Managing UDAAP Compliance Risks in Financial Institutions

Compliance with Unfair, Deceptive or Abusive Acts or Practices (UDAAP) principles has become a thorny problem for U.S. financial institutions. The UDAAP regulatory scheme, as embodied by the Consumer Financial Protection Bureau, represents a new approach to regulating financial institutions and the industry has yet to fully adjust. This article reviews the history of UDAAP regulation in the U.S. and then examines the ways financial institutions must change their compliance management programs to minimize the risk of UDAAP violations.

KATHLYN L. FARRELL

Kathlyn L. Farrell is a Managing Director at Treliant Risk Advisors, LLC. She may be contacted at lfarrell@treliant.com.

November/December 2013 Vol 27 / No 2

Compliance with Unfair, Deceptive or Abusive Acts or Practices (UDAAP) principles has become a thorny problem for U.S. financial institutions. Compliance management systems honed over the past 45 years to become models of well managed risk programs have proved substantially ineffective to keep institutional practices within the boundaries of the regulatory expectations for UDAAP compliance. The reason for this dilemma is that the UDAAP regulatory scheme, as embodied by the Consumer Financial Protection Bureau (CFPB), represents a new approach to regulating financial institutions and the industry has yet to fully adjust. UDAAP regulations are principles-based, not technically based. The difference is significant.

This article presents an overview of the history of UDAAP regulation in the U.S., from the Federal Trade Commission Act amendments in 1938 to the Dodd-Frank Act era and the Consumer Financial Protection Bureau. It then examines the ways financial institutions must change their compliance management programs in order to minimize the risk of UDAAP violations.

HISTORICAL CONTEXT OF UDAAP

For 72 years UDAP existed without the second “A”—abusive. The original UDAP provisions were contained within Section 5 of the Federal Trade Commission Act (“FTC Act”) in 1938.[1] The FTC Act was enacted 24 years earlier, in 1914, but it did not address UDAP at all. Rather, in its original form, the FTC Act sought to protect consumers by banning anti-competitive, restraint of trade practices.[2] It was not until 1938, with the passage of the Wheeler-Lea Act revisions to the FTC Act, that the focus of Section 5 was shifted to protect consumers from unfair and deceptive acts and practices.[3] Virtually all of the FTC’s focus in the UDAP arena—even to the present—has been on sales and marketing practices. FTC litigation first focused on print advertisements and evolved with technology to concentrate on television advertising.[4]

The FTC enforced the UDAP protections in Section 5 primarily through litigation. The text of the law did not define “unfair” or “deceptive.” Over the years, the elements to these concepts were fleshed out in the courts and through FTC consent orders. The doctrines of “unfair” and “deceptive” were explained by the FTC chairman in policy statements addressed to Congress in 1980 and 1983, respectively.[5] These policy statements were a response to congressional inquiries to the Commission and they effectively restated the definitions as applied by the FTC at the time.

[1] 15 U.S.C. § 45.
[2] 38 Stat. 719 (1914).
[3] Wheeler-Lea Act of 1938, P.L. 75-447, 52 Stat. 111 (1938).
[4] See W.H. Ramsay Lewis, “Infomercials, Deceptive Advertising and the FTC,” 19 Fordham Urb. L.J. 853-74 (1991).
[5] Letter from Michael Pertschuk, Chairman, and Rand Dixon, David Clanton, Robert Pitofsky & Patricia Bailey, Commissioners, FTC, on the FTC Policy of Unfairness to Wendell Ford, Chairman, and John Danforth, Ranking Minority Member, of the Consumer Subcommittee, the Committee on Commerce, Science and Transportation, U.S. Senate (Dec. 17, 1980) (hereafter “FTC Policy Statement on Unfairness”), available at http://www.ftc.gov/bcp/policystmt/ad-unfair.htm; Letter from James C. Miller, Chairman, FTC, on FTC Policy Statement on Deception, to Hon. John D. Dingell, Chairman, Committee on Energy and Commerce (Oct. 14, 1983) (hereafter “FTC Policy Statement on Deception”), available at http://www.ftc.gov/bcp/policystmt/ad-decept.htm.

“Unfairness” Defined. In explaining what makes a consumer injury the result of “unfairness,” Chairman Pertschuk stated that the injury must meet three prongs: “. . . it must be substantial; it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and it must be an injury that consumers themselves could not reasonably have avoided.”[6] This definition of “unfairness” was later codified in the FTC Improvement Act of 1994.[7]

To further explain the three prongs of the definition, Chairman Pertschuk stated that in order for the injury to be substantial, it must involve a monetary cost—emotional injuries will not meet the “unfairness” test. Nor is the Commission concerned with “trivial or speculative” harm.[8] Second, for unfairness to exist there cannot be a beneficial counterweight to the injury that outweighs the effect of the injury. A practice must cause a net effect of injury to the consumer.[9] Finally, if the consumer could have reasonably avoided the injury, it will fail the unfairness test. In the policy statement, Chairman Pertschuk explained the view of the FTC on allowing consumers to freely make decisions in the free market:

Normally we expect the marketplace to be self-correcting, and we rely on consumer choice—the ability of individual consumers to make their own private purchasing decisions without regulatory intervention—to govern the market.
We anticipate that consumers will survey the available alternatives, choose those that are most desirable, and avoid those that are inadequate or unsatisfactory.[10]

When the marketplace fails to allow for consumers to reasonably protect themselves, the practice could rise to the level of “unfairness.”

