Covered isn’t compliant: What security firms get wrong about scheduling

Security Guard Management /

Covered isn’t compliant: What security firms get wrong about scheduling

Post Orders Aren’t the Problem. Disconnected Systems Are.

There’s an assumption baked into most security operations: if a shift is covered, it’s covered correctly. Covered and compliant, though, are two different things. The gap between them is where wage liability, certification violations, and joint employer exposure quietly accumulate, shift by shift, until they don’t.

Recent enforcement activity makes this concrete. In April 2023, the U.S. Department of Labor ordered a California security firm to pay 54 guards a total of $78,000 after finding the company had illegally denied overtime pay and attempted to conceal the hours by recording them as training, bonuses, and reimbursements. A separate DOL action that year targeted a Chicago security company for misclassifying guards as independent contractors, resulting in over $450,000 in back wages and damages.

These cases look like payroll problems. They’re not. They started in scheduling workflows.

The credential trap: Deployed before they were qualified

Many jurisdictions legally prohibit deploying uncertified workers in defined security officer roles. Washington, D.C. requires that security officers working in office buildings receive wages based on the Guard 1 classification established by the U.S. Secretary of Labor under the Service Contract Act, Office of Attorney General a rate tied explicitly to certified officer status. As of July 2024, that rate is no less than $19.39 per hour plus $4.98 in fringe benefits.

Here’s the trap: a guard deployed before obtaining required certification may be ineligible for the protected wage rate retroactively, while the firm may have simultaneously violated deployment law. It’s a double exposure, and it’s not a manager making a bad call. It’s a scheduling system with no guardrails.

When Trackforce’s credential tracking is active, ineligible guards are blocked from being assigned to protected posts before the shift is ever built. Expiry alerts surface renewal windows proactively. The system enforces the rule so your scheduler doesn’t have to remember it at 11pm when they’re trying to fill a last-minute opening.

The title trap: What you call the role doesn’t matter. What they do does.

Courts and labor regulators are increasingly focused on actual duties performed, not the job title on the contract or the pay stub. A “lobby ambassador” or “site monitor” who patrols, controls access, responds to alarms, and removes trespassers is a security officer under most statutory definitions, regardless of what the client contract says.

This is a classification risk that compounds across hundreds of posts over time. And it’s hard to defend against after the fact, when the only documentation of role duties is a loosely worded job description written to avoid regulatory thresholds.

When shifts are built in Trackforce against defined post templates with documented duty sets, the firm creates an auditable record of what each role actually entails. That documentation is your first line of defense in any classification dispute, and it forces the conversation to happen at contract time, not in discovery.

The joint employer trap: A direct warning for corporate clients

If your organization manages contract security, this section is about you.

The NLRB’s 2023 joint employer rule dramatically lowered the threshold for classifying a contracting entity as an employer, The Harvard Crimson and enforcement has followed. In a high-profile 2023 case, the NLRB alleged that Harvard University was a joint employer of those guards, a finding that labor law experts said could significantly change how the university manages contractor relationships. The core issue: Harvard dictated scheduling requirements, set conduct policies, and served as the primary contact for contract performance.

Many enterprise clients don’t realize their standard vendor management practices, including detailed post orders, direct supervisor contact, and regular performance reviews, can read as joint employment in a courtroom. Under the NLRB’s expanded framework, an entity can be considered a joint employer even if it has only the authority to control a term of employment, not just when it actively exercises that control. WTW

The Trackforce answer for corporate buyers is straightforward: compliance visibility without operational control. A facility manager can confirm in real time that every post is covered by a currently certified guard, without directing how those guards perform their duties. That’s the distinction that matters legally. You’re buying assurance, not supervision.

Compliance begins with accurate scheduling workflows

Most scheduling tools are built to solve a coverage problem. Fill the shift, close the gap, move on. In regulated industries like security, that framing is a liability.

Who fills the shift matters as much as whether it’s filled. The scheduling workflow is where compliance is either built in or left out, with no visible signal when it’s been left out.

The Trackforce workflow loop closes that gap systematically: credential expiry detected, guard flagged, blocked from ineligible posts, supervisor alerted, replacement sourced from qualified pool, shift filled with a documented compliance record. Payroll integrity follows naturally. When the right person is in the right role with a time-stamped credential record, wage rate disputes have a clear paper trail.

The trend line isn’t moving in a favorable direction

Wage protection laws for security officers are expanding across U.S. jurisdictions. Class action litigation means a single systemic scheduling flaw can scale across thousands of shifts and dozens of plaintiffs. Plaintiff attorneys are increasingly sophisticated about how scheduling systems work and what they fail to document.

The firms best positioned aren’t those with better policies. Most firms have the right policies. The gap is between policy and enforcement, and that gap lives in the scheduling workflow. A policy that says “only deploy certified guards” doesn’t help if your scheduling system has no way to act on it.

The question your scheduling system should answer

The compliance question in security operations isn’t whether your firm has a certification policy. It’s whether your scheduling system knows about it and whether it acts on it before a shift is assigned, not after a violation surfaces.

That’s the difference between a compliance program and a compliance record.

See how Trackforce automates credential compliance across your scheduling workflow with its Business Administration suite of tools.

Frequently Asked Questions

Yes. In jurisdictions with protected wage rates tied to certification status, such as Washington, D.C., deploying an uncertified guard to a covered post creates two simultaneous exposures: a potential deployment law violation and a wage rate violation. The firm may owe back wages at the protected rate even if the guard was paid at the standard rate at the time of deployment. The risk compounds when firms lack documentation showing which guards held valid credentials at the time each shift was worked.

Joint employer liability means a client organization can be held legally responsible for wage and labor violations committed by their security contractor, even if they never directly employed or paid the guards. Courts and the NLRB look at how much control the client exercises over the guards’ day-to-day work. Factors that can establish joint employer status include setting schedules, issuing conduct policies, maintaining direct supervisor contact with guards, and conducting performance reviews. Enterprise security clients who manage their contract programs closely are at higher risk than those who rely on the contractor to manage operations independently.

The most defensible approach is a time-stamped, system-generated compliance record that links each shift assignment to the guard’s credential status at the time of scheduling. Manual records, spreadsheets, and after-the-fact documentation are difficult to defend in litigation because they can be altered and don’t establish what the firm knew at the moment the shift was filled. Scheduling platforms that block uncertified guards from ineligible posts and generate an automatic audit trail provide the clearest evidence that the firm acted in compliance before deployment, not after a violation was identified.

For wage and labor law purposes, the job title on a contract or pay stub is largely irrelevant. Regulators and courts look at the duties actually performed. A worker called a “site monitor” or “concierge” who patrols, controls access, responds to incidents, and removes unauthorized individuals will typically meet the statutory definition of a security officer in most U.S. jurisdictions. This means they may be entitled to certification requirements, protected wage rates, and other protections that apply to security officers, regardless of how the role was labeled in the contract.

The key compliance features to look for are automated credential verification at the point of scheduling (not just as a periodic audit), expiry alerts that surface upcoming renewals before a guard becomes ineligible, post templates that document defined duty sets for each role, and a complete audit trail that records who was assigned to each shift, when, and what their credential status was at the time. Firms operating across multiple jurisdictions should also look for software that can apply different compliance rules by location, since wage protection requirements and certification mandates vary significantly by state and city.

Follow email icon