Pdf A Roadmap to Proactive UDAAP Risk Management

www.fisglobal.com

Regulatory Intelligence Briefing –

A Roadmap to Proactive UDAAP Risk Management

September 9, 2015

August 12, 2015 CENTER OF REGULATORY INTELLIGENCE

2

©2015 FIS and/or its subsidiaries. All Rights Reserved.

REGULATORY INTELLIGENCE BRIEFING

Table of Contents

A. Editorial Note from the Managing Director, Center of Regulatory Intelligence ........... 3

B. Biweekly Washington, D.C. Regulatory Roundup .......................................................... 4

C. Featured Regulatory Intelligence Briefing – A Roadmap to Proactive UDAAP Risk Management ............................................................................................................. 6

D. Did You Know? ............................................................................................................... 24

E. About FIS’ Center of Regulatory Intelligence ............................................................... 26

3



A. Editorial Note from the Managing Director, Center of Regulatory Intelligence

Introduction

Proactively managing unfair, deceptive or abusive acts or practices (UDAAP) risk is made even more

challenging by the fact that the law is defined mostly by enforcement actions and informal guidance, such as the

Consumer Financial Protection Bureau’s (CFPB’s) Supervisory Highlights. This places compliance officers in

reactive mode – essentially reading about enforcement actions or the violations described in the Supervisory

Highlights, then assessing the risk of a similar situation occurring at their institution.

While careful review of enforcement actions is a valuable component of a UDAAP compliance program, a more

proactive approach to compliance will equip institutions with a better compliance profile. This Regulatory

Intelligence Briefing (RIB) analyzes recent key enforcement actions citing UDAAPs, shares what the CFPB and

other agencies are finding in exams and provides a roadmap for achieving and maintaining compliance.

The passage of the Dodd-Frank Act and the creation of the CFPB in 2010 brought a paradigm shift in the

regulatory environment that most financial institutions have yet to fully grasp today. For most of us, those days

of a simple “check-the-box” compliance program are gone, yet many compliance professionals are still operating

under that old regime.

Market participants need to better understand what the terms “unfair,” ”deceptive” and ”abusive” mean, and

what types of acts and omissions have a heightened risk of being classified as one or more of these. Such an

understanding is paramount to preventing millions of dollars in penalties and fines along with immeasurable

reputation damage.

Remember that no institution is immune. UDAAP applies to every financial institution, from the smallest local

banks and credit unions to the largest multi-national ones, as well as the host of other entities now regulated by

the CFPB, including mortgage companies, payday lenders and collection agencies, to name a few (hereinafter

referred to as “institution” for simplicity).

It is important to note that examination procedures have changed to accommodate this broadening scope, and

regulators are no longer restricting consumer exams to technical issues related to disclosures and

advertisements. Examiners today receive a comprehensive education on the legal standards for UDAAPs and

have developed a specific approach to examining for and identifying UDAAP violations.

We want to help you overcome the old way of thinking and give you a new compliance model for the next

century, in which “consumer friendly” is the new standard. It’s more than just a phrase; it’s a mindset.

In our next RIB, we will focus on an analysis of CFPB complaints, reports and enforcement actions to provide

you with detailed insights into the trends and emerging risks in consumer finance. This intelligence will aid your

institution in identifying and correcting issues long before the next compliance examination.

Peter D. Dugas Managing Director, Center of Regulatory Intelligence

Peter has more than 16 years of government and consulting experience in advising clients on supervisory matters

before the U.S. Government and in the implementation of enterprise risk management programs. He is a thought

leader in government affairs and regulatory strategies in support of banks and financial institutions compliance with the

Dodd-Frank Act and Basel Accords. Prior to joining FIS™, he served as a Director of Government Relations at Clark

Hill and in senior government positions, including serving as a Deputy Assistant Secretary at the U.S. Department of

the Treasury.

4



B. Biweekly Washington, D.C. Regulatory Roundup

Regulatory and Compliance Alerts

FinCEN Ruling on MSB Classification of Precious Metals Dealer

On August 14, 2015, the Financial Crimes Enforcement Network (FinCEN) published a response to a request

from a company for an administrative ruling (FIN-2015-R001) to determine if the types of activities in which it

engages makes it a money services business (MSB.)

The company provides Internet-based brokerage services between buyers and sellers of precious metals.