“Deception” Defined. Three years after the Policy Statement on Unfairness was issued, the Commission issued a similar statement defining the doctrine of “deception.” As with the Policy Statement on Unfairness, the Policy Statement on Deception was issued as a response to a congressional inquiry and specifically stated that its purpose was to provide a concrete statement of how the Commission would “. . . enforce its deception mandate”[11] and to allay concerns expressed by Congress about the lack of specificity in the doctrine of deception.[12] In order to support a finding of “deception” there must be a representation or omission that is likely to mislead the consumer. The consumer in question must be acting reasonably and the representation or omission must be material.[13]

As with the Statement on Unfairness, the Statement on Deception further elaborated on the three prongs of the doctrine. First, the omission or representation must be misleading or likely to mislead (it need not actually mislead anyone). The statement lists several examples, all involving sales and marketing practices, such as bait-and-switch schemes.[14] The second prong of the doctrine of deception is that the consumer must be acting reasonably. Is the consumer’s reaction to the misleading communication a reasonable one? A key element of this prong involves the group the consumer represents—“reasonableness” is judged in the context of the particular consumer.[15] For example, if the consumer is elderly, the determination will involve a “reasonable” elderly person. Likewise, if the person is young, or is seriously ill, the potentially deceptive communication will be viewed through the lens of the consumer’s particular group, taking into account that group’s knowledge and level of sophistication.

A key element of the policy statement’s analysis is that disclaimers and disclosures may not be able to cure a deceptive representation. A false headline is not fixed by the fine print.[16] For disclosures to help negate a misleading statement they must be clear and understandable. The statement does, however, exclude general advertising puffery from the category of “deceptive.”[17]

The third element of the doctrine of deception is that the misrepresentation or omission must be material. It must have been an important part of the consumer’s decision making. In short, “Injury exists if consumers would have chosen differently but for the deception.”[18] The definition of “deceptive” was not formally codified in the FTC Improvement Act of 1994. However, the three prongs have continued to be the standard for the doctrine through the present time.

[6] See FTC Policy Statement on Unfairness, supra note 5, at 3.
[7] 15 U.S.C. § 45(n).
[8] See FTC Policy Statement on Unfairness, supra note 5, at 3.
[9] Id.
[10] Id.
[11] See FTC Policy Statement on Deception, supra note 5, at 1.
[12] Id.
[13] See id. at 2.
[14] Id.
[15] See id. at 3.
[16] Id.
[17] Id. at 5.

Journal of Taxation and Regulation of Financial Institutions
UDAP ENFORCEMENT BY FEDERAL BANKING REGULATORY AGENCIES

The regulation of financial institutions for UDAP enforcement was expressly carved out of the FTC Act from the very beginning.[19] In 1975, in the Magnuson-Moss Warranty Act (Title II was entitled the Federal Trade Commission Improvement Act), authority to enforce UDAP was expressly given to the prudential banking regulatory agencies (the Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC)).[20] Each agency was required to establish an office of consumer affairs for the purpose of receiving UDAP-related complaints. The Federal Reserve Board was given the rule-writing authority for UDAP, but the other agencies were empowered to write their own procedures to enforce compliance with “regulations prescribed under this subsection.”[21] Each agency was empowered to enforce UDAP rules for the institutions within its jurisdiction.

Regulation AA. No UDAP-related regulation was forthcoming until 1985 when the Federal Reserve Board published Regulation AA—Unfair or Deceptive Acts or Practices.[22] Regulation AA primarily prohibited certain onerous consumer credit contract terms, such as cognovit clauses or confessions of judgments, assignments of wages, and waivers of exemption. It also required regulated financial institutions to give notices to co-signors and made the practice of pyramiding late charges illegal. Finally, Regulation AA prohibited the taking of a security interest in household goods for nonpurchase money loans. Regulation AA represents the sole Federal Reserve Board effort to codify the FTC Act Section 5 UDAP rules into federal banking regulations.

[18] See id. at 14.
[19] See 15 U.S.C. § 45(a)(2) (2006).
[20] See 15 U.S.C. § 57(a).
[21] Id.
[22] 12 C.F.R. § 227.

UDAP-Related Regulatory Issuances. Over the next 25 years, the prudential regulators wrote other regulations that dealt with UDAP-related issues in some manner. They also published several guidance documents that specifically dealt with products that had higher levels of UDAP risks and, although these do not rise to the level of formal regulation, they generally have the same practical effect. One overarching reason for the spate of regulatory issuances within this timeframe is that financial products and services began to develop and change at a rapid rate during the first decade of the 2000s. Particularly, the changes within the payment system involving the use of debit cards and other electronic payments (accelerating the use of overdraft protection programs) and the rise of non-traditional mortgage products caused rapid changes in the products offered by regulated institutions. These regulations and guidance documents were a response to the market changes.

Guidance on Unfair or Deceptive Acts or Practices. Both the FDIC and the OCC issued guidance documents in 2002 to describe the types of activity that posed UDAP risk to financial institutions.[23] These publications are not identical. The OCC Advisory Letter explains the legal underpinnings of UDAP, lists examples of practices that may violate the prohibition against deceptive practices in the FTC Act, and explains how institutions should manage UDAP risks.[24] The examples are based on OCC enforcement actions that all deal with deceptive practices such as misleading marketing materials that fail to adequately disclose fees or material limitations of the product.
The guidance suggests that national banks should manage UDAP risks by such things as improving the information given to consumers and avoiding misleading terms such as “guaranteed,” “pre-approved,” and “lifetime rates” if there is any possibility that the consumer will not receive the product on those terms. The OCC guidance also cautions against the indiscriminate use of third parties such as telemarketers and suggests that the contracts with third parties should avoid financial incentives that lead to deceptive behavior.[25] The FDIC Financial Institution Letter on UDAP, also published in 2002, is much shorter and focuses on advising state non-member banks that they are, in fact, subject to the prohibitions on UDAP in Section 5 of the FTC Act and warns that the FDIC will take action if it finds unfair or deceptive practices within a covered institution.[26]

[23] FDIC, Financial Institutions Letters, FIL-57-2002, May 30, 2002, available at http://www.fdic.gov/news/news/financial/2002/fil0257.html; OCC, Advisory Letter, AL 2002-3, Guidance on Unfair or Deceptive Acts or Practices, Mar. 22, 2002, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2002/advisory-letter-2002-3.pdf.
[24] See OCC Advisory Letter, supra note 23, at 3-4.

