Building an SCRA Compliance Program: The Consent Decree Standard

Every DOJ SCRA consent decree imposed on a company (property manager, auto lender, bank, or storage operator) has required the same six components. The components do not vary by industry, company size, or violation type. Whether you manage 50 apartments or service 500,000 auto loans, the DOJ expects the same compliance infrastructure.

This guide explains each component, why the DOJ requires it, where companies fail, and how to implement it correctly. It is drawn from public consent decrees, DOJ settlement agreements, and the enforcement record of over $150 million in SCRA penalties since 2011.

You can build these components voluntarily, or the DOJ can require them after a settlement. The components are identical either way. The difference is whether you spend thousands on prevention or millions on remediation.

---

Why a Compliance Program Matters

The SCRA is not a paperwork exercise. It is a federal law that protects servicemembers from adverse civil actions while they serve. When companies violate it (by repossessing vehicles, foreclosing on homes, charging illegal fees, or filing false affidavits) the DOJ investigates and imposes penalties.

Since 2011, the DOJ has recovered over $150 million for approximately 149,000 servicemembers through SCRA enforcement. The enforcement pace is accelerating: 2025 and 2026 have seen settlements against Greystar, JWB, New City Funding, and CarMax, with the DOJ and CFPB issuing a joint warning letter to financial institutions in December 2024.

SCRA enforcement is bipartisan: 24 enforcement actions under the Trump administration, 27 under the Biden administration. Compliance is not optional regardless of the political environment.

The case for a formal compliance program is straightforward: every company the DOJ has penalized lacked one. Every consent decree requires building one. Companies that build them voluntarily avoid the enforcement action entirely.

---

The Six Components

1. Written SCRA Compliance Policy

What the DOJ requires:

A written policy that defines when and how the company will comply with the SCRA. The policy must be submitted to the DOJ for approval (under a consent decree) or reviewed internally (if voluntary). It must be accessible to every employee whose role can trigger an adverse action against a servicemember.

What the policy must cover:

• Scope: Which business processes are covered: evictions, repossessions, foreclosures, lease terminations, fee assessments, court filings, interest rate adjustments, credit reporting, collections
• Verification requirements: When military status verification is required (before every adverse action, no exceptions)
• Prohibited actions: What cannot be done to a covered servicemember: self-help repossession, eviction without court order, early termination fees, interest above 6% on pre-service debt
• Protected actions: What the company must do: honor lease terminations, process interest rate requests, appoint counsel in default judgment proceedings
• Escalation procedures: Chain of action when a servicemember is identified: halt adverse actions, route to compliance, document everything
• Record retention: What records must be kept, for how long, and in what format

Where companies fail:

Most SCRA violations are not caused by employees deliberately ignoring policy. They are caused by the absence of policy. Wells Fargo’s repossession workflow had no SCRA step. Greystar’s software charged termination fees by default. PRG Real Estate’s leasing agents filed affidavits without checking military status. In each case, the company had no written policy defining how SCRA compliance should work.

How to implement it:

Draft the policy in plain language. Organize it by business process, not by statute section. A collections agent needs to know “check DMDC before every repo,” not “see 50 U.S.C. Section 3952(c).” Have legal counsel review it for completeness. Update it annually or whenever regulations, enforcement actions, or business processes change.

2. Staff Training

What the DOJ requires:

SCRA training for every employee whose role involves any adverse action against a customer or tenant: collections agents, leasing agents, property managers, recovery coordinators, foreclosure specialists, customer service representatives, skip tracers, and their managers.

Training must be provided at hire and annually thereafter. The company must document who was trained, when, what was covered, and how competency was assessed.

What training must cover:

• Which servicemembers the SCRA protects and how protection periods work
• How to verify military status through the DMDC database
• The specific SCRA provisions relevant to the employee’s role (repossession, eviction, interest rate cap, default judgment)
• What to do when a customer or tenant self-identifies as military
• How to process SCRA-related requests (lease termination, interest rate reduction)
• Documentation requirements
• Consequences of non-compliance, for the company and for the individual (false affidavit liability under Section 3931(c))

Where companies fail:

Two failure modes are common. First, training happens once and never again. Greystar trained staff on SCRA procedures, but the manual override process they trained on did not work at scale, and no one retrained when the process changed. Second, training is limited to compliance staff and does not reach frontline employees. The leasing agent who files the eviction paperwork, the collections agent who initiates the repo order. These are the people who must know the SCRA, because these are the people whose actions create violations.