Buyers pay sellers directly by check, wire transfer or Bitcoin. The company buys and sells precious metals on its

own account. It also holds precious metals in custody for buyers that purchase this service, and customers can

trade or exchange precious metals holdings by any means that can be traded or exchanged using Bitcoin. The

company derives income from charging a transaction fee on transfers of digital certificates by customers and

custody fees for holding precious metals.

The definition of money transmission includes several exemptions, but the company does not fall under the e-

currencies or e-precious metals trading exemption because it issues a freely transferable digital certificate of

ownership to buyers and allows the unrestricted transfer of value from a customer’s commodity position to the

position of another customer or a third-party. Such activity goes beyond that of a broker or dealer in

commodities, and the company is acting as a convertible virtual currency administrator. As such, the company

falls under the definition of money transmitter. A money transmitter is a type of MSB.

FinCEN also ruled that the company, as a dealer that engages in the purchase and sale of precious metals,

precious stones or jewels for its own account, is considered to be a financial institution. A company that is either

a money transmitter or a dealer in precious metals, precious stones or jewels must assess the money

laundering risk involved in its non-exempt transactions and implement an anti-money laundering (AML) program

to mitigate such risk. The company must register with FinCEN and comply with the recordkeeping, reporting and

transaction monitoring requirements.

FinCEN Expands Geographic Targeting Orders on Border Cash Shipments in California and Texas

On August 7, 2015, in a press release, FinCEN announced that it has renewed a geographic targeting order

(GTO) currently in place for armored cars and other common carriers of currency at two U.S. border crossings in

southern California and issued a new, similar GTO applicable to carriers crossing the U.S. border at eight major

ports of entry in Texas.

GTO reporting and recordkeeping requirements are designed to enhance the transparency of cross-border

money movements and prevent the attempted exploitation of reporting exemptions by some carriers suspected

of moving cash for Mexican drug trafficking organizations. The orders temporarily modify the Report of

International Transportation of Currency or Monetary Instruments (CMIR) requirements for common carriers of

currency when physically moving more than $10,000 in cash across designated border crossings in California

and Texas by eliminating reporting exemptions. All transported sums must be reported.

Common carriers of currency subject to the renewed southern California GTO must continue complying with the

enhanced reporting requirements until February 4, 2016. Common carriers of currency subject to the new GTO

at ports of entry in Texas must comply with the enhanced reporting requirements from September 17, 2015

through March 15, 2016.

http://www.fincen.gov/news_room/rp/rulings/pdf/FIN-2015-R001.pdf

http://www.fincen.gov/news_room/nr/html/20150807.html

5



CFPB Bulletin on Cancellation of Private Mortgage Insurance

On August 4, 2015, in a Bulletin, the CFPB provided guidance to mortgage servicers regarding the cancellation

and termination of private mortgage insurance.

Private mortgage insurance (PMI) protects the lender if the borrower stops making payments on a loan. Lenders

generally require consumers with a down payment of less than 20% to purchase PMI. The PMI premiums are

added to the borrower’s monthly mortgage payment. The Homeowners Protection Act of 1998 requires lenders

to cancel PMI when the level of borrower equity in a home increases.

The Bureau has identified substantial industry confusion over the implementation of PMI cancellation and

termination requirements. The purpose of the Bulletin is to clarify the existing PMI cancellation rules; it does not

impose new requirements.

OCC Guidance on Risk Management of Financial Derivatives

On August 4, 2015, in a Bulletin (2015-35), the Office of the Comptroller of the Currency (OCC) clarified its

expectations regarding the extent to which national banks and federal branches or agencies of a foreign bank

may make or take delivery of a physical commodity to hedge commodity derivative transactions.

Specifically, the Bulletin provides calculation guidance for determining whether physical hedging activities are a

nominal portion of risk management activities. OCC considers physical hedging positions of a bank to be

nominal only when they are no more than five percent of the notional value of the derivatives that are in that

same particular commodity and allow for physical settlement within 30 days. This Bulletin supplements Banking

Circular 277 (BC-277), "Risk Management of Financial Derivatives" (October 27, 1993).

As described in BC-277, a bank that satisfies certain conditions may engage in physical commodity transactions

(for example, by buying or selling title to a commodity via a warehouse receipt or bill of lading) to manage the

risks of commodity derivatives. One condition is that the physical commodity transactions constitute a nominal

percentage of the bank’s risk management activities. BC-277 does not, however, detail what percentage of risk

management activities is "nominal," nor does it provide a calculation methodology for this condition. This bulletin

provides that supplemental information.