Debt Cancellation and Debt Suspension Contracts. In 1963 the OCC ruled that national banks had the authority to sell debt cancellation and debt suspension contracts.[27] These products became increasingly popular during the decade of the 2000s, especially as add-on sales to credit card and mortgage accounts. Debt cancellation and debt suspension contracts involve a contract between the bank and the consumer borrower whereby, for a fee, the bank will agree to suspend or cancel the consumer’s debt if a specified event occurs (usually the covered events include loss of employment or suffering a disability).
Sometimes these products are referred to as “insurance” but they are not insurance in the legal sense nor are they regulated as such. These contracts are often referred to as “payment protection” products, along with credit life and health insurance. Fees for debt cancellation or suspension contracts are paid monthly, particularly on credit card or mortgage accounts. These products are often sold by telephone solicitations to existing customers. In 2002, the OCC issued regulations governing the sales of these products.[28] One of the stated purposes of the OCC’s rule was to “. . . discourage unfair or abusive sales practices.”[29] The OCC also prohibited single premium debt cancellation or debt suspension contracts in connection with mortgage loans as these were considered to be abusive.[30] The regulation requires standardized disclosures in the marketing of these products, including information that must be sent to the consumer after the sale. It also required affirmative election and acknowledgement of the sale and a refund of fees if the contract was cancelled or the loan was repaid early.[31]

[25] Id. at 7-8.
[26] See FDIC, Financial Institutions Letters, supra note 23.
[27] 12 U.S.C. § 24.
[28] 67 Fed. Reg. 182, 58962 (Sept. 19, 2002).
[29] Id. at 58963.
[30] Id.
[31] 12 CFR § 37.

Title Loans and Payday Loans. Although title loans and payday loans have traditionally not been products offered by regulated depository institutions, during 2000 the OCC issued advisory letters as some national banks began to fund third-party non-banks that were making these loans. The advisory letters warn that these types of credit product have both safety and soundness risks as well as consumer protection risks, particularly for abusive or unfair practices.[32]

Predatory and Abusive Practices in Lending and in Brokered and Purchased Loans. The OCC issued two advisory letters in early 2003 to caution national banks against certain practices that could violate section 5 of the FTC Act, both in their direct lending activities and in their purchases of loans.[33] These letters were issued on the same day that the OCC published a notice of the receipt of a preemption request from National City Bank and its subsidiaries and the OCC’s response to such request. The OCC confirmed that National City was not subject to the state of Georgia’s anti-predatory lending statute.[34] The purpose for issuing the advisory letters was to affirm that, although national banks are not subject to these statutes, the OCC expects that they will avoid such practices. The advisory letters spoke to several lending practices, including loan “flipping” (frequently refinancing a loan with little value to the consumer), equity stripping, refinancing loans with the loss of loan terms that were beneficial to the consumer, and using loan features such as negative amortization to make it more difficult for a borrower to pay off a loan and fee packing.[35] The guidance also cited targeting vulnerable customers, inadequate disclosures, and the offering of single premium credit life insurance as problematic practices.[36] The guidance on brokered and purchased loans focused on the OCC’s expectation that national banks would conduct due diligence to ensure that they were not purchasing loans from a predatory lender.

[32] OCC, Advisory Letter, AL 2000-10, Payday Lending, Nov. 27, 2000, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2000/advisory-letter-2000-10.pdf; OCC, Advisory Letter, AL 2000-11, Title Loan Programs, Nov. 27, 2000, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2000/advisory-letter-2000-11.pdf.
[33] OCC, Advisory Letter, AL 2003-2, Guidelines for National Banks to Guard Against Predatory and Abusive Lending Practices, Feb. 21, 2003, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2003/advisory-letter-2003-2.pdf; OCC, Advisory Letter, AL 2003-3, Avoiding Predatory and Abusive Lending Practices in Brokered and Purchased Loans, Feb. 21, 2003, available at http://www.occ.gov/static/news-issuances/memos-advisory-letters/2003/advisory-letter-2003-3.pdf.
[34] 68 Fed. Reg. 46264 (Aug. 5, 2003).
[35] See OCC Advisory Letter, AL 2003-2, supra note 33, at 2.
[36] Id. at 3.

Overdraft Protection. The agencies have issued several statements on overdraft protection since 2005. The first, in 2005, was an interagency guidance that covered a broad range of risks including UDAP risks under Section 5 of the FTC Act. The guidance specifically mentioned marketing and advertising issues and advised that “to avoid engaging in deceptive, inaccurate, misrepresentative or unfair practices, institutions should closely review all aspects of their overdraft protection programs, especially any materials that inform consumers about the programs.”[37] After 2005 there was a significant rise in the visibility of bank overdraft protection programs and a general distaste for them from the community of consumer advocates. For example, The Center for Responsible Lending published a study on bank overdraft programs in 2007 that concluded that consumers paid over $17 billion per year in “abusive” overdraft fees.
The report had several recommendations including that the regulatory agencies require that consumers consent to overdraft protection plans, that the number of overdraft fees be limited, and that banks be required to pay items in chronological order.[38] The FDIC conducted a comprehensive study of overdraft protection programs in 2008 and in 2009 the Senate Committee on Banking, Housing and Urban Affairs held a hearing on a proposed bill that would regulate such programs. The Chairman, Senator Dodd, opened the hearing with a statement that framed overdraft protection programs: “. . . a practice that I find in too many instances abusive, and that is, misleading overdraft programs that encourage consumers to overdraw their accounts and then slam them with too high fees.”[39]

As a result of the rising criticism of these programs, in 2010 the FDIC issued a more stringent version of its guidance on overdraft protection.[40] This guidance significantly raised the regulatory expectations for state non-member banks, including that transactions should not be ordered in a manner that would maximize overdraft fees (presumably this meant that “high-to-low” posting orders would not be permitted), and that banks should distinguish actual balances from balances with overdraft protection limits included, cap overdraft fees per day, implement de minimis rules that would allow consumers to avoid overdraft fees for small overdrawn balances, and monitor consumers for excessive overdraft usage and provide counseling on alternative credit products.

