Managing UDAAP Compliance Risks in Financial Institutions

Compliance with Unfair, Deceptive or Abusive Acts or Practices (UDAAP) principles has become a thorny problem for
U.S. financial institutions. The UDAAP regulatory scheme, as embodied by the Consumer Financial Protection Bureau,
represents a new approach to regulating financial institutions and the industry has yet to fully adjust. This article
reviews the history of UDAAP regulation in the U.S. and then examines the ways financial institutions must change their
compliance management programs to minimize the risk of UDAAP violations.
KATHLYN L. FARRELL
Compliance with Unfair, Deceptive or Abusive
Acts or Practices (UDAAP) principles has become a thorny problem for U.S. financial institutions. Compliance management systems honed over
the past 45 years to become models of well managed
risk programs have proved substantially ineffective to
keep institutional practices within the boundaries of the
regulatory expectations for UDAAP compliance. The
reason for this dilemma is that the UDAAP regulatory
scheme, as embodied by the Consumer Financial Protection Bureau (CFPB), represents a new approach to
regulating financial institutions and the industry has yet
to fully adjust. UDAAP regulations are principles-based,
not technically based. The difference is significant.
This article presents an overview of the history of
UDAAP regulation in the U.S., from the Federal Trade
Commission Act amendments in 1938 to the Dodd-Frank Act era and the Consumer Financial Protection
Bureau. It then examines the ways financial institutions
must change their compliance management programs
in order to minimize the risk of UDAAP violations.
HISTORICAL CONTEXT OF UDAAP
For 72 years UDAP existed without the second “A”—abusive. The original UDAP provisions were contained within Section 5 of the Federal Trade Commission Act (“FTC Act”) in 1938.1 The FTC Act was enacted 24 years earlier, in 1914, but it did not address UDAP at all. Rather, in its original form, the FTC Act sought to protect consumers by banning anti-competitive, restraint of trade practices.2 It was not until 1938, with the passage of the Wheeler-Lea Act revisions to the FTC Act, that the focus of Section 5 was shifted to protect consumers from unfair and deceptive acts and practices.3 Virtually all of the FTC’s focus in the UDAP arena—even to the present—has been on sales and marketing practices. FTC litigation first focused on print advertisements and evolved with technology to concentrate on television advertising.4
The FTC enforced the UDAP protections in Section 5 primarily through litigation. The text of the law did not define “unfair” or “deceptive.” Over the years, the elements to these concepts were fleshed out in the courts and through FTC consent orders.
The doctrines of “unfair” and “deceptive” were explained by the FTC chairman in policy statements addressed to Congress in 1980 and 1983, respectively.5 These policy statements were a response to congressional inquiries to the Commission and they effectively restated the definitions as applied by the FTC at the time.
1. 15 U.S.C. § 45.
2. 38 Stat. 719 (1914).
3. Wheeler-Lea Act of 1938, P.L. 75-447, 52 Stat. 111 (1938).
4. See W.H. Ramsay Lewis, “Infomercials, Deceptive Advertising and the FTC,” 19 Fordham Urb. L.J. 853-74 (1991).
5. Letter from Michael Pertschuk, Chairman, and Rand Dixon, David Clanton, Robert Pitofsky & Patricia Bailey, Commissioners, FTC, on the FTC Policy of Unfairness to Wendall Ford, Chairman, and John Danforth, Ranking Minority Member, of the Consumer Subcommittee, the Committee on Commerce, Science and Transportation, U.S. Senate (Dec. 17, 1980) (hereafter “FTC Policy Statement on Unfairness”), available at http://www.ftc.gov/bcp/policystmt/ad-unfair.htm; Letter from James C. Miller, Chairman, FTC, on FTC Policy Statement on Deception, to Hon. John D. Dingell, Chairman, Committee on Energy and Commerce (Oct. 14, 1983) (hereafter “FTC Policy Statement on Deception”), available at http://www.ftc.gov/bcp/policystmt/ad-decept.htm.
Kathlyn L. Farrell is a Managing Director at Treliant Risk Advisors, LLC. She may be contacted at lfarrell@treliant.com.
November/December 2013 Vol 27 / No 2
“Unfairness” Defined. In explaining what makes a consumer injury the result of “unfairness,” Chairman Pertschuk stated that the injury must meet three prongs: “. . . it must be substantial; it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and it must be an injury that consumers themselves could not reasonably have avoided.”6 This definition of “unfairness” was later codified in the FTC Improvement Act of 1994.7
To further explain the three prongs of the definition, Chairman Pertschuk stated that in order for the injury to be substantial, it must involve a monetary cost—emotional injuries will not meet the “unfairness” test. Nor is the Commission concerned with “trivial or speculative” harm.8 Second, for unfairness to exist there cannot be a beneficial counterweight to the injury that outweighs the effect of the injury. The practice must cause a net effect of injury to the consumer.9 Finally, if the consumer could have reasonably avoided the injury, it will fail the unfairness test. In the policy statement, Chairman Pertschuk explained the view of the FTC on allowing consumers to freely make decisions in the free market:
Normally we expect the marketplace to be self-correcting, and we rely on consumer choice—the ability of individual consumers to make their own private purchasing decisions without regulatory intervention—to govern the market. We anticipate that consumers will survey the available alternatives, choose those that are most desirable, and avoid those that are inadequate or unsatisfactory.10
When the marketplace fails to allow for consumers to reasonably protect themselves, the practice could rise to the level of “unfairness.”
