Follow These Seven Steps As Your Basis for Navigating UDAAP Compliance
by Amber Goodrich
Q: When it comes to ensuring proper disclosures on our products and services, which consumer protection rule should my institution follow — UDAP or UDAAP? It’s been very difficult to differentiate between the two, and increasingly stressful to protect against violations.
A: You’re definitely not alone in your confusion about these two rules: Unfair or Deceptive Acts or Practices (UDAP) and Unfair, Deceptive or Abusive Acts or Practices (UDAAP). They obviously sound and look quite similar, and both aim to protect consumers against harmful practices related to debt collection. And indeed, their contents vastly overlap.
Fortunately, it looks as though UDAP, at least, is about to fade into history.
There’s Good News, But . . .
Last August, the Federal Reserve Board proposed to repeal UDAP, and the action is expected to become final this fall. That solves the confusion between the two rules, since after that, there will only be UDAAP with which to contend.
However, the thought process behind the original rule — protecting consumers in a host of situations surrounding the collection of consumer debt — is here to stay. And the Consumer Financial Protection Bureau’s (CFPB) definition of what constitutes a UDAAP remains vague, by design, to encourage financial institutions to consider consumer protection through an enterprise-wide lens — leaving many of them chasing their tails in an effort to stay compliant.
As something of a mea culpa, the CFPB has made public its Supervision and Examination Manual to help educate financial institutions on avoiding UDAAP violations.
Abundant Enforcement Actions
In 2014, federal regulators resolved about 50 UDAP/UDAAP cases, resulting in civil money penalties and consumer compensation of more than $2.5 billion. But there are valuable lessons to be learned here. In fact, it’s by monitoring and evaluating the enforcement actions against other institutions that you may just keep yours from making the same mistakes.
But, what else can you do to prevent accidental violations?
Seven Steps to Passing Your Next UDAAP Exam
The first thing regulators expect financial institutions to do is complete a risk assessment; and, in doing so, ensure every product and service takes UDAAP into account. This can be quite difficult because you don’t really know what you’re looking for, but making the effort to protect confidential information and IT assets goes a long way. In addition, financial institutions should take special care to:
- Evaluate New Products and Services. Review the features on all new solutions to ensure all related, proper disclosures are included. Disclosures should be overly clear so there is no question as to whether consumers can fully understand them. This process should continue each time a new product or service is introduced, as well as for such add-on offers as rewards and “no transfer fee” programs.
- Review Advertising Materials. Ensure all advertisements, as a best practice, are reviewed by both your marketing department and your compliance officer to safeguard against misleading or deceptive verbiage.
- Create a UDAAP Policy. Go beyond the risk assessment to create formal UDAAP policies and procedures. And since there’s no clear path to doing so, it’s a good idea to incorporate UDAAP language—for example, rules regarding proper disclosures—into your loan, BSA, credit card and other policies as an extra precaution.
- Stay Vigilant on Mortgage Rules. Pay extra attention to the new mortgage rules, which have been a hotbed of UDAAP violations and ensuing enforcement actions. Violations of loan originator compensation rules, in particular, are cited regularly.
- Make Sure Free Means Free. Ensure that, when marketing free products like debit or credit cards, they are truly free of any and all fees. Otherwise, this will be considered a deceptive practice.
- Monitor Customer/Consumer Complaints. Pay attention to complaints against your institution and others using the CFPB’s public consumer complaint database. You can search and filter through the database to gauge which topics are buzzing. And a heads-up: when the CFPB starts seeing lots of similar complaints—for example, on overdraft protection or debt collection—odds are they’ll put it on their rulemaking agenda.
- Evaluate vendor relationships. As evidenced by regular headlines, financial institutions are being held accountable for the actions of their third-party service providers. Since your institution is responsible not only for its own actions but also for those of its vendors, including UDAAP compliance expectations in every third-party contract makes for a solid vendor management program.
Remember, you should consider UDAAP in every facet of your institution, rather than viewing it as a separate entity. And although the UDAAP definition will likely remain gray, following these steps will help you steer clear of unknowingly committing consumer violations as well as their resulting enforcement actions.
Amber Goodrich serves as a compliance strategist for CSI Regulatory Compliance, and has more than 10 years of financial industry experience. She is a Certified Regulatory Compliance Manager (CRCM) and Certified Bank Secrecy Act (BSA) Professional (CBAP), and holds a wealth of knowledge in bank operations, compliance and enterprise risk management.