What "Good" Defensibility Looks Like
Most property managers think defensibility is a legal thing. It’s not.
Defensibility is an operational safety net. It’s what protects you when someone asks, “Why was this applicant approved? Why was this one denied?” It’s what keeps inconsistencies from turning into fair housing complaints.
In my experience working across screening, fraud prevention, and tenant decisioning, this is the gap that gets operators in trouble. Not bad intent. Undocumented process. And it’s the only way to show that your decisions were consistent, explainable, and criteria-based.
Here’s where defensibility is actually built or lost.
It starts with the criteria, and whether you can prove what was active when
Written criteria sound obvious. They’re not. I’ve seen operators with screening “policies” that exist only in the head of whoever handles applications that week. When that person leaves, the policy leaves with them. That’s not policy. That’s tribal knowledge.
Good criteria are objective, easy to follow, and versioned. You should be able to answer “which rules were active on March 14?” without digging through emails. Every team, at every site, should be running the same version. And exceptions need to be documented so they’re explainable later, not just remembered.
When criteria drift, inconsistency creeps in. And inconsistency, not malice, is a major cause of fair housing exposure. Staff using old rules. Managers improvising. Decisions you can’t explain six months later.
This connects directly to consistency across your portfolio. If Site A denies what Site B approves, patterns form. Patterns turn into allegations. Allegations become complaints. And the operator is forced to defend the indefensible. One criteria set, trained the same way, monitored for drift. That’s one of the strongest fair housing protections you have.
You don’t own the data. You own what you do with it.
You don’t generate or verify public-record data. But you rely on it, so it needs to be understandable. The screening report should show final dispositions (dismissed, withdrawn, satisfied). Your team shouldn’t be relying on sealed or expunged items. (In many states, using them is prohibited by law. Requirements vary; confirm what applies in your jurisdiction.) You should catch obvious duplicates that inflate perceived risk, and request clarification when a record doesn’t match your criteria windows.
Most defensibility problems start right here. A dismissed case treated like a conviction. A duplicate eviction counted twice. An expunged item that shouldn’t have been used. A 12-year-old charge applied to a 7-year rule. You’re not responsible for fixing bad data. But you are responsible for not using it.
Adverse action and disputes are part of the decision, not afterthoughts
Most FCRA complaints involving PMCs don’t come from bad data. They come from bad communication.
Adverse action notices need to tell the applicant the real reason they were denied. Not “risk profile.” Not “pattern.” Not “overall score.” FCRA § 1681m requires notice before the adverse action is finalized, not after. The reason has to tie back to written criteria.
When applicants don’t understand why they were denied, disputes increase, complaints escalate, and legal exposure grows. Clear reasons reduce conflict and give your team defensibility when questioned.
Disputes work the same way. You’re not responsible for investigating them; that’s the CRA’s job. But you are responsible for handling them consistently. Timestamped intake. Sending the consumer to the correct dispute channel. Pausing decisions when appropriate. Filing the corrected outcome. And actually using the updated information, not the old version.
Most operators get exposed here because they keep relying on the old report, can’t show when the dispute was received, have no record of what changed, or staff don’t know what to do when a dispute comes in. Even if someone else investigates, you own the process impact.
Automation helps speed. It doesn’t help nuance.
Most public enforcement actions, including the HUD/DOJ SafeRent matter, point to the same issue: unexplained automation is risky automation.
Good screening processes add a human checkpoint for cases where automation might oversimplify. The reasoning gets documented. The decision ties back to criteria, not intuition. Voucher and nontraditional income cases get reviewed carefully, not to apply different criteria, but to make sure the standard criteria are applied correctly to non-traditional income structures. The goal is consistent application, not elevated scrutiny.
A quick human review prevents unsupported denials, uneven treatment, algorithmic bias allegations, and complaints you can’t answer. Humans don’t slow the process down. They protect it.
If you can’t reconstruct the decision, you can’t defend it
When something goes wrong, the first question is always: “Can you show me what happened?”
Most PMCs can’t. And when you can’t reconstruct a decision, you look inconsistent, unprepared, and exposed.
Set a simple internal standard: you can rebuild the full decision packet within 24 to 72 hours. That means the criteria version used, the applicant’s information, the screening reports, notes or decisions made, the adverse action notice if applicable, any dispute communications, and timestamps for each step.
You don’t need a blockchain to get there. Just a clean timeline. Who did what. When it happened. What was changed. Why it was changed. Which version of the criteria was active.
Memory is not defensible. Activity logs are. If someone asks about a decision three months later and the answer is “I think what happened was…” you’re already exposed. Operators win when they can hit print and show the steps.
Why this matters
Here’s the truth most operators quietly acknowledge: you can’t control the data, but you can control the decisions.
Defensibility protects your staff, your properties, your ownership group, and your legal exposure. Defensible systems don’t stop mistakes. They stop mistakes from becoming liabilities.
This is educational content, not legal advice. Screening obligations vary by jurisdiction. Consult qualified counsel for guidance specific to your operations