“Deception” Defined. Three years after the Policy Statement on Unfairness was issued, the Commission issued a similar statement defining the doctrine of “deception.” As with the Policy Statement on Unfairness, the Policy Statement on Deception was issued as a response to a congressional inquiry and specifically stated that its purpose was to provide a concrete statement of how the Commission would “. . . enforce its deception mandate”11 and to allay concerns expressed by Congress about the lack of specificity in the doctrine of deception.12
In order to support a finding of “deception” there must be a representation or omission that is likely to mislead the consumer. The consumer in question must be acting reasonably and the representation or omission must be material.13 As with the Statement on Unfairness, the Statement on Deception further elaborated on the three prongs of the doctrine. First, the omission or representation must be misleading or likely to mislead (it need not actually mislead anyone). The statement lists several examples, all involving sales and marketing practices, such as bait-and-switch schemes.14
The second prong of the doctrine of deception is that the consumer must be acting reasonably. Is the consumer’s reaction to the misleading communication a reasonable one? A key element of this prong involves the group the consumer represents—“reasonableness” is judged in the context of the particular consumer.15 For example, if the consumer is elderly, the determination will involve a “reasonable” elderly person. Likewise, if the person is young, or is seriously ill, the potentially deceptive communication will be viewed through the lens of the consumer’s particular group, taking into account that group’s knowledge and level of sophistication. A key element of the policy statement’s analysis is that disclaimers and disclosures may not be able to cure a deceptive representation. A false headline is not fixed by the fine print.16 For disclosures to help negate a misleading statement they must be clear and understandable. The statement does, however, exclude general advertising puffery from the category of “deceptive.”17
The third element of the doctrine of deception is that the misrepresentation or omission must be material. It must have been an important part of the consumer’s decision making. In short, “Injury exists if consumers would have chosen differently but for the deception.”18
The definition of “deceptive” was not formally codified in the FTC Improvement Act of 1994. However, the three prongs have continued to be the standard for the doctrine through the present time.
6. See FTC Policy Statement on Unfairness, supra note 5, at 3.
7. 15 U.S.C. § 45(n).
8. See FTC Policy Statement on Unfairness, supra note 5, at 3.
9. Id.
10. Id.
11. See FTC Policy Statement on Deception, supra note 5, at 1.
12. Id.
13. See id. at 2.
14. Id.
15. See id. at 3.
16. Id.
17. Id. at 5.
Journal of Taxation and Regulation of Financial Institutions
UDAP ENFORCEMENT BY FEDERAL BANKING REGULATORY AGENCIES
The regulation of financial institutions for UDAP enforcement was expressly carved out of the FTC Act from the very beginning.19 In 1975 in the Magnuson-Moss Warranty Act (Title II was entitled the Federal Trade Commission Improvement Act) authority to enforce UDAP was expressly given to the prudential banking regulatory agencies (the Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC)).20 Each agency was required to establish an office of consumer affairs for the purpose of receiving UDAP-related complaints. The Federal Reserve Board was given the rule-writing authority for UDAP, but the other agencies were empowered to write their own procedures to enforce compliance with “regulations prescribed under this subsection.”21 Each agency was empowered to enforce UDAP rules for the institutions within its jurisdiction.
Regulation AA. No UDAP-related regulation was forthcoming until 1985 when the Federal Reserve Board published Regulation AA—Unfair or Deceptive Acts or Practices.22 Regulation AA primarily prohibited certain onerous consumer credit contract terms, such as cognovits clauses or confessions of judgments, assignments of wages, and waivers of exemption. It also required regulated financial institutions to give notices to co-signors and made the practice of pyramiding late charges illegal. Finally, Regulation AA prohibited the taking of a security interest in household goods for nonpurchase money loans.
Regulation AA represents the sole Federal Reserve Board effort to codify the FTC Act Section 5 UDAP rules into federal banking regulations.
UDAP-Related Regulatory Issuances. Over the next 25 years, the prudential regulators wrote other regulations that dealt with UDAP-related issues in some manner. They also published several guidance documents that specifically dealt with products that had higher levels of UDAP risks and, although these do not rise to the level of formal regulation, they generally have the same practical effect.
One overarching reason for the spate of regulatory issuances within this timeframe is that financial products and services began to develop and change at a rapid rate during the first decade of the 2000s. Particularly, the changes within the payment system involving the use of debit cards and other electronic payments (accelerating the use of overdraft protection programs) and the rise of non-traditional mortgage products caused rapid changes in the products offered by regulated institutions. These regulations and guidance documents were a response to the market changes.
Guidance on Unfair or Deceptive Acts or Practices. Both the FDIC and the OCC issued guidance documents in 2002 to describe the types of activity that posed UDAP risk to financial institutions.23 These publications are not identical. The OCC Advisory Letter explains the legal underpinnings of UDAP, lists examples of practices that may violate the prohibition against deceptive practices in the FTC Act, and explains how institutions should manage UDAP risks.24 The examples are based on OCC enforcement actions that all deal with deceptive practices such as misleading marketing materials that fail to adequately disclose fees or material limitations of the product. The guidance suggests that national banks should manage UDAP risks by such things as improving the information given to consumers and avoiding misleading terms such as “guaranteed,” “pre-approved,” and “lifetime rates” if there is any possibility that the consumer will not receive the product on those terms. The OCC guidance also cautions against the indiscriminate use of third parties such as telemarketers and suggests that the contracts with third parties should avoid financial incentives that lead to deceptive behavior.25
18. See id. at 14.
19. See 15 U.S.C. § 45(a)(2) (2006).
20. See 15 U.S.C. § 57(a).
21. Id.
22. 12 C.F.R. § 227.
23. FDIC, Financial Institutions Letters, FIL-57-2002, May 30, 2002, available at http://www.fdic.gov/news/news/financial/2002/fil0257.html; OCC, Advisory Letter, AL 2002-3, Guidance on Unfair or Deceptive Acts or Practices, Mar. 22, 2002, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2002/advisory-letter-2002-3.pdf.
24. See OCC Advisory Letter, supra note 23, at 3-4.
The FDIC Financial Institution Letter on UDAP, also published in 2002, is much shorter and focuses on advising state non-member banks that they are, in fact, subject to the prohibitions on UDAP in Section 5 of the FTC Act and warns that the FDIC will take action if it finds unfair or deceptive practices within a covered institution.26
Debt Cancellation and Debt Suspension Contracts. In 1963 the OCC ruled that national banks had the authority to sell debt cancellation and debt suspension contracts.27 These products became increasingly popular during the decade of the 2000s, especially as add-on sales to credit card and mortgage accounts. Debt cancellation and debt suspension contracts involve a contract between the bank and the consumer borrower whereby, for a fee, the bank will agree to suspend or cancel the consumer’s debt if a specified event occurs (usually the covered events include loss of employment or suffering a disability). Sometimes these products are referred to as “insurance” but they are not insurance in the legal sense nor are they regulated as such. These contracts are often referred to as “payment protection” products, along with credit life and health insurance.
