A class action lawsuit revealed that TransUnion flagged thousands of American consumers as potential matches to the U.S. Treasury Department’s OFAC terrorist watch list using nothing more than a crude first-and-last-name comparison. No date of birth, no Social Security number, no address verification — just a name match. The result was that 8,185 people had false “potential match” alerts buried in their credit files, and many discovered the problem only when they were denied credit, financing, or other services. The case produced a $9 million settlement for affected consumers whose flagged reports were actually shared with third parties.
The human cost of this practice was stark. Sergio Ramirez walked into a Nissan dealership in February 2011 to buy a car with his wife. After a routine credit check, the dealership told him — in front of his wife and father-in-law — that his name appeared on a terrorist list and they could not complete the sale. Ramirez described being “embarrassed, shocked, and scared.” He was so shaken that he canceled a planned trip to Mexico over concerns about the alert. His name had matched two entries on the OFAC list, neither of which was actually him.
Table of Contents
- How Did TransUnion List OFAC Terrorist Watch List Matches Without Verification?
- The Ramirez Lawsuit and What the FCRA Requires of Credit Bureaus
- A Record Jury Verdict and Its Reduction on Appeal
- The Supreme Court’s Standing Ruling and What It Means for Consumers
- The Disproportionate Impact on Consumers With Common Ethnic Names
- The $9 Million Settlement and What Class Members Received
- Regulatory Fallout and the Future of Credit Reporting Accuracy
- Frequently Asked Questions
How Did TransUnion List OFAC Terrorist Watch List Matches Without Verification?
Starting in 2002, transunion began selling an add-on product called the “OFAC Name Screen Alert” to its business clients. The product compared consumer names in TransUnion’s database against the Office of Foreign Assets Control’s Specially Designated Nationals list — a registry of terrorists, drug traffickers, and other individuals with whom conducting business is illegal under federal law. On paper, alerting businesses to potential OFAC matches sounds reasonable. In practice, TransUnion’s implementation was dangerously simplistic. The system relied on simple first-and-last-name matching only. If your name was similar to or identical to a name on the SDN list, a flag went on your credit file. TransUnion did not cross-reference dates of birth, Social Security numbers, middle names, addresses, or any other identifying information that would have quickly ruled out false matches.
Consider the scale of the problem: the OFAC list contains many names common in Latin American, Middle Eastern, and other communities. Anyone named, say, “Carlos Garcia” or “Mohammed Ali” could be swept up simply because someone with a similar name appeared on a government watch list. This is not a hypothetical — 8,185 consumers were falsely flagged through this system. The lack of verification was not a technical limitation. TransUnion had access to all the data points it would have needed to screen out false matches. It chose not to use them. The company’s decision to sell a bare-bones name-matching product without building in basic verification steps is what exposed it to one of the largest Fair Credit Reporting Act verdicts in history.
The Ramirez Lawsuit and What the FCRA Requires of Credit Bureaus
In February 2012, roughly a year after the dealership incident, Sergio Ramirez filed a class action lawsuit in the U.S. District Court for the Northern District of California. The central legal theory was straightforward: the Fair Credit Reporting Act requires credit reporting agencies to “follow reasonable procedures to assure maximum possible accuracy” of consumer reports. TransUnion’s name-only OFAC matching, Ramirez argued, was the opposite of reasonable. The FCRA was designed to protect consumers from exactly this kind of harm.
When a credit bureau includes inaccurate information in a consumer’s file — especially information as damaging as a potential terrorist designation — and fails to take basic steps to verify that information, it has violated federal law. However, proving a statutory violation and proving you have standing to sue for it turned out to be two different things, as the Supreme Court would later make painfully clear. It is worth noting a limitation of the FCRA that matters here: the statute provides for statutory damages of $100 to $1,000 per consumer for willful violations, even without proof of actual financial loss. This provision exists precisely because the harm from inaccurate credit reporting can be difficult to quantify. Being labeled a potential terrorist is humiliating and frightening, but putting a dollar figure on that experience is not straightforward. The statutory damages provision was supposed to bridge that gap — until the Supreme Court narrowed who could claim it.
A Record Jury Verdict and Its Reduction on Appeal
When the case went to trial in 2016, the jury sided with the class on every claim. The damages award was staggering: approximately $60 million total, broken down into roughly $8 million in statutory damages and $52 million in punitive damages. At the time, it was the largest FCRA verdict in history. The size of the punitive damages reflected the jury’s view that TransUnion’s conduct was not merely negligent but willful — the company knew its matching system was crude and kept selling it anyway.
TransUnion appealed, and the Ninth Circuit reduced the total award to approximately $40 million in 2020. Appellate reductions in punitive damages are common, as courts apply constitutional proportionality limits. But even the reduced figure represented an enormous judgment, and TransUnion was not finished fighting. The case then moved to the Supreme Court, where the question shifted from whether TransUnion did anything wrong to whether most of the class members had the legal right to sue at all. This pivot — from the merits to the procedural question of standing — would reshape class action law for years to come.
The Supreme Court’s Standing Ruling and What It Means for Consumers
On June 25, 2021, the Supreme court issued its decision in TransUnion LLC v. Ramirez, 594 U.S. 413. In a 5–4 ruling written by Justice Kavanaugh, the Court held that most class members lacked Article III standing because they had not suffered a “concrete injury.” Only 1,853 of the 8,185 class members — those whose falsely flagged credit reports had actually been disseminated to third-party businesses — had standing to pursue their claims. The remaining 6,332 class members, whose files contained the false terrorist-match alert but whose reports had never been pulled by a lender or other business, were out of luck. The practical tradeoff here is significant.
