Category: Blog

Your blog category

  • Every Tool Can Be Right. Your Workflow Can’t Be Wrong.

    That is the tension many large PMCs are living in right now.

    Most, run on complex tech stacks.

    • A screening vendor for reports.
    • A fraud layer for identity and document checks.
    • A PMS for everything operational.
    • Sometimes a BI tool on top.
    • And now AI is making its way into decisions and exceptions.

    These tools do a lot of work.

    And most of them do that work correctly.

    Yet decisions still fail when they are challenged. Not because the tool malfunctioned. Because the workflow around the tool left gaps — gaps that become liabilities the moment someone asks a simple question:

    “Show me how you reached this decision.”

    That is where most operators discover the truth:
    Tools help. Workflows defend.

    Not because the tools failed.

    Because the workflow did.

    Remember, the stack is not your safeguard

    Across federal reports and enforcement actions, the pattern is consistent.

    Tools improve speed, scale, and consistency.

    But the responsibility for how information is used stays with the housing provider.

    Regulators expect you to know:

    • what criteria you use
    • how those criteria are applied
    • when exceptions are allowed
    • how you document the decision
    • how you handle disputes
    • how you prove compliance six months later

    This is where many leaders underestimate their risk. They assume that because the tools are reputable, the decisions are defensible.

    But defensibility is rarely tested inside the tool. It is tested in the workflow that surrounds it.

    None of that is news to most executives. We already know tools are not perfect.

    The more practical problem to consider is this:

    You can swap vendors, add another fraud layer, or renegotiate SLAs but if the way your team uses those tools is loose, undocumented, or inconsistent, your risk profile does not really change.

    Where workflows actually break in practice

    Even well-run portfolios have soft spots in their process.

    These weak points rarely show up day to day. They appear only when something goes wrong — a dispute, a complaint, a regulator inquiry, or a plaintiff attorney asking for the full packet.

    • Mismatched or misidentified records
      Wrong person, similar name, shared address, or merged files. CFPB has called out “shoddy name-matching procedures” as a specific source of harm in background screening. Consumer Financial Protection Bureau
    • Outdated or sealed information still in play
      Expunged, sealed, or too old records that continue to appear in reports and drive decisions, even when state law or policy says they should not. HUD Fair Housing Guidance
    • Missing outcomes and context
      Arrests with no disposition, civil cases without a final status, or debts shown without showing resolution. These are exactly the kinds of gaps CFPB and advocacy groups flag as misleading in tenant reports. Consumer Financial Protection Bureau+2NCLC+2
    • Limited or confusing dispute paths
      FTC and CFPB keep reminding tenants that they can and should dispute errors. That only matters if your internal workflow knows what to do when a dispute hits your desk, not just the CRA’s. Consumer Advice+2National Low Income Housing Coalition+2

    Notice something important here.

    Most of these issues are not about a single “bad” tool.
    They are about how information flows across tools, how people interpret it, and how exceptions are handled.

    That is workflow.

    3. The real liability: over reliance on “good” tools

    From a risk point of view, over reliance on tools shows up in a few specific ways inside a large PMC.

    a) “The vendor has us covered”

    The assumption sounds reasonable:

    Our screening partner is the CRA. They handle accuracy.
    We just consume the decision or recommendation.

    Regulators do not see it that way.

    FCRA places duties on users of reports, not only on the companies that produce them. HUD’s fair housing guidance treats the housing provider as responsible for how criteria are chosen, how they are applied, and how applicants can challenge them, even when a third party system is doing the heavy lifting. Federal Trade Commission+2Navigate Housing+2

    If your internal workflow is “click accept, move on” you may be outsourcing data collection, but you are not outsourcing liability.

    b) Configuration by folklore

    Many portfolios have screening criteria that evolved over time:

    • A regional manager asked for “stricter settings” after a bad loss.
    • Legal asked for language to be added to a notice template.
    • A site tweaked income thresholds based on “what works in this market”.

    Those changes may be defensible in context.

    The risk is when criteria live inside a tool configuration only, without a clean, current, and accessible policy that explains:

    • what the rule is
    • why it exists
    • how it should be applied
    • how exceptions are handled

    When a dispute or HUD inquiry shows up, you need the workflow story, not just a screenshot of vendor settings.

    c) Exceptions in email, decisions in the dark

    This is one of the most common patterns operators describe privately:

    • Leasing agent emails a supervisor for an exception.
    • Supervisor replies “approved, but watch for X next time”.
    • PMS note: “approved by manager”.

    That decision may have been reasonable.
    What you do not have is a packet that shows:

    • what the original data said
    • what rule would have done by default
    • why an exception was granted
    • who approved it and when

    If the only evidence is a line in a PMS note and a buried email thread, the workflow is functionally invisible.

    4. What “your workflow cannot be wrong” actually means

    No workflow will be perfect.
    No system can remove all risk.