Fees for debt cancellation or suspension contracts are paid monthly, particularly on credit card or mortgage accounts. These products are often sold by telephone solicitations to existing customers. In 2002, the OCC issued regulations governing the sales of these products.28 One of the stated purposes of the OCC’s rule was to “. . . discourage unfair or abusive sales practices.”29 The OCC also prohibited single premium debt cancellation or debt suspension contracts in connection with mortgage loans as these were considered to be abusive.30 The regulation requires standardized disclosures in the marketing of these products, including information that must be sent to the consumer after the sale. It also required affirmative election and acknowledgement of the sale and a refund of fees if the contract was cancelled or the loan was repaid early.31
Title Loans and Payday Loans. Although title loans and payday loans have traditionally not been products offered by regulated depository institutions, during 2000 the OCC issued advisory letters as some national banks began to fund third-party non-banks that were making these loans. The advisory letters warn that these types of credit product have both safety and soundness risks as well as consumer protection risks, particularly for abusive or unfair practices.32
Predatory and Abusive Practices in Lending and in Brokered and Purchased Loans. The OCC issued two advisory letters in early 2003 to caution national banks against certain practices that could violate section 5 of the FTC Act, both in their direct lending activities and in their purchases of loans.33 These letters were issued on the same day that the OCC published a notice of the receipt of a preemption request from National City Bank and its subsidiaries and the OCC’s response to such request. The OCC confirmed that National City was not subject to the state of Georgia’s anti-predatory lending statute.34
The purpose for issuing the advisory letters was to affirm that, although national banks are not subject to these statutes, the OCC expects that they will avoid such practices. The advisory letters spoke to several lending practices, including loan “flipping” (frequently refinancing a loan with little value to the consumer), equity stripping, refinancing loans with the loss of loan terms that were beneficial to the consumer, and using loan features such as negative amortization to make it more difficult for a borrower to pay off a loan and fee packing.35 The guidance also cited targeting vulnerable customers, inadequate disclosures, and the offering of single premium credit life insurance as problematic practices.36
The guidance on brokered and purchased loans focused on the OCC’s expectation that national banks would conduct due diligence to ensure that they were not purchasing loans from a predatory lender.
25. Id. at 7-8.
26. See FDIC, Financial Institutions Letters, supra note 23.
27. 12 U.S.C. § 24.
28. 67 Fed. Reg. 182, 58962 (Sept. 19, 2002).
29. Id. at 58963.
30. Id.
31. 12 CFR § 37.
32. OCC, Advisory Letter, AL 2000-10, Payday Lending, Nov. 27, 2000, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2000/advisory-letter-2000-10.pdf; OCC, Advisory Letter, AL 2000-11, Title Loan Programs, Nov. 27, 2000, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2000/advisory-letter-2000-11.pdf.
33. OCC, Advisory Letter, AL 2003-2, Guidelines for National Banks to Guard Against Predatory and Abusive Lending Practices, Feb. 21, 2003, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2003/advisory-letter-2003-2.pdf; OCC, Advisory Letter, AL 2003-3, Avoiding Predatory and Abusive Lending Practices in Brokered and Purchased Loans, Feb. 21, 2003, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2003/advisory-letter-2003-3.pdf.
34. 68 Fed. Reg. 46264 (Aug. 5, 2003).
35. See OCC Advisory Letter, AL 2003-2, supra note 33, at 2.
36. Id. at 3.
Overdraft Protection. The agencies have issued several statements on overdraft protection since 2005. The first, in 2005, was an interagency guidance that covered a broad range of risks including UDAP risks under Section 5 of the FTC Act. The guidance specifically mentioned marketing and advertising issues and advised that “to avoid engaging in deceptive, inaccurate, misrepresentative or unfair practices, institutions should closely review all aspects of their overdraft protection programs, especially any materials that inform consumers about the programs.”37
After 2005 there was a significant rise in the visibility of bank overdraft protection programs and a general distaste for them from the community of consumer advocates. For example, The Center for Responsible Lending published a study on bank overdraft programs in 2007 that concluded that consumers paid over $17 billion per year in “abusive” overdraft fees. The report had several recommendations including that the regulatory agencies require that consumers consent to overdraft protection plans, that the number of overdraft fees be limited, and that banks be required to pay items in chronological order.38
The FDIC conducted a comprehensive study of overdraft protection programs in 2008 and in 2009 the Senate Committee on Banking, Housing and Urban Affairs held a hearing on a proposed bill that would regulate such programs. The Chairman, Senator Dodd, opened the hearing with a statement that framed overdraft protection programs: “. . . a practice that I find in too many instances abusive, and that is, misleading overdraft programs that encourage consumers to overdraw their accounts and then slam them with too high fees.”39
As a result of the rising criticism of these programs, in 2010 the FDIC issued a more stringent version of its guidance on overdraft protection.40 This guidance significantly raised the regulatory expectations for state non-member banks, including that institutions should not order transactions in a manner that would maximize overdraft fees (presumably this meant that “high-to-low” posting orders would not be permitted), and that they should distinguish actual balances from balances with overdraft protection limits included, cap overdraft fees per day, implement de minimis rules that would allow consumers to avoid overdraft fees for small overdrawn balances, monitor consumers for excessive overdraft usage, and provide counseling on alternative credit products.
The OCC issued a proposed guidance on overdraft protection and deposit advance programs. It was never finalized and was eventually withdrawn when the agency published a new proposal in 2013 that was limited to deposit advance products (short-term, low-dollar loans).41 This guidance severely limited the activities of national banks with respect to deposit advance loans, requiring separate underwriting of each loan every time one is made.
Mortgage Lending. As the residential real estate and mortgage bubble grew during the late 1990s and through the first decade of the twenty-first century, the prudential banking regulators issued guidance to caution institutions about potentially unfair or deceptive practices.
