The TNCD did not ensure that transportation network companies conducted background record checks of their drivers and that they levied sanctions against drivers whose Clearance Certificates were suspended or revoked.

During our audit period, the Transportation Network Company Division did not effectively monitor transportation network companies (TNCs) to ensure that they conducted national background record checks of all rideshare drivers. We requested and reviewed reports of all quarterly audits performed by the division during the audit period and noted that the division had only performed one of the seven required quarterly audits of the national background record check information maintained by Uber and Lyft. The audit was for the period April 3, 2017 through June 30, 2019, and the division did not complete it until June 2020. As a result of these issues, the division cannot be certain that all the TNCs' rideshare drivers are qualified to work for them.

We selected a statistical sample of 53 of the 195 rideshare driver applications that were submitted to TNCs during our audit period. We reviewed copies of of criminal and driving records to ensure that background record checks were conducted using each applicant's license number, name, age, and license expiration date, and we reviewed each applicant's criminal history search, multistate driving history search, and sex offender national search for disqualifying events according to the suitability standards in Appendix B. Based on our test results, 2 of the 53 rideshare driver applications selected contained incidents that should have precluded the applicants from passing a national background record check. One applicant had a motor vehicle incident, and one had not had a multistate driving history search performed. Both drivers had been hired by the same TNC; there was no documentation of why the TNC had hired them. These rideshare driver applicants who passed TNCs’ national background record checks had criminal records or motor vehicle incidents (such as a lack of a valid driver’s license) that should have precluded them from being hired.

We selected a statistical sample of 58 of 851,334 rideshare drivers who worked for TNCs during the audit period to ensure that a six-month background record check was conducted using each driver's name, age, and driver's license number and expiration date. We reviewed each applicant's criminal history, multistate driving history, and sex offender national search for disqualifying events according to the suitability standards in Appendix B. For 20 of the 58 rideshare drivers in our sample, there was inadequate documentation that the TNC had conducted the most recent six-month national background record check. These rideshare drivers who had not had the most recent six-month background record check could present a safety risk to riders.

The Transportation Network Company Division did not request any information from TNCs to determine whether they had implemented the required penalties against rideshare drivers whose Clearance Certificates the TNCs had suspended or revoked or whether ineligible drivers were denied access tot he TNC's digital networks to prevent them from picking up riders. This issue presents a safety risk to riders. (See the previously mentioned scope limitation.)

According to Para. 5 of the TNC permit issued to Uber on February 13, 2019, which expired February 13, 2020 (Permit No. 2019-TNCDP-02),

From time to time, the Division will request information and/or records from the TNC to ensure compliance with M.G.L. c. 159A 1/2, 220 CMR 274.00, and D.P.U. 17-81-A, as well as to ensure compliance with other orders and directives issued by the Division. The TNC shall respond to such requests in timely manner and in accordance with M.G.L. c. 159A 1/2 and 220 CMR 274.00.

Section 274.06 of Title 220 of the Code of Massachusetts Regulations (CMR) states,

(2)(a)   A TNC shall conduct a nationwide background check for each Driver, which shall, at a minimum, include a review of the following:

1. Multi-state criminal history database;
2. Multi-state motor vehicle driving history database; and
3. U.S. Department of Justice National Sex Offender Public website.

(2)(b)   A TNC shall conduct a nationwide background check for each Driver not less than once every six months. . . .

(3)(d)   If the Division learns of and verifies a Driver's arrest for a crime or a Driver's citation for a driving infraction that would render the Driver unsuitable to provide Services . . . the Division shall immediately suspend or revoke the Driver's Clearance Certificate and notify the relevant TNC(s). After having been so notified, the TNC shall immediately suspend or revoke the Driver Certificate until the Division determines otherwise.

The regulation 220 CMR 274.13(3) states, “The Division shall quarterly audit records relating to 220 CMR 274.06(2).” These records would include copies of criminal, sexual offender, and motor vehicle background record checks.

In its reply to our draft audit report, management at the Department of Public Utilities (DPU) stated that it believed it was not required to perform all of the quarterly audits of TNCs in question because the final version of 220 CMR 274.13(3) was not in effect during the entire audit period:

From October 1, 2017 to February 12, 2019, the TNCs were governed by memoranda of understanding (“MOUs”) between the Department of Public Utilities and the TNCs (the “MOU Period”). From February 13, 2019 to August 31, 2019 (and beyond) TNCs were governed by the permits issued by the Division pursuant [to] the recently adopted Chapter 159A 1/2 of the General Laws and associated regulations (the “Permit Period”). . . . The later adopted Permit Period regulations include a number of requirements that did not apply during the MOU Period.

