Facing an SCRA Consent Decree: What Your Organization Must Do and How to Prepare

SCRA consent decrees are not just penalties. They are operational mandates that reshape how your organization works for years.

Greystar is under DOJ monitoring for five years. CarMax for four. Santander was monitored for five. When Westlake Financial violated the terms of its original 2017 consent decree, the DOJ discovered the breach during routine monitoring and imposed an additional $225,000 settlement in 2022. Consent decrees do not end when the check clears. They begin.

If your organization is facing an SCRA investigation, negotiating a consent decree, or simply trying to understand what compliance looks like when the DOJ is watching, this is what you need to know.

What Every SCRA Consent Decree Requires

The DOJ has settled SCRA cases with property managers, auto lenders, banks, and military housing operators. The specifics vary by case, but the core requirements are remarkably consistent. Every recent consent decree includes the same six elements.

1. DMDC Verification Before Adverse Actions

Every consent decree requires the organization to verify military status through the Defense Manpower Data Center (DMDC) before taking any adverse action: evictions, repossessions, foreclosures, or default judgments.

CarMax’s 2026 consent decree specifically requires DMDC verification to be built into the repossession workflow. Santander’s 2015 consent order required DMDC checks before any repossession. Greystar must verify military status before applying early termination fees.

The pattern is clear: the DOJ does not accept manual processes, self-reported status, or point-in-time checks as adequate. Verification must be systematic, documented, and integrated into existing workflows, not bolted on as an afterthought. See our analysis of why manual DMDC lookups aren’t enough.

2. Policy and Procedure Submission

Organizations under consent decrees must develop written SCRA compliance policies and submit them to the DOJ for approval. This is not optional and it is not a formality. The DOJ reviews these materials and can require modifications.

Santander’s consent order required submission of SCRA-compliant policies and procedures for motor vehicle repossessions, procedures for processing SCRA relief requests, and staff training materials. The DOJ had 45 calendar days from receipt to raise objections.

CarMax must send DOJ officials its proposed SCRA policies and procedures for motor vehicle repossessions, including how it reviews military service information provided by borrowers and how it searches the DMDC database.

If your policies are vague, incomplete, or fail to address the specific violations that triggered the investigation, the DOJ will send them back.

3. Mandatory Staff Training

Every consent decree mandates SCRA training for all personnel who interact with servicemember accounts. Training materials must be submitted to the DOJ for review, and training must be documented: who was trained, when, and on what material.

Typical requirements include initial training for all existing personnel within 60 to 90 days of the consent decree, training for new hires within 30 days, annual refresher training, and additional training when policies change.

The DOJ views training failures as a root cause of violations. Greystar’s leasing agents charged early termination fees because no one told them to check military status first. Santander’s collections staff initiated repossessions because they did not know about the court order requirement. Training is the first thing the DOJ fixes because it is usually the first thing that was broken.

4. Victim Remediation

Consent decrees require the organization to identify and compensate every affected servicemember. This includes direct financial compensation: Greystar set aside $1.35 million, CarMax paid $15,000 plus lost equity per servicemember, Hyundai Capital America paid $10,000 plus lost equity per servicemember.

It also includes credit repair. CarMax must request deletion of all negative credit reporting for affected servicemembers. Hyundai was required to repair servicemembers’ credit. PRG Real Estate was required to conduct credit repair for all 127 servicemembers affected by its 152 unlawful default judgments.

Organizations typically must notify affected servicemembers by letter within 30 days and establish multiple contact methods (email, website, and toll-free phone number) for affected individuals to reach the company.

5. Monitoring Period and Quarterly Reporting

Consent decrees impose monitoring periods of three to five years. During this period, the organization must submit quarterly reports to the DOJ documenting its compliance activities.

Greystar: five-year monitoring period with quarterly DOJ reporting. Santander: five-year consent order with court-retained jurisdiction. CarMax: four-year consent decree.

Quarterly reports typically cover the number of DMDC verifications conducted, any adverse actions taken against servicemember accounts, training activities completed, complaints received related to SCRA, and any instances where the organization identified and corrected a potential violation before it occurred.

The DOJ reviews these reports. When Westlake Financial failed to apply the 6% interest rate cap retroactively to the date orders were issued (a requirement of the original 2017 consent decree), the DOJ discovered it during monitoring and imposed the additional 2022 settlement.

6. Independent Audit

Several consent decrees require the organization to hire an independent consultant or auditor to review historical transactions and verify ongoing compliance.

Greystar was required to hire an independent consultant to audit lease terminations dating back to 2018. This is how the DOJ ensures that the full scope of violations is identified and remediated, not just the cases that triggered the original investigation.

Civil Penalties

On top of remediation costs, consent decrees include civil penalties paid to the United States. As of the July 2025 inflation adjustment, SCRA civil penalties are $79,380 for a first offense and $158,761 for subsequent offenses, per violation, not per case. For a full breakdown of recent penalties, see our SCRA enforcement trends report.