The Interagency Guidance on Non-Traditional Mortgage Product Risks, issued in 2006, primarily addressed safety and soundness issues but it also cautioned institutions against potentially deceptive practices, such as advertising the initial lower payments of a nontraditional mortgage product and downplaying the potential for future payment shock and negative amortization.42
Another interagency guidance was issued in 2007 to address concerns on subprime mortgage lending.43 It covered safety and soundness issues such as underwriting guidelines and verifying the consumer’s ability to repay the loan, but also more heavily concentrated on consumer protection principles such as providing clear and timely information on the risks and benefits of the products. It specifically required that consumers be informed of payment shock, prepayment penalties, balloon payments, cost of reduced loan documentation, and the fact that the consumer will be responsible for taxes and insurance payments.44 Not surprisingly, these factors all played a part in the financial crisis and the vast numbers of foreclosures that happened shortly thereafter.
37. 70 Fed. Reg. 369127 (February 24, 2005).
38. See Eric Halperin & Peter Smith, “Out of Balance,” Center for Responsible Lending (July 11, 2007), available at http://www.responsiblelending.org/overdraft-loans/research-analysis/out-of-balance-report-7-10-final.pdf.
39. See S. Hrg. 111-502, Protecting Consumers from Abusive Overdraft Fees: The Fairness and Accountability in Receiving Overdraft Coverage Act, at 2.
40. FDIC, Financial Institutions Letter, FIL 81-2010, Overdraft Payment Programs and Consumer Protection. Final Overdraft Payment Supervisory Guidance, Nov. 24, 2010, available at http://www.fdic.gov/news/news/financial/2010/fil10081.html.
41. OCC Bulletin 2013-11, Deposit Advance Products: Proposed Guidance on Supervisory Concerns and Expectations Regarding Deposit Advance Products, Apr. 25, 2013, available at http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-11.html.
42. 71 Fed. Reg. 192, 58609 (Oct. 4, 2006).
43. 72 Fed. Reg. 131, 37569 (July 10, 2007).
UDAP ENFORCEMENT ACTIONS OF THE PRUDENTIAL BANKING REGULATORS
There were some significant UDAP-related enforcement actions taken by the prudential banking regulators both prior to and after the passage of the Dodd-Frank Act.45 The prudential regulatory agencies do not have statutory authority to enforce the “abusive” standard. The responsibility for enforcing the prohibition against “abusive” acts or practices was given solely to the Consumer Financial Protection Bureau (CFPB) under the Dodd-Frank Act; however, the prudential regulators retain their authority to enforce UDAP under Section 5 of the FTC Act. The following sections outline a few of the significant UDAP enforcement actions by the federal prudential regulatory agencies.
Providian National Bank. With a civil money penalty at $300 million, Providian National Bank46 was the first really large UDAP enforcement action. In the order, issued in 2000, Providian, a credit card bank, was found to have engaged in unfair and deceptive marketing practices. The bank sold payment protection products with the representation that a consumer who became sick, disabled, or unemployed would not have to make payments for up to 18 months. What Providian did not clearly disclose is that (1) the benefits were limited to the number of months that the consumer had paid the fee for the product and (2) the unemployment benefit could not be used until fees had been paid for at least three months. In addition, the bank could deny benefits if the consumer was delinquent or over the limit or if the consumer used or accessed credit from any other card. The OCC also determined that the bank was misleading in its advertising for rebates on new cards and for its no-annual fee card.
First National Bank in Brookings. In First National Bank in Brookings47 the OCC found that this South Dakota bank engaged in deceptive marketing practices by advertising credit cards and charging fees with the result that the consumer obtained very little or no net benefit from the card. In 2003 the bank was ordered to pay restitution in an amount to be not less than $6 million. This money was earmarked primarily for cardholders who received $50 or less of net credit availability on their cards at the time of account opening. The bank was also involved in payday lending through third-party vendors. The order required the bank to terminate those relationships.
Wachovia Bank National Association. In 2008 Wachovia consented to pay $10 million in civil money penalties for engaging in unfair practices related to payment processing and direct telemarketers.48 Interestingly, the majority of consumers injured by Wachovia’s actions were not customers of the bank. Wachovia was the bank of deposit for several (apparently) unscrupulous telemarketing firms who deposited remotely created checks drawn on consumer accounts at various banks around the country. The checks were purportedly to pay for goods or services the company sold to the consumers. In reality, the consumers had not authorized the checks and were required to dispute the payment at their own bank in order to get the money refunded. There was evidence that Wachovia had knowledge that its telemarketing customers were defrauding these consumers, many of whom were elderly. The OCC found that this was an unfair practice under Section 5 of the FTC Act.
Advanta Bank Corp. The FDIC found that Advanta Bank Corp. advertised its cash-back rewards program in a deceptive manner as the advertisements preceded the amount of the award with the words “up to,” thereby causing the consumer to believe that the amount of the reward would be the full amount stated. In 2009 the bank was ordered to make restitution to all consumers who responded to the advertising by paying the full cash reward. The bank was also required to pay a civil money penalty of $150,000.49
44. Id. at 37574.
45. Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203, 124 Stat. 1376 (2010).
46. OCC, In the Matter of Providian National Bank, Consent Order #2000-53, June 28, 2000, http://www.occ.gov/static/news-issuances/news-releases/2000/nr-occ-2000-49-consent-order-53.pdf.
47. OCC Consent Order #2003-1, In the Matter of: First National Bank in Brookings, Brookings, South Dakota, Jan. 17, 2003, http://www.occ.gov/static/enforcement-actions/ea2003-1.pdf.
48. OCC Consent Order # 2008-027, In the Matter of Wachovia National Bank Association, Apr. 24, 2008, available at http://www.occ.gov/static/enforcement-actions/ea2008-027.pdf.
Woodforest National Bank. In 2010 Woodforest agreed to pay up to $164 million in restitution and assistance to consumers as a result of unfair and deceptive practices related to the bank’s overdraft program and $1 million in civil money penalties.50 The accounts were marketed as “free checking.” The bank’s overdraft program included a feature whereby the consumer not only was charged a one-time fee per item that caused the account to be overdrawn, but the bank also charged a fee for every day the account remained in an overdraft state. The OCC deemed this practice to be unfair since the consumer could not avoid this fee. The bank did not cap either the number or the amount of fees. This practice was found to be deceptive.