How to implement it:

Build role-specific training modules. A collections agent at an auto lender needs different content than a leasing agent at a property management company. Keep modules short (30 to 60 minutes per role) and test for comprehension. Update content when enforcement actions introduce new compliance expectations. Our free training video series at civrel.io/training provides a starting framework.

3. Military Status Verification (DMDC)

What the DOJ requires:

Military status must be verified through the Defense Manpower Data Center (DMDC) database before every adverse action. No exceptions. No alternatives. DMDC is the DOJ’s recognized source for military status verification.

When to verify:

Industry	Verify Before
Property management	Every eviction filing, every fee assessment, every court action, every adverse action on a tenant account
Auto lending	Every repossession, every court filing, every adverse credit report, every collections action
Banking / mortgage	Every foreclosure, every default judgment, every adverse action on a loan
All industries	When a customer or tenant self-identifies as military; at regular intervals for all accounts in adverse status

Manual vs. automated verification:

Manual verification (logging into scra.dmdc.osd.mil and entering names individually) introduces three risks that the DOJ has specifically flagged:

1. It can be skipped. If the check depends on a human remembering to run it, it will eventually be forgotten. This is the root cause of every SCRA enforcement action in the database.

2. It doesn’t scale. A company with thousands of accounts in collections, delinquency, or eviction cannot manually check each one through a web portal.

3. It creates a documentation gap. Manual checks produce no automatic audit trail. When the DOJ asks for proof that you verified before every adverse action, you need system-generated records, not someone’s recollection.

Automated verification integrates the DMDC check into your workflow so it runs before every adverse action, with no human decision point to skip it. This is the standard the DOJ consent decrees now require.

Where companies fail:

CarMax is the most instructive recent case. Some borrowers told CarMax they were in the military. CarMax repossessed their vehicles anyway. Self-identification was present, but the process did not act on it. The failure was not information; it was workflow. The process did not route military-identified accounts to a compliance check.

Greystar is the counterpart in property management. The software charged fees automatically. Staff were supposed to manually waive them for military tenants. The manual override failed because it depended on someone remembering to do it for every military tenant at every property.

4. Documentation & Record Retention

What the DOJ requires:

Complete, organized, searchable records of every SCRA-related decision and action. Consent decrees specify minimum retention periods (typically 3-5 years) and require records to be producible on request during the monitoring period.

What to document:

• Every DMDC verification: date, query parameters, result, system or person who ran it
• Every adverse action taken or not taken, and the SCRA compliance basis for the decision
• Interest rate cap requests: date received, service dates, rate adjustment date, calculation method, confirmation sent
• Lease termination requests: date received, military orders, termination date, fee adjustments
• Court filings: military status affidavits, DMDC results attached, court orders received
• Communications with servicemembers about their SCRA rights
• Training records: who, when, what content, competency assessment results
• Policy updates and version history

Where companies fail:

Consent decree audits reveal that companies often cannot prove they verified military status, even when they did. Records are scattered across email, CRM notes, paper files, and individual employees’ memories. When the DOJ asks “show me the DMDC check for this repossession,” the company cannot produce it.

How to implement it:

Centralize SCRA compliance records in a single system. Every verification, every decision, every communication should be logged with a timestamp and traceable to the specific account and action. If you use automated verification, the system generates this audit trail automatically. If you use manual processes, build documentation requirements into each step, and audit for completion.

Retention period: 5-7 years recommended. DOJ consent decrees require 3-5 years, but the statute of limitations for private SCRA lawsuits can extend to 7 years. Keep everything.

5. Monitoring & Self-Assessment

What the DOJ requires:

Ongoing compliance monitoring to detect and correct violations before the DOJ finds them. Consent decrees typically require quarterly audits and annual self-assessments, with results documented and available for DOJ review.

Some consent decrees require hiring an independent third-party compliance monitor (at the company’s expense) to verify that the compliance program is functioning.

What to monitor:

• Quarterly audits: Sample adverse actions (evictions, repossessions, foreclosures, fee assessments) and verify that DMDC checks were performed before each one. Track the compliance rate. It should be 100%.
• Interest rate cap processing: Review timeline from request to implementation. Are requests being processed within 30 days? Are calculations correct? Are servicemembers receiving written confirmation?
• Training completion: Are all eligible employees trained? Are new hires trained within their first 30 days?
• Documentation completeness: Can you produce the DMDC verification for every adverse action in the sample?
• Annual self-assessment: A comprehensive review of all SCRA compliance processes. Identify gaps, document findings, implement corrective actions.

Where companies fail:

Monitoring is the component companies most often skip, and the one that would have prevented the most violations. Westlake’s interest rate failures were discovered during consent decree monitoring. If Westlake had been monitoring its own interest rate processing, it would have found the failures before the DOJ did.

