Almost a year to the date that the Consumer Financial Protection Bureau became an active federal regulatory agency, it issued its first enforcement action against a financial institution. That action was followed by two more consent agreements issued within the next 90 days. These enforcement actions were significant in a couple of ways.
First, the size of the penalties and required reimbursements were larger than nearly any other consumer-protection-related actions issued in the past.
Second, at their core, all three actions are based primarily on UDAAP issues, i.e., Unfair, Deceptive or Abusive Acts or Practices--although the "abusive" standard is not specifically mentioned in any of them.
Most of the practices and products called into question in have been in use by financial institutions for quite a while. Note that none of the institutions that were the subject of these orders admitted any wrongdoing.
A careful review of these consent orders yields lessons to be learned and action steps to be taken to avoid UDAAP issues.
Although it's early in the life of the Bureau, and more enforcement actions are undoubtedly on the way, there are five key points for compliance officers and executive leadership to understand:
1. Marketing and sales practices are especially prone to UDAAP violations.
Much of the alleged wrongdoing described in these enforcement actions involved sales practices and marketing strategies. If a consumer is "deceived" in the purchase of a financial product, that's the stage where it will likely occur. These areas are high risk for UDAAP problems and need strong risk-management controls.
For example, outbound telephone marketing calls specifically came under fire in two of the orders. Criticism centered on allegations that the bank's agent did not fully explain the product nor highlight the required disclosures. Specific advertising was called out as being deceptive by promising more than would be delivered. It is critical in all cases to surround an institution's marketing strategy and sales practices with effective and proactive controls.
Every institution should subject its marketing strategy to a compliance review periodically, and especially every time a material change is made. These reviews should focus on UDAAP--specifically on the fairness and transparency of the marketing philosophy, strategy, and practices.
A best practice is to have Compliance represented in the room as the marketing strategy is being formulated and as advertising pieces are being created. Having Compliance sign off at the end of the process is no longer considered adequate.
In addition, Compliance and legal should review advertising copy every time--even if the same ad has been approved in the past.
Overkill? No--the regulatory environment is so volatile that no one can count on the language being acceptable today just because it passed muster yesterday.
Sales practices should have UDAAP risk management controls that are commensurate with their risk. Selling bank products and services in a branch environment in response to consumer inquiries or posting sales information on the bank's internet site are fairly low risk methods. However, even in these cases, branch personnel need training specific to the products and services being sold and they need UDAAP training so they know what "deceptive" behavior looks like.
2. Formal UDAAP compliance programs are necessary.
Traditionally banks have not maintained formal UDAP nor UDAAP compliance programs; however, they are now necessary. Simply tacking UDAAP onto a list of regulations the bank monitors, and hoping that the bank stays out of trouble, won't suffice.
Unfair, deceptive, or abusive practices cannot be easily avoided like technical compliance errors. (UDAP--Unfair or Deceptive Acts and Practices--was expanded into UDAAP by the Dodd-Frank Act.)
UDAAP compliance requires strategic and proactive planning and thoughtful structuring of compliance resources. UDAAP applies broadly throughout the bank--throughout the life cycle of every product and service offered or sold to consumers.
Building an effective program requires collaboration between Compliance and the lines of business. No one can manage UDAAP compliance alone. It takes a team of marketing, compliance, risk management, and lines of business leadership to effectively build and sustain a fairness program. Bank executive leadership must provide an effective tone at the top in order to effectively influence the bank's culture for customer fairness in a positive way.
Building a proactive, strategic compliance program was explored in more depth in an article which I co-authored with my colleague, Jo Ann Barefoot, published in the June 2011 issue of Banking Exchange with a companion resources page and podcast.
3. Comprehensive complaint management programs are no longer optional.
Clearly consumer complaints are the primary channel the regulatory agencies have used to find the most egregious UDAAP problems. In most situations if regulators find a UDAAP problem, the bank has received complaints on the product or practice.
Complaints are the "canary in the coal mine" for UDAAP violations. An institution that does not have a comprehensive, first-rate complaint management program is literally flying blind to potential UDAAP risks. In the Dodd-Frank era, this is not optional--not for banks that want to find potential UDAAP issues before examiners do.
Complaint management is more than just resolving complaints that are escalated to the bank president, the bank's regulatory agency, the state attorney general, or the Better Business Bureau.
A good compliance management system clearly defines what a "complaint" is so that everyone in the institution has a clear understanding of which customer communications comprise complaints.
