On October 2, 2012, the US Immigration and Customs Enforcement (ICE) released the first-ever official guidance document for evaluating electronically generated and stored I-9 records during an audit. Obtained by LawLogix last week, the 4-page document from ICE headquarters provides guidance to Homeland Security Investigations (HSI) special agents and auditors on what information they should collect from employers using electronic I-9 systems as well the minimum electronic audit trail requirements for use in determining I-9 related fines. See the link at the end of this post to download a scanned copy of the letter and attachments.
This guidance comes at just the right time for those organizations that have been feeling the government’s “I-9 squeeze,” with increasing ICE audits on the one side and increasing DOJ investigations (for discrimination concerns) on the other. Not to the mention the fact that we still have a new 2-page I 9 form waiting in the wings and frequently changing E-Verify rules. It’s no wonder so many organizations are now seriously considering a total I-9 compliance overhaul.
Have you recently begun looking for an electronic I-9 system to replace your error-prone paper process? Or are you currently using an electronic I-9 system which is lacking in compliance safeguards? Then read-on to learn how ICE may be evaluating your system in the very near future!
The Current State of Affairs
It’s already been 2 years since ICE finalized the regulations for electronically storing and/or generating I 9 records. Since that time, an increasing number of employers have adopted electronic I-9 systems as a means to reduce those silly paperwork errors, manage their I-9 program through reports and charts, and/or integrate with E-Verify to save time and prevent mismatches. So far, so good.
However, during that same time period, we have also seen a steady increase in the number of administrative I-9 audits – where employers are asked to deliver their I-9 records to ICE within 72 hours for inspection. But what happens when an employer using an electronic I-9 system is served with the dreaded Notice of Inspection (NOI)? Do they simply “print out” their electronic I-9s for ICE or is there more to it than that? And what about all of those requirements in the regulations that talk about recordkeeping, audit trails, and security? Does ICE really care about those?
Up until recently, there were many possible answers to those questions (depending largely upon the specific ICE agent in charge of the investigation). ICE has 26 Special Agent in Charge (SAC) principal field offices throughout the US, and the level of electronic I-9 scrutiny has varied widely. In an effort to standardize their protocols, ICE has now created the basic framework for evaluating I-9 systems along with specialized training for agents in the field. Let’s take a closer look!
The “New” Electronic I-9 Audit Process
So, you’ve just been served with an NOI requesting all of your current I-9s for 10 different locations. Lucky you! After contacting your outside counsel and strategizing, you’re now faced with an interesting question: how do I provide I-9s which are electronically stored in my system? If your local ICE agent is following the new procedure, there is much you will be asked to produce.
1. Audit Trails
When it comes to electronic I-9 compliance, it’s all about the audit trail. As we’ve described rather extensively in the past, the regulations require that whenever an electronic I-9 is created, completed, updated, modified, altered or corrected, an electronic I-9 system must create a secure and permanent record that establishes the date accessed, who accessed it, and what action was taken. Why is this important? In a nutshell, it’s the only way that ICE can validate the integrity of the process and spot issues of tampering or deception. It’s the ultimate investigative tool for ICE, which means it should be the number one issue for employers when considering an electronic I-9 system.
But what exactly is ICE looking for in an audit trail? And how do I measure my current system against these requirements? Although specific examples have not been provided, ICE has summarized the type of “actions” which must be recorded in the audit trail throughout the life of an I-9. So for example, when an I-9 is created, the system must capture the initiation of the record and association with an employee. As the I-9 is completed, the system must record the entering of personal information, the employee attestation, signatures and dates, and the inputting of documents. Later, if the I-9 is updated (section 3) or modified in any way, the system must document “any changes made” (a broad statement indeed!)
So what does this all mean? The take-away here is that ICE views the audit trail as their I-9 road map – showing them all that transpired for a given employee. While the exact level of detail requested may vary, it seems clear that the audit trail will continue to be a key factor in determining whether an employer is in compliance or should be assessed “civil fines” on a very broad and potentially devastating level.
