speaks on camera. Harder to detect because the right person is visible — just not the right brain.

The AI-enhanced version (emerging): Deepfake filters that overlay the candidate’s face on the proxy’s video feed. A proxy in Koramangala talks while the candidate’s face in Whitefield moves on screen. Still rare, but technically feasible with consumer-grade tools.

Detection Methods That Actually Work

1. Liveness verification during onboarding. Compare a live facial capture during digital onboarding with the photo on the Aadhaar used for identity verification AND with a screenshot from the recorded interview. Three-point face match. If the person joining doesn’t match either the ID or the interview, it’s caught immediately. This single step defeats 95% of proxy attempts.

2. Interview recording + onboarding face match. Record at least one video interview (with candidate consent — mention it in your interview scheduling email). During onboarding, compare faces. SpringVerify’s Aadhaar-based facial match with liveness detection provides the technical infrastructure for this comparison.

3. Multi-point identity verification. Aadhaar face match + PAN verification + a live selfie during onboarding. Three independent identity confirmations that are extremely difficult to defeat simultaneously.

4. In-interview signals to watch for. Eyes consistently looking to the left or right (reading from a hidden screen). Audio latency or echo suggesting a relay setup. Reluctance to turn on camera or share screen. Technical depth that varies dramatically between rounds (different proxies for different rounds). Asking to reschedule when you request a surprise technical round.

5. First-week verification tasks. A short technical task in the first week that mirrors interview assessment complexity. If someone solved a system design problem eloquently in the interview but struggles with basic implementation in week one, investigate.

What to Do If You Suspect a Proxy

Don’t accuse immediately. Request a video call with camera on, citing “onboarding documentation needs.” Compare the face to interview recordings. If there’s a mismatch, escalate to HR and Legal before confronting the employee.

Document evidence. Screenshot comparisons, interview recordings, liveness check results. You’ll need this for termination proceedings.

Review your employment contract. Most contracts include a clause on misrepresentation of credentials. Identity fraud during hiring typically constitutes grounds for immediate termination, but consult your legal team on the specific process.

Report to the proxy service if you can identify it. While there’s no specific law criminalizing proxy interviews, identity fraud and impersonation have provisions under the Indian Penal Code (Section 419: cheating by personation).

SpringVerify’s identity verification suite — Aadhaar-based facial match with liveness detection, multi-document verification, and onboarding-stage identity confirmation — is specifically designed to close the proxy gap that document-only verification leaves wide open.

Key Takeaways:

•Proxy interview services are a marketed industry in India, operating openly on Telegram for Rs. 20,000-50,000

•Three-point face match (interview recording + Aadhaar photo + live onboarding selfie) defeats 95% of proxies

•Record at least one interview round with candidate consent — this is your comparison baseline

•First-week technical tasks that mirror interview complexity are a behavioral proxy detection layer

•Identity fraud during hiring constitutes grounds for termination under most employment contracts — document everything

The post Proxy Interviews & Identity Fraud in Remote Hiring appeared first on SpringVerify Blog.

What Belongs in a BGV SLA

TAT Guarantees by Check Type (Not a Single Blanket Number)

Most vendors offer “average TAT of 48 hours.” That’s meaningless. Negotiate separate commitments:

The “Maximum TAT” column is your P95 equivalent — the vendor commits that 95%+ of checks complete within this window.

Amber Rate Caps

Set maximum amber rates per quarter, benchmarked against industry best practice:

•Overall amber rate: below 5% (IDfy publicly claims 2-4%; use this as your benchmark)

•Employment verification amber: below 8%

•Education verification amber: below 10%

If the vendor exceeds these caps for two consecutive quarters, it triggers a mandatory remediation plan with monthly reviews.

Data Breach Notification (DPDPA-Aligned)

Under DPDPA, you as the Data Fiduciary must notify the Data Protection Board of breaches “without delay” (Section 8(6)). Your vendor must notify YOU within 24 hours of discovering a breach affecting your candidate data. Not 72 hours. Not “as soon as practicable.” Twenty-four hours. This timeline determines whether you can meet your own legal obligations.

Include: initial notification within 24 hours, detailed incident report within 72 hours, root cause analysis within 15 business days, and remediation confirmation within 30 days.