The OCC expects a bank that plans to engage in such activity to present a detailed plan and to obtain prior

written non-objection from OCC supervisory staff before proceeding.

http://www.consumerfinance.gov/newsroom/cfpb-provides-guidance-about-private-mortgage-insurance-cancellation-and-termination/

http://www.occ.gov/news-issuances/bulletins/2015/bulletin-2015-35.html

6



Unfair

Causes or is likely to cause substantial injury to consumers Not reasonably avoidable Injury not outweighed by benefits

Refusing to release a lien after the final payment is

made

Dishonoring convenience checks without notice

Deceptive

Misleads or is likely to

mislead consumers

Consumer’s interpretation

is reasonable

The misleading

representation is material

Presenting benefits in bold

font and costs/fees in

small font

Misrepresenting terms and

conditions

Abusive

Materially interferes with consumers’ understanding of features or takes unreasonable advantage of consumers Confusing or vague terms

and conditions

Targeting a vulnerable population with complex

products

C. Featured Regulatory Intelligence Briefing – A Roadmap to Proactive UDAAP Risk Management

Introduction

Mastery of the risks related to unfair, deceptive or abusive acts or

practices (UDAAPs) should be a priority for executives and

compliance personnel at all types of financial services organizations.

UDAAP has long reined as one of the most inherently high-risk areas

of regulatory compliance for the industry, with strategic implications

for financial institutions and nonbank industry participants alike. This

risk is increasing, as shown by indicators such as the volume and

severity of enforcement actions.

Examiner Focus

The Federal Perspective

For many years, UDAP stood for Unfair or Deceptive Acts or Practices, pursuant to Section 5 of the FTC Act.

The industry has now had some time to become accustomed to an additional “A” – Abusive – added to UDAP

by the Dodd-Frank Act, making it “UDAAP.” Examiners expect compliance and management personnel to be

aware of and educated on this key topic. Here is a quick refresher on the three elements.

Examiners can cite a UDAAP violation if they believe that any product, service or practice at an institution is

unfair, deceptive or abusive, making UDAAP an all-encompassing regulation that pertains to the entire

enterprise. This is not mutually exclusive of other regulations; rather, a UDAAP violation can be cited in

conjunction with another regulatory violation, or it can be cited in the absence of any technical regulatory

violations. Understanding UDAAP risk involves understanding all customer-facing operations, activities,

practices, products, services, third parties and ways of doing business at the institution from the ground up.

a! a! a!

7



The State Perspective

In addition to federal regulatory violations, there are state-specific UDAAP (or UDAP, depending on the state)

laws. In many ways, state laws pose an even higher risk than their federal counterparts, and include laws

relating to UDAAPs, UDAPs (the old federal model, without “abusive”), Unfair and Deceptive Trade Practice

Acts (UDTPAs) and Unfair Business Practices. There is often a lower standard of proof, broader coverage (for

example, permitting claims by businesses, not just consumers), and provisions for larger awards of damages

and attorney fees.

CFPB Focus and Authority

The Dodd-Frank Act granted the CFPB authority to enforce against UDAAPs at the federal level, and enforce it

has. In the few years since its inception, the CFPB has brought enforcement for UDAAPs against banks,

mortgage lenders, payday lenders, student lenders and more, assessing large civil money penalties in most

cases. UDAAP enforcement often also results in mandates for sweeping and costly changes to business

practices and compliance programs.

The CFPB is dedicated to protecting consumers from UDAAPs, and it has demonstrated in its short lifetime the

heavy blows it can land against institutions that engage in unfair, deceptive or abusive acts or practices. It is

clear that the CFPB takes UDAAP claims very seriously.

“We are putting companies on notice that these deceptive practices are against the law and will not be

tolerated.” – Richard Cordray, CFPB Director, “CFPB Probe into Capital One Credit Card Marketing Results

in $140 Million Consumer Refund,” July 18, 2012

The CFPB frequently collaborates with the other major federal banking agencies on enforcement. New CFPB

standards and “best practices” are likely to be adopted by other federal banking regulators, ultimately impacting

smaller banks regardless of their size or primary regulator. The CFPB, along with the other federal bank

regulators, has issued more than 100 enforcement actions related to UDAAPs in recent years.

