History has taught us that when it comes to compliance, a proactive approach is always the best approach. Whether it’s related to corruption, misconduct or UDAAP, companies benefit from actively monitoring compliance issues and investigating every violation.

One of the best ways for financial services organizations to be proactive about compliance is to make sure that not only current and future acts and practices contain no hint of deception or abuse, but also acts and practices instituted before Dodd-Frank.

In other words, just because it’s not happening now, doesn’t mean you can’t get into trouble for it. It’s a lesson banks are learning from enforcement actions.

Going forward, companies are using case management software to track, manage and respond to customer complaints about UDAAP (and anything else). Learn more here. 

A Quick Recap of UDAAP

The high number of consumer complaints about financial institutions and their questionable tactics has pushed the government to pass new laws in order to protect consumers from what is known as UDAAP – unfair, deceptive or abusive acts and practices.

The CFPB, or Consumer Financial Protection Bureau, which oversees consumer protection in the financial services sector, lays out what may be considered unfair collection practices.

But what counts as being unfair, deceptive or abusive? Here are some of the things that would be considered UDAAP:

• Any act that can lead to substantial injury to the consumer. Substantial injury can be monetary or emotional.
• An injury doesn’t necessarily have to take place, but just having the significant risk of it taking place is sufficient for avoiding the practice.
• Any act that would mislead the consumer or keep the consumer from protecting their interest.

Examples of UDAAP would include such things as taking one’s property without the legal right to do so, misrepresenting the amount or legal status of the consumer’s debt, or false threats of lawsuits or arrests. While it would seem that this was in place all along, it wasn’t, hence the change in the law to protect consumers.

Retroactively Monitoring Practices

“Practices that predate Dodd-Frank are still subject to UDAAP enforcement authority and have in fact been the subject of enforcement actions,” says Andrea Mitchell, a partner in the Washington, DC office of BuckleySandler LLP.

For this reason, some institutions have decided to take a retroactive look at their practices to understand their UDAAP risk for previous actions.

“While taking corrective action to address potential UDAAP violations can help mitigate the risk of a public enforcement action, no amount of voluntary remediation or compliance program enhancements can “undo” a violation of law…It is important to understand that you can’t un-ring the bell,” she says.

Taking a retroactive look is particularly important when you know there has been activity at another bank that has been subject to enforcement action, or when you know that scrutiny of your bank’s practices is imminent.

“If you find what you perceive to be acts or practices at your institution that may run afoul of UDAAP, you have the option of proactively remediating and taking other corrective action or waiting to see if the potential violation goes undetected by the regulators and enforcement agencies. [But] voluntary remediation alone does not insulate an institution from a targeted examination, investigation or enforcement action,” says Mitchell.

The Bureau has issued a bulletin in the past encouraging institutions to engage in self-policing, self-reporting, remediation and cooperation with the CFPB. By adhering to the principles set forth in this bulletin, financial institutions will receive favorable consideration in any investigations.

“A critical element of the bulletin centers on self-reporting the potential violation to the Bureau, but many banks or companies don’t have an appetite for proactively reporting an issue to the CFPB in exchange for the mere prospect of receiving favorable treatment in a potential investigation down the road,” she says.

The Three Lines of Defense

As with the prudential federal banking regulators, the CFPB expects institutions under its jurisdiction to maintain a compliance program that includes three lines of defense.

1) Business unit: The first level of review should be conducted by the business unit. Whether the company is creating new products, developing marketing and advertising strategies, drafting sales or account servicing scripts, or determining the terms and conditions of products, they should scrutinize every action with a UDAAP filter.

2) Legal and compliance: The second level of review is by the legal and compliance units, to ensure compliance with applicable laws, regulations and company policy.

3) Audit: The third level of review is an internal audit. On a retroactive basis, an audit makes sure the company has been doing what it should be doing and is consistent with applicable laws, regulations and company policy.

How to Tell if a Practice is UDAAP

There’s no iron-clad rule stipulating exactly what the banking industry may or may not do when dealing with customers, making it difficult to determine whether an act is unfair, deceptive and abusive or not.

The fact-specific, institution-specific way the Bureau is approaching enforcement makes some people nervous. Financial service providers are being encouraged to read the bulletins that are issued by the CFPB and take into account the guidance documents issued by the prudential regulator to get clarification on what could be construed as UDAAP.

But just as importantly, Mitchell urges them to monitor the enforcement actions against other institutions to determine how the Bureau is interpreting consumer protection laws and how those issues compare to issues experienced by their own banks.  “Compare the policies and practices challenged in those orders against those at their company or bank,” says Mitchell.

In the absence of guidance and enforcement actions that relate to a consumer issue, “you have to use your fundamental common-sense filter for what fairness is, and what a reasonable person might misunderstand or be confused by,” says Mitchell

Many institutions are now creating a position for someone who is responsible for ensuring fairness and transparency with customers, she adds. This consumer ombudsman looks at everything the company is doing from the customer’s perspective and gives the company feedback on how something could be perceived as UDAAP.

Assessing Risk & Response

When assessing the proper course of action in response to a potential UDAAP violation, the decision to take voluntary and proactive corrective action requires a cost-benefit analysis, says Mitchell.

“It depends on the number of people harmed and the magnitude of the harm,” she says, adding that certain institutions might offer more extensive restitution due to the existence of an open Memorandum of Understanding or Matter Requiring Attention and the heightened consequences of committing another violation while a related matter is pending before the Bureau.

Another aspect of risk involves the severity of the potential UDAAP violation. If it’s not a clear UDAAP violation, and there’s a very low likelihood that it will ever come to the regulators’ or consumers’ attention, a company may decide to sit tight.

“There are many factors to consider in how a company will act in response to a potential UDAAP violation, so the discussion should be elevated to the appropriate level of management in the company,” says Mitchell, but she warns that it’s a sensitive issue from a legal and reputational standpoint and should only include those who are essential to making a decision about the proper course of action.