The OCC issued a proposed guidance on overdraft protection and deposit advance programs. It was never finalized and was eventually withdrawn when the agency published a new proposal in 2013 that was limited to deposit advance products (short-term, low-dollar loans).[41] This guidance severely limited the activities of national banks with respect to deposit advance loans, requiring separate underwriting of each loan every time one is made.

[37] 70 Fed. Reg. 369127 (February 24, 2005).
[38] See Eric Halperin & Peter Smith, “Out of Balance,” Center for Responsible Lending (July 11, 2007), available at http://www.responsiblelending.org/overdraft-loans/research-analysis/out-of-balance-report-7-10-final.pdf.
[39] See S. Hrg. 111-502, Protecting Consumers from Abusive Overdraft Fees: The Fairness and Accountability in Receiving Overdraft Coverage Act, at 2.
[40] FDIC, Financial Institutions Letter, FIL 81-2010, Overdraft Payment Programs and Consumer Protection. Final Overdraft Payment Supervisory Guidance, Nov. 24, 2010, available at http://www.fdic.gov/news/news/financial/2010/fil10081.html.

Mortgage Lending. As the residential real estate and mortgage bubble grew during the late 1990s and through the first decade of the twenty-first century, the prudential banking regulators issued guidance to caution institutions about potentially unfair or deceptive practices.
The Interagency Guidance on Non-Traditional Mortgage Product Risks, issued in 2006, primarily addressed safety and soundness issues but it also cautioned institutions against potentially deceptive practices, such as advertising the initial lower payments of a nontraditional mortgage product and downplaying the potential for future payment shock and negative amortization.[42] Another interagency guidance was issued in 2007 to address concerns on subprime mortgage lending.[43] It covered safety and soundness issues such as underwriting guidelines and verifying the consumer’s ability to repay the loan, but also more heavily concentrated on consumer protection principles such as providing clear and timely information on the risks and benefits of the products. It specifically required that consumers be informed of payment shock, prepayment penalties, balloon payments, cost of reduced loan documentation, and the fact that the consumer will be responsible for taxes and insurance payments.[44] Not surprisingly, these factors all played a part in the financial crisis and the vast numbers of foreclosures that happened shortly thereafter.

[41] OCC Bulletin 2013-11, Deposit Advance Products: Proposed Guidance on Supervisory Concerns and Expectations Regarding Deposit Advance Products, Apr. 25, 2013, available at http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-11.html.
[42] 71 Fed. Reg. 192, 58609 (Oct. 4, 2006).
[43] 72 Fed. Reg. 131, 37569 (July 10, 2007).
[44] Id. at 37574.

UDAP ENFORCEMENT ACTIONS OF THE PRUDENTIAL BANKING REGULATORS

There were some significant UDAP-related enforcement actions taken by the prudential banking regulators both prior to and after the passage of the Dodd-Frank Act.[45] The prudential regulatory agencies do not have statutory authority to enforce the “abusive” standard. The responsibility for enforcing the prohibition against “abusive” acts or practices was given solely to the Consumer Financial Protection Bureau (CFPB) under the Dodd-Frank Act; however, the prudential regulators retain their authority to enforce UDAP under Section 5 of the FTC Act. The following sections outline a few of the significant UDAP enforcement actions by the federal prudential regulatory agencies.

Providian National Bank. With a civil money penalty at $300 million, Providian National Bank[46] was the first really large UDAP enforcement action. Issued in 2000, Providian, a credit card bank, was found to have engaged in unfair and deceptive marketing practices. The bank sold payment protection products with the representation that a consumer who became sick, disabled, or unemployed would not have to make payments for up to 18 months. What Providian did not clearly disclose is that (1) the benefits were limited to the number of months that the consumer had paid the fee for the product and (2) the unemployment benefit could not be used until fees had been paid for at least three months. In addition, the bank could deny benefits if the consumer was delinquent or over the limit or if the consumer used or accessed credit from any other card. The OCC also determined that the bank was misleading in its advertising for rebates on new cards and for its no-annual fee card.

First National Bank in Brookings. In First National Bank in Brookings[47] the OCC found that this South Dakota bank engaged in deceptive marketing practices by advertising credit cards and charging fees with the result that the consumer obtained very little or no net benefit from the card. In 2003 the bank was ordered to pay restitution in an amount to be not less than $6 million. This money was earmarked primarily for cardholders who received $50 or less of net credit availability on their cards at the time of account opening. The bank was also involved in payday lending through third-party vendors. The order required the bank to terminate those relationships.

Wachovia Bank National Association. In 2008 Wachovia consented to pay $10 million in civil money penalties for engaging in unfair practices related to payment processing and direct telemarketers.[48] Interestingly, the majority of consumers injured by Wachovia’s actions were not customers of the bank. Wachovia was the bank of deposit for several (apparently) unscrupulous telemarketing firms who deposited remotely created checks drawn on consumer accounts at various banks around the country. The checks were purportedly to pay for goods or services the company sold to the consumers. In reality, the consumers had not authorized the checks and were required to dispute the payment at their own bank in order to get the money refunded. There was evidence that Wachovia had knowledge that its telemarketing customers were defrauding these consumers, many of whom were elderly. The OCC found that this was an unfair practice under Section 5 of the FTC Act.

Advanta Bank Corp. The FDIC found that Advanta Bank Corp. advertised its cash-back rewards program in a deceptive manner as the advertisements preceded the amount of the award with the words “up to,” thereby causing the consumer to believe that the amount of the reward would be the full amount stated. In 2009 the bank was ordered to make restitution to all consumers who responded to the advertising by paying the full cash reward. The bank was also required to pay a civil money penalty of $150,000.[49]

Woodforest National Bank. In 2010 Woodforest agreed to pay up to $164 million in restitution and assistance to consumers as a result of unfair and deceptive practices related to the bank’s overdraft program and $1 million in civil money penalties.[50] The accounts were marketed as “free checking.” The bank’s overdraft program included a feature whereby the consumer not only was charged a one-time fee per item that caused the account to be overdrawn, but the bank also charged a fee for every day the account remained in an overdraft state. The OCC deemed this practice to be unfair since the consumer could not avoid this fee. The bank did not cap either the number or the amount of fees. This practice was found to be deceptive. Although the consent order itself does not state this fact, a large number of Woodforest’s branches were in Walmart stores. This fact may have played into the OCC’s consideration of the violation, since the population of customers that bank at the Walmart branches may be more vulnerable than others.