Source: FIS Database of Banking Agencies Enforcement Actions

$0

$10,000,000

$20,000,000

$30,000,000

$40,000,000

$50,000,000

CFPB OCC FDIC FRB

UDAAP Fines and Penalties

2014

2015

8



Unfair

Deceptive

In addition to fines, penalties and restitution, regulators may also downgrade a bank’s Community Reinvestment

(CRA) rating in connection with UDAAP enforcement. This can have a harmful trickle-down effect, potentially

preventing future growth by way of mergers, acquisitions and other new business initiatives.

UDAAP issues implicate all types of risk: strategic, compliance, reputation, legal and more. Consumer harm

(actual or perceived), lawsuits and negative press can cause irreparable damage to an institution’s reputation,

resulting in sizeable revenue loss. UDAAP violations tend to also be reported on by the general press, not just

within banking circles.

Making Headlines

On August 12, 2015, the CFPB, along with the OCC and the FDIC, reaffirmed their commitment to fighting

UDAAPs when they took action against a large U.S. bank holding company and its two banks, assessing

combined civil monetary penalties totaling $20.5 million and ordering $11 million in customer restitution. The

bank’s alleged unfair and deceptive misconduct, which related to deposit errors, took place over a six-year

period.

Strategic Impact

Institutions would be well-advised to take a closer look at deposit-taking functions

given this recent, high-profile action with regard to an area often given little

compliance attention. Specifically, assess how deposit errors are handled

operationally.

Are all deposit errors researched and corrected, or are there thresholds?

If there are thresholds, are they reasonable?

Are thresholds or limitations clearly communicated in account agreements?

Is there consistent application of policies?

If adjustments are made to deposits, are depositors notified?

“Deposit proof”

function

Retained the difference

between actual deposit and

what was listed on deposit

slip if it was less than $50

(later $25)

Customers were under-

credited by approximately

$12.3 million in all

Account agreements

implied that all deposits

would be verified and

discrepancies would be

researched and corrected,

but internal communications

limited this research and

correction to amounts below

the thresholds, which were

not listed in the disclosures

http://files.consumerfinance.gov/f/201408_cfpb_consent-order-rbs-citizens.pdf

9



Lessons Learned

Broader lessons to be learned from this action include:

1. Monitor and track complaints – Deposit-taking functions are generally considered low-risk. As such,

they are subject to less monitoring and oversight than higher-risk areas. Logging and monitoring

complaints is a critical tool in early identification of patterns or practices that raise compliance issues. A

look at the complaint log may have revealed a trend of customer complaints about incorrect crediting of

deposits. This early warning could have aided the banks in identifying and correcting this issue long

before the next compliance examination. History has taught us that the prudential regulators and the

CFPB believe that customer complaints are often indicative of UDAAP issues. Therefore, heeding

Compliance Officer/Department requests that all business units cooperate with the logging and tracking

of customer complaints is well-advised.

2. Encourage internal complaints and involve the Compliance Officer – Employees should be

encouraged to speak up regarding practices that they believe may pose compliance issues or cause

consumer harm. Preferably, anonymous means of reporting should be available. However, compliance

officers are not typically included on whistleblower notification lists, so ensure that yours is informed of

such complaints and given an opportunity to analyze any potential compliance impact.

3. Apply a UDAAP lens throughout your organization – Ensure that all employees are trained on

watching for potential UDAAPs, and that reviews and audits include UDAAP coverage. This will help

ensure that possible UDAAPs are caught even in low-risk areas not subject to frequent review. Better to

proactively detect and remediate UDAAPs yourself than to risk such high-risk regulatory examination

findings.

4. Analyze efficiency ideas for potential compliance issues – The thresholds set by this bank may well

have been for the purpose of efficiency; after all, it would be much quicker to follow the internal

thresholds than to research each and every discrepancy. When performing your UDAAP risk

assessment, be sure to evaluate any practices that were implemented or modified under the auspices of

creating efficiencies.

5. Involve Compliance in change management – Organizations frequently reward employees for their

ideas regarding ‘revenue optimization’. This is perfectly acceptable; however, prior to implementation,

Compliance should be involved in assessing whether changes that are good for business are also

acceptable practices through a regulatory and consumer compliance lens, with specific attention to

possible UDAAPs.

10



Recent Federal Enforcement Actions

In addition to the big headlines, overall trends in enforcement reflect a rise in UDAAP scrutiny by examiners. As

illustrated by the charts below, UDAAP actions only accounted for eleven percent of 2014 federal enforcement

actions, whereas they already account for twenty-one percent of actions thus far in 2015.