Uptime and Availability

If your TA team in Bangalore uses the vendor platform daily from 9 AM, downtime matters. Negotiate: 99.5% monthly uptime, scheduled maintenance only during 12 AM – 5 AM IST (not during working hours), and unplanned downtime exceeding 4 hours in any month triggers service credit.

Penalty and Credit Structure (SLAs Without Teeth Are Wishes)

TAT penalties: If more than 10% of checks in a quarter miss the Maximum TAT, the vendor provides a 5% service credit on that quarter’s invoice.

Amber rate penalties: If amber rate exceeds the cap for two consecutive quarters, 10% service credit plus mandatory remediation plan.

Breach notification delay: If notification exceeds 24 hours, 15% credit on the quarter’s invoice plus right to audit the vendor’s security practices.

Nuclear option: If TAT SLAs are missed for three consecutive quarters, you have the right to terminate with 30 days’ notice regardless of contract term.

Sample SLA Clause Language

“Provider commits that 95% of Identity Verification checks shall be completed within 24 hours of initiation, and 95% of Employment Verification (HR Outreach) checks shall be completed within 10 business days. Should Provider fail to meet these targets for more than 10% of checks in any calendar quarter, Client shall receive a service credit equal to 5% of that quarter’s total invoiced amount, applied to the following quarter’s invoice.”

Copy that. Adjust the numbers. Hand it to your vendor.

What Vendors Will Push Back On (And Your Response)

“We can’t control university response times.” Your response: “That’s why we set the education amber cap at 10%, not 0%. We’re building in tolerance. If you can’t hit 10%, your follow-up process needs improvement.”

“Penalty structures aren’t industry standard.” Your response: “If you’re confident in your service quality, penalties should never trigger. This protects us both — it gives you a clear target and gives us recourse.”

“72 hours for breach notification is more realistic.” Your response: “Under DPDPA, we must notify the Board ‘without delay.’ If you take 72 hours, we can’t meet our own legal obligations. This isn’t negotiable.”

SpringVerify’s standard SLAs include TAT guarantees by check type, proactive escalation protocols, and performance dashboards that both parties can monitor in real-time — because a 4.9-star rating across 5,800+ reviews comes from consistently meeting commitments, not just making them.

Key Takeaways:

•Negotiate TAT commitments by check type with both Target and Maximum columns — blanket numbers are meaningless

•Set amber rate caps with quarterly review triggers — use IDfy’s public claims (2-4%) as your benchmark

•Data breach notification must be 24 hours to enable your DPDPA compliance — this is non-negotiable

•Include specific penalty percentages and a nuclear termination clause for sustained underperformance

•Copy the sample SLA clause language, adapt the numbers, and hand it to your vendor tomorrow

The post SLA Framework for BGV Vendors: What to Negotiate appeared first on SpringVerify Blog.

She finally switched. It took 6 weeks. The nightmare never materialized.

When to Switch (The Honest Checklist)

Don’t switch because a competitor’s sales rep had better slides. Switch when measurable problems persist:

•Amber rate above 10% for two consecutive quarters

•TAT SLAs missed by more than 20% consistently

•No integration with your current HRMS (Darwinbox, Keka, Zoho People, GreytHR)

•Pricing has crept up through surcharges (address verification extras in places like Gorakhpur or Siliguri, priority fees, re-verification charges) that weren’t in the original contract

•Legal team has flagged DPDPA data handling concerns the vendor won’t address

•Account management responsiveness has degraded below acceptable standards

If three or more apply, you have a vendor problem, not a bad quarter.

The 12-Step Migration Checklist

Phase 1: Preparation (Weeks 1-2)

1. Document current state. Export from your current vendor: check packages by role tier, TAT benchmarks by check type, cost per check (including all surcharges), amber rates by check type and geography, current integration setup with your HRMS, and volume data (monthly check count by type).

2. Extract pending cases. Get a complete status report for every in-progress verification. These will need to be completed by the old vendor even after you transition.

3. Review your contract. Most BGV contracts have 30-60 day notice periods. Check for: minimum volume commitments (and penalties for under-delivery), auto-renewal clauses, data deletion obligations upon termination, and intellectual property provisions around custom workflows.

