“How do you solve a problem like Maria? How do you catch a cloud and pin it down?”
– Lyrics, “Maria,” The Sound of Music
The singing nuns in the iconic film described the trainee Maria as “A flibbertijibbet! A will-o’-the wisp!”
In financial services compliance, we have our own elusive flibbertijibbet, and its name is UDAAP.
The Unfair, Deceptive, or Abusive Acts and Practices Act (UDAAP) is a formidable challenge for even the most experienced compliance professionals. Until the implementation of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), everything we knew about unfair or deceptive practices came from Federal Reserve Board Regulation AA – Unfair or Deceptive Acts or Practices (UDAP). The scope of the ‘little’ UDAP was limited and basically included:
- Notices to cosigners;
- Prohibitions on pyramiding of late charges; and
- Prohibitions on confessions of judgment.
Along came Dodd-Frank. It included the Unfair, Deceptive, or Abusive Acts or Practices Act (UDAAP). The ‘big’ UDAAP is very broad and added language about “misleading or inaccurate” information, disclosures, and advertising; added the “abusive” standard; and renewed initiatives for regulators to pursue enforcement. Dodd-Frank also created the Consumer Financial Protection Bureau (CFPB), which has rulemaking authority for UDAAP and, with respect to entities within its jurisdiction, it has enforcement authority to prevent unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service. That’s a pretty broad street to cross.
The UDAAP threat is open ended. It has the potential to appear in any product, service, employee, or department, and can manifest itself in any number of ways – inaccurate information, omitted information, misinterpretation of information. The Consumer Financial Protection Bureau and other federal regulatory agencies have primarily taken the “know it when you see it” approach, with no agency being able define UDAAP compliance or non-compliance succinctly.
Some of the best lessons can be learned from the mistakes of others. When the UDAAP provision of Dodd-Frank became effective, there were sizable enforcement actions against highly-visible financial institutions right out of the gate: Capital One Bank, N.A.; Higher One, Inc., and The Bancorp Bank; Discover Bank; and American Express and a number of its subsidiary companies. Since those events, the hits have kept coming. In 2017, we’ve seen several by the first trimester, including: Ocwen Financial Corporation; CitiMortgage Inc.; TCF National Bank; and Navient Corporation, Navient Solutions, Inc., and Pioneer Credit Recovery, Inc..
UDAAP is a study in risk management. Each financial institution must develop a risk-based approach to managing UDAAP risk, and using their Compliance Management Systems (CMS) to monitor, identify, and address UDAAP hazards. UDAAP risk management requires a wholistic approach to the way in which policies, procedures, and practices effectuate technical compliance and how they seamlessly mesh to provide compliance coverage for the financial institution.
Since UDAAP issues could occur anywhere, how do we prevent them? UDAAP implementation, training, and monitoring must be included throughout the CMS with other laws and regulations. Coverage of UDAAP is broad, and it includes what is there and, frequently, what is not there. Its requirements and prohibitions should be included in, but not limited to:
- Written policies and procedures in all areas;
- Credit products, underwriting standards and procedures;
- Deposit product terms and fees;
- Internal or external collections;
- Business development, marketing and advertising;
- Product development, terms and conditions;
- Third-Party Vendor management;
- Enterprise Risk Management programs;
- Communication channels, including social media;
- Customer and consumer complaints;
- Internal and external audits;
- Compliance monitoring and review activities; and,
- Board of Director and Senior Management discussions.
Complete and accurate compliance implementation on the front end is important, and, compliance monitoring on the back end is critical to determine the gaps among technical requirements, written policies and procedures, and the documentation that shows the actual practices of the financial institution. UDAAP compliance demands appropriate scope adjustments to internal compliance monitoring; internal audit procedures; and external engagements with third parties. Using a combination of transaction monitoring and process and procedure reviews as part of your monitoring and audit schedules can help expose UDAAP risks, and provide you with insight about the strength of the CMS to manage UDAAP risk.
If you do identify a potential UDAAP-covered violation, you may look to UDAAP for guidance on how much to correct and how to correct. Good luck. While some regulations have statutes of limitations, the CFPB takes an “administrative route” to UDAAP enforcement, allowing it to levy complaints against institutions even after UDAAP issues have been identified and stopped. Prudent practice dictates that financial institutions consider the most comprehensive corrective action available – based partly on any technical corrective action requirements in other related regulations and on the extent to which consumers may have been harmed by the UDAAP error or omission. Financial institutions should consult with legal counsel when determining the length of a look-back period and extent of corrective measures for self-identified concerns.
Does your staff have to receive annual UDAAP training? You will not find a regulation that specifically requires UDAAP training. You do need to raise staff awareness during or concurrently with other compliance training by focusing on the risks and penalties of UDAAP as well as institution-specific policies and procedures to reduce your UDAAP risk exposure.
No matter how you slice it, UDAAP’s elusive nature requires a comprehensive, wholistic view of technical requirements, institution policies and procedures, and actual practices to bring the flibbertijibbet down to earth where it can be solved.
Around the Industry:
CFPB issues mortgage servicing policy guidance.
NCUA issues a final rule to amend its Freedom of Information Act (FOIA) regulation.
On the Horizon:
NCUA Acting Chairman Watters recommends Congress ease regulatory burdens.
What has a change in ownership to do with NMLS? Ask the ‘Om-Bobs-man’!