    “Cannot be wrong” here is not about never making a tough call.
    It is about building a process that is:

    • Consistent
      The same inputs lead to the same path, across properties and teams, unless a documented exception applies.
    • Transparent
      You can show, in a packet, what criteria were in effect, what data was used, and how you moved from data to decision.
    • Controllable
      You can update criteria, adjust rules, or add a new tool in a way that is versioned, reviewed, and traceable.
    • Contestable
      When someone challenges a decision, you have a defined path to review the data, re run the logic if needed, and respond in a way that lines up with FCRA and fair housing expectations.

    In other words, workflows that are built to be defended, not rebuilt after something goes wrong.

    5. From tools first to workflow first

    For a large PMC, a workflow first posture usually starts with a few simple but hard questions:

    1. If a regulator, plaintiff attorney, or fair housing group asked for the full story on a denied application, what would we hand them today?
      A clean packet, or a scramble across email, PMS, and vendor portals.
    2. Where, in our process, are we depending on “the system” to do something we have never actually documented as policy?
      Auto declines, automated notices, templated criteria inside a vendor dashboard.
    3. When disputes, complaints, or “please review this decision” requests show up, do we have one standard workflow or ten different local versions?

    From there, the tools become components in a broader defensibility design:

    • Screening vendor for data and risk factors
    • PMS for core record and notes
    • Document or fraud layer for additional verification
    • Internal workflow for criteria, exceptions, and packet assembly

    Every tool can be right inside its own box.
    Your defensibility lives in how those boxes connect, how people use them, and what you can prove after the fact.

    Closing thought

    The market has spent a decade buying better tools.
    Regulators are now asking better questions.

    For executives, the real strategic shift is simple:

    Stop asking “is this tool accurate enough”.
    Start asking “if this decision were challenged six months from now, could we explain what happened, why it was reasonable, and how we would catch it if the tool got it wrong”.

    Every tool can be right.
    Your workflow cannot be wrong.

    That is where defensibility lives.

  • Introducing the DAx Defensibility Risk Assessment

    A practical, early look at how defensible your screening operations really are.

    Most operators can feel when their screening process is strained.

    Files take longer.

    Reviews get messy.

    Disputes catch the team off guard.

    But knowing something feels off isn’t the same as knowing where the gaps are — or how much those gaps might be costing you.

    That’s the problem the DAx Defensibility Risk Assessment is built to solve.

    What It Does

    This assessment gives you a fast, objective snapshot of your defensibility posture:

    your policies, timing, audit trail, documentation, and workflow design.

    It’s not legal advice.

    It’s not eligibility decisioning.

    It’s a process-readiness view of how your current system holds up under real pressure.

    In two minutes, you get:

    ✓ A Defensibility Risk Assessment

    ✓ Your highest-priority risk areas

    ✓ A readiness plan with clear next steps

    ✓ A financial exposure estimate

    ✓ A preview of the defensibility thoughts DAx is built on

    No data dumps.

    No consumer information.

    Just the operational truth of how your decisions are made — and whether you can defend them.

    Why This Matters

    In today’s environment, the biggest risk isn’t a single data error.

    It’s the process underneath:

    • Inconsistent adverse action timing

    • Slow or ad-hoc audit trail assembly

    • Policies that exist, but aren’t followed

    • Decisions no one can fully explain months later

    Those gaps create cost, disputes, and unnecessary vulnerability.

    Defensibility fixes that by making your workflow measurable, standardized, and backed by proof.

    Access Closed

    As it is I’ve put this project on hold.

    But if you’re ever interested in talking more about defensible screening feel free to reach out.

  • Thoughts On A Defensible Screening Standard (DSS)

    Screening isn’t just about who gets approved. It’s about being able to show your work when anyone asks why.

    The Defensible Screening Standard (DSS) is a proposal for how our industry can do that.

    It’s a shared way to design screening so decisions are lawful, explainable, and audit-ready. Think of DSS as the proof layer that connects policy, people, and systems — so your process can be inspected without exposing consumer data or revealing proprietary scoring.

    This is the starting line. DSS is not an approved or recognized standard. It’s a concept I’m putting on the table to invite critique, improvement, and collaboration across operators, vendors, advocates, and public agencies.

    The problem DSS wants to solve

    Most failures don’t come from one bad tool. They come from the space between tools.

    Policy says one thing. Systems say another. People work around both.

    That is where disputes multiply, timelines slip, and trust erodes.

    What if we aligned on a common structure for screening — not to tell anyone what to decide, but to make it easy to prove how the decision was made?

