Practical Guide · RFP Template

The background check RFP your buying committee actually needs

Most screening vendor RFPs are written by procurement and answered by sales. The result is a process that optimises for price and ignores methodology, audit defensibility, and data handling. This guide provides structured questions for every stakeholder in the buying committee, with a scoring framework that surfaces the differences between vendors before the contract is signed.

Reading time: 12 minutes · Type: Practical guide with downloadable framework · Last updated: April 2026

Key takeaways

  • Most BGV RFPs over-index on price per check and miss methodology, evidence quality, and escalation protocols entirely.
  • Four stakeholder groups evaluate BGV vendors differently. A useful RFP must include questions from all four perspectives.
  • The scoring framework below weights verification methodology and audit defensibility higher than unit price for offshore programmes.
  • Specific red flags in vendor responses reveal whether they operate the verification or simply resell a platform.

Why a structured RFP matters

“The RFP that only asks about price will only tell you about price. Everything that matters in a BGV programme, the methodology, the evidence chain, the escalation logic, stays hidden until the first audit.”

Background verification vendor selection typically involves four distinct stakeholder groups, each with different priorities and evaluation criteria. Procurement focuses on cost, commercial terms, and contract structure. Talent acquisition cares about turnaround times, candidate experience, and red flag management. TPRM and compliance needs audit defensibility, regulatory alignment, and evidence documentation. Information security evaluates data handling, encryption, access controls, and certification posture.

The problem: most RFPs are authored by procurement alone. The questions focus on pricing tiers, volume discounts, and contract length. TA submits a few questions about SLA speed. Compliance and InfoSec are consulted late in the process, if at all. The result is a vendor selection that optimises for the cheapest check rather than the most defensible programme.

For companies hiring across multiple offshore corridors (India, Philippines, Poland, Mexico, and similar markets), the stakes are higher. Verification methodology varies dramatically by country. A vendor that performs well in one market may rely entirely on database lookups in another. A structured RFP that asks the right questions across all four stakeholder lenses surfaces these differences before the contract is signed, not twelve months later during an audit.

4 stakeholder groups: must align before a BGV vendor decision holds
67% of RFP questions: typically focus on price and SLA alone
2.4× re-evaluation cost: when methodology gaps are found post-contract

What most BGV RFPs get wrong

Before presenting the question framework, it helps to understand the four most common mistakes in screening vendor RFPs. Each one creates a blind spot that only becomes visible after the programme is live.

Mistake 1: Over-indexing on unit price

Comparing vendors on price per check without controlling for verification depth is like comparing hotels on room rate without checking whether the room has walls. A $4 check resolved by database lookup and a $12 check resolved by institutional contact are not the same product. The RFP must define what "verified" means before comparing what it costs.

Mistake 2: Ignoring verification methodology

"How do you verify education credentials?" is a good question. "Do you contact the university registrar directly, or do you rely on database matches?" is a better one. Most RFPs ask the first and accept a vague answer. The second forces the vendor to describe their actual operating model, which is where meaningful differences between providers appear.

Mistake 3: Not testing for audit defensibility

An RFP that does not ask for sample evidence chains or audit trail documentation will not reveal whether the vendor's reports survive regulatory scrutiny. Ask to see a completed report, including the source of each verification, the method used, the contact name, and the timestamp. If the vendor cannot produce this, their "verified" status is backed by a database ping, not institutional confirmation.

Mistake 4: Treating all markets as identical

A vendor may have strong institutional verification capabilities in India but rely on database-only checks in the Philippines or Colombia. The RFP must ask about methodology and coverage on a per-corridor basis. "What is your verification approach?" is insufficient. "What is your verification approach for education checks in Vietnam, specifically?" reveals whether the vendor has local capability or is subcontracting to an aggregator.

RFP questions for procurement teams

These questions address commercial structure, pricing transparency, and contract flexibility. They are designed to surface hidden costs and ensure the pricing model aligns with how your programme will actually operate.

P1  Question: Provide a full pricing breakdown by check type (education, employment, criminal, address, reference) and by country. Include any setup fees, platform fees, or minimum commitment charges.
    Strong answer includes: Line-item pricing per check type per corridor. No bundled or blended rates that obscure per-check costs.

P2  Question: How does pricing change at different volume tiers? Provide specific thresholds and per-check rates for each tier, rather than "volume discounts available."
    Strong answer includes: Named tier thresholds (e.g., 0 to 500, 501 to 2,000, 2,001+) with exact per-check pricing at each level.