However, in our opinion, the Transportation Company Division was required to comply with this regulation once it became effective on September 22, 2017, before the beginning of our audit period. Although the division had the ability to waive this regulatory requirement “on its own motion, or for good cause shown” pursuant to 220 CMR 274.19, it did not invoke this waiver provision.

In addition, the Transportation Network Company Division has not established written policies and procedures for auditing TNCs or monitoring any actions taken by TNCs against individuals whose Clearance Certificates have been suspended or revoked.

The Transportation Network Company Division should establish written policies and procedures for auditing TNCs and establish a monitoring process to ensure that TNCs take appropriate actions against rideshare drivers whose Clearance Certificates have been suspended or revoked.

The Transportation Network Company Division (“Division”) disagrees with this generalized finding and with a number of related, subsidiary findings noted below. The [Office of the State Auditor’s] incorrect assessments here result to a large degree from erroneously conflating two distinct sets of regulatory requirements for TNCs that applied during two different periods within the overall audit period. . . .

As background, when the Legislature enacted Chapter 159A 1/2 of the General Laws empowering the Division to regulate TNCs and requiring the Division to issue permits, a number of TNCs had already established substantial operations in the Commonwealth. To avoid shutting down the industry while the Division created regulations and permit requirements through the required, public regulatory process, the Legislature explicitly provided that “all transportation network drivers and transportation network companies operating in the commonwealth prior to the promulgation of regulations issued by the division . . . may continue to provide transportation network services.” St. 2016, c. 187, § 13. The Legislature in fact provided that TNCs and drivers did not even have to apply for all required permits and certificates until 120 days after the effective date of the Division’s regulations. Id.

In order to achieve the principal public safety benefits authorized by the TNC legislation during the period in which the development of a complete regulatory structure was underway, the Division established an interim regulatory oversight by entering into MOUs with the established TNC operators. Under the MOUs, for the first time, all drivers received a thorough secondary background check by the Division, following a primary background check by the TNCs. The MOUs were a critical interim measure to ensure public safety while we staffed the Division, established a first-in-the nation background-check system, promulgated comprehensive regulations pursuant to the procedural requirements of Chapter 30A, and went through the permit process with TNCs.

Finding 1a

The finding mistakenly states that during the audit period, the Division “only performed one of the seven required quarterly audits of the national background records checks information maintained by Uber and Lyft.” Quarterly audits were not required during the MOU Period; the requirement was implemented in the Permit Period. During the period of the [Office of the State Auditor’s] audit, therefore, only one quarterly audit was required. The Division conducted that audit. The Division conducted its first quarterly audit at the close of the Permit Period’s first full quarter in July 2019 and, consistent with 220 CMR 274.13(3), the Division has conducted the required audits every quarter since then.

While not required, the Division determined that the TNCs’ performance during the MOU Period should be examined and voluntarily conducted a single audit for that period. This audit was a larger undertaking that covered a substantially longer period and broader scope than a typical quarterly audit. The Division completed this audit in July 2020. While it showed, among other things, that the TNCs have strengthened their background check processes since 2017, the Division directed the TNCs to develop more robust internal controls of their background checks. The TNCs have since developed more standardized procedures for their background checks.

Additionally, in December 2019, the Division hired a full-time auditor. The Division’s written audits of TNCs are exhaustive. As part of the Division’s audit process, it establishes sampling methodologies, creates audit scopes and timelines, sets milestones, issues information requests, reviews and analyzes documentary evidence provided by TNCs, prepares a planning memo, and issues a final report. The Division is currently memorializing this existing process in comprehensive written policies and procedures.

In its response, DPU asserts that it was not required to perform quarterly audits of TNCs’ national background record checks during the memorandum of understanding (MOU) period and that the audits began in the permit period. DPU’s reliance on the MOU and permit periods is flawed, as DPU concedes its response that the MOUs were put in place as interim placeholders before the promulgation of 220 CMR 274. Once 220 CMR 274 became effective, as of September 22, 2017, the regulations therein—including the requirement of 220 CMR 274.13 that “the Division shall quarterly audit records relating to 220 CMR 274.06(2)”—superseded the MOUs and the permitting process. Further, if DPU wanted to continue to operate under the MOUs and waive its obligations under 220 CMR 274.13(3) to conduct quarterly audits, 220 CMR 274.19 provides such authority. However, neither the MOUs nor subsequent addenda refer to this waiver provision, and DPU has not provided any evidence that it invoked this waiver provision. Finally, whether or not the MOUs and permitting process were in place, Section 8 of Chapter 159A 1/2 of the Massachusetts General Laws gives DPU authority to obtain records related to 224 CMR 274.06(2):

Each transportation network company or applicant for a transportation network company permit shall furnish all information and documents related to the condition, management and operation of the company upon the division's request.

