UDAP vs. UDAAP – Understanding the differences, what all the hype is about and how third-party risk fits in

UDAP vs. UDAAP – Understanding the differences, what all the hype is about and how third-party risk fits in


By Gordon Rudd, Third Party Risk Officer, Venminder

The federal government has been enacting legislation to protect consumers from Unfair or Deceptive Acts or Practices (UDAP) and Unfair, Deceptive or Abusive Acts or Practices (UDAAP) targeting the finance industry since the early 2000’s. The Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) all have legislation or governance recommendations for UDAAP in some form.
So, what is all the recent uproar about? Enforcement. Due to this, UDAP and UDAAP begin to drift in different directions. While the FDIC, FTC and CFPB each have enforcement capabilities, the CFPB is now the most active participant in enforcement. The how and why of the CFPB’s actions seem like a financial institution’s worst nightmare on steroids. This article will give you an idea of the what, when, why and how we’re seeing UDAAP take such a different direction.

UDAP and UDAAP – What’s the Difference?

In 2004, the FTC introduced UDAP. UDAP was originally enacted as regulatory guidance for financial institutions to use as a guideline to ensure the consumers utilizing their products or services were being treated fairly. According to the guidance, an act is deemed unfair if it may cause injury to consumers, can’t be reasonably avoided by consumers and isn’t outweighed by countervailing benefits to consumers or competitions. Deceptive is determined with a three-part test. This test includes verifying if a representation, omission or practice misleads the customer, next the consumer’s interpretation of this deception must be reasonable and finally the representation, omission or practice must be material.
In the beginning, the earlier version of UDAP gave us a general guideline regarding intent. The crux of the rule was intent to deceive. Some examples of questions that had to be asked included:
  1. Did a financial institution attempt to be deceptive in advertising or in the combination of customer services it arrayed before consumers?
  2. Was the fine print too fine and deceptive given the headline of the advertisement?
  3. Was the combination of services too hard for consumers to understand and price compare or overlapping in a manner that caused the consumer to receive a price that was different that the average consumer would expect to receive?
These simplistic examples are targeted at making the offers emanating from financial institutions clearer.
Today, we see the term “abusive” enter the fray. How do we determine if a financial institution has been “abusive”?
With the enactment of the Consumer Protection Act, and the Dodd-Frank Wall Street Reform Act in 2010, UDAAP was born. It’s important to note that UDAP and UDAAP are not the same thing. First off, unlike “unfair” and “deceptive”, the term “abusive” is not defined. Compliance and risk managers are accustomed to following clear guidance. Absent that guidance, it’s difficult to tell senior management precisely what needs to be done (or not done) to stay in compliance. Definitions for “unfair” and “deceptive”, are readily available and universally accepted. However, the term “abusive” is not defined. This makes it incredibly challenging for institutions to determine what will be considered as an abusive act or practice.
An unfair, deceptive or abusive act or practice may also violate other federal or state laws. For example, pursuant to the Truth in Lending Act (TILA), creditors must “clearly and conspicuously” disclose the costs and terms of credit. An act or practice that does not comply with these provisions of TILA may also be unfair, deceptive or abusive. Conversely, a transaction that is in technical compliance with other federal or state laws may nevertheless violate the prohibition against UDAAP.
Consider this example. An advertisement may comply with TILA’s requirements but contain additional statements that are untrue or misleading. Compliance with TILA’s disclosure requirements does not insulate the rest of the advertisement from the possibility of being deceptive. In this example, the financial institution has been deemed to be “abusive”.
And through all of this, keep in mind, not only do you oversee yourself to ensure you’re not committing a UDAAP violation but also your third parties – what they do affects you too.