Republic Bank & Trust Company. Among several other issues encompassed by this enforcement, including Truth in Lending Act and Equal Credit Opportunity Act violations, the FDIC found that Republic Bank engaged in deceptive practices in its marketing of tax refund anticipation loans to consumers.[51] Refund anticipation loans are made through third parties, usually the tax preparers themselves. The bank, along with the tax preparer, advertised that the consumer could obtain the refund within one to two business days. The FDIC found that this representation was material, was not necessarily true, and therefore was misleading. In 2011 the bank was required to pay $2 million in civil money penalties.

[45] Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203, 124 Stat. 1376 (2010).
[46] OCC, In the Matter of Providian National Bank, Consent Order #2000-53, June 28, 2000, http://www.occ.gov/static/news-issuances/news-releases/2000/nr-occ-2000-49-consent-order-53.pdf.
[47] OCC Consent Order #2003-1, In the Matter of: First National Bank in Brookings, Brookings, South Dakota, Jan. 17, 2003, http://www.occ.gov/static/enforcement-actions/ea2003-1.pdf.
[48] OCC Consent Order # 2008-027, In the Matter of Wachovia National Bank Association, Apr. 24, 2008, available at http://www.occ.gov/static/enforcement-actions/ea2008-027.pdf.
[49] FDIC, Order to Cease and Desist, In the Matter of Advanta Bank Corp., June 30, 2009, available at http://www.fdic.gov/news/news/press/2009/pr09109a.pdf.
[50] OCC, In the Matter of Woodforest National Bank, Consent Order for a Civil Money Penalty, #2010-202, available at http://www.occ.gov/news-issuances/news-releases/2010/nr-occ-2010-122a.pdf; Agreement by and Between, Woodforest National Bank The Woodlands, Texas and The Comptroller of the Currency #2010-203, Oct. 6, 2010, http://www.occ.gov/static/enforcement-actions/ea2010-203.pdf.
[51] FDIC, In the Matter of Republic Bank & Trust Company, Louisville, Kentucky, Amended Notice of Charges for An Order to Cease and Desist, Notice of Assessment of Civil Money Penalties, Findings of Fact and Conclusions of Law; Order to Pay; And Notice of Hearing, May 3, 2011, available at http://www.fdic.gov/bank/individual/enforcement/2011-05-55.pdf.

JP Morgan Chase. In 2011, the OCC fined JP Morgan Chase $2 million for engaging in unfair or deceptive practices in the marketing of credit protection products in its auto lending divisions.[52] The bank made false or misleading statements regarding the coverage and cost of the products.
Specifically, the sales staff was trained to use scripts to “rebut” the consumer’s decision not to purchase the product. The rebuttals were found to be materially misleading and caused the consumer to misapprehend the terms of the product that was offered. In 2013 the OCC again found that JP Morgan Chase had engaged in unfair practices, this time because the bank sold identity theft protection to credit card holders and billed them monthly for this service when, in some cases, the cardholder received no benefit. Upon purchase of the product, the cardholder was required to submit additional information and authorize the credit monitoring service. In many cases, cardholders did not submit the information or authorization, but their accounts nonetheless were billed monthly for the service. The OCC required the bank to reimburse the consumers for all fees charged for the service plus any over-the-limit fees stemming from the charge and interest on those amounts.53

52 OCC, JPMorgan Chase Bank, Consent Order #2011-94, June 14, 2011, available at http://www.occ.gov/static/enforcementactions/ea2011-094.pdf.
53 Department of the Treasury, OCC, In the Matter of JPMorgan Chase Bank, Chase Bank, Consent Order #2013-139 Sept. 18, 2013, available at http://www.occ.gov/static/enforcement-actions/ea2013-139.pdf.

The Bancorp Bank and Higher One. Two enforcement actions from the FDIC, involving The Bancorp Bank and Higher One, are related in that Higher One (an issuer of debit cards to students) is an institution affiliated party to The Bancorp Bank as a result of a contractual relationship between them. Higher One contracts with colleges and universities to provide the payment mechanism by which student loans and grants are disbursed to the student. The student debit cards are marketed as a checking account with FDIC insurance. Higher One contracts with an FDIC insured institution to issue the card. In this case The Bancorp Bank was the contracting insured depository.
The FDIC required Higher One to pay $110,000 in civil money penalties and $11 million in restitution to consumers (in this case, college students) for engaging in unfair and deceptive practices related to charging overdraft fees. The FDIC found that Higher One was charging multiple overdraft fees for one transaction and also charged a daily fee for overdrafts outstanding. The Bancorp Bank was also fined $172,000 and required to strengthen its third-party controls.54

RBS Citizens, N.A. The OCC assessed a civil money penalty of $5 million against RBS Citizens in 2013 for deceptive practices in marketing its overdraft protection program.55 One example of deceptive practices was the fact that the bank advertised a savings transfer program to cover overdrafts in a checking account. However, the bank did not disclose that no transfer would occur if the savings balance would not cover the entire amount overdrawn, even if it would cover some of the items comprising the overdrawn balance.

54 FDIC, In the Matter of The Bancorp Bank, Consent Order FDIC, Aug. 7, 2012, http://www.cfpaguide.com/portalresource/bancorp%20bank%20enforcement.pdf; FDIC, In the Matter of Higher One, Consent Order, Aug. 12, 2012, available at http://www.cfpaguide.com/portalresource/higher%20one%20enforcement.pdf.
55 OCC, In the Matter of RBS Citizens, Consent Order #2013040, Apr. 29, 2013, available at http://www.occ.gov/static/enforcement-actions/ea2013-040.pdf.