Although the consent order itself does not state this fact, a large number of Woodforest’s branches were in Walmart stores. This fact may have played into the OCC’s consideration of the violation, since the population of customers that bank at the Walmart branches may be more vulnerable than others.
Republic Bank & Trust Company. Among several other issues encompassed by this enforcement, including Truth in Lending Act and Equal Credit Opportunity Act violations, the FDIC found that Republic Bank engaged in deceptive practices in its marketing of tax refund anticipation loans to consumers.51 Refund anticipation loans are made through third parties, usually the tax preparers themselves. The bank, along with the tax preparer, advertised that the consumer could obtain the refund within one to two business days. The FDIC found that this representation was material, was not necessarily true, and therefore was misleading. In 2011 the bank was required to pay $2 million in civil money penalties.
49. FDIC, Order to Cease and Desist, In the Matter of Advanta Bank Corp., June 30, 2009, available at http://www.fdic.gov/news/news/press/2009/pr09109a.pdf.
50. OCC, In the Matter of Woodforest National Bank, Consent Order for a Civil Money Penalty, #2010-202, available at http://www.occ.gov/news-issuances/news-releases/2010/nr-occ-2010122a.pdf; Agreement by and Between, Woodforest National Bank The Woodlands, Texas and The Comptroller of the Currency #2010-203, Oct. 6, 2010, http://www.occ.gov/static/enforcement-actions/ea2010-203.pdf.
51. FDIC, In the Matter of Republic Bank & Trust Company, Louisville, Kentucky, Amended Notice of Charges for An Order to Cease and Desist, Notice of Assessment of Civil Money Penalties, Findings of Fact and Conclusions of Law; Order to Pay; And Notice of Hearing, May 3, 2011, available at http://www.fdic.gov/bank/individual/enforcement/2011-05-55.pdf.
JP Morgan Chase. In 2011, the OCC fined JP Morgan
Chase $2 million for engaging in unfair or deceptive
practices in the marketing of credit protection products
in its auto lending divisions.52 The bank made false
or misleading statements regarding the coverage
and cost of the products. Specifically, the sales staff
was trained to use scripts to “rebut” the consumer’s
decision not to purchase the product. The rebuttals
were found to be materially misleading and caused the
consumer to misapprehend the terms of the product
that was offered.
In 2013 the OCC again found that JP Morgan
Chase had engaged in unfair practices, this time
because the bank sold identity theft protection to
credit card holders and billed them monthly for
this service when, in some cases, the cardholder
received no benefit. Upon purchase of the product,
the cardholder was required to submit additional
information and authorize the credit monitoring
service. In many cases, cardholders did not submit
the information or authorization, but their accounts
nonetheless were billed monthly for the service. The
OCC required the bank to reimburse the consumers
for all fees charged for the service plus any over-the-limit fees stemming from the charge and interest on
those amounts.53
The Bancorp Bank and Higher One. Two enforcement
actions from the FDIC, involving The Bancorp Bank
and Higher One, are related in that Higher One (an
issuer of debit cards to students) is an institution
affiliated party to The Bancorp Bank as a result of a
contractual relationship between them. Higher One
contracts with colleges and universities to provide
the payment mechanism by which student loans and
grants are disbursed to the student. The student debit
cards are marketed as a checking account with FDIC
insurance. Higher One contracts with an FDIC insured
institution to issue the card. In this case The Bancorp
Bank was the contracting insured depository.
52 OCC, JPMorgan Chase Bank, Consent Order #2011-94, June 14, 2011, available at http://www.occ.gov/static/enforcement-actions/ea2011-094.pdf.
53 Department of the Treasury, OCC, In the Matter of JPMorgan Chase Bank, Chase Bank, Consent Order #2013-139 Sept. 18, 2013, available at http://www.occ.gov/static/enforcement-actions/ea2013-139.pdf.
The FDIC required Higher One to pay $110,000 in
civil money penalties and $11 million in restitution to
consumers (in this case, college students) for engaging
in unfair and deceptive practices related to charging
overdraft fees. The FDIC found that Higher One was
charging multiple overdraft fees for one transaction
and also charged a daily fee for overdrafts outstanding. The Bancorp Bank was also fined $172,000 and
required to strengthen its third-party controls.54
RBS Citizens, N.A. The OCC assessed a civil money
penalty of $5 million against RBS Citizens in 2013 for
deceptive practices in marketing its overdraft protection
program.55 One example of deceptive practices was
the fact that the bank advertised a savings transfer
program to cover overdrafts in a checking account.
However, the bank did not disclose that no transfer
would occur if the savings balance would not cover the
entire amount overdrawn, even if it would cover some
of the items comprising the overdrawn balance.
54 FDIC, In the Matter of The Bancorp Bank, Consent Order FDIC, Aug. 7, 2012, http://www.cfpaguide.com/portalresource/bancorp%20bank%20enforcement.pdf; FDIC, In the Matter of Higher One, Consent Order, Aug. 12, 2012, available at http://www.cfpaguide.com/portalresource/higher%20one%20enforcement.pdf.
55 OCC, In the Matter of RBS Citizens, Consent Order #2013-040, Apr. 29, 2013, available at http://www.occ.gov/static/enforcement-actions/ea2013-040.pdf.
POST DODD-FRANK: UDAAP IN THE CFPB ERA
The passage of the Dodd-Frank Act provided a sea
change in the UDAP arena. The statute added an
entirely new concept of “abusive” acts or practices.
Although the other agencies have used the word “abusive” within their guidance, prior to the Dodd-Frank
Act the term had no legal definition. Also, the law
shifted the locus of UDAAP enforcement to the newly
created CFPB. After Dodd-Frank, although the other
agencies continued to enforce Section 5 of the FTC
Act, the CFPB was given sole authority to regulate
both banks and non-banks for abusive behavior. (The
Dodd-Frank Act also included a definition of “unfair,”
just as it was codified in the FTC Improvement Act in
1994, but did not mention “deceptive.”)