Self-assessment is also where companies discover that their compliance program looks good on paper but fails in practice. A written policy that says “check DMDC before every repo” is meaningless if the quarterly audit reveals that 40% of repos had no DMDC check.

6. Escalation Procedures

What the DOJ requires:

A defined escalation path for when a servicemember is identified, whether through DMDC verification, self-identification, or any other means. The escalation must be immediate, documented, and result in a compliance review before any further action.

What the escalation path should include:

1. Immediate halt: All adverse actions against the identified servicemember are paused. No repossession, no eviction, no fee, no court filing proceeds until a compliance review is complete.
2. Compliance review: A designated compliance officer or team reviews the account within 24 hours. They determine which SCRA protections apply and what actions are permitted.
3. Legal consultation: If court action is needed (e.g., petitioning for permission to repossess under Section 3952), legal counsel is engaged.
4. Documentation: Every step of the escalation is documented: who identified the servicemember, when, what actions were paused, what the compliance review determined, what actions were taken.
5. Follow-through: The servicemember’s account is flagged for ongoing monitoring. If their status changes (e.g., discharge from active duty), the account is reviewed again.

Where companies fail:

The most common failure is the absence of a halt mechanism. The escalation exists on paper, but the system continues processing the adverse action while the escalation is in progress. The repossession order was already dispatched. The fee was already assessed. The eviction was already filed. By the time the compliance review reaches a conclusion, the violation has already occurred.

The solution is a system-level block: when a servicemember is identified, the system prevents adverse actions, not just flags them for review. This is the difference between a process that catches violations and one that prevents them.

---

Building vs. Buying

Companies have three options for SCRA compliance infrastructure:

Option 1: Build internally. Draft policies, build training programs, integrate DMDC verification into existing workflows, create documentation systems, establish monitoring cadences. This works for large organizations with dedicated compliance teams and engineering resources. It requires sustained investment: not just the initial build, but ongoing maintenance, updates, and monitoring.

Option 2: Bolt onto existing software. Add SCRA compliance steps to Yardi, RealPage, Entrata, or whatever platform you use. This is what Greystar attempted, and what failed. Generic platforms are not built for SCRA compliance. Adding manual override steps to automated processes creates the exact failure mode that cost Greystar $1.4 million.

Option 3: Purpose-built compliance automation. Use software designed specifically for SCRA compliance: automated DMDC verification, system-level blocks on adverse actions against protected servicemembers, continuous monitoring of status changes, audit-ready documentation generated automatically.

civrel.io is Option 3. We built it because Options 1 and 2 keep failing, and the DOJ keeps finding the failures.

---

The Compliance Program Self-Assessment

Use this framework to evaluate your current compliance program against consent decree standards:

Component	Question	If the Answer Is No
Written Policy	Do you have a written SCRA compliance policy accessible to all relevant staff?	Draft one. Model it on consent decree requirements.
Training	Are all employees in adverse-action roles trained on the SCRA at hire and annually?	Build role-specific training. Our free videos (civrel.io/training) are a starting point.
DMDC Verification	Is military status verified before every adverse action, with no way to skip the check?	This is the most critical gap. Automate it.
Documentation	Can you produce the DMDC verification for any adverse action from the past 3 years?	Centralize your records. Build the audit trail now.
Monitoring	Do you audit a sample of adverse actions quarterly for SCRA compliance?	Start auditing. The first audit will tell you where you stand.
Escalation	When a servicemember is identified, does your system halt adverse actions automatically?	Build the halt mechanism. Flagging is not enough.

If you answered “no” to any of these questions, your organization has the same structural gap that led to enforcement actions against Greystar, Wells Fargo, PRG Real Estate, Santander, Capital One, Westlake, CarMax, and every other company in the DOJ’s SCRA enforcement database.

---

Next Steps

1. Assess your current compliance: Download our free SCRA Self-Assessment Checklist (civrel.io/resources), covering 49 items across 8 compliance areas, built to consent decree standards
2. Review enforcement actions: See every DOJ settlement on our SCRA Enforcement Tracker (civrel.io/enforcement)
3. Train your staff: Watch our free training video series at civrel.io/training
4. Automate verification: civrel.io replaces manual DMDC lookups with automated, continuous military status verification, with audit-ready documentation and system-level blocks on adverse actions

---

Sources: DOJ Consent Decrees (justice.gov/servicemembers/cases); DOJ Press Releases; CFPB Servicemember Resources; 50 U.S.C. Sections 3901-4043.

This guide is for educational purposes only and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organization.

© 2026 civrel.io. All rights reserved.