POST DODD-FRANK: UDAAP IN THE CFPB ERA

The passage of the Dodd-Frank Act provided a sea change in the UDAP arena. The statute added an entirely new concept of “abusive” acts or practices. Although the other agencies have used the word “abusive” within their guidance, prior to the Dodd-Frank Act the term had no legal definition. Also, the law shifted the locus of UDAAP enforcement to the newly created CFPB. After Dodd-Frank, although the other agencies continued to enforce Section 5 of the FTC Act, the CFPB was given sole authority to regulate both banks and non-banks for abusive behavior. (The Dodd-Frank Act also included a definition of “unfair,” just as it was codified in the FTC Improvement Act in 1994, but did not mention “deceptive.”)

Abusive Acts Defined. Section 1031 of the Dodd-Frank Act defined an abusive act or practice as one which either:

1) materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
2) takes unreasonable advantage of—
(A) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
(B) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or
(C) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.56

While no one can be sure how this definition will be applied to real life situations in the future, it would appear that the concepts seem to be meant to protect so-called “vulnerable consumers.” These are consumers in groups that, due to their circumstances, require more protection than the average person. Vulnerable populations could include older persons, college age persons, service members, and financially distressed individuals, among others. Concern has arisen regarding the last prong of the “abusive” test. It appears to require that the banker act in the customer’s best interest when selling traditional financial products. This standard has never applied previously in retail banking services.
Historically, in the normal course of business, a bank employee opening an account at a retail branch did not have a burden to investigate the financial situation of a consumer who came in to open an account in the same way that a retail securities broker is required to do under FINRA’s suitability rules.57 If this is indeed what is now required, it would signal a significant change in how banks do business. Although the law authorizes the CFPB to write UDAAP regulations, including one that would interpret the abusive standard, the CFPB has indicated that it has no plans to do so.58 One difficulty in managing UDAAP risks is the lack of clarity and certainty around this rule. UDAAP is inherently a subjective concept compared to other consumer financial protection regulations. It requires a different method of risk management.

56 P.L. 111-203 § 1031(d), July 21, 2010.
57 See FINRA Rule 2111(a).
58 See “Trying to Stay Above Politics: A Conversation With Richard Cordray” (American Banker, Mar. 23, 2012), available at http://www.americanbanker.com/issues/177_58/cordray-cfpb-supervisionenforcement-consumers-UDAAP-UDAP-1047798-1.html.

CFPB Enforcement Actions. Some insight can be gleaned from the CFPB’s enforcement actions to date. The first one was issued nearly a year after the CFPB began its official operations in 2011. The first several consent orders centered around the deceptive doctrine. The first “abusive” case, also discussed below, was filed in 2013.

Capital One, N.A. The CFPB’s first enforcement action was issued in 2012 against Capital One. This action involved the bank’s payment protection add-on product sold to consumers within its credit card business.
The consent order lists a series of false or misleading representations made to consumers regarding the payment protection and credit monitoring product, including that the product (1) was not optional (it was), (2) was free (it was not), and (3) would improve the consumer’s credit score. The bank was required to make restitution (totaling at least $140 million) to the consumers who had purchased the product and was ordered to pay a civil money penalty of $25 million. The compliance plan contained in the consent order is interesting in its granularity. It requires an overhaul of the bank’s sales and marketing practices for these products and even requires that information provided in telephone sales calls be “. . . spoken and disclosed in a volume, cadence and syntax sufficient for an ordinary consumer to hear and comprehend.” It also requires that the sales person disclose to the consumer during the same phone call the fact that the consumer is purchasing the product.59

Discover Bank. Later in 2012 the CFPB entered into a consent order, similar to the Capital One action, with Discover. The bank was found to have engaged in deceptive practices and, again, the product at issue was payment protection on credit card accounts. The consent order noted that the Discover telemarketers “. . . spoke more rapidly during the mandatory disclosure portion of the sales call, which included a statement of the Product’s price and some—but not all—material terms and conditions of the Product.” Also, the sales callers “. . .
frequently downplayed this mandatory disclosure during their telemarketing sales presentation, implying to Cardmembers that the mandatory disclosure was not important, even though it was designed to alert Cardmembers to the Product’s price and certain terms and conditions.”60 This consent order highlights a significant issue that financial institutions had not, until this point, really understood—legal disclosures, even model language that comes from the regulation, may not prevent the message from being deceptive overall. Although this doctrine is clearly a part of the FTC’s doctrine on deception, banks have traditionally been so highly regulated with such technical disclosure requirements for all types of products, both loans and deposits, that relying on the accuracy of these disclosures had become a source of some security.

59 CFPB, In the Matter of Capital One Banks, Consent Order, Administrative Proceeding #2012-CFPB-0001, July 16, 2012, available at http://files.consumerfinance.gov/f/201209_cfpb_0001_001_Consent_Order_and_Stipulation.pdf.
60 FDIC CFPB, In the Matter of Discover Bank, Joint Consent Order with the FDIC, #2012 CFPB-0005, Sept. 24, 2012, available at http://files.consumerfinance.gov/f/201209_cfpb_0005_001_Consent_Order.pdf.

American Express. Also in 2012, the CFPB assessed a civil money penalty in the amount of $3.9 million against American Express (and the company was also separately fined by the FDIC, the OCC, and the Federal Reserve) for several violations of consumer protection laws, including the deceptive doctrine of Section 5 of the FTC Act.61 The deceptive acts included misrepresentations to consumers that, if charged-off debt were repaid, the consumers’ credit reports would be amended and their scores improved. Also, the CFPB found that a credit card promotion was misleading because, while it appeared to offer $300 in cash, in fact what it offered was a comparable amount of reward points. The company was also required to pay restitution to consumers.

61 FDIC CFPB, In the Matter of American Express Centurion Bank, Joint Consent Order #2012-CFPB-0002, Oct. 1, 2012, available at http://files.consumerfinance.gov/f/2012-CFPB-0002American-Express-Centurion-Consent-Order.pdf.

