From UDAP to UDAAP: New directions in regulation and enforcement
Financial institutions have long been subject to laws regulating unfair or deceptive acts or practices. Section 5 of the Federal Trade Commission Act (FTC Act) establishes the statutory basis for what is known as UDAP, with rulemaking and enforcement authority given to the various regulatory agencies. Financial regulators generally have tended to enforce UDAP by focusing on disclosure practices in customer-facing communications (e.g., advertising, marketing brochures, television spots, promotional materials). What this has meant for compliance managers is that their controls systems focused on marketing and advertising, and little more. A common expectation was that a good disclosure policy was enough to meet most UDAP requirements.
Rewriting the rules of UDAP
In recent years, this regulatory regime has changed. The impetus for change started in 2008 with the financial crisis and has continued to evolve in response to political and legislative pressures in subsequent years. The passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) in 2010 marked a major milestone in UDAP regulation. It expanded the definition of what constitutes unfair or deceptive acts or practices and created a new regulatory authority over UDAP; this authority enforces UDAP for institutions with over $10 billion in assets. The law has increased regulators' power to bring UDAP actions against financial institutions. They are taking a broader view of what constitutes unfair or deceptive practices, well beyond the traditional focus, and are applying UDAP concepts to other areas of financial institutions' business practices. The consequence has been the imposition of stricter UDAP standards, and a growing number of UDAP enforcement actions.
Where is it all leading?
These events have left many financial institutions in a quandary, unsure as to what all this means and where it is leading. How far will this go and how broadly will UDAP be interpreted? And what does it mean at the ground level for individual organizations? Financial institutions are especially uncertain about the fitness of their present compliance control systems, and whether they are adequate in a new UDAP age. These are important considerations, since the consequences for financial institutions could be significant. The broader UDAP standards could be applied to actions brought in civil courts and by state attorneys general, as well as by federal regulators. In any of these venues, the penalty and/or restitution amounts could be substantial, especially in cases where consumer complaints evolve into class-action lawsuits. Other consequences include unsatisfactory CRA (Community Reinvestment Act) ratings, downgraded consumer compliance ratings, negative press coverage and damaged public and community reputations.
UDAP applies to all types and sizes of financial institutions, including small community banks. Yet some small banks believe that regulators will only pursue large institutions over UDAP violations, or that regulators are only interested in practices related to credit cards or automated overdraft products. These are certainly the types of cases that receive the most press attention. In point of fact, however, small banks would be remiss to believe they are beyond the purview of regulatory scrutiny. Since 2008, 43 percent of UDAP violations cited by the FDIC were for banks with total assets of $250 million or less.
Traditional UDAP standards
Before examining new trends in UDAP enforcement, let's briefly review how UDAP is defined by Section 5 of the FTC Act.
"Unfair" is defined as follows:
"An act or practice is unfair where it:
- Causes or is likely to cause substantial injury to consumers
- Cannot be reasonably avoided by consumers
- Is not outweighed by countervailing benefits to consumers or to competition
Public policy, as established by statute, regulation, or judicial decisions, may be considered with all other evidence in determining whether an act or practice is unfair."
"Deceptive" is defined as "an act or practice where:
• A representation, omission, or practice misleads or is likely to mislead the consumer
• A consumer's interpretation of the representation, omission, or practice is considered
reasonable under the circumstances
• The misleading representation, omission, or practice is material"
New interpretations under Dodd-Frank
The FTC Act mandated five financial institution regulators: (the FDIC, the Board of Governors of the Federal Reserve, the Officer of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration) to enforce UDAP, issue rules and regulations and receive consumer complaints. Regulators responded by implementing Regulation AA.
Dodd-Frank essentially maintains the FTC Act's definitions of "unfair" and "deceptive," while also adding a third element, "abusive"(making the acronym UDAAP), and a sixth financial regulatory body, the Consumer Financial Protection Bureau (CFPB), to enforce UDAAP for institutions with over $10 billion in assets. The FTC Act empowers the CFPB to serve as a new rulemaker and enforcer of UDAAP.
"Abusive" is defined by Dodd-Frank, as follows:
- Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service.
- Takes unreasonable advantage of a lack of understanding on the part of the consumer of the material risks, costs or conditions of the product or service.
- The inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service.
- The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
"Birth to grave" risk management
Staying in compliance with the expanded UDAAP laws may require significant modifications to a financial institution's risk management program. If your present compliance activities are focused mainly or solely on front-end marketing, then you may want to re-think your entire process. Today's broader UDAAP regulations can apply to every stage and activity of the product life cycle. Compliance activities should likewise be involved in all stages of the product life cycle, from birth to grave. This includes monitoring during product development, marketing, sales, advertising and throughout the post-sales account servicing period. Compliance should serve as a second set of eyes, scrutinizing every action from a UDAAP perspective.
To ensure that the product or service disclosure is compliant with UDAAP at every juncture, apply the consistency test to each step. Ask yourself, "Are all communications to the consumer consistent throughout the cycle?" For example:
- Does the disclosure accurately describe the actual product or service?
- If a product has been modified or updated, have you also modified your disclosures?
- Does the language in the sales script match the disclosures?
- Are customer service policies and practices consistent with the disclosures?
- If you are farming out a task to a third-party vendor, have you taken steps to insure that they (their activities, services or disclosures) are also in compliance with UDAAP?
Another test is the "Mother Test." Ask yourself, "Would my mother understand this service or product; would she be able to make an informed decision?" The rationale for using one's "mother" as the standard of measurement is so that compliance managers can imagine themselves in the role of the consumer or a person (like a mother) they would not want to see deceived.
Watch for UDAAP red flags
Financial institutions should identify red flag areas that pose exceptional UDAAP risks. For example, products sold on a commission basis or with any kind of incentive carry a higher risk. Compliance managers may want to scrutinize sales scripts or monitor sales calls to ensure that no deceptive or misleading claim is made in the course of the sales transaction.
Often overlooked in UDAAP compliance are the backend processes. These are the post-sales interactions with customers that are involved with the servicing of the account. Any of those interactions could be subject to UDAAP violations. A claim could be made that repricing of a loan was not in accordance with the contract provisions, that an account maintenance fee was not disclosed, or that information was not disclosed in a timely manner. Misstatements or other errors by customer service representatives (often the result of faulty training) may also lead to UDAAP problems. To guard against these occurrences, financial institutions should take steps to ensure that post-sales customer interactions are in compliance with the original disclosures.
Finally, customer complaints are a rich source of information for compliance managers. Oftentimes, UDAAP violations are uncovered by reviewing and tabulating the complaints received for each issue. If one issue seems to be the target of many complaints, then it should be investigated for possible violations.
All financial institutions should reexamine their compliance programs, in light of the UDAAP environment laws and enforcement practices.