Phase 2: New Vendor Setup (Weeks 2-4)

4. Configure check packages. Replicate your exact tier structure on the new platform. Don’t “optimize” packages during migration — change one thing at a time.

5. Integration testing. Connect your Darwinbox/Keka/Zoho People instance to the new vendor. Run 3-5 dummy candidates through the full workflow. Test: check initiation from inside your HRMS, candidate notification and document collection, result delivery back into your HRMS, and report generation and download.

6. Migrate consent templates. Your DPDPA-compliant consent form must work in the new vendor’s system. Review with Legal — consent language may need minor adjustments.

7. Map escalation contacts. Know exactly who to call when something goes wrong. Get mobile numbers, not just email addresses. For your first 30 days, you need a direct line to someone senior.

Phase 3: Parallel Testing (Weeks 4-6)

8. Run 25-30 real checks through both vendors simultaneously. This is the most important step. Pick candidates that represent your actual mix: 60% metro, 25% tier-2, 15% tier-3/rural. Compare side by side: TAT, report quality, amber rate, candidate experience (ask candidates which process was smoother), and fully-loaded cost.

9. Team evaluation. Have your TA team and HRBPs compare both dashboards. Usability matters more than features. The platform your team finds intuitive wins.

10. Legal review. Your General Counsel reviews: new vendor’s data processing agreement, subprocessor list, consent workflow compliance, and data breach notification commitments.

Phase 4: Cutover (Weeks 6-8)

11. Full transition. All new checks go to the new vendor. Keep the old vendor active only for cases still pending from the parallel period.

12. 30-day post-cutover review. Compare first month on new vendor against last month on old vendor: TAT (by check type), amber rate, team satisfaction (NPS survey), candidate feedback, and actual vs projected cost.

The DPDPA Migration Complication

When you switch vendors, candidate data must be handled carefully under DPDPA:

Data collected by Vendor A cannot transfer to Vendor B without fresh candidate consent. This means active cases mid-check may require re-consent if the new vendor needs the original documents.

Vendor A must delete candidate data per your retention policy after transition. Get written confirmation of deletion. DPDPA Section 8(7) requires Data Processors to delete data when the purpose is fulfilled.

Document the transition. The Data Protection Board may someday ask: how did you ensure data security during the vendor transition? Your answer should be a documented migration protocol, not a shrug.

SpringVerify’s onboarding team assigns a dedicated migration specialist for switching companies — handling parallel testing setup, HRMS integration, consent workflow migration, and data transition documentation. The 6-week timeline is standard for their migration process.

Key Takeaways:

•Vendor switching takes 6-8 weeks with proper planning — the “nightmare” reputation is vendor FUD

•Parallel testing with 25-30 real checks is the single most important step — it replaces opinion with data

•DPDPA requires specific data handling during transitions: no bulk data transfer, deletion confirmation from old vendor

•Review your current contract for notice periods, auto-renewal, and minimum volume penalties before notifying

•The 30-day post-cutover review is where you prove the switch was worth it — measure everything

The post BGV Vendor Switching: Migration Checklist appeared first on SpringVerify Blog.

Last year, Priya tried something different. She brought a spreadsheet.

The ROI Formula That Changes the Conversation

BGV ROI = (Total Cost Avoided) / (Total BGV Spend) x 100

The numerator has four components. Every single one has a number attached to it.

Component 1: Bad Hire Cost Avoidance

The widely cited figure is 2.5-5x annual CTC. Here’s the India-specific math for a Rs. 12 LPA hire at a mid-size Bangalore company:

•Salary paid during failed tenure (avg 4 months before the problem surfaces): Rs. 4,00,000

•Recruitment cost to replace (20% of CTC through a Naukri premium listing or recruiter): Rs. 2,40,000

•Onboarding and training investment wasted: Rs. 75,000

•Productivity loss during 45-day vacancy (team covering + delayed projects): Rs. 1,50,000

•IT provisioning wasted (laptop, licenses, access setup): Rs. 40,000

Total cost of one bad hire: Rs. 9,05,000.