CFPB v. American Debt Settlement Solutions. The CFPB filed suit in 2013 against American Debt Settlement Solutions (ADSI) and its owner, Michael Dipanni, for deceptive and abusive acts or practices. ADSI was required to pay a $15,000 civil money penalty and disgorge nearly $500,000 in fees to consumers. ADSI solicited consumers in debt with a promise that the company would settle at least one debt and make it easier for the consumer to get out of financial trouble. The court in CFPB v. American Debt Settlement Solutions found that the company deceptively marketed its services because, since its inception, 89 percent of the consumers who enrolled in the service and paid a fee had no debts settled by the company. In addition, ADSI had knowledge that there was no likelihood of settling debts under $700, but it continued to receive fees for enrolling debts less than this amount. It also continued to enroll consumers whose incomes were too low to complete the debt repayment plan. The CFPB found that these actions were abusive.62 This was the first action by the CFPB to enforce the “abusive” standard of the Dodd-Frank Act.

UDAAP RISK MANAGEMENT

Principles-Based Regulation Versus Technical Rules.
It is clear from a review of the enforcement actions that there are numerous ways a financial institution can incur UDAAP-related risks and face potential fines, penalties, and disgorgement of revenue. The overriding UDAAP-related issue facing regulatory compliance risk managers in regulated financial institutions is uncertainty. UDAAP is a principles-based regulation in an industry that is built around technical rules. Since 1968, with the passage of the Truth in Lending Act, bank regulatory compliance risk management has been technically focused. Over the last 40 years, the closest thing to a principles-based consumer protection law has been fair lending. However, as a risk management discipline, fair lending has evolved with more certainty into a quantifiable science—the subjectivity is almost gone. It should be noted that with the CFPB (and other agencies) beginning to use the doctrine of disparate impact when evaluating fair lending compliance, uncertainty has begun to grow. Principles-based regulatory compliance is more difficult than technical compliance in part because the lines of business within the bank do not have clarity and therefore do not understand what needs to be done to comply. There is no checklist that can be made, no work program or cut and dried procedures to write. Incorporating “fairness” into operations is much harder than programing a computer to correctly calculate an annual percentage rate. When challenged by the risk managers or legal department, a line of business leader till now has always been able to say “Show me where it says I can’t do that.” In the case of UDAAP no one can point to anything concrete.63 As proof that UDAAP compliance is difficult, one need only consider that the largest U.S.
banking institutions, which have the most sophisticated and expensive risk management programs and extensive resources to bring legal and regulatory skill to bear, have been running afoul of the UDAAP standards. Minimizing UDAAP risks requires a different way of thinking about compliance risk management.

Elements of Good Regulatory Risk Management. Historically, regulatory compliance risk management has consisted of several elements. These elements, discussed below, are universal in all well run regulatory compliance risk management groups.

Governance Structures. Someone (a person or group) within the organization has to be ultimately responsible for UDAAP compliance governance and the program framework. Often this responsibility lies within the corporate compliance department or similar risk management area. However, good governance requires that this responsibility report up the organization to a higher level. It is common to see the reporting for this function culminate at the board committee level, such as the Risk Committee. The actual responsibility for UDAAP compliance execution generally lies within the lines of businesses. In addition, a strong regulatory compliance function is required to be capable of credibly challenging the lines of business. In no regulatory area is this more important than in UDAAP compliance. The lack of clearly enumerated technical rules requires that the risk management function be able to convincingly articulate why a practice is potentially an unfair, deceptive, or abusive one. The lines are often blurry and issues are seldom black and white.

Policies. Strong, concrete policies that clearly state the bank’s attitude and expectations regarding the fair treatment of consumers are a foundation of effective UDAAP compliance. Framing the main policy as “fair treatment” rather than as “UDAAP compliance” is helpful in that it is more positive and helps to connect the policy to each employee’s day-to-day work that impacts consumers.

62 Consumer Financial Protection Bureau v. American Debt Settlement Solutions Inc. and Michael DiPanni, 9:2013cv80548 So. 2d (Fla. 2013), available at http://files.consumerfinance.gov/f/201305_cfpb_complaint_adss.pdf.
63 See Jo Ann Barefoot, “Nine Dangerous Words: Show Me Where It Says I Can’t Do That” (American Banker, Sept. 13, 2011), available at http://www.americanbanker.com/bankthink/udaap-unfair-deceptive-abusive-acts-practices-compliance-barefoot-1042171-1.html.

Procedures. UDAAP-related business level procedures that are specifically targeted to job duties are extremely helpful to prompt employees to make good decisions that will benefit both the bank and its customers. For example, procedures for telephone sales practices should include not only instructions for how to convey the information to the consumer and what to say to answer questions that are raised, but also procedures for how to terminate the conversation without pressing for a sale when the consumer appears to be confused or states that he or she does not want to purchase the product.

Risk Assessments. Good risk management practices necessarily require that the bank identify both the risks it faces and the controls in place to mitigate the risks. A UDAAP risk assessment comprehensively identifies such risks across the enterprise and throughout the life cycle of each product and service. Measuring the effectiveness of the controls is an integral part of determining the level of residual risk remaining. Mapping the risks to each control is a great exercise to help the organization find any gaps remaining in its compliance program.

Monitoring and Testing. A requirement for every risk management program is to regularly test the effectiveness of the processes.
The risk management area is considered to be the second line of defense in the overall risk controls (the line of business processes are the first line, the internal audit function is the third.)64 Implementing UDAAP monitoring and testing can be challenging since the lack of technical rules makes it hard to fashion a checklist of things to review. However, thoughtful reviews of the product on a lifecycle basis can help uncover potential issues.

Auditing. The internal audit function was specifically mentioned in the CFPB’s enforcement actions against American Express and Discover as being “inadequate” for failing to catch the UDAAP issues. Internal audit is supposed to operate as the so-called “third line of defense.”65 UDAAP auditing comes with the same types of challenges as UDAAP monitoring. Audit programs are generally based on very specific requirements. Since UDAAP has so few technical, concrete requirements, it is more difficult to prepare effective work programs. One approach is to audit each line of business or individual product over its entire lifecycle with a thoughtful approach to test the UDAAP risk management controls at each phase of the lifecycle.