Consumer Complaints – The Focal Point

With the introduction of UDAAP, the CFPB has gone on to make consumer complaints a focal point. According to the CFPB’s own examination manual, “Consumer complaints play a key role in the detection of unfair, deceptive or abusive practices.” The CFPB sees consumer complaints as an indication that an institution has a poor compliance management program in place. Now a financial institution must make sure it’s not simply monitoring consumer complaints, but recording the individual complaint, recording the institution’s action on the complaint and the consumer’s response, if any. The institution must be able to report to the board, or a committee of the board, the results of their actions.
The CFPB created a complaint management database tool which allows consumers to submit complaints that are available to the public to view and search. Since there is no algorithm to the complaint submission validity, it can be quite troublesome for institutions as it makes it very difficult for them to sift through and manage the complaints. Due to this, institutions must continue to pay close attention to complaint management practices, as many complaints can be deemed as an abusive act or practice.
The determination of “abusive” has taken an interesting turn of late. Not only can consumers go directly to the CFPB’s website and log a complaint, the consumer may log the complaint with the financial institution by any means. The consumer can call, email, text or show up in person. The institution is required to log the complaint, analyze the complaint, decide on the action the institution will take and record the decision, the action taken and the consumer’s response. The CFPB has also determined that consumers can file complaints not only at the institution itself, but they can also file a complaint with the Better Business Bureau (BBB), State Attorneys General, the FTC’s Consumer Sentinel, the CFPB Consumer Response Center or other federal and state agencies. Any complaint filed against the institution or the institution’s subsidiaries, affiliates and third parties constitute as a complaint that financial institutions must now monitor and respond to.
Consumer complaints have become the source for the CFPB to mine and review. In fact, the CFPB monitors social media for complaints against a financial institution, its subsidiaries, affiliates and third parties. The CFPB is looking for a class of consumers (Not to be confused with the term “class” as used in a class action litigation). The CFPB monitors the number of consumers who have all used the same products or services and have had the same negative result, and as a result, the consumer may view as abusive.
So how can you help prevent your institution from a regulatory finding or an enforcement action? Below are our thoughts on best practices to avoid the CFPB’s scrutiny.

7 Complaint Management Best Practices

  1. Establish a well-written complaint management policy. Within the policy, clearly identify who is responsible for tracking and responding to complaints.
  2. Search the Better Business Bureau (BBB), State Attorneys General, the FTC’s Consumer Sentinel, the CFPB Consumer Response Center or other federal and state agencies, as well as social media platforms, for any mention of your institution or its subsidiaries, affiliates and third parties.
  3. Search for negative public news on your own institution. Utilizing Google news alerts and the CFPB’s consumer complaint database should help tremendously.
  4. Log, track and escalate complaints as they’re received from any source or uncovered by your social media due diligence. Define this process in your complaint management policy.
  5. Have a well-developed response and compliance management system in place since the CFPB sees consumer complaints as an essential source of information for examinations and enforcement. The CFPB also views a significant number – the number seems to be relative to every situation – of consumer complaints as an indicator of a weak compliance management system.
  6. Develop a clear link between your third party risk management practices, particularly those around monitoring and oversight, to your compliance management system and to the contracts created with third parties to spell out how you expect them to handle complaints (e.g., resolve and root cause, refer to the institution). Documentation is essential.
  7. Review recent enforcement actions. Research recent complaint sanctions that other institutions have received and implement policies at your own institution to prevent them from happening to you too. The enforcement actions against other institutions can yield insights into how your institution should be handling complaints.
Recent enforcement action against Mastercard and UniRush clearly demonstrate that a financial institution’s third parties can be the cause of an enforcement action. Today, all financial institutions must monitor their third party vendors closely, meaning each third party must be monitored and reviewed periodically as part of a robust compliance management system. Every compliance exam today will have a vendor management (third party risk) component.

Avoid Regulatory Issues

Managing complaints from consumers is increasingly complex yet a fundamental component of risk management. Although said, it’s very important to say again, financial institutions must monitor consumer complaints at the institution itself, the BBB, State Attorneys General, the FTC’s Consumer Sentinel, the CFPB Consumer Response Center or other federal and state agencies and social media. The compliant management process must be very well defined.
Third party risk management is now a key component of a well-managed compliance program. Those who implement a standard complaint management policy document, a third party risk management program and have software to help manage and record activities and actions in an enterprise complaint monitoring process have the best chance of avoiding regulatory scrutiny.
Join CEFPRO and Venminder at the 4th Annual Vendor & Third Risk USA conference, June 4-5, 2019.

Meet Venminder at…

vendor & third party risk usa series

Have you made your free account?