Five years after the passage of the Dodd-Frank Act, it is safe to say that the Unfair, Deceptive, or Abusive Acts and Practices law has been the greatest challenge the bank compliance industry has faced.
UDAAP is a completely different kind of compliance undertaking for financial institutions. Except for fair-lending laws, all other banking regulations that we deal with are based on technical, very specific rules.
Developing a compliance program for these technical regulations is relatively straightforward, and compliance professionals have done a good job of identifying and controlling these risks. They formulate procedures to incorporate all the specific requirements; they develop monitoring and testing routines, train staff, and perform risk assessments. All the compliance program elements are based on these technical rules as well as any regulatory guidance that exists.
However, in the case of UDAAP compliance, the program must be built differently. UDAAP is a principles-based law, without any technical rules. Most of the compliance program elements must be substantially reworked to be effective. For example, checklists are very effective to help control compliance violations of technical regulations; they are much less helpful for UDAAP compliance.
This lack of clear rules, coupled with the complexity of bank operations, makes UDAAP compliance difficult. For a UDAAP compliance program to be effective, bank staff must understand what UDAAP is, and each member should feel empowered to speak up if something looks like it could be a UDAAP risk.
There are three emerging themes in UDAAP compliance. Understanding them will allow compliance professionals and executive management to guard against potential UDAAP issues.
First, bankers must understand that all information conveyed to a consumer about a financial product or service should be treated as a promise from the bank to the consumer.
This is true whether the information is found in bank marketing materials, on the institution’s website, on mobile devices, or in the formal product literature provided to the consumer when the consumer’s account is opened or the loan is closed.
All information about how a product works must be true in every circumstance unless the exception is made clear in the consumer information. This is a difficult task. Not only are some products complicated by their nature (e.g., overdraft protection), but often the bank’s systems are so complex or limited that it is hard to make sure a product works the way it is represented in all circumstances.
However, the fastest way to a UDAAP claim is to have a product or service vary from the way it was sold to the consumer in a manner that affects the consumer adversely. Usually, this situation ends in a regulatory order, either formal or informal, where words like “deceptive” are used—and often restitution is required.
Complaints are the quickest way to determine where there are unintended variances in the way a product behaves. If a consumer did not get what he bargained for, that consumer will often complain. This will signal the bank that something is wrong.
Monitoring complaints is the lifeblood of a UDAAP compliance program.
Beyond those complaints, the next best way to assess your banking institution’s product performance is to dig down deeper into the operational departments. Question the employees who work with the product every day. They will almost always know where the “weak joints” of the operation are located.
When a rule gaffe is more
In the past, a violation of Regulation E or RESPA was just that, a technical violation. Now, it can mean more.
Many institutions are finding that a violation of technical rules can turn into a UDAAP violation as well if the bank’s conduct fails to meet UDAAP standards on fairness or transparency.
As an example: Violations of the consumer’s right to have an unauthorized transaction investigated in a timely manner (under Regulation E) have been called unfair under UDAAP, and the institution has been fined for UDAAP violations as well as for technical EFTA errors. In addition to these findings, violations of RESPA’s servicing rules have been found to be an unfair or deceptive practice.
To sum up, you could say that the second theme here is that keeping abreast of and vigilant on technical regulations is more than just good compliance management. It is smart UDAAP risk management also.
Any technical rules that provide the consumers with rights or provide the consumers with the information necessary for them to understand how a product or process works should be treated as an extension of UDAAP.
No armor in tech compliance
On the other hand, compliance with technical laws and regulations will not prevent a UDAAP violation.
So the third theme is a corollary to the second theme:
Even when you successfully comply with all the laws and regulations related to a product, you can still violate UDAAP with respect to that product.
For example, there are only a few technical rules that apply specifically to overdraft protection. There are Regulation DD disclosure rules and there is the Regulation E requirement to provide the consumer with an opt-in option for debit card and ATM overdrafts. However, there have been many cases of UDAAP regulatory actions related to overdraft protection even when the financial institution has fully complied with these technical regulations.
Follow these prescriptions
There is no magic bullet for UDAAP compliance. There are, however, four approaches that can help to mitigate a bank’s risks:
1. Rigorously review all product information given to consumers.
Treat all representations made by the bank as a promise, and make sure that every statement in all written communications is correct for all circumstances. This rule includes information on all screens (website, mobile screens, etc.) and on paper. No information should be disseminated without a thorough review by a UDAAP compliance expert.
2. Develop a first-rate complaints management program.
Complaints are the bank’s best friend for UDAAP purposes. Collect them as broadly as possible and design a process that can dig into the true cause. Then make sure that remediation of the consumer and the process are both fully complete. Monitor complaint trends to see where hot spots are located.
3. Risk-rate all technical requirements for UDAAP potential.
While compliance with all technical regulations is important, some requirements have UDAAP potential and these should carry a higher risk rating. Requirements that could cause the consumer to have a negative outcome are the ones with high risk. Additional resources (monitoring, testing, and training) should be devoted to ensuring compliance with the higher risk requirements.
4. Empower bank personnel to recognize UDAAP risks—and incent them for doing so.
In nearly every case where UDAAP issues were found, someone within the organization knew that a problem existed. Such people are usually deep within the operations or customer service area and could see how the product behaved under all circumstances. These are the people who need to feel empowered to bring UDAAP issues to the attention of management. This can only be achieved through consistent messaging and training.
When issues are brought forth, the person who speaks up should be rewarded in some way—even if it’s just with positive management attention.
If people speak up and bank management pays attention and fixes problems, it can literally save the organization millions of dollars in future restitution.
UDAAP is here to stay. All bank regulators have authority to enforce either UDAAP (in the case of the CFBP) or UDAP (in the case of the prudential regulators). Financial institutions have to continue to hone their principles-based compliance skills and programs to be ready to meet the challenge of UDAAP compliance as the law evolves.