Recent civil penalties: Greystar paid $77,370. CarMax paid $79,380. Hyundai Capital America paid $74,941. These are single-penalty amounts. Organizations with hundreds or thousands of affected accounts face exposure that scales quickly.

The Real Cost Is Not the Fine

The direct financial penalty is often the smallest part of an SCRA consent decree. The real cost is operational. For a detailed cost analysis, see the true cost of manual SCRA compliance.

Years of DOJ oversight. Every policy change, training program, and operational procedure must be developed, documented, submitted, reviewed, and approved. The DOJ effectively becomes a co-manager of your compliance function for three to five years.

Independent audits. Hiring external auditors to review years of historical transactions is expensive and time-consuming. The audit scope is set by the DOJ, not by you.

Credit repair obligations. Correcting credit reporting for dozens or hundreds of affected servicemembers requires coordination with all major credit bureaus, individual letter campaigns, and follow-up verification.

Technology mandates. Greystar’s consent decree requires the company to adopt SCRA-compliant software. CarMax must integrate DMDC verification into its repossession workflow. These are not suggestions. They are court-ordered requirements with specific timelines.

Reputational damage. Every SCRA settlement is published as a DOJ press release. It shows up in Google searches, industry publications, and competitor sales materials. Greystar’s settlement was covered by Multifamily Dive, Propmodo, and national media. CarMax’s was covered by Army Times, Fox Business, and CBS News.

How to Prepare Before the DOJ Calls

If your organization is not currently under investigation, the best time to build compliance infrastructure is now. The consent decree requirements listed above are not arbitrary. They represent what the DOJ considers minimum acceptable compliance. Building these capabilities proactively costs a fraction of building them under a consent decree.

Implement automated DMDC verification. Every consent decree requires it. Do not wait until a settlement agreement mandates the technology. Integrate military status verification into your adverse action workflows (repossessions, evictions, foreclosures, default proceedings) so that no action proceeds without a documented status check.

Write and document your policies. If you cannot produce written SCRA compliance policies today, you are not compliant. Document your procedures for military status verification, each type of adverse action, SCRA relief processing, staff training, and record-keeping. Write them to the standard the DOJ would require.

Train your staff. Cover who the SCRA protects, what protections apply to your specific business, how to verify military status, what to do when military status is confirmed, and how to document everything. Do it annually. Document attendance. See our guide to what the DOJ expects from SCRA training programs.

Build your audit trail. Every verification, every decision, every action should be documented and retrievable. When the DOJ asks for records (and they will), you need to produce them quickly and completely.

Monitor continuously. Reservists and National Guard members cycle between civilian and active-duty status. A borrower who was civilian at origination may be active duty at the time of a collections action. Single point-in-time checks are not sufficient. Ongoing monitoring is what the DOJ expects.

Run your own audits. Review historical transactions for potential SCRA violations before a regulator does. If Greystar had audited its lease termination fees for military tenants before the DOJ investigated, it could have identified and corrected the issue at a fraction of the cost.

What Triggers a DOJ Investigation

Understanding how investigations begin helps organizations assess their risk. Based on recent cases, the DOJ Servicemembers and Veterans Initiative receives cases through several channels:

Servicemember complaints. Santander’s $9.35 million investigation was triggered by a single complaint from an Army Specialist whose car was repossessed during basic training. One complaint is enough.

CFPB referrals. The CFPB receives and analyzes servicemember complaints. Patterns get referred to the DOJ Civil Rights Division for enforcement action. See our analysis of how CFPB changes affect SCRA enforcement.

DOJ monitoring of existing consent decrees. Westlake’s 2022 settlement resulted from the DOJ monitoring its 2017 consent decree and finding new violations.

State attorney general referrals. State AGs can investigate independently. Washington State’s AG added a separate $46,000 settlement against Olympic Management independent of any federal action. See our overview of state-level military protections.

Proactive DOJ enforcement. The DOJ Servicemembers and Veterans Initiative, led by the Civil Rights Division, conducts affirmative investigations. The SCRA Enforcement Support Pilot Program has placed dedicated Assistant U.S. Attorneys in districts with large military populations.

Servicemember complaints hit 84,600 in 2023, up 98% from 2021. More complaints mean more investigations. The question is not whether your organization will face scrutiny, but when.

The Bottom Line

Every organization that has been through an SCRA consent decree was required to build the same infrastructure: automated DMDC verification, written policies, staff training, audit trails, and continuous monitoring. Every one of them spent more building it under DOJ oversight than it would have cost to build it proactively.

The consent decree requirements are a blueprint. They tell you exactly what the DOJ considers adequate SCRA compliance. You can build to that standard on your own terms and timeline, or you can build to it on the DOJ’s.

civrel.io automates SCRA compliance end-to-end: DMDC verification integrated into your workflows, proactive monitoring for military status changes, audit-ready documentation, and the reporting infrastructure consent decrees require. Whether you are under a consent decree or building a compliance program to avoid one, the requirements are the same.

---

152 default judgments. $1.59 million. That’s what PRG Real Estate paid for filing evictions without checking military status. How many evictions did you file last year without a DMDC verification?

Check Your Exposure → · See Pricing →