P3  Question: What costs are incurred when a check cannot be completed? Is there a charge for insufficient or unable-to-verify results? What about re-verification requests?
    Strong answer includes: Clear policy on incomplete checks. No charges for vendor inability to verify. Re-verification pricing stated separately.

P4  Question: Describe your invoicing model. Is billing per check initiated, per check completed, or per candidate? What is the payment cycle, and are there early payment terms?
    Strong answer includes: Billing on completion, not initiation. Monthly invoicing with 30-day terms. Transparent reconciliation reports.

P5  Question: What is the minimum contract term? What are the termination provisions, including notice period, transition support, and data return obligations?
    Strong answer includes: 12-month term or shorter. 60 to 90 day notice period. Documented data return and destruction process at termination.

P6  Question: If our hiring volumes fall below the contracted minimum, what happens? Describe any minimum commitment penalties or volume shortfall clauses.
    Strong answer includes: No punitive shortfall clauses. Flexible minimums that adjust with documented volume changes.

P7  Question: What management reporting is included in the base pricing? Provide examples of standard operational reports (TAT, completion rates, discrepancy rates by corridor).
    Strong answer includes: Monthly operational dashboards included at no additional cost. Sample reports provided with the response.

Procurement questions should represent roughly 20% of total evaluation weight for offshore programmes. Price matters, but it should not dominate the scorecard.

RFP questions for talent acquisition

These questions focus on the candidate-facing experience, turnaround time commitments, and how the vendor handles exceptions. TA teams need confidence that the screening programme will not bottleneck their hiring pipeline or create negative candidate experiences.

T1  Question: Provide turnaround time commitments by check type and by country. Distinguish between standard TAT and the TAT for cases that require escalation or institutional follow-up.
    Strong answer includes: Country-specific TAT ranges (not global averages). Separate commitments for standard and escalated cases. Percentile-based targets (e.g., 90th percentile TAT).

T2  Question: How does the candidate submit information and documents? Describe the intake experience, including mobile compatibility, language support, and the number of steps required.
    Strong answer includes: Mobile-first intake. Multilingual support for corridors served. Fewer than 10 minutes to complete. Clear status communication to the candidate.

T3  Question: When a discrepancy or red flag is identified, what is your escalation process? Who is notified, in what timeframe, and what information is provided in the initial alert?
    Strong answer includes: Defined escalation SLA (e.g., within 4 hours of identification). Named point of contact. Initial alert includes the nature of the discrepancy, the sources checked, and recommended next steps.

T4  Question: How can our recruiters track the status of individual checks in real time? Describe the tracking interface, notification triggers, and any API or ATS integration capabilities.
    Strong answer includes: Real-time dashboard with per-check status. Configurable notifications (email, webhook). API available for ATS integration. No manual status request process.

T5  Question: What happens when an institution is non-responsive? Describe your follow-up cadence, the escalation path, and at what point you mark a check as "unable to verify."
    Strong answer includes: Documented follow-up cadence (e.g., 3 attempts over 7 days across multiple channels). Escalation to alternative contacts or field verification before marking unable to verify. Clear documentation of all attempts.

T6  Question: How do you handle candidate disputes? If a candidate challenges a verification result, what is the process for re-investigation, and what is the typical resolution timeframe?
    Strong answer includes: Formal dispute process with defined SLA. Candidate can submit supporting evidence. Re-investigation contacts the original source again. Resolution documented and communicated to both client and candidate.

T7  Question: Provide your SLA framework, including the metrics tracked, the penalties for SLA misses, and how SLA performance is reported and reviewed.
    Strong answer includes: Named SLA metrics (TAT, completion rate, accuracy rate). Contractual service credits for sustained misses. Monthly SLA reporting with root cause analysis for underperformance.

TA questions should represent roughly 20% of total evaluation weight. Speed matters, but only when paired with evidence that the speed does not come at the cost of verification depth.

RFP questions for TPRM and compliance

These questions target audit defensibility, regulatory compliance, and evidence quality. They are the questions that most RFPs leave out entirely, and the ones that matter most when a regulator or auditor samples your verification records.

C1  Question: For each check type, describe the evidence chain that appears in the final report. Specifically: does the report name the source, the verification method, the contact person at the institution, and the date of confirmation?
    Strong answer includes: Sample report showing named sources, method (phone, email, portal, field), contact person with designation, date and timestamp. Every check type documented independently.