Examinations

Examiners today are far more knowledgeable about UDAAP, and their approaches to examining for UDAAP

have changed. Prior to 2011, examiners considered UDAP an insignificant component of an overall consumer

compliance exam.

Be aware that the agencies’ attitudes toward UDAAP have changed significantly,

and this is reflected in both their training and in their examination procedures.

11



Today “consumer friendly” is the order of the day. Examiners are getting specific training on UDAAP, and the

approach to examinations is changing. A review of older versions of the exam manuals for various agencies

doesn’t reveal a section specifically addressing exam procedures on UDAAP; however, agency exam manuals

today contain robust exam procedures for UDAAP in dedicated sections. Comparing the current exam manuals

from the CFPB and the FDIC reveals the following:

The CFPB has a fairly extensive UDAAP section within its exam manual that provides the specific standards

used to evaluate what is unfair, deceptive or abusive, and they provide relevant examples of each element. It

also has significant sections which discuss analyzing complaints and the “key role” consumer complaints play in

the exam process for the detection of UDAAPs. The procedures instruct examiners to consider complaints

lodged against subsidiaries, affiliates and third parties regarding products and services offered through the

institution or using the institution’s name. No one is immune.

The FDIC exam procedures on UDAP, however, are more robust and provide more up-front information on what

the agency is looking for. In addition to background information on UDAP and a section on complaints, the FDIC

provides useful tools that examiners use to prepare for an exam. For example, there is an examination

questionnaire for UDAP, a discussion of what documentation the examiner will gather to provide support for a

potential UDAP finding, a discussion of risk management considerations, a list of agency issuances regarding

UDAP and more.

CFPB Risk Assessment – Risk to Consumers

The CFPB brought a unique perspective to risk assessments when it released its risk assessment template. Contrary to prior industry practice, the CFPB’s approach allows the overall residual risk to consumers to be higher than inherent risk. As stated in the template, “A risk controls conclusion of “Weak” should result in an overall risk conclusion that is no more favorable than “Moderate,” even if the degree of [inherent] risk is concluded to be “Low.” (CFPB Risk Assessment, p.21)

The “deposit proof” case discussed offers a good example of this in a UDAAP context. Deposit-taking is

ordinarily a low-risk area, but weaknesses in the banks’ compliance management systems resulted in harm to

consumers. Had these control weaknesses been identified, the area would have been ranked “High” residual

risk and would have received the additional attention that was needed to identify and remedy problems. Let’s

look at some other actions that offer valuable insight into where examiners place their focus.

Key Takeaways from Recent Enforcement Actions

The mistakes of others provide an opportunity to learn, improve and avoid being the next negative headline. The

CFPB’s semi-annual Supervisory Highlights publication offers some helpful insight into UDAAP issues seen in

the industry. An analysis of some of the findings shows a broad interpretation of unfair, deceptive and abusive

by the CFPB and provides insight for entities as they design their internal review and monitoring programs and

methodology. A few sample findings appear below (emphasis added for discussion purposes), followed by our

analysis of those findings.

12



2015 – Focus on Potential Consumer Harm

Violation = Inaccurate Disclosure Language Product/Activity = Student Loans

“…examiners determined that student loan servicers included language on periodic

statements suggesting that borrowers could not deduct on tax filings interest paid on

qualified student loans unless they paid more than $600 in interest. Examiners found this

practice to be deceptive because there is no minimum amount of qualified student loan

interest that borrowers must pay before taking a deduction.”

CFPB Supervisory Highlights, summer 2015, page 9

Violation = Conflicting Disclosure Language Product/Activity = Collections

“When attempting to collect on delinquent accounts, collectors offered consumers a recurring

ACH payment option. When informing consumers about this payment option, collectors

promoted the consumers’ ability to adjust or cancel a recurring ACH payment with only 24

hours’ notice. This representation, however, contradicted both an express representation in

monthly periodic statements provided to consumers and internal policies and procedures,

which stated that a minimum of 72 hours’ notice was required. The contradiction in oral and

written disclosures of the timeframe required to cancel or adjust a recurring ACH created a

risk of deception.”

