The unfair, deceptive or abusive acts or practices standard (UDAAP) is one of the most talked-about compliance issues today. The Dodd-Frank Act added the word “abusive” to what was forbidden under the law previously, expanding the scope of what constituted a UDAAP violation. All banking regulators are now charged with enforcing a new standard in consumer protection. This renewed focus on UDAAP has created an especially heightened regulatory concern for banks and other financial institutions governed by the Consumer Financial Protection Bureau (CFPB), particularly due to the lack of certainty behind how the term “abusive” will be interpreted. Given the heavy fines issued by the CFPB in 2012 and high-profile settlements, directors will want to take inventory of their UDAAP compliance program and evaluate how each product and service is impacting the consumer. Here are a few recommendations.
Promote a Culture Shift to Focus on Risk to the Consumer
In this new consumer-centric supervisory context, in addition to evaluating the traditional risk to the institution if a compliance violation occurs, banks must also focus on the inherent risk to the consumer for any given process or product. This is a major shift in how institutions are being asked to examine risk and essentially creates a new risk discipline. Board members can lead the charge by making sure that any adverse impact on the consumer is evaluated right alongside traditional risk disciplines.
Set the Tone
Like all things related to regulatory risk and compliance, the best practice for creating a UDAAP-conscious organization is to establish the tone for compliance at the top. Financial institutions are well advised to review what is being communicated downward through various means, particularly in the form of policies, procedures and training materials. The key to establishing an effective UDAAP compliance program within the framework of your compliance management program is having strong controls. The CFPB prescribes the following four interdependent control components:
- Board and Management Oversight
- Formal Compliance Program (i.e., policies and procedures; training; and monitoring corrective action)
- Response to Consumer Complaints
- Compliance Audit
Ask the Questions
In applying practical thinking to managing UDAAP compliance risk and considering the high-risk areas, ask your senior management: does our compliance management system
- Establish compliance responsibility and accountability for UDAAP compliance at all levels of the organization?
- Communicate to all employees their responsibility for compliance with UDAAP through training and regular compliance updates?
- Ensure that UDAAP requirements are incorporated into the everyday business processes, as well as the procedures followed by contractors and third-party service providers?
- Review operations for compliance with UDAAP requirements?
- Require corrective action when non-compliance or a potential weakness is identified?
Evaluate Fairness and Transparency throughout the Product Lifecycle
Banks should always strive for fairness and transparency when communicating product features, terms and costs to customers, and apply the same standard in the delivery, support and servicing of all products. Consider the full extent of the product lifecycle when assessing your UDAAP compliance risks. High-risk areas to focus on are:
- Advertising and Solicitations
- Loan and Account Disclosures
- Servicing and Collections
- Third-Party Service Provider Oversight
In all aspects of the product lifecycle, stress absolute transparency and hold each business line and product group accountable for continuously reviewing technical accuracy, alignment to actual practices, and clarity and ease of understanding from the consumer’s point of view.
Manage Consumer Complaints
With the CFPB actively soliciting complaints from consumers and using that data to support its supervisory activities, you need to take a close look at your complaint data management and response processes. Particular attention should be paid to:
- Your definition of a complaint
- How complaints are categorized and classified internally
- How they are routed for analysis of root cause, formal response, and ultimate resolution
An effective complaint management system must be able to receive and process complaints from all sources, ranging from complaints issued directly to the bank to complaints from external sources such as regulators, attorneys, the Better Business Bureau, consumer protection groups, web-based sources and social networking media. Complaints, while often troubling, are an opportunity to detect and address UDAAP issues such as false or misleading statements, inaccuracies in disclosures, and excessive and/or previously undisclosed fees. Keep in mind that third-party service providers performing services on behalf of your organization should have conforming processes in place to receive complaints that mirror your own complaint handling processes.
If you have not already taken a hard look at where your organization stands with respect to UDAAP, the time for action is now.