Recruitment and verification in the age of AI
- 2 days ago
- 4 min read
Trust, but verify. Unfortunately, in the age of Artificial Intelligence, this adage is getting increasingly more tenuous, especially in the field of recruitment. AI has enabled fraud at scale and in South Africa, where unemployment is at an all-time high and there is unfortunately a prevailing culture of ‘moral flexibility’, verification processes have become increasingly complex but more necessary than ever.
How is AI enabling fraud in recruitment?
AI is making traditional fraudulent actions so much easier, and ‘fraud as a service’ has become an actual business, because it can be offered at scale with the use of AI.
Some examples:
Synthetic ID’s – Creating a profile which combines real and false data, comprising qualifications, employment history, online activities and social media profiles.
CV’s crafted by AI which does not give a real reflection of the candidate, but focuses on exploiting keywords and on fooling ATS systems.
Deep fake videos – Showing someone doing or saying things that is done or said by someone else. This can happen when conducting live video assessments or job interviews online, or checking references with someone over an electronic medium.
Assessments that are not completed by the candidate, but are being outsourced to a third party, or by the provision of scripted answers.
Cloned voices, spoofed emails, false third-party communications (such as correspondence seemingly from universities or previous employers).
Using AI to run your recruitment / verification processes also has its risks: think algorithmic bias, the inability to defend/explain decisions to appoint or not, indirect discrimination by excluding people on certain grounds without any context evaluation as may be required by law.
Why is failure to authenticate a risk for business?
It is not just about a bad hire. Yes, if the new employee is (inevitably) found to be unable or unwilling to perform as required for the role, it causes all sorts of headaches for HR as well as Operations. It takes time and money to try and rectify this, or ultimately to dismiss the employee, all the while without the work actually getting done and putting stress on the team.
Employing a dodgy person however also has other, inherent risks. They will be gaining access to your customer data, confidential information, trade secrets and internal systems. This opens the door to further adverse actions – cyber crime, corruption, financial losses, reputational harm, security compromises, leaked information, and so on.
What must organisations do to limit these risks?
It calls for an enhanced due diligence process when embarking on recruitment. Ideally, an internal governance process that is designed specifically for your business and that provides for various touch points and cross-referencing relating to a prospective candidate, to see if the total picture ‘adds up’.
However, this does not mean that recruiters can demand all sorts of information with impunity under the guise of verification. POPIA and the right to privacy is still very much an active consideration, and should be reflected in this process. And importantly – ‘consent’ from the candidate is not a magic wand to get past this. If a prospective employee is asked for consent to investigate their private information and they refuse, disqualifying them on that basis when the employer is unable to justify why that specific information is actually relevant to the job applied for, could lead to a legal challenge. (Think credit checks for example – are these really necessary for all roles?)
Verification processes must be lawful, necessary, transparent and proportionate and the challenge is how to balance this with the need for increased verification.
How could this be achieved?
Employers have to become very targeted in this process and ‘privacy by design’ has to be front and centre when formulating an internal due diligence process for recruitment and onboarding.
Here are some pointers:
Start with a very clear job description and a role-based screening matrix for each specific position. Steer away from generic/standardised templates and tick-box exercises. Make sure you are able to justify why you need specific information for verification and onboarding purposes in that specific role. Ensure that all of the 8 conditions for lawful processing of personal information under POPIA are complied with.
Get short-listed applicants to personally complete and sign a custom Application Form, rather than just relying on CV’s or applications submitted online.
Transparency is king. Have documents ready to share with job applicants (and new employees) that comply with the requirements of POPIA. These could include access to the organisation’s privacy policy, details of the information officer and importantly, a privacy notice that relates to the specific role and explains how the person’s private information will be processed (obtained, used, shared, stored) and what will happen to it after the recruitment process.
Using AI for verification purposes also has its own privacy risks – e.g. how secure is the AI tool you use, would candidates’ personal information be uploaded into an open AI platform, what are the restrictions on further use of that data under the AI vendor’s licence, cross-border transfer of (special) personal information, etc..
Conclusion
Employers and recruiters will have to review their current recruitment and verification processes and documentation to stay on top of real world changes and technological developments. Governance processes in this regard have to become much more targeted and specific in order to be effective and legally defensible.
Prospective employees must also keep in mind that, should it be uncovered that they were less than honest during the recruitment process, this could have serious repercussions, including criminal prosecution and dismissal for dishonesty. It is not an excuse to say ‘everybody does it’ or 'I used AI'. The consequences will be yours alone.
© Judith Griessel
[Credit: Excerpts from LexisNexis webinar by Ahmore Burger-Smidt]