For a Rs. 25 LPA senior hire, the number crosses Rs. 15 lakhs. For a CXO at Rs. 60 LPA, it can exceed Rs. 1 crore when you factor in strategic decision damage and client relationship impact.

Component 2: Fraud Prevention Value

Industry data from IDfy shows a 15-20% discrepancy rate in Indian resumes. If 15% of your candidates have discrepancies, and 30% of those discrepancies would have resulted in a measurably bad hire if undetected:

For every 100 hires screened, BGV prevents approximately 4-5 bad hires.
At Rs. 9,05,000 per prevented bad hire x 4.5 = Rs. 40,72,500 in avoided cost per 100 hires.

Component 3: Litigation Cost Avoidance

One wrongful hire lawsuit in India — for fraud, negligent hiring, data breach by an unvetted employee, or sexual harassment by someone with a prior record — costs Rs. 5-25 lakhs in legal fees alone. A single case settled out of court to avoid media attention can run Rs. 15-50 lakhs.

If BGV prevents even one lawsuit per year, the legal cost avoidance alone may exceed the entire annual BGV budget.

Component 4: Attrition Reduction

A study published in People Matters India found that companies with thorough pre-hire screening report 15-25% lower early-stage attrition. Each avoided attrition event saves recruitment + onboarding costs.

For a 500-person company with 25% annual attrition (125 departures/year), even a 5% reduction = 6 fewer replacements. At Rs. 2.5 lakhs per replacement (recruitment + onboarding), that’s Rs. 15 lakhs saved annually.

The Full Calculation

For a 500-employee company hiring 200 people per year:

Even discounting by 50% for conservatism: ROI is 2,272%. Even discounting by 75%: ROI is 1,136%.

There is no scenario where reasonable assumptions produce an ROI below 500%.

A caveat Vikram will appreciate: These calculations assume industry-average discrepancy rates. Ask your BGV vendor for your company’s specific discrepancy rate — if it’s lower, the prevented-bad-hire number adjusts down. If it’s higher (which it often is for companies that previously screened lightly), the ROI goes up.

How Priya Should Present This to Vikram

Don’t call it a “BGV budget request.” Call it a “fraud and attrition loss prevention investment.” Use your company’s actual numbers: actual CTC ranges (not industry averages), actual attrition rate from your Darwinbox/Keka reports, actual discrepancy rate from your SpringVerify dashboard.

The most compelling single data point: “Last year, SpringVerify found discrepancies in X% of our candidates. That means X out of every 100 hires would have joined with unverified backgrounds. At Rs. 9 lakhs per bad hire, we prevented Rs. Y in losses.”

Vikram doesn’t argue with his own company’s data.

SpringVerify’s reporting dashboard provides company-specific discrepancy rates, check-type breakdowns, and TAT analytics — giving Priya the exact data she needs for the January conversation.

Key Takeaways:

•BGV ROI is calculable: bad hire cost avoidance + fraud prevention + litigation avoidance + attrition reduction, divided by total spend

•One bad hire at Rs. 12 LPA costs approximately Rs. 9 lakhs; at Rs. 25 LPA, over Rs. 15 lakhs

•Even with 75% conservative discounting, BGV ROI exceeds 1,000%

•Present it as “loss prevention investment,” not “compliance cost” — use your company’s own discrepancy data

•The CFO doesn’t argue with his own company’s numbers — ask your vendor for your specific discrepancy rate

The post How to Calculate BGV ROI: CFO-Ready Framework appeared first on SpringVerify Blog.

Meera’s question to her VP HR: “Do I let this candidate go over a university that won’t pick up the phone?”

This scene plays out thousands of times daily across Indian companies. And most HR teams handle it on gut feeling.

What Amber Actually Means (And What It Doesn’t)

In the RAG (Red-Amber-Green) system:

Green = Verified. Information matches. Proceed.
Red = Discrepancy confirmed. Candidate’s claim doesn’t match verified data.
Amber = Could not conclude. Insufficient data to confirm or deny.

Here’s the critical insight: amber is not “partially bad.” Amber is “the system failed to finish.” This could be because the previous employer’s HR in Pune never responded despite 5 follow-ups, the Deemed University in Tamil Nadu shut their verification desk for exam season, the candidate’s family in a village in UP wasn’t home during 3 physical address visit attempts, or the court record database returned multiple results for a common name like “Rahul Sharma” and couldn’t conclusively match.