Abusive Acts Defined. Section 1031 of the Dodd-Frank
Act defined an abusive act or practice as one which
either:
1) materially interferes with the ability of a consumer
to understand a term or condition of a consumer
financial product or service; or
2) takes unreasonable advantage of—
(A) a lack of understanding on the part of the
consumer of the material risks, costs, or conditions of the product or service;
(B) the inability of the consumer to protect the
interests of the consumer in selecting or using
a consumer financial product or service; or
(C) the reasonable reliance by the consumer on
a covered person to act in the interests of the
consumer.56
While no one can be sure how this definition will
be applied to real life situations in the future, it would
appear that the concepts seem to be meant to protect
so-called “vulnerable consumers.” These are consumers in groups that, due to their circumstances, require
more protection than the average person. Vulnerable
populations could include older persons, college age
persons, service members, and financially distressed
individuals, among others.
Concern has arisen regarding the last prong of
the “abusive” test. It appears to require that the
banker act in the customer’s best interest when selling traditional financial products. This standard has
never applied previously in retail banking services.
Historically, in the normal course of business, a bank
employee opening an account at a retail branch did
not have a burden to investigate the financial situation
of a consumer who came in to open an account in the
same way that a retail securities broker is required to
do under FINRA’s suitability rules.57 If this is indeed
what is now required, it would signal a significant
change in how banks do business.
Although the law authorizes the CFPB to write
UDAAP regulations, including one that would interpret
the abusive standard, the CFPB has indicated that it has
no plans to do so.58 One difficulty in managing UDAAP
risks is the lack of clarity and certainty around this rule.
UDAAP is inherently a subjective concept compared
to other consumer financial protection regulations. It
requires a different method of risk management.
56 P.L. 111-203 § 1031(d), July 21, 2010.
57 See FINRA Rule 2111(a).
58 See “Trying to Stay Above Politics: A Conversation With Richard Cordray” (American Banker, Mar. 23, 2012), available at http://www.americanbanker.com/issues/177_58/cordray-cfpb-supervisionenforcement-consumers-UDAAP-UDAP-1047798-1.html.
JOURNAL OF TAXATION AND REGULATION OF FINANCIAL INSTITUTIONS
November/December 2013 Vol 27 / No 2
CFPB Enforcement Actions. Some insight can be gleaned
from the CFPB’s enforcement actions to date. The first
one was issued nearly a year after the CFPB began its
official operations in 2011. The first several consent
orders centered around the deceptive doctrine. The first
“abusive” case, also discussed below, was filed in 2013.
Capital One, N.A. The CFPB’s first enforcement action was issued in 2012 against Capital One. This action
involved the bank’s payment protection add-on product
sold to consumers within its credit card business. The
consent order lists a series of false or misleading representations made to consumers regarding the payment
protection and credit monitoring product, including
that the product (1) was not optional (it was), (2) was
free (it was not), and (3) would improve the consumer’s
credit score. The bank was required to make restitution
(totaling at least $140 million) to the consumers who
had purchased the product and was ordered to pay a
civil money penalty of $25 million. The compliance
plan contained in the consent order is interesting in its
granularity. It requires an overhaul of the bank’s sales
and marketing practices for these products and even
requires that information provided in telephone sales
calls be “. . . spoken and disclosed in a volume, cadence
and syntax sufficient for an ordinary consumer to hear
and comprehend.” It also requires that the sales person
disclose to the consumer during the same phone call the
fact that the consumer is purchasing the product.59
Discover Bank. Later in 2012 the CFPB entered
into a consent order, similar to the Capital One action, with Discover. The bank was found to have engaged in deceptive practices and, again, the product at
issue was payment protection on credit card accounts.
The consent order noted that the Discover telemarketers “. . . spoke more rapidly during the mandatory
disclosure portion of the sales call, which included a
statement of the Product’s price and some—but not
all—material terms and conditions of the Product.”
Also, the sales callers “. . . frequently downplayed this
mandatory disclosure during their telemarketing sales
presentation, implying to Cardmembers that the mandatory disclosure was not important, even though it
was designed to alert Cardmembers to the Product’s
price and certain terms and conditions.”60
59 CFPB, In the Matter of Capital One Banks, Consent Order, Administrative Proceeding #2012-CFPB-0001, July 16, 2012, available at http://files.consumerfinance.gov/f/201209_cfpb_0001_001_Consent_Order_and_Stipulation.pdf.
60 FDIC CFPB, In the Matter of Discover Bank, Joint Consent Order with the FDIC, #2012 CFPB-0005, Sept. 24, 2012, available at http://files.consumerfinance.gov/f/201209_cfpb_0005_001_Consent_Order.pdf.
This consent order highlights a significant issue that
financial institutions had not, until this point, really
understood—legal disclosures, even model language
that comes from the regulation, may not prevent the
message from being deceptive overall. Although this
doctrine is clearly a part of the FTC’s doctrine on
deception, banks have traditionally been so highly
regulated with such technical disclosure requirements
for all types of products, both loans and deposits,
that relying on the accuracy of these disclosures had
become a source of some security.
American Express. Also in 2012, the CFPB assessed
a civil money penalty in the amount of $3.9 million
against American Express (and the company was also
separately fined by the FDIC, the OCC, and the Federal
Reserve) for several violations of consumer protection
laws, including the deceptive doctrine of Section 5 of
the FTC Act.61 The deceptive acts included misrepresentations to consumers that, if charged-off debt were repaid, the consumers’ credit reports would be amended
and their scores improved. Also, the CFPB found
that a credit card promotion was misleading because,
while it appeared to offer $300 in cash, in fact what
it offered was a comparable amount of reward points.
The company was also required to pay restitution to
consumers.
61 FDIC CFPB, In the Matter of American Express Centurion Bank, Joint Consent Order #2012-CFPB-0002, Oct. 1, 2012, available at http://files.consumerfinance.gov/f/2012-CFPB-0002American-Express-Centurion-Consent-Order.pdf.
CFPB v. American Debt Settlement Solutions.
The CFPB filed suit in 2013 against American Debt
Settlement Solutions (ADSI) and its owner, Michael
DiPanni, for deceptive and abusive acts or practices.