    What DSS proposes (concept)

    DSS proposes a small set of controls and evidence artifacts that every screening workflow can produce, regardless of the tech stack. The idea is simple:

    • Every request to use consumer data ties to a clear business need.
    • Every rule in your criteria has a plain-English rationale.
    • Every decision can be reconstructed from inputs, reasoning, and notices.
    • Every exception, dispute, or accommodation is documented end to end.
    • Every portfolio can run quick outcome checks and adjust with intent.

    DSS does not replace your screening tools. It wraps them with process clarity and proof.

    What DSS is not

    • Not a legal service or legal advice.
    • Not a consumer reporting agency.
    • Not an endorsement by any regulator or association.
    • Not a black-box model that tells you who to accept or deny.

    DSS is a shared frame for process + proof.

    Decisions remain yours.

    Principles behind the proposal

    Good Data:
    Use trusted, verified sources of truth.

    Good People:
    Keep human judgment in the loop where it matters.

    Good Design:
    Build compliance into the workflow, not as an afterthought.

    These principles guide how controls are phrased and how artifacts are produced.

    How DSS would show up in practice (at a glance)

    Imagine each application generating a compact Decision Proof Packet that contains:

    • The policy snapshot in effect that day.
    • The inputs relied upon and which identifiers were used.
    • The reasons actually applied in the decision.
    • The notice that was sent, and when.
    • Any exceptions, disputes, or accommodations, with outcomes.

    With this, there would need to be some kind of portfolio-level dashboard that can answer simple but high-value questions:

    • Are adverse-action notices consistent across properties?
    • Do public-record items include dispositions before they influence a decision?
    • Are exceptions concentrated in a few criteria that need a second look?
    • Are outcome patterns hinting at criteria that should be tuned?

    These would be the minimum necessary core of DSS. Not new math. Better line of sight.

    Why this matters to everyone

    Operators & Owners
    You get a workflow that holds up when challenged and a repeatable way to train new teams. Your process becomes faster to explain and cheaper to defend.

    Screening Vendors & Platforms
    You can map your product features to clear controls and provide customers with the artifacts they need, without becoming their policy department.

    Advocates & Public Agencies
    You gain a transparent view of how decisions are made, which reduces uncertainty and focuses collaboration on facts instead of assumptions.

    Investors & Partners
    You see how risk is managed in practice — with evidence — not just promises.

    The public outline (concept level)

    To keep the introduction simple, DSS groups controls into six families. The internal keys use a stable CTRL scheme for traceability across versions.

    A) Lawful access & transparency

    • CTRL-001 Permissible purpose & certification
    • CTRL-002 Identity & match expectations
    • CTRL-003 Publishable, business-necessary criteria

    B) Accuracy & relevance

    • CTRL-004 Individualized assessment for criminal records
    • CTRL-005 Reasonable accommodations workflow
    • CTRL-006 Consistent adverse-action notices

    C) Disputes, corrections & fairness

    • CTRL-007 Clear dispute path and re-adjudication
    • CTRL-008 Optional pre-decision review window

    D) Equal-housing awareness & model governance

    • CTRL-009 Outcome snapshots and remediation notes
    • CTRL-010 Model or score transparency and guardrails

    E) Security, retention & vendors

    • CTRL-011 Data retention and proper disposal
    • CTRL-012 Information-security program where applicable
    • CTRL-013 Vendor oversight and attestations

    F) Proof & auditability

    • CTRL-014 Decision audit trail and exception logging

    The detailed control text, legal anchors, and artifacts stay private while the idea matures with the working group.

    What “good” could look like

    • A leasing associate can explain a denial in two sentences because the reasons are recorded in plain English and tied to policy.
    • A regional manager can export five Decision Proof Packets and answer an auditor’s questions in one meeting.
    • A vendor can show, in one page, how their product outputs align with the portfolio’s criteria and proof needs.
    • A public agency can understand the decision logic without seeing any consumer PII.

    This is not a directive for a specific tool. It’s a proposal for a shared structure.

    An open invitation to help shape DSS

    The goal is simple: make DSS useful in the real world without creating busywork.

    Who would be ideal to join

    • Property managers and owners
    • Screening vendors and platforms
    • Counsel and compliance leaders
    • Advocates and public-sector stakeholders

    How to express interest
    This is still comletely a work in progress, even as an idea and concept. But if you’d be interested in talking with me about it. The best way to get in touch would be to message me on LinkedIn.

    https://www.linkedin.com/in/johnnybravo/

    Where we go from here

    This post is the beginning. I am proposing a structure, listening for feedback, and soon, inviting participation.

    If the idea proves valuable, it will evolve in the open, to document what works, and keep the detailed materials with the people who are doing the work.

    If you have thoughts — supportive or skeptical — I’d love to hear them.

    DAx — Where proof meets process.

  • Defensibility Augmentation (and Orchestration): The Missing Layer in Rental Screening

    Short version: Most operators and platforms invest heavily in detection (scores, models, signals). But regulators keep citing explainability, accuracy, and notice failures—the proof layer.