Therefore, in the opinion of the Office of the State Auditor (OSA), once 220 CMR 274.13(3) became effective on September 22, 2017, the regulation required the Transportation Network Company Division to perform quarterly audits of this information, and the division should have conducted seven such audits during our audit period. As noted above, in addition to the one quarterly audit the division conducted during our audit period, the division states in its response that in July 2020, it completed a broader “single audit” of TNCs that covered the entire MOU period back to April 2017. In OSA’s opinion, auditing TNC information back to April 2017 indicates that the division believes it should have been auditing TNCs as soon as 220 CMR 274.13(3) went into effect.

Delays in quarterly audits could allow unsuitable drivers to provide rideshare services, increasing risks to riders.

Based on its response, the division is taking measures to address our concerns in this area.  

Finding 1b

This finding is misleadingly stated and rests on an inaccurate assessment of the TNC initial background checks examined. The finding states that [two] drivers out of a random sampling of [53] driver applications should not have passed the initial TNC background check, due to. . . a disqualifying motor vehicle incident, and . . . an incomplete background check. As an initial matter, to be clear, none of these candidate drivers ever provided a single ride in Massachusetts. But the draft audit report’s broad statement also does not reflect the actual facts of the [two] underlying cases. . . .

The . . . two candidates [OSA] identified both received a national criminal background check. Those background checks showed that neither candidate had a disqualifying criminal offense. One candidate, however, had less than the required three years of driving experience and the other did not receive a driving history search by the TNC.

OSA acknowledges that the two applicants in question were not approved by the Transportation Network Company Division to work for a rideshare company in Massachusetts during the audit period. Our concern was that these applicants passed a national background record check by a TNC despite each having a disqualifying event in the background records. Further, we do not agree with the auditee’s assertion that this audit finding is misleading or based on an inaccurate assessment of TNCs’ initial (national) background record checks. As stated above, during our audit testing in this area, we found that 2 of the 53 rideshare driver applicants in our sample had disqualifying events in their records that should have prevented them from passing the background record checks.

Specifically, one of the two applicants only had seven days of driving experience instead of the mandatory 12 months, but passed the background record check. Not having the required minimum driving experience is a disqualifying event according to 220 CMR 274.21; therefore, the TNC should have denied this application. It should be noted that, based on its background record check, the Transportation Network Company Division denied this application, which supports OSA’s conclusion that the TNC should have denied it.

The second applicant’s file did not have documentation indicating that the TNC had performed a background record check. The lack of such a check is a disqualifying event according to 220 CMR 274.21, so the TNC should have denied this application. Based on its background record check, the Transportation Network Company Division also denied this application, which supports OSA’s conclusion that the TNC should have denied it.

Therefore, we urge the division to implement our recommendations on this matter.

Finding 1c

This finding is not correct. . . . In fact, out of the 20 drivers identified by [OSA], only one did not receive a required six-month background check within the required period. In that single case, however, that driver’s background check occurred 4 days after the required six-month background check period. For the other 19 drivers in [OSA’s] sample, no six-month background check was required.

The draft report’s miscalculation rests on two analytical errors. First, the draft report here again improperly applies to the MOU Period standards that became applicable only during the Permit Period. Six-month background checks were not required during the MOU Period. Second, even under the regulations applicable during the Permit Period and going forward, TNCs are not required to conduct a six-month background check on a person who is not an active driver. This is because inactive drivers do not have access to the TNCs’ platforms and cannot provide rides.

Of the 20 drivers identified by [OSA], 12 were under the requirements of the MOU Period, and therefore the six-month background check was not required. Four of the remaining identified drivers did not require six-month background checks because they were not active on the TNC platform. Three of the remaining four drivers were inadvertently submitted to the Division due to a data transmission error by the associated TNC that the Division identified at the time. Once informed of the error, the TNC withdrew those three submissions. Accordingly, the TNC did not provide [OSA] with the requested records because those drivers never applied to become Massachusetts TNC drivers and never provided a ride in Massachusetts. As a result, of the 20 drivers identified by [OSA], only one did not receive a timely required six-month background check. That check was only four days late.

Additionally, the Division notes that [OSA]’s methodology in calculating required timing for six-month background check[s] may have led to some mathematical inaccuracies. [OSA] appears to have calculated the six-month cadence for background checks based on 30-day months and did not consider that seven months have 31 calendar days. This miscalculation appears to have led [OSA] to conclude that certain background check cadences were off. Additionally, [OSA] appears to have assumed that both the criminal and driving record checks (the two parts of the background check) necessarily should occur at the same time. TNCs, however, start the respective checks at different intervals because some checks take longer than others to complete. This failure of [OSA]’s methodology to account for these sorts of appropriate variations appears to have led [OSA] to conclude that certain background check cadences were off when they were not.