64 See IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, Institute of Internal Auditors (Jan. 2013), available at http://www.unima.mw/wpcontent/uploads/2012/downloads/position%20paper.pdf; Carolyn Duchene, Remarks Before the American Bankers Association Risk Management Forum (Apr. 25, 2013), available at http://www.occ.gov/news-issuances/speeches/2013/pub-speech-2013-70.pdf.

Training. UDAAP training is key not only to transferring awareness of UDAAP concepts to all bank personnel at every level but also to influencing a culture of fairness within the organization. All employees at leadership levels and all with customer impact should receive more specific UDAAP training no less often than annually.
Management Reporting. Financial institutions, like all businesses, run on metrics. UDAAP/fairness-related metrics are essential to understanding the level of UDAAP compliance risks at any point in time. Developing these metrics requires a careful review of products, services, and processes to determine what are the indices of key UDAAP or fairness risks.

Identifying and Minimizing Future UDAAP Risks. The traditional risk management processes are all still essential. However, unlike a technically based regulation, UDAAP risks cannot be effectively controlled with just the tactical and reactive tools that risk managers have honed over the years for managing regulatory compliance. In short, a risk management framework consisting solely of these elements will not keep an institution out of UDAAP trouble.

Establishing Fairness Principles. Effective UDAAP risk management requires a more strategic, proactive approach. A good first step is to establish commonly understood principles of fairness for the entire bank to follow. These principles can help to shape the bank’s culture and guide the elements of the UDAAP compliance program. The purpose of formulating these principles is to bring all parties to the table so that all agree on what “fairness” looks like for the institution. There are four principles that can be easily conveyed to the bank as a whole and can be used to evaluate fairness in financial products throughout their lifecycles from product design all the way through to the servicing stage:

1. Understandability: The consumer should be easily able to grasp the concepts (i.e., terms and conditions) of the product. If it is too complicated, it carries greater UDAAP risk.
2. Predictability: Consumers should be able to understand how the product will work in the future and, for example, how they can avoid fees or penalties. Complicated overdraft protection plans sometimes are not predictable enough for the consumer to avoid overdraft fees. Hence they can carry elevated UDAAP risks.
3. Value: There must be a real benefit for the consumer. An example of a case where the consumers received no value is when cardholders paid for identity theft protection each month but did not activate the service so they got no benefit.
4. Appropriateness: If a product is inappropriate for the consumer, it likely has some fairness issues. An example is the marketing and sale of secured credit card products to individuals who would qualify for prime products. Secured credit cards are almost always more costly. By taking advantage of a consumer who does not understand that he or she could qualify for something more appropriate, the institution is running a risk of violating the abusive standard.

Once these fairness principles are understood and agreed upon, other more proactive risk management processes can be implemented.

65 See IIA Position Paper, supra note 64.

Make a Cultural Commitment. To begin with, bank leadership must make a strong commitment to cultivating a culture of fairness. Communication is a key component beginning with the “tone at the top.” Culture is created from the top of the house—the messaging from executive leadership has to be strong and unequivocal. To move the cultural needle, a consistent internal messaging campaign should be forthcoming from the bank’s leadership.

Institute Proactive Risk Scans. Risk managers, including regulatory compliance, legal, and operational risk areas all must establish systems to scan the risk horizon for emerging issues from the regulatory agencies, new litigation, and within the bank’s own operational areas where new products and promotions all have the potential for UDAAP risks.
Align Incentives. Incentives for all bank employees with UDAAP-relevant jobs should have performance measures for UDAAP. Incentive compensation should be reviewed rigorously to ensure that no one is incented for bad behavior.

Review New Products. Rigorous new product initiative processes should include UDAAP screens so that all new ideas for products and services are reviewed for fairness issues. New products and promotions must be thoroughly tested operationally in order to make sure they work as they will be advertised. Finally, ensuring that consumers understand each product through the use of focus groups and the like is a key to avoiding deception issues in the future.

Establish Complaint Management Programs. Arguably the most important risk management tool for UDAAP compliance management is a robust complaint management program. Capturing the data on all complaints and resolving them is just the beginning. Complaints should be analyzed for their root cause and the trends analyzed to determine where changes should be made within products and in the UDAAP compliance program itself.

Be Proactive in Identification and Remediation of Issues. While it seems intuitive that an organization should attempt to identify its own problems and remediate them as quickly as possible, in the litigious environment in which all corporations live, this activity is sometimes not encouraged as much as it should be. However, proactive financial organizations that successfully deal with UDAAP compliance in the future will aggressively find and fix their own problems. The CFPB mentioned this concept of proactive compliance management in its guidance on Responsible Conduct issued in June 2013. This guidance provides an understanding of when the CFPB will give an institution “credit” for a proactive compliance culture and program during an examination.
Questions that will be germane to the determination include whether there was a culture of compliance and what the “tone at the top” was. The guidance provides a roadmap for rewarding an institution that encourages proactive compliance management:

. . . a party may proactively self-police for potential violations, promptly self-report to the Bureau when it identifies potential violations, quickly and completely remediate the harm resulting from violations, and affirmatively cooperate with any Bureau investigation above and beyond what is required. If a party meaningfully engages in these activities, which this bulletin refers to collectively as “responsible conduct,” it may favorably affect the ultimate resolution of a Bureau enforcement investigation.66

66 CFPB Bulletin 2013-06, Responsible Business Conduct (June 25, 2013), available at http://files.consumerfinance.gov/f/201306_cfpb_bulletin_responsible-conduct.pdf.

CONCLUSION

UDAAP compliance risks are the most difficult consumer protection risks to manage for financial institutions. There are no formal rules or black-and-white guidelines. The increased complexity of financial products, and the payment system in particular, over the last 30 years has made the task more daunting. The best path to success for financial institution executives is to implement a proactive compliance risk management program with a strong culture of fairness within the institution itself.