On one hand, the ruling means that a credit bureau can place false, defamatory information in your file, and as long as no one happens to request your report, you have no federal claim. On the other hand, the majority reasoned that without dissemination, there is no concrete harm analogous to the real-world injuries that courts have traditionally recognized. The dissent argued that the mere presence of false information in a credit file — particularly a false terrorist designation — is itself a concrete harm, much like the publication element in defamation law. For consumers, the decision creates an uncomfortable reality. You may have inaccurate information sitting in your credit file right now and have no legal remedy unless and until that information is shared with a third party. The ruling has also made it harder to bring large class actions under consumer protection statutes, because each class member must now demonstrate individualized concrete harm rather than relying on the statutory violation itself.
The Disproportionate Impact on Consumers With Common Ethnic Names
The TransUnion OFAC matching problem was not random in who it affected. The OFAC Specially Designated Nationals list is heavily populated with foreign nationals — people from Latin America, the Middle East, and other regions. Because TransUnion used only first-and-last-name matching, consumers with Latino, Arab, and other ethnic names that are common in those regions were far more likely to be falsely flagged. Sergio Ramirez himself is a clear example: “Sergio Ramirez” is a common enough name in the Spanish-speaking world that matching it against an international watch list without any other identifiers was almost guaranteed to produce false positives. This raises a warning about how facially neutral systems can produce discriminatory outcomes.
TransUnion’s matching algorithm did not target any racial or ethnic group by design. But by using only names — and by not accounting for the fact that names on an international watch list would disproportionately overlap with names common in immigrant communities — the system effectively subjected consumers of certain backgrounds to a higher risk of false flagging. A consumer named “John Smith” was far less likely to appear on the OFAC list than a consumer named “Hassan Mohammed” or “Carlos Hernandez.” The broader lesson is that automated screening systems require more than technical accuracy in their matching logic. They require consideration of disparate impact. TransUnion’s failure was not just a technical shortcut — it was a decision that imposed real costs on real people, and those costs fell unevenly across racial and ethnic lines.
The $9 Million Settlement and What Class Members Received
On December 15, 2022, the court granted final approval of a $9 million class settlement fund. Consistent with the Supreme Court’s standing ruling, the settlement class was limited to individuals whose OFAC-flagged consumer reports had actually been provided to a third party. Class counsel estimated that individual class members would receive in excess of $2,000 each on a pro rata basis, depending on how many valid claims were submitted.
The district court noted that this per-person amount actually exceeds the maximum statutory damages available under the FCRA, which caps at $1,000 per consumer for willful violations. So while the overall settlement figure dropped dramatically from the original $60 million verdict, the consumers who remained in the class after the standing ruling received meaningful individual compensation. That said, the 6,332 class members who were excluded by the Supreme Court’s decision received nothing — a bitter outcome for people who had false terrorist alerts in their credit files through no fault of their own.
Regulatory Fallout and the Future of Credit Reporting Accuracy
In November 2021, months after the Supreme Court’s decision, the Federal Register published a notice titled “Fair Credit Reporting; Name-Only Matching Procedures,” directly addressing the regulatory implications of TransUnion’s flawed system. The notice signaled that regulators were paying attention to the gap between what credit bureaus could do to ensure accuracy and what they were actually doing. The TransUnion v.
Ramirez case has had lasting consequences on two fronts. For class action litigation, the standing requirement now forces plaintiffs’ attorneys to build more granular evidence of individualized harm, making large consumer protection class actions more expensive and harder to certify. For the credit reporting industry, the case put bureaus on notice that crude matching systems carry enormous legal and reputational risk. Whether those incentives are strong enough to prevent the next version of this problem remains an open question — particularly as screening against government watch lists becomes more common across industries beyond lending.
Frequently Asked Questions
What was the TransUnion OFAC Name Screen Alert?
It was an add-on product TransUnion sold starting in 2002 that compared consumer names against the U.S. Treasury Department’s OFAC Specially Designated Nationals list. The product used only first-and-last-name matching — no dates of birth, Social Security numbers, or addresses — to flag potential matches, resulting in thousands of false alerts.
How many consumers were affected by the false OFAC alerts?
A total of 8,185 consumers had false OFAC “potential match” alerts placed in their credit files. However, the Supreme Court ruled that only 1,853 of those consumers — whose flagged reports were actually shared with third-party businesses — had legal standing to pursue claims.
How much did class members receive from the settlement?
The final settlement was a $9 million fund approved in December 2022. Class counsel estimated individual payments in excess of $2,000 per class member on a pro rata basis, which the court noted exceeds the FCRA’s maximum statutory damages of $1,000 per consumer.
Why did the Supreme Court reduce the class size?
In a 5–4 decision, the Supreme Court held that class members whose falsely flagged credit reports were never disseminated to third parties had not suffered a “concrete injury” sufficient for Article III standing. Only those whose reports were actually shared with businesses could sue.
Can I check if my credit report has an OFAC flag?
Yes. Under the FCRA, you have the right to request a copy of your consumer file from each credit bureau. You can obtain free annual reports through AnnualCreditReport.com, and if you have been denied credit or received adverse action, you are entitled to an additional free copy from the bureau that provided the report.
What is the broader impact of the TransUnion v. Ramirez ruling?
The decision has made it significantly harder for class members in consumer protection cases to establish standing without proving individualized concrete harm. A bare statutory violation of the FCRA, without evidence that the inaccurate information was actually disseminated, is no longer sufficient to sue in federal court.