Why Amber Is Your Biggest Operational Problem

Red cases are easy — investigate, follow adverse action process, decide. Green cases are easy — proceed. Amber cases paralyze everyone.

Pipeline impact: At a 10% amber rate across 500 annual hires, that’s 50 candidates stuck in limbo. At an average 10-day amber resolution period, you’re carrying 14 unresolved cases at any point. If even 20% of those candidates drop out, you’ve lost 10 hires — roughly Rs. 20-30 lakhs in re-recruitment costs.

Cost multiplication: Many vendors charge Rs. 200-400 for each re-verification attempt. At 50 amber cases with 2-3 attempts each, that’s Rs. 20,000-60,000 in re-verification fees — money spent generating zero usable result.

Inconsistency risk: Without a framework, one HRBP in your Bangalore office proceeds with amber candidates while another in Hyderabad holds them for weeks. Same company, opposite decisions, massive legal liability.

The Resolution Framework

Tier by check type AND role criticality:

Criminal check amber for a finance role at an NBFC: Do NOT proceed. Attempt alternative verification — different court database, physical court visit in the specific district, or police verification request. If unresolvable after 15 business days, escalate to Legal for documented risk assessment before making a decision.

Education check amber for a 12-year experienced developer at your Bangalore office: Proceed with conditional onboarding. A degree from 2012 matters far less when the candidate has 12 years of verifiable (via EPFO) employment history. Document the decision and the rationale.

Employment check amber (HR non-response) for any role: Run EPFO/UAN check immediately as alternative verification. If EPFO confirms the tenure, mark as resolved — government data trumps an unresponsive HR department. If EPFO data is unavailable, attempt a direct manager reference check via LinkedIn.

Address check amber (candidate not found at address): Switch methods. If physical verification failed, try digital video-based verification. If the candidate moved, request updated address and re-verify. Address amber is almost always a logistics problem, not a character problem.

Real resolution examples:

Case 1: Amber on employment at a Hyderabad startup that shut down in 2023. Resolution: EPFO check confirmed 18 months of PF contributions from the company’s establishment code. Marked green.

Case 2: Amber on education from a Deemed University in Rajasthan. University verification desk unresponsive for 21 days. Resolution: Candidate provided original marksheet + DigiLocker verification for linked documents confirmed authenticity. Marked green with documentation.

Case 3: Amber on criminal check for “Suresh Kumar” in Delhi district courts — 4 results for the same name. Resolution: Full name + father’s name + date of birth cross-reference eliminated all matches. Marked green.

Set maximum hold periods:

No candidate should sit in limbo indefinitely. Define ceilings: 10 business days for Tier 1-2 roles, 15 business days for Tier 3 roles, 20 business days for Tier 4 (executive) roles. After the maximum period, the hiring decision must be made with available information — documented and approved by the designated authority (HRBP for standard, VP HR for sensitive).

Track your vendor’s amber rate:

This is one of the most important vendor metrics you’re probably not monitoring. Industry average is 8-15%. Best-in-class vendors like IDfy claim 2-4%. If your amber rate exceeds 10% for two consecutive quarters, your vendor’s methodology needs serious scrutiny — or you need a new vendor.

SpringVerify’s low amber rate is achieved through multiple verification channels (digital + physical + government databases), automated follow-up sequences, and EPFO-first employment checks that resolve the most common amber scenario — unresponsive previous employers — instantly.

Key Takeaways:

•Amber means “the system couldn’t finish” — treat it as a process problem, not a candidate red flag

•EPFO checks resolve the #1 amber cause (unresponsive employers) instantly with government data

•Build a resolution framework tiered by check type and role criticality — not ad-hoc judgment

•Set maximum hold periods: 10/15/20 days by role tier — no candidate sits in limbo indefinitely

•Track your vendor’s amber rate quarterly — above 10% sustained means the vendor’s methods need scrutiny

The post Amber/Insufficient Cases in BGV: Resolution Guide appeared first on SpringVerify Blog.