Performing A UDAAP Risk Assessment

A little over a year ago, we told you about the potential expansion and increased emphasis on unfair, deceptive and abusive acts and practices (UDAAP) by the CFPB. In August of this year, we told you how the CFPB had lived up to its promises with its first enforcement action against Capital One assessing approximately $210 million in total penalties. We continue to see evidence that the CFPB is not taking UDAAP enforcement lightly. Since August, it has issued two more enforcement actions making examples out of Discover and American Express.

In its enforcement action against Discover, the CFPB alleged unfair, deceptive and abusive acts and practices which, as in the case against Capital One, related to the marketing and sales tactics of certain credit card add-on products. Discover’s total penalty is expected to be approximately $214 million, including $14 million in civil money penalties and approximately $200 million in refunds to more than 3.5 million consumers.

Most recently, the CFPB entered into a consent order with American Express alleging, among other things, that American Express engaged in deceptive marketing practices, age discrimination, charging fees in violation of TILA, failure to report consumer disputes, and deceptive debt collection practices. American Express’s penalty totaled approximately $112.5 million made up of $27.5 million in civil money penalties owed to the CFPB, the FDIC, the Federal Reserve and the OCC and an estimated $85 million in refunds to approximately 250,000 customers.

If you are beginning to think that none of this is applicable to your bank because you do not offer credit card services, please stay tuned because the lessons learned apply to all aspects of the banking business including, but not limited to, product development, marketing, lending, customer service and operations.

Previously, a simple review of marketing materials, advertisements and consumer account agreements and disclosures would have been a sufficient UDAAP review, but now with the obvious increased UDAAP regulation, a more thorough review must be performed. It is important for each institution to assess and monitor all products, services, disclosures, agreements, marketing materials, scripts, employment incentive plans and third party contracts.

We encourage each of you to perform a UDAAP risk assessment to determine the level of risk that exists at your bank. The primary areas to consider when performing the risk assessment are management and policies, servicing and collections, employees and third parties, products and services, and availability of terms and services as advertised. The review should also focus on consumer complaints and the bank’s processes and procedures for appropriately and timely responding to those complaints and taking corrective action. The existence of UDAAP issues can be detected through a review of trends in consumer complaints.

As you assess management’s involvement, it is important to ensure that management is made aware of any potential UDAAP risks and takes immediate, corrective action upon discovery. Additionally, third party service providers are increasingly seen as a potential source of UDAAP violations. Aggressive sales tactics and incentive compensation arrangements are concerns. Fees, pricing, agreements, penalties, rates and other aspects of all of your bank’s products and services should be reviewed. And, finally, all marketing and advertising should be reviewed to ensure that the availability of terms and services is as advertised. During the review, please keep in mind that disclosures and advertisements must be compliant throughout the entire lifecycle of a product or service. Products and services should be described accurately in all initial disclosures, and if the product is modified, it is important that related disclosures are also modified.

We have developed a spreadsheet for the participants in the CMS Initiative that can be used in performing the UDAAP risk assessment and computing a risk rating. If you are creating your own risk assessment, we suggest closely following your regulator’s examination procedures and those recently published by the CFPB, which can be found online. Using those criteria, you will be able to rate the risk for each element presented as low, medium or high. A numeric value can be given to each rating. For example, low=1, medium=2, and high=3. The number resulting at the end of your risk assessment will be used to give your Bank its overall UDAAP Risk Rating.

The process of performing a risk assessment is subjective and each Bank must judge its own situation as to whether an element is low risk, medium risk, or high risk given what you know about your Bank’s practices, marketing, products and services, recent examinations or reviews, etc. An overall rating average of “3” will obviously mean that your Bank is at a high risk for a UDAAP violation. Further, an explanation of each item and each risk level rating will help examiners, as well as Management and the Board of Directors, to understand.