Complaint data should be gathered and documented from the lowest level (including oral complaints) and root cause analysis must be conducted on high-risk complaints to determine their cause--especially those related to fairness. The businesses, marketing, or operational areas must be held accountable to fix problems once the root cause is identified.
Information on fixes should be fed back into the system as a risk management control. Complaint data must be analyzed and trend reports provided to executive management for review. [Banking Exchange's June 2012 cover story discussed banks' complaint handling approaches.]
4. Internal Audit must officially include UDAAP in its scope.
Each of CFPB's enforcement actions mentions Internal Audit and its role in UDAAP risk management. Such auditing has, in the past, been limited to technical compliance--such as Regulation AA compliance. Auditing for "fairness" is much harder--but it has become necessary.
Regulatory agencies will consider internal audit functions to be deficient if they omit UDAAP from their compliance audits. UDAAP compliance must be treated like any other high-risk area and included in internal audit testing plans and schedules.
UDAAP auditing presents special challenges.
First, UDAAP audits are hard to scope. Because UDAAP laws cover the entire bank, there is much to choose from. Scoping the audit requires knowledge of the institution, including its products and services and its compliance history.
Second, the number of audit hours that can be assigned to UDAAP auditing must be sufficient to the task--but, realistically, no one can audit the entire organization for UDAAP every year. Effective UDAAP auditing takes a great deal of thoughtful planning, assessing risks, assigning resources.
How do you get it right?
Internal audit teams can approach a UDAAP audit in a number of ways. The audit could encompass just high risk areas--such as mortgage servicing, or credit card add-on products. Alternatively, it could focus on the entire life cycle of a product or service. For example, if the audit scope was consumer loans, the lifecycle audit would start with the marketing and solicitation of consumer loans, and then the rest of the stages, including the application, underwriting, closing, servicing, and collections.
Another challenge with UDAAP auditing is that the UDAAP issues are quite subjective. Auditors must walk a line between independence and the need to be careful not to make too many subjective judgments and unnecessarily provide a roadmap for the bank's regulators in targeting issues to criticize. The audit questions must be carefully written to make sure that they are objective and include only well settled concepts of fairness and transparency.
5. Third-party management is essential to effective UDAAP compliance.
The actions of third parties played a large role in the CFPB enforcement actions. Third parties often manage consumer products and services, from telemarketing and fulfillment to collections. Third-party contractors who interface with consumers will be treated like the bank for UDAAP purposes by regulators. Therefore, the same level of risk controls used at the bank should be applied by the bank to third parties that have contact with the bank's consumer customers.
In order to protect itself the bank must conduct effective due diligence before engaging a third party. Reviewing policies and procedures, contacting references, requiring proof of insurance, determining how training is delivered, and how incentives are structured all play a role in determining if the third party will put a premium on treating the customer fairly and transparently.
Once the relationship is established, monitoring the behavior and practices of the third party is necessary. The contract with the third party should allow the bank to cancel if any unfair or deceptive behavior is noted. Complaints sent to the bank or the third party should be monitored as part of the bank's complaint management program.
While the CFPB is sure to issue more enforcement actions, the importance of proactively treating customers in a fair and transparent manner is the primary message from the first three. Crafting an effective compliance program requires a commitment of time and resources but the payoff is a good reputation and the ability to avoid serious regulatory problems.
Consumer Bureau’s first three actions plus supervisory report
Recently the Consumer Financial Protection Bureau issued its fall Supervisory Highlights, which you can download here.
To read up on the three enforcement actions that author Lyn Farrell refers to, use the links below to CFPB’s website:
• American Express pays $85 million refund for illegal credit card practices
• Discover pays $200 million consumer refund for deceptive marketing
• Capital One pays $140 million consumer refund over credit card marketing
ABA help with UDAAP
ABA has been on the UDAAP case. Here are examples of aid you can obtain:
• Telephone Briefings: Multiple events with UDAAP themes have been held. See the full ABA listing of recorded sessions here.
• Regulatory Compliance Conference recordings: Many sessions at the 2012 conference involved CFPB and UDAAP matters. Review available recordings here.
• ABA members can access services of the ABA Center for Regulatory Compliance through the association’s new Compliance Central.
• The Center’s work can also be accessed here.
• The Center maintains a wealth of CFPB-related materials here.
- Cybersecurity Risk Factors, M&As in the Age of COVID-19
- OCC Levies Third Major Fine This Month
- The Contrasting Fortunes of Citigroup and Morgan Stanley
- Equal Credit Opportunity: Critical Considerations for Fair Access and Fair Treatment in Consumer Lending
- What the Federal Reserve’s Latest Move Means for Large U.S. Banks