Virtually every compliance officer has been in a new product development meeting in which someone has asked where in a law or regulation a specific practice is prohibited. Often, the correct answer is, “technically, nowhere.” Yet seasoned compliance professionals know that lack of an explicit prohibition doesn’t mean the institution is fully shielded from regulatory criticism if the practice could be viewed to confuse or otherwise harm consumers – and the risks in this area are increasing due to changes under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
Section 5 of the Federal Trade Commission (FTC) Act protects consumers against unfair or deceptive acts or practices (UDAP) in most aspects of commerce, including financial services. Over time, the federal prudential banking regulators have adopted rules and utilized their UDAP enforcement authority to address predatory lending, credit card disclosures, marketing activities, servicing fees and collections practices, among other areas.
Dodd-Frank authorizes the new Consumer Financial Protection Bureau (CFPB) to issue and enforce regulations related to UDAP and prohibit acts and practices deemed to be potentially abusive with respect to consumer financial products or services (expanding “UDAP” to “UDAAP”). The CFPB has indicated it will include steps related to UDAAP in its regular examination process and conduct targeted exams based upon its evaluation of consumer complaints and other data it may request from its supervised entities. As a result, financial institutions (banks and nonbanks alike) must establish reasonable procedures and processes to prevent and detect potential UDAAP.
Challenges and Opportunities
Dodd-Frank defines “abusive” in the context of material interference with a consumer’s understanding of a product’s risks and benefits, or taking unreasonable advantage of a consumer by a financial institution; however, there is not yet definitive guidance from the CFPB as to how this standard will be applied specifically in practice.
Institutions that follow a strategy of looking for explicit prohibitions regarding products, services and practices will be poorly positioned to deal with shifts in examination focus and regulatory expectations. Inadequate consideration of consumer impacts when making business decisions may give rise to UDAAP-related risks that are subtle. Institutions should empower an executive (or committee) to act as a customer advocate and provide sufficient authority to identify and mitigate acts or practices that might be unfavorable to customers and create UDAAP risks.
Once lines of authority have been established, where should institutions focus their risk management efforts? Marketing campaigns have long posed recognized UDAAP risks, but institutions should also consider operational activities where these risks may originate, including:
- Product terms, conditions and disclosures
- Customer support and loan servicing, including assessment of fees and loss mitigation activities
- Customer-facing third-party or affiliate service providers
- Investigation of and responses to consumer complaints
Our Point of View
UDAAP-related impacts can vary according to an institution’s product mix and infrastructure; however, institutions should be able to demonstrate awareness of and efforts to identify and remediate those risks proactively, including:
- Through policies, procedures and training, provide guidance to avoid UDAAP.
- Establish robust processes to evaluate the development of new, or changes to existing, products and services for potential UDAAP, including a review of terms, conditions, disclosures and marketing strategies.
- Identify and monitor/audit regularly high-risk areas for potential UDAAP.
- Identify the root cause of consumer complaints and potential trends by product, line of business, employee, etc., related to UDAAP.
- Evaluate employee incentive compensation arrangements and contracts with (and monitor ongoing performance of) customer-facing vendors to avoid incentives for potential UDAAP.
- Monitor the regulatory environment regularly for potential regulatory guidance or other “headline” events that may indicate potential UDAAP trends, and assess applicability of those risks to their institution.
How We Help Companies Succeed
Our Risk and Compliance professionals can help your institution develop and maintain an effective UDAAP compliance program and remediate potential deficiencies. We have deep experience in the following areas:
Compliance Program Design and Evaluation
- Performing an independent UDAAP compliance program gap assessment, and identifying potential program deficiencies and opportunities to enhance or develop controls and processes to mitigate compliance risks
- Applying our proprietary model that assesses and scores UDAAP risk by business line, product and product feature across the enterprise
- Assisting with the design and implementation of UDAAP compliance governance programs
- Conducting independent reviews or internal audits of the UDAAP compliance program
- Implementing rapid-response efforts to potential or actual supervisory regulatory actions
- Designing and executing remediation strategies • Coordinating with regulatory agencies, independent monitoring firms and third parties, and/or fulfilling obligations as an independent monitor
- Performing analytics to identify customer populations potentially impacted by a regulatory action
A national bank sought our assistance to comply with the terms of an enforcement agreement related to potentially misleading mortgage advertising and origination practices.
We developed a strategy and implemented a systemic methodology to calculate remediation payments and identify eligible borrowers, and implemented an automated tool to manage the remediation process. We advised the bank on its ongoing interactions with its regulator and presented remediation efforts to the bank’s board of directors and regulators. Through our efforts, the bank met the enforcement agreement’s terms in a timely and cost-efficient manner, resulting in the termination of the agreement.