Contrary to what DPU asserts in its response, the audit finding is accurate. As noted above, OSA believes that the requirement that TNCs perform six-month background record checks became effective when 220 CMR 274 was enacted on September 22, 2017 and that background checks were therefore required for all 20 of the drivers in question. Also as noted above, there was inadequate documentation that the TNC had conducted the most recent six-month national background record check for these 20 drivers.  

With regard to DPU’s assertion that 4 of the 20 drivers in question were inactive, the software application that DPU uses to search for information on rideshare drivers only records the current driver activity and status, without an effective date for that status. This is the software we used to conduct our testing in this area, and at the time our testing was conducted, the software did not show the 4 drivers in question as inactive.

The three drivers DPU says were inadvertently submitted to the Transportation Network Company Division because of a data transmission error were never identified by the division as part of such an error. Also, during our audit, the division never informed OSA of this situation or of why it could not provide background check documentation for these three drivers.

Although the Transportation Network Company Division asserts that our method for calculating the six-month interval for national background checks is inaccurate, calculating for a 31-day month affected the same number of drivers as calculating for a 30-day month. Calculating the six-month interval for national background record checks based on a 30-day month resulted in 49 occurrences of late reporting that affected 11 drivers. Calculating the same interval based on a 31-day month resulted in 33 occurrences of late reporting that affected the same 11 drivers.

Based on the issues we identified in this area, we again recommend that the Transportation Network Company Division develop written policies and procedures for auditing TNCs and monitoring actions taken by TNCs to ensure that they take appropriate actions against rideshare drivers whose Clearance Certificates have been suspended or revoked.

Finding 1d

This finding is formulated in a misleading way. The draft audit report states that the Division “did not request any information from [TNCs]” to determine whether drivers were prevented from accessing the TNCs’ platform after the Division denied them. This is not true. During the entire audit period, the Division has required the TNCs to provide this information, and it has established formal procedures to ensure that unsuitable drivers do not have access to the TNCs’ platform.

As part of normal business operations, the Division requires TNCs to provide information addressing driver suitability, including background check reports and rider/passenger feedback on the driver’s performance. The Division reviews this information to determine whether driver applications and appeals should be allowed or denied. Since 2017, the Division has conducted over 5,000 appeals of applicants denied by the Division. In those appeals, the Division reviews information regularly reported by the TNCs in order to determine whether the TNC promptly prevented a person from accessing its digital network and whether the driver should continue to be prevented from accessing the TNC’s platform.

Moreover, in January 2019, the Division established formal directives requiring TNCs to notify the Division of all driver deactivations to provide an additional means of assuring that TNC drivers who are not eligible to provide services have been denied practical access to drive. In January 2020, the Division began monthly driver roster checks to ensure that each TNC deactivated drivers that did not pass the Division’s background check or its continuous monitoring of [driver] criminal activity. More recently, in July 2021 the Division issued an order requiring TNCs to notify the Division weekly of all drivers that are deactivated for public safety reasons. . . .

The Division has a process to monitor that TNCs are preventing drivers’ access to their platforms when those drivers are suspended by the Division. First, every 24 hours the Division monitors whether a TNC has acknowledged receipt of a communication from the Division regarding an ineligible driver. Each month, the Division conducts a quality control review with all TNCs to confirm that the appropriate actions were taken based on Division communications. Further, TNCs must notify the Division every week of drivers that the TNCs have prevented from accessing their platforms due to safety reasons. The Division reviews the information provided by the TNCs to determine whether the Division should issue suspensions as well.

In its response, the division asserts that it obtains information from TNCs, including whether they have promptly prevented a person from accessing their digital networks, for rideshare drivers who are appealing the suspension or revocation of their Clearance Certificates. Even if this is true, in OSA’s opinion, the division should have obtained this information from TNCs for all rideshare drivers who had their Clearance Certificates suspended or revoked, not just those who were appealing a certificate suspension or revocation. The division also should have ensured that the receipt of this information was properly documented.

OSA acknowledges that 220 CMR 274.06(3)(d) requires TNCs and the division to notify each other when a driver is unsuitable and denied either a DPU-issued Clearance Certificate or a TNC-issued Driver Certificate. However, as noted above, during our audit the Transportation Network Company Division could not provide evidence that it had requested and obtained documentation from TNCs that drivers it had deemed unsuitable had been barred from the TNCs’ digital networks. During our audit, we asked division management for evidence to substantiate that it had requested this documentation. Management stated that division personnel confirmed by phone that TNCs had barred drivers from the networks, but did not routinely document the calls. Therefore, OSA attempted to obtain confirmation that the drivers had been barred directly from TNCs, but we were denied access to this information. (See the previously mentioned scope limitation.)  

In its response, the Transportation Network Company Division asserts that it has a process in place to ensure that TNCs prevent drivers’ access to their platforms when the division suspends the drivers’ Clearance Certificates; however, this process was not in place during our audit period.