UDAAP – Is Your Compliance Management System Keeping Up?
We’ve said it before and we’ll say it again: to understand the CFPB, you need to understand another acronym—UDAAP. The Consumer Financial Protection Bureau exists, in large part, to guard consumers against what regulators deem “unfair, deceptive, or abusive acts and practices.” To that effect, half of the enforcement matters that the CFPB has made public have alleged UDAAP violations.
In theory, it sounds simple enough: a lender does something unfair, deceptive, or abusive, and the CFPB reacts in the form of a penalty, investigation, lawsuit, or other enforcement action. In practice, however, the words “unfair,” “deceptive,” and “abusive” sometimes seem to have no fixed, objective meaning. Who decides whether an act or practice constitutes a UDAAP? What’s really “abusive?”
How Does the CFPB Define “Abusive?”
Michael Semanie, an attorney with Killgore, Pearlman, Stamp, Denius & Squires, P.A, gets that question all the time. Here’s what he recently told our audience during our Blueprint for a Modern Compliance Program webinar: “It’s a catch-all. If the CFPB doesn’t like what you’re doing, and it doesn’t really fit into ‘deceptive,’ or ‘unfair,’ [it’s] abusive.”
To substantiate his point, Mike read the relevant statutory language. According to the UDAAP provisions in Title X of the Dodd–Frank Wall Street Reform and Consumer Protection Act, “abusive” refers to…
“…an act that materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or takes an unreasonable advantage of a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or the reasonable alliance by the consumer on a covered person to act in the interest of the consumer.”
Mike told us that the Act’s definition of “abusive” is longer than the “deceptive” and “unfair” provisions because lawmakers intended it to be as broad as possible—“to catch anything else that would maybe otherwise fall between the cracks of the deceptive and unfair, but the CFPB still believes it to be wrong somehow.”
How Can You Prevent UDAAPs?
By now, consumer finance companies seeking to stay out of the CFPB’s way have learned how important it is to refrain from UDAAPs. But the same ambiguity that lends regulators broad authority has presented difficulties in terms of actionable preventative measures. What can an organization actually do to prevent UDAAPs?
Mike brought up the CFPB’s guidance, much of which emphasizes risk assessments. He told our audience that an effective UDAAP compliance strategy resembles an effective overall compliance program: an organization identifies its risks and responsibilities and undergoes a “cyclical process” of learning, integration into business operations, review, corrective action (when necessary), re-identification of risks, and so on.
Mike mentioned some recent cases and corresponding CFPB guidance related to the practice of charging customers a fee when they choose to pay by phone. The Phone Pay Fee Compliance Bulletin 2017-01 includes a “laundry list” of acts and practices that the CFPB considers unfair, deceptive, or abusive. For some illustrative examples, take a look what the Bureau recently alleged one entity or that entity’s service provider did:
“(i) misrepresented in credit card agreements that the fee’s purpose was to allow payment by phone, when its purpose was solely to ensure payment posted the same day it was made; (ii) failed to disclose during collection calls that the fee’s purpose was solely to expedite payment, and in certain circumstances misrepresented that the fee was a ‘processing fee’; (iii) volunteered that consumers could make payment using a checking account and triggered the fee by setting such payments to post immediately by default; and (iv) failed to disclose the existence of no-cost payment alternatives, including free next-day payment.”
Companies shouldn’t merely look at a list of allegations like the one above and nod along or roll their eyes. Rather than saying, “Wow, that is new,” or “That doesn’t feel right,” or “That makes sense,” urged Mike, “Take that opportunity to go back and look at your compliance program, and make sure that that new issue fits in within it, and that you would catch that issue.”
In other words, updating your compliance program to address UDAAPs means staying aware of ongoing guidance and statutory interpretations, and—if your company engages in practices equivalent or similar to the ones you read about—adding new policies into your program and ensuring your employees know how to act accordingly. For example, said Mike:
“If you’re charging a fee for your pay-by-phone option, the first thing to do is go back and look at the policy: Do you have any policies that address that issue? Look at the information that you have in your account disclosures, your loan agreements, your periodic statements, the coupon books on the website, when you actually take a phone call—how is all that information disclosed to the consumer? And then, now, does that comply with the guidance that was raised by the CFPB?”
If you don’t update your compliance program accordingly, your company risks not only regulatory enforcement action, but private lawsuits. Mike added:
“This is what plaintiffs’ attorneys are looking for, too. When CFPB or FTC or any of these regulators come out with a statement about ‘here’s how I think this is wrong,’ compliance attorneys are all over that, saying, ‘look, even the regulators say this is wrong.’ … And [if] folks haven’t adapted quickly enough to where they can actually make those claims, that’s just low-hanging fruit for plaintiffs’ counsel.”
How well can your compliance program handle what Mike calls the “shifting sands” of Fair Lending regulations? If your CMS isn’t nimble enough to withstand constant legal proceedings, regulatory updates, and gray areas, it’s time to try a better compliance solution.