C2  Question: What percentage of your education verifications are resolved by database match alone, without direct institutional contact? Break this down by country for each corridor in our programme.
    Strong answer includes: Country-by-country breakdown with specific percentages. Honest acknowledgment of database limitations per corridor. Explanation of how non-covered institutions are handled.

C3  Question: Describe your data retention policy. How long are verification records, candidate documents, and audit trails retained? What happens to data at the end of the retention period?
    Strong answer includes: Defined retention periods aligned with local regulatory requirements per jurisdiction. Documented destruction process. Client notification before destruction. Export capability for client records.

C4  Question: Do you subcontract any portion of the verification work to third parties? If so, name the subcontractors, the check types they handle, the countries they cover, and how you ensure their work meets your quality standards.
    Strong answer includes: Full disclosure of subcontracting arrangements. Named partners. Documented quality controls applied to subcontracted work. Client right to approve or reject subcontractors.

C5  Question: How do you ensure compliance with local data protection regulations in each corridor (e.g., India's DPDP Act, Philippines' DPA, GDPR for EU candidates)? Describe your legal basis for processing and any cross-border transfer mechanisms.
    Strong answer includes: Jurisdiction-specific compliance documentation. Named legal bases per country. Standard contractual clauses or equivalent mechanisms for cross-border transfers. DPO or equivalent contact identified.

C6  Question: Provide an example of how your verification report would appear to an external auditor. Walk through the evidence chain for a single employment check, from initiation to closure, including any discrepancies found and how they were resolved.
    Strong answer includes: Step-by-step evidence trail with timestamps. Discrepancy identification, follow-up actions, and resolution documented. Analyst name or ID recorded. Audit trail accessible to client on request.

C7  Question: What is your quality assurance process for completed reports? Do you sample and review reports before they are delivered, and if so, what is the sampling rate and what criteria are reviewed?
    Strong answer includes: Defined QA sampling rate (e.g., 10 to 15% of reports). Named review criteria (evidence completeness, source documentation, discrepancy resolution). QA metrics tracked and reported.

C8  Question: Describe a situation where a regulatory audit sampled your client's verification records. What was the outcome, and what evidence did you provide to support the client's compliance posture?
    Strong answer includes: Specific example with outcome described. Types of evidence provided. Any remediation required and how it was addressed. Willingness to participate directly in client audits.

TPRM and compliance questions should represent roughly 35% of total evaluation weight for offshore programmes. This is the area where vendor differences have the largest downstream impact.

RFP questions for information security

These questions evaluate how the vendor handles sensitive candidate data, what controls are in place, and what certifications back their security posture. For BGV programmes handling PII across multiple jurisdictions, this section is non-negotiable.

S1  Question: Describe your data encryption standards for candidate PII. Cover encryption at rest, in transit, and in use. Specify the algorithms, key lengths, and key management practices.
    Strong answer includes: AES-256 at rest. TLS 1.2+ in transit. Key management via HSM or equivalent. Key rotation schedule documented. No PII stored in plaintext at any stage.

S2  Question: What access controls govern who can view candidate data within your organisation? Describe your role-based access model, the principle of least privilege implementation, and how access is logged and reviewed.
    Strong answer includes: RBAC with documented role definitions. Least privilege enforced. Access logs retained and reviewed on a defined schedule. Segregation of duties between analysts, QA, and administrators.

S3  Question: List your current security certifications (SOC 2 Type II, ISO 27001, ISO 27701, or equivalent). Provide the scope of each certification, the certifying body, and the most recent audit date.
    Strong answer includes: SOC 2 Type II or ISO 27001 current and in scope for the BGV operations. Certification scope covers the data processing facilities and personnel that handle client data. Most recent audit within the last 12 months.

S4  Question: Where is candidate data stored geographically? Describe your data residency options and whether clients can specify the jurisdiction for data storage and processing.
    Strong answer includes: Named data centre locations. Client ability to specify or restrict data residency. No data processing in jurisdictions outside the agreed scope without client consent.

S5  Question: Describe your incident response and breach notification process. Include detection capabilities, notification timelines, and the information provided to affected clients in the event of a data breach.
    Strong answer includes: Documented incident response plan. Detection within hours via SIEM or equivalent. Client notification within 24 to 48 hours. Notification includes scope of breach, data affected, containment actions, and remediation timeline.