ADSI was required to pay a $15,000 civil money penalty and disgorge nearly $500,000 in fees to consumers. ADSI solicited consumers in debt with a promise
that the company would settle at least one debt and
make it easier for the consumer to get out of financial
trouble. The court in CFPB v. American Debt Settlement Solutions found that the company deceptively
marketed its services because, since its inception, 89
percent of the consumers who enrolled in the service
and paid a fee had no debts settled by the company.
In addition, ADSI had knowledge that there was no
likelihood of settling debts under $700, but it continued to receive fees for enrolling debts less than this
amount. It also continued to enroll consumers whose
incomes were too low to complete the debt repayment
plan. The CFPB found that these actions were abusive.62 This was the first action by the CFPB to enforce
the “abusive” standard of the Dodd-Frank Act.
UDAAP RISK MANAGEMENT
Principles-Based Regulation Versus Technical Rules. It
is clear from a review of the enforcement actions that
there are numerous ways a financial institution can
incur UDAAP-related risks and face potential fines,
penalties, and disgorgement of revenue. The overriding
UDAAP-related issue facing regulatory compliance
risk managers in regulated financial institutions is
uncertainty. UDAAP is a principles-based regulation
in an industry that is built around technical rules.
Since 1968, with the passage of the Truth in Lending Act, bank regulatory compliance risk management
has been technically focused. Over the last 40 years,
the closest thing to a principles-based consumer
protection law has been fair lending. However, as a
risk management discipline, fair lending has evolved
with more certainty into a quantifiable science—the
subjectivity is almost gone. It should be noted that
with the CFPB (and other agencies) beginning to use
the doctrine of disparate impact when evaluating fair
lending compliance, uncertainty has begun to grow.
Principles-based regulatory compliance is more
difficult than technical compliance in part because
the lines of business within the bank do not have
clarity and therefore do not understand what needs to
be done to comply. There is no checklist that can be
made, no work program or cut and dried procedures
to write. Incorporating “fairness” into operations is
much harder than programing a computer to correctly
calculate an annual percentage rate. When challenged
by the risk managers or legal department, a line of
business leader till now has always been able to say
“Show me where it says I can’t do that.” In the case
of UDAAP no one can point to anything concrete.63
As proof that UDAAP compliance is difficult,
one need only consider that the largest U.S. banking
institutions, which have the most sophisticated and
expensive risk management programs and extensive
resources to bring legal and regulatory skill to bear,
have been running afoul of the UDAAP standards.
Minimizing UDAAP risks requires a different way
of thinking about compliance risk management.
Elements of Good Regulatory Risk Management.
Historically, regulatory compliance risk management
has consisted of several elements. These elements,
discussed below, are universal in all well run regulatory
compliance risk management groups.
Governance Structures. Someone (a person or
group) within the organization has to be ultimately
responsible for UDAAP compliance governance and
the program framework. Often this responsibility lies
within the corporate compliance department or similar risk management area. However, good governance
requires that this responsibility report up the organization to a higher level. It is common to see the reporting for this function culminate at the board committee
level, such as the Risk Committee. The actual responsibility for UDAAP compliance execution generally
lies within the lines of businesses.
In addition, a strong regulatory compliance function is required to be capable of credibly challenging
the lines of business. In no regulatory area is this more
important than in UDAAP compliance. The lack of
clearly enumerated technical rules requires that the
risk management function be able to convincingly
articulate why a practice is potentially an unfair,
deceptive, or abusive one. The lines are often blurry
and issues are seldom black and white.
Policies. Strong, concrete policies that clearly state
the bank’s attitude and expectations regarding the fair
treatment of consumers are a foundation of effective
UDAAP compliance. Framing the main policy as “fair
treatment” rather than as “UDAAP compliance” is
helpful in that it is more positive and helps to connect
the policy to each employee’s day-to-day work that
impacts consumers.
62 Consumer Financial Protection Bureau v. American Debt Settlement Solutions Inc. and Michael DiPanni, 9:2013cv80548 So. 2d (Fla. 2013), available at http://files.consumerfinance.gov/f/201305_cfpb_complaint_adss.pdf.
63 See Jo Ann Barefoot, “Nine Dangerous Words: Show Me Where It Says I Can’t Do That” (American Banker, Sept. 13, 2011), available at http://www.americanbanker.com/bankthink/udaap-unfair-deceptive-abusive-acts-practices-compliance-barefoot-1042171-1.html.
Procedures. UDAAP-related business level procedures that are specifically targeted to job duties are
extremely helpful to prompt employees to make good
decisions that will benefit both the bank and its customers. For example, procedures for telephone sales
practices should include not only instructions for how
to convey the information to the consumer and what
to say to answer questions that are raised, but also
procedures for how to terminate the conversation
without pressing for a sale when the consumer appears to be confused or states that he or she does not
want to purchase the product.
Risk Assessments. Good risk management practices necessarily require that the bank identify both
the risks it faces and the controls in place to mitigate
the risks. A UDAAP risk assessment comprehensively
identifies such risks across the enterprise and throughout the life cycle of each product and service. Measuring the effectiveness of the controls is an integral part
of determining the level of residual risk remaining.
Mapping the risks to each control is a great exercise
to help the organization find any gaps remaining in its
compliance program.
Monitoring and Testing. A requirement for every
risk management program is to regularly test the effectiveness of the processes. The risk management area
is considered to be the second line of defense in the
overall risk controls (the line of business processes are
the first line, the internal audit function is the third.)64
Implementing UDAAP monitoring and testing can be
challenging since the lack of technical rules makes it
hard to fashion a checklist of things to review. However, thoughtful reviews of the product on a lifecycle
basis can help uncover potential issues.
64 See IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, Institute of Internal Auditors (Jan. 2013), available at http://www.unima.mw/wpcontent/uploads/2012/downloads/position%20paper.pdf; Carolyn Duchene, Remarks Before the American Bankers Association Risk Management Forum (Apr. 25, 2013), available at http://www.occ.gov/news-issuances/speeches/2013/pub-speech-2013-70.pdf.
Auditing. The internal audit function was specifically mentioned in the CFPB’s enforcement actions
against American Express and Discover as being
“inadequate” for failing to catch the UDAAP issues.