    Defensibility isn’t a bolt-on; it’s an orchestration problem across data, people, and process.

    What I mean by “Defensibility Augmentation & Orchestration”

    • Defensibility augmentation: adding the controls, artifacts, and audit-trail needed to prove that a decision was made lawfully, consistently, and fairly—without turning your stack into a CRA decisioning engine.
    • Orchestration: coordinating the end-to-end journey (intake → screening inputs → human checks → adverse action → disputes → packet retrieval) so every step is explainable, logged, and recoverable on demand.

    Said plainly: if a regulator, partner, or plaintiff asks “show me how this decision was made,” you can supply a complete, accurate packet—including sources behind third-party data, human judgment points, and time-stamped events.

    That is the gap most teams still have.

    Why I think this is missing (and how the record backs it up)

    1. Regulators are focused on accuracy, transparency, and explainability → not just better risk scores.
      In January 2024, CFPB issued advisory opinions clarifying that background screening reports must exclude outdated/expunged data, include dispositions, avoid duplicate entries, and that consumers are entitled to their complete file—including the source(s) of each item (original and intermediary vendor sources).

      This is a traceability requirement → an orchestration problem.
    2. When enforcement hits screening, it often cites missing procedures and poor data lineage.
      In October 2023, the CFPB and FTC obtained a stipulated order against TransUnion Rental Screening Solutions for failing to ensure maximum possible accuracy of eviction records (e.g., sealed/incorrect or missing dispositions) and for withholding third-party source information from renters; $15M was ordered in penalties/redress.

      Again, the remedy is procedures and provenance, not a “stronger model.”

      Earlier, AppFolio settled with the FTC for $4.25M over FCRA accuracy procedures in tenant reports—another example where process controls, not algorithmic prowess, were the issue.
    3. Independent government review reinforces the theme: accuracy, AI explainability, and notice.
      In July 2025 the U.S. GAO, Government Accountability Office, summarized federal actions around rental proptech, including: the TransUnion case (accuracy and disclosures), AppFolio (accuracy procedures), and DOJ/HUD positions that screening companies can implicate the FHA. GAO also noted HUD’s 2024 screening guidance addressed AI/ML explainability and recommended giving applicants a chance to dispute negative info → classic defensibility controls.
    4. Fair Housing risk is about how criteria are applied and justified—documentation matters.
      HUD’s longstanding 2016 OGC guidance warns that blanket bans (and arrest-only policies) can create disparate impact; providers must show a substantial, legitimate, nondiscriminatory interest and use more tailored criteria.

      These expectations implicitly demand an audit-ready rationale, not just a thumbs-down from a score.
    5. Trendline, not just anecdotes: CFPB’s 20232024 activity emphasized enforcement tied to reporting accuracy, dispute handling, and consumers’ access to complete files.

      That’s not a call for “more detection” → it’s a call for defensible process and packet-level explainability.

    Counterpoint (and why this post isn’t anti-detection):
    Better detection still reduces losses and friction. But the public record shows that failures most likely to trigger regulatory or legal pain are proof failures—inaccurate/irrelevant data, missing dispositions, opaque vendors, and broken notice/dispute flows.

    You don’t fix those by buying a newer score; you fix them by designing for traceability, notices, and human-in-loop review with artifacts.

    The orchestration gap (why tooling alone won’t get you there)

    Vendors often promise “accuracy,” but enforcement actions keep spotlighting missing procedures, disclosures, and artifact trails.

    Orchestration is the connective tissue: it coordinates vendors, merges signals with human judgment, enforces templates and timers, and emits a packet you can hand to counsel or a regulator tomorrow morning.

    That’s not another mode → it’s process + proof.

    Design around the three G’s: Good data (verifiable sources), Good people (judgment in-loop), Good design (compliance built-in).

    If you do nothing else this quarter

    1. Map your current notice and dispute flows against CFPB expectations for completeness and source disclosure; plug gaps.
    2. Require vendors to return final dispositions and disallow sealed/expunged items—contract for it.
    3. Pilot a retrievability drill: can you reproduce a full screening packet in 24–48 hours, including third-party sources and timestamps? If not, you don’t have defensibility—you have hope.

    Where I’m challenging my own thesis

    If your stack already delivers accurate, disposition-aware data with complete source lineage; issues clear, specific adverse-action notices; and regenerates packets on demand— you’re already in good shape.

    But most teams I’ve talked to have a brittle mix of vendor outputs, email notices, and ad-hoc dispute handling. The public enforcement record suggests that’s where risk lives today.

  • Introducing DAx

    Introducing DAx

    DAx is a private research project exploring how defensible processes are designed, documented, and audited.

    The goal is simple → to understand what makes compliance explainable.

    This space serves as a working journal: short essays, observations, and frameworks that examine the intersection of transparency, trust, and design in regulated industries.