S6  Question: When was your last penetration test conducted, and by whom? Provide a summary of findings and remediation status. Are penetration tests conducted at least annually?
    Strong answer includes: Annual penetration testing by a named third party. Summary of findings and remediation timeline provided. Critical and high findings remediated within 30 days. Test scope covers all client-facing and data-processing systems.

S7  Question: How do you handle data shared with subcontractors or local verification agents? What controls ensure that PII shared for verification purposes is not retained, copied, or transmitted outside the authorised workflow?
    Strong answer includes: Data shared on a need-to-know basis only. Local agents access data through controlled portals, not email or local storage. Contractual obligations on data handling. Periodic audits of subcontractor data practices.

InfoSec questions should represent roughly 25% of total evaluation weight. A vendor without adequate security controls is a liability regardless of price or speed.

Scoring framework

The matrix below provides a starting point for weighting vendor responses. These weights are calibrated for offshore hiring programmes where candidates are in markets with uneven database coverage and where the client faces regulatory obligations in their home jurisdiction. Adjust the weights if your programme is domestic-only or operates in corridors with strong centralised databases.

TPRM and compliance (35%): Evidence chain quality, audit trail completeness, per-corridor methodology, subcontractor disclosure, regulatory compliance documentation
Information security (25%): Encryption standards, access controls, certifications (SOC 2/ISO 27001), data residency, breach notification, penetration testing
Talent acquisition (20%): Per-corridor TAT commitments, escalation process, candidate experience, status tracking, SLA framework with penalties
Procurement (20%): Per-check pricing by corridor, volume tier transparency, contract flexibility, reporting, invoicing model

Why compliance is weighted highest for offshore programmes

In domestic screening, database coverage is typically strong and regulatory requirements are well understood. In offshore programmes, the opposite is true. Database coverage is patchy, institutional response norms vary by country, and the client's home-jurisdiction regulator may audit verification records that span multiple foreign markets. The vendor's ability to produce defensible evidence across these corridors is the single largest risk factor in the programme. Weighting compliance at 35% reflects this reality.

For each question, score vendor responses on a four-point scale:

Red flags in vendor responses

After evaluating dozens of BGV vendor RFP responses, certain patterns reliably indicate a vendor that resells a platform rather than operates a verification programme. The comparison below highlights what to watch for.

Red flags

  • "We have access to 500+ databases worldwide" without specifying which databases cover which institutions in your corridors.
  • TAT commitments stated as global averages rather than per-corridor, per-check-type figures.
  • Unable to provide a sample report showing the evidence chain for a completed check.
  • "Proprietary technology" cited as the verification method without describing what happens when the technology cannot resolve a case.
  • Subcontracting arrangements described vaguely or not disclosed at all.
  • Security certifications cited without specifying scope. SOC 2 for a corporate office does not cover BGV operations if they run from a different facility.
  • "We comply with all applicable regulations" without naming specific regulations or describing how compliance is maintained per jurisdiction.

Strong signals

  • Per-corridor methodology descriptions that name specific databases, institutional contact methods, and escalation paths for each country.
  • TAT commitments broken down by country and check type, with percentile targets rather than averages.
  • Sample report provided with full evidence chain: source, method, contact name, date, and discrepancy resolution.
  • Clear description of what happens when technology or databases cannot resolve a case: human escalation, institutional contact, field verification.
  • Named subcontractors with documented quality controls and client approval rights.
  • Security certifications with scope explicitly covering BGV data processing. Penetration test summary available on request.
  • Jurisdiction-specific compliance documentation, naming the applicable regulation and the legal basis for processing in each corridor.

The "technology-first" tell

Vendors that lead with technology capabilities (AI-powered verification, automated credential matching, proprietary algorithms) are often describing their database lookup process in more sophisticated language. Technology is a tool, not a methodology. The question is always: when the technology returns an inconclusive result, what happens next? If the answer is "the case is marked unable to verify," the vendor has no escalation capability. If the answer is "an analyst contacts the institution directly," the vendor has an operating model. The distinction matters.

Next steps

This RFP template provides the question framework. The following resources help you evaluate specific dimensions of a vendor's capability in more depth:

Related resources

  1. Verification depth: database vs source: deep dive on the four levels of verification depth and why database-only checks fail in most corridors.
  2. Audit defensibility: what regulators and auditors look for when they sample your verification records.
  3. Data handling: how candidate PII should be managed across the verification lifecycle.
  4. Compliance brief: overview of regulatory requirements across the corridors OutsourceVerify covers.
  5. Security posture: OutsourceVerify's security certifications, controls, and data handling practices.