What Is a Consumer Reporting Agency? Why It Matters for Tenant Screening
Most operators have never asked their screening vendor whether they operate as a Consumer Reporting Agency.
That question isn't a compliance detail. It's the first question that determines whether your screening process has defined behavior when a decision gets challenged. Whether accuracy standards apply. Whether applicants have statutory dispute rights. Whether adverse action is handled inside a regulated framework or outside one entirely.
Get it wrong and you don't just have a compliance gap. You own the outcome, the process, and the risk.
The definition is functional, not self-declared
Under the Fair Credit Reporting Act, a Consumer Reporting Agency is any entity that regularly assembles or evaluates consumer information to furnish reports used in housing, credit, or employment decisions. That's the statutory definition. What matters about it is what most operators miss: a company doesn't have to call itself a CRA to be treated as one under the law.
If a vendor regularly provides credit data, criminal history, eviction records, or income verification for housing decisions, it may meet the definition regardless of what it calls its product. "Background check company" is not a compliance category. It's a marketing label applied to vendors that operate under very different legal frameworks. Some are CRAs. Some aren't. Those are not equivalent models, and treating them as interchangeable is where exposure starts.
What actually changes when the vendor is a CRA
Three obligations attach the moment a CRA is in the screening chain. They're not features. They're system properties — the difference between a process that has defined behavior under pressure and one that doesn't.
Accuracy. Section 607 of the FCRA requires reasonable procedures to assure maximum possible accuracy. In practice that means identity matching controls, suppression of sealed or expunged records, and validation of public record data before it reaches a report. A CRA can't outsource this obligation. "The vendor gave us the data" doesn't satisfy it. The accuracy standard runs through the chain, not just to the top of it.
Dispute rights. Section 611 gives applicants a statutory right to dispute inaccurate information, trigger reinvestigation within defined timelines (generally 30 days), and have errors corrected or removed. These rights aren't optional features a vendor can choose to offer based on their product tier. They're built into the framework. Without them, disputes don't resolve through a system. They escalate into your operation without a defined path.
Adverse action. Section 615 requires that when a housing decision is made using a consumer report, the operator must provide the CRA's name and contact information, notice that the CRA didn't make the decision, and notice of the applicant's right to dispute. Most operators assume the vendor handles this. Most vendors assume the operator does. That gap is where adverse action failures live, and when they happen, the failure sits with the operator.
What happens when the vendor isn't a CRA
An applicant disputes a record in their screening report. The record is wrong. A misdemeanor attributed to someone with a similar name. The operator contacts the vendor. The vendor says they pulled the data from a third-party source and they don't reinvestigate.
There's no Section 611 obligation. No defined timeline. No requirement to notify the furnisher. The applicant has no statutory path to correct the error.
The operator made a housing decision based on inaccurate information about the wrong person. And they have no documented process to show otherwise.
Nothing in that workflow is broken. It's functioning exactly as designed. There's no requirement to investigate, no requirement to correct, no requirement to document. Because no system was ever defined to handle it.
That's not an edge case. It's what happens when you mistake a marketing label for a legal classification.
Why quiet enforcement isn't the same as low risk
The standard assumption goes like this: enforcement comes in waves, guidance changes, and most operators never face a complaint. That assumption is incomplete in one important way.
HUD's 2016 guidance on criminal history and disparate impact put the industry on notice that blanket screening policies carried Fair Housing risk. That guidance was rescinded in 2025. The underlying disparate impact exposure under the Fair Housing Act didn't go away with it. Louis v. SafeRent Solutions settled the same year under exactly that theory, for $2.275 million. Private litigation doesn't depend on regulatory guidance being active. It depends on the facts.
Not knowing your vendor's classification doesn't reduce your risk. It delays when you discover it.
If you can't answer these, the system isn't controlled
Most operators evaluate screening vendors on price, turnaround time, and whether the report is easy to read. Those aren't wrong questions. But they're not the first ones.
The first ones are:
- Is your provider operating as a Consumer Reporting Agency under the FCRA?
- Which parts of your workflow fall under FCRA requirements, and which don't?
- Who owns adverse action delivery, and is it executed correctly every time? Most operators assume the vendor handles it. Most vendors assume the operator does.
- What happens when an applicant disputes information in their report?
- What procedures exist to support the accuracy obligation if a record is challenged?
If those answers are unclear, you don't have a controlled screening system. You have a process that hasn't been tested yet.
Why this is the foundation of defensible screening
Most screening conversations focus on results. The more important question is whether the system producing those results can be defended.
Decisions that can be explained, reconstructed, and challenged don't happen by accident. They happen when the process underneath them has defined accuracy standards, a structured dispute path, and clear ownership of who made the call. The CRA framework under the FCRA is what makes those things possible. Not guaranteed. Possible.
CRA status doesn't determine the outcome. It determines whether the system can support the outcome.
Without that foundation, you don't have a screening process that can hold up when it's questioned. You have a workflow that produces decisions.
Those aren't the same thing.
The distinction between a CRA and a non-CRA vendor is binary. The risk isn't.
Because once a decision is challenged, nobody asks how fast the report came back, how clean the interface looked, or what the vendor called itself.
They ask one thing: did the process hold up?