2. Name of Software Provider and Operating Procedures
Upon service of an NOI, special agents or auditors must request the name of the software product being used and any internal business practices and protocols related to the I-9 system. ICE will then examine these documents to get a better sense of how the system works. Practically speaking, this shouldn’t be too difficult to produce, but it does highlight two important considerations when choosing a vendor. First, make sure the vendor is able to provide you with a good description of their system in the event of an audit. ICE is not in the business of evaluating systems, so you’ll want something that is straight-forward and to the point. Second, ICE is in the business of evaluating employers, so it’s crucial that you develop your standard operating procedures (in conjunction with counsel) to explain how you use the system to fulfill your obligations under the law.
3. The indexing system identifying how the I-9 data is linked to each employee
Employers storing electronic I-9s are required to maintain an “indexing system” which would enable ICE to search for and retrieve I-9s and related documents by an employee’s name or some other identifier. While the vast majority of systems out there have very capable indexing systems, employers need to be careful of those systems that lack safeguards to prevent duplicate I-9s or employees from being created. In the event of an audit, the last thing you want to be doing is sifting through your database to determine which “John Smith” is the actual real I-9 that you need to produce.
In addition, employers are advised to scrutinize those “all in one” software applications which combine payroll, tax, or employment verification with the I-9 process. While all of these data points are related to on-boarding, the best practice is to keep this information separate (both at the database and application level) to avoid potential audit and/or discrimination issues.
4. Documentation of the system used to capture the electronic signature and attestation of the individual signing the form
While the regulations are rather vague as to what constitutes an electronic signature, the most important safeguard (from ICE’s perspective) is to ensure that the person named on the form was the one who actually signed the form. To make this assessment, ICE may closely examine the electronic signature process to make sure the “significance” has not somehow been lost. For example, if your electronic I-9 signature consists of a simple checkbox (“Click here to sign”), how can you be sure the employee understands that he or she was actually signing a federal form under penalty of perjury? These are the types of questions you want to avoid by making sure your electronic signature methodology is “ICE-proof” long before an audit.
5. At least one printed completed electronically generated I-9 form
This may seem like a no-brainer, but it’s important to note that the regulations require an electronic I-9 system to “reproduce legible and readable hardcopies” of your electronically completed and retained I-9 forms. A good system will easily meet this requirement by enabling you to download a PDF version of the electronic I-9 form, with all of the data points fitting nicely into their assigned boxes. If only handwritten I-9s worked this way!
However, just like in other I-9 areas, there are potential traps for the unwary. While filling in a PDF may seem straightforward, be careful of vendors who populate these forms “on the fly” rather than retaining them when the form is actually completed. As part of an investigation, ICE will look to see whether you used the correct version of the I-9 (at the time of completion), and the last thing you want is to have your I-9 system generate I-9 forms for all employees on the most recent version of the form!
6. Access to the system for a demonstration
Although one may wonder why this would be necessary (assuming all of the I-9s have been presented to ICE), I believe this reflects a growing concern about systems that may over-automate the I-9 process or “cheat” in ways that may surprise you. For example, some vendors have turned the entire I-9 process into a series of “wizard-like” screens which are mixed in with other “on-boarding” functions (recruiting, background investigation, drug screening, etc). Other systems have added new fields which are not on the I-9 form (a big no-no), moved fields from section 2 into section 1, and other “creative” re-imaginings of the form in order to improve the user experience. Although these may seem reasonable to the uninformed, these alterations can easily lead to compliance mistakes or inadvertently change the meaning of the form.
Conclusion
Although there are still many unanswered questions, I applaud ICE for releasing this very important document and shedding some light on the evaluation of electronic I-9 systems. As you’re reading through the memo and supporting documents, it’s important to keep in mind that these are “minimum” guidelines for ICE Special Agents – meaning it’s highly possible (and perhaps probable) that you may be required to produce even more information which proves your system is following the regulations. In light of this (no-doubt) evolving guidance, employers are well advised to partner with a vendor that takes the most conservative approach to audit trails (and the regulations) in designing their software. Because at the end of the day, an employer should never be put in the position of having to defend their software vendor for being “mostly compliant.”
To request a copy of the ICE memo and guidance, please click here.