Internal audit is supposed to operate as the so-called
“third line of defense.”65 UDAAP auditing comes with
the same types of challenges as UDAAP monitoring.
Audit programs are generally based on very specific
requirements. Since UDAAP has so few technical,
concrete requirements, it is more difficult to prepare
effective work programs. One approach is to audit
each line of business or individual product over its
entire lifecycle with a thoughtful approach to test the
UDAAP risk management controls at each phase of
the lifecycle.
Training. UDAAP training is key not only to
transferring awareness of UDAAP concepts to all
bank personnel at every level but also to influencing a culture of fairness within the organization. All
employees at leadership levels and all with customer
impact should receive more specific UDAAP training
no less often than annually.
Management Reporting. Financial institutions,
like all businesses, run on metrics. UDAAP/fairness-related metrics are essential to understanding the level
of UDAAP compliance risks at any point in time.
Developing these metrics requires a careful review of
products, services, and processes to determine what
are the indices of key UDAAP or fairness risks.
Identifying and Minimizing Future UDAAP Risks. The
traditional risk management processes are all still
essential. However, unlike a technically based
regulation, UDAAP risks cannot be effectively
controlled with just the tactical and reactive tools that
risk managers have honed over the years for managing
regulatory compliance. In short, a risk management
framework consisting solely of these elements will not
keep an institution out of UDAAP trouble.
Establishing Fairness Principles. Effective UDAAP
risk management requires a more strategic, proactive
approach. A good first step is to establish commonly
understood principles of fairness for the entire bank to
follow. These principles can help to shape the bank’s
culture and guide the elements of the UDAAP compliance program. The purpose of formulating these
principles is to bring all parties to the table so that all
agree on what “fairness” looks like for the institution.
65 See IIA Position Paper, supra note 64.
There are four principles that can be easily conveyed to the bank as a whole and can be used to evaluate fairness in financial products throughout their
lifecycles from product design all the way through
to the servicing stage:
1. Understandability: The consumer should be easily
able to grasp the concepts (i.e., terms and conditions) of the product. If it is too complicated, it
carries greater UDAAP risk.
2. Predictability: Consumers should be able to understand how the product will work in the future
and, for example, how they can avoid fees or
penalties. Complicated overdraft protection plans
sometimes are not predictable enough for the
consumer to avoid overdraft fees. Hence they can
carry elevated UDAAP risks.
3. Value: There must be a real benefit for the consumer. An example of a case where the consumers
received no value is when cardholders paid for
identity theft protection each month but did not
activate the service so they got no benefit.
4. Appropriateness: If a product is inappropriate for
the consumer, it likely has some fairness issues.
An example is the marketing and sale of secured
credit card products to individuals who would
qualify for prime products. Secured credit cards
are almost always more costly. By taking advantage of a consumer who does not understand that
he or she could qualify for something more appropriate, the institution is running a risk of violating
the abusive standard.
Once these fairness principles are understood and
agreed upon, other more proactive risk management
processes can be implemented.
Make a Cultural Commitment. To begin with,
bank leadership must make a strong commitment to
cultivating a culture of fairness. Communication is a
key component beginning with the “tone at the top.”
Culture is created from the top of the house—the messaging from executive leadership has to be strong and
unequivocal. To move the cultural needle, a consistent
internal messaging campaign should be forthcoming
from the bank’s leadership.
Institute Proactive Risk Scans. Risk managers, including regulatory compliance, legal, and operational
risk areas all must establish systems to scan the risk horizon for emerging issues from the regulatory agencies,
new litigation, and within the bank’s own operational
areas where new products and promotions all have the
potential for UDAAP risks.
Align Incentives. Incentives for all bank employees
with UDAAP-relevant jobs should have performance
measures for UDAAP. Incentive compensation should
be reviewed rigorously to ensure that no one is incented for bad behavior.
Review New Products. Rigorous new product initiative processes should include UDAAP screens so
that all new ideas for products and services are reviewed for fairness issues. New products and promotions must be thoroughly tested operationally in order
to make sure they work as they will be advertised.
Finally, ensuring that consumers understand each
product through the use of focus groups and the like
is a key to avoiding deception issues in the future.
Establish Complaint Management Programs.
Arguably the most important risk management tool
for UDAAP compliance management is a robust complaint management program. Capturing the data on
all complaints and resolving them is just the beginning. Complaints should be analyzed for their root
cause and the trends analyzed to determine where
changes should be made within products and in the
UDAAP compliance program itself.
Be Proactive in Identification and Remediation
of Issues. While it seems intuitive that an organization should attempt to identify its own problems
and remediate them as quickly as possible, in the
litigious environment in which all corporations live,
this activity is sometimes not encouraged as much as
it should be. However, proactive financial organizations that successfully deal with UDAAP compliance
in the future will aggressively find and fix their own
problems.
The CFPB mentioned this concept of proactive
compliance management in its guidance on Responsible Conduct issued in June 2013. This guidance
provides an understanding of when the CFPB will
give an institution “credit” for a proactive compliance culture and program during an examination.
Questions that will be germane to the determination
include whether there was a culture of compliance
and what the “tone at the top” was. The guidance
provides a roadmap for rewarding an institution that
encourages proactive compliance management:
. . . a party may proactively self-police for potential
violations, promptly self-report to the Bureau when it
identifies potential violations, quickly and completely
remediate the harm resulting from violations, and
affirmatively cooperate with any Bureau investigation
above and beyond what is required. If a party meaningfully engages in these activities, which this bulletin
refers to collectively as “responsible conduct,” it may
favorably affect the ultimate resolution of a Bureau
enforcement investigation.66
66 CFPB Bulletin 2013-06, Responsible Business Conduct (June 25, 2013), available at http://files.consumerfinance.gov/f/201306_cfpb_bulletin_responsible-conduct.pdf.
CONCLUSION
UDAAP compliance risks are the most difficult consumer protection risks to manage for financial institutions. There are no formal rules or black-and-white
guidelines. The increased complexity of financial
products, and the payment system in particular, over
the last 30 years has made the task more daunting.
The best path to success for financial institution executives is to implement a proactive compliance risk
management program with a strong culture of fairness within the institution itself.