CFPB Supervisory Highlights, winter 2015, page 7

Violation = Conflicting Disclosure Language Product/Activity = Overdraft Fees

“…the institutions assessed overdraft fees for electronic transactions in a manner

inconsistent with the overall net impression created by the disclosures. Examiners therefore

concluded that the disclosures were misleading or likely to mislead, and because such

misimpressions could be material to a reasonable consumer’s decision-making and

actions, examiners found the practice to be deceptive. Furthermore, because consumers

were substantially injured or likely to be so injured by overdraft fees assessed contrary to the

overall net impression created by the disclosures (in a manner not outweighed by

countervailing benefits to consumers or competition), and because consumers could not

reasonably avoid the fees (given the misimpressions created by the disclosures), the

practice of assessing the fees under these circumstances was found to be unfair.”

CFPB Supervisory Highlights, winter 2015, page 9

13



2014 – Focus on Compliance Management System Weaknesses

Violation = Improper Oversight of Third Parties Product/Activity = Payday lending

and Complaint Management

“…lenders failed to properly oversee third-party service providers, which contributed to

violations of the Fair Debt Collections Practices Act and the Dodd-Frank Act prohibition on

unfair, deceptive, or abusive acts or practices. Many contracts examined by CFPB

examiners between payday lenders and third-party service providers contained no specific

compliance-related expectations, and some did not include any reference at all to

compliance responsibilities. Further, a number of lenders lacked adequate processes for

analyzing the root causes of complaints and for monitoring the resolution of complaints.”

CFPB Supervisory Highlights, spring 2014, page 15

Violation = Inadequate UDAAP Training Product/Activity = Enterprise-Wide

“At multiple lenders, training programs were nonexistent or missing vital components,

such as applicable Federal consumer financial laws and instruction on how to avoid unfair,

deceptive, or abusive acts or practices.”


Violation = Misleading Borrowers Product/Activity = Collections

“…Supervision cited deceptive acts or practices at multiple lenders for their false or

misleading communications with borrowers. Examiners identified the following deceptive

claims during collections activities:

False threats to add additional fees;

False threats to report to consumer reporting agencies (CRAs);

False threats of legal action or referral to a non-existent in-house “legal department”;

False claims that the lender will debit the borrower’s account at any time; and

Deceptive messages regarding non-existent special promotions to induce borrowers to

return calls.”


An analysis of these violations reveals that the CFPB views each situation through the eyes of the consumer

who receives information from disclosures and advertisements and then takes some type of action based on the

“overall net impression” of all of the information received. It makes sense, then, to ensure that your UDAAP

monitoring follows the same approach. Note that contradictory information provided to consumers appears to be

a key contributor to UDAAP violations due to its impact on consumers’ ability to make clear decisions. The

CFPB also points out root causes of many violations, including inadequate training programs, inadequate

monitoring and lack of attention paid to third-party relationships and consumer complaints.

High-Risk Products, Services and Activities

Looking holistically at the violations noted in the Supervisory Highlights and the recent enforcement actions, we

can see that certain products, services and activities are frequently the subject of regulatory actions. Initially,

violations and enforcement actions focused on inherently high-risk areas, which were typically related to credit.

These have included credit card add-on products, predatory lending practices, debt collection activities and

advertising misrepresentations.

14



02468

101214161820

Parties to CFPB Enforcement

2014

2015

Although overdraft protection programs have also been the focus of UDAAP scrutiny over the years, only a few

enforcement actions have pertained to deposit products – those being overdraft protection, the advertisement of

checking accounts as being “free” (when in fact they were not) and the deposit posting error discussed

previously.

Source: FIS Database of Banking Agencies Enforcement Actions

As shown in the graph, in 2014, most UDAAP-related enforcement was against banks. However, this year

examiners have focused increasing attention on nonbank institutions. Recent enforcement actions continue to

reflect a focus on credit-related activities, such as default loan servicing, foreclosure relief services, sham credit

cards and a new item in 2015 - tax refund anticipation loans.

A look at enforcement action data and trends gives us a useful lens into what products and activities are highest

risk. These are listed below, with red items being very high risk.

High-Risk Products High-Risk Operational Areas/Activities

Mortgage Loans *Mortgage Loan Servicing

Student Loans *Debt Collection Services

Auto Loans Foreclosure Relief Services

Retail Installment Loans Credit Repair Services

Credit Cards Advertising Loans Supported by Government Programs

Payday Loans Outsourcing

Consumer Loans to Servicemembers Assessing Overdraft Fees

Tax Refund Loans Advertising Overdraft Programs

Prepaid Debit Cards Military Loan Origination and Servicing

Rewards Programs Advertising Mortgage Rates

Overdraft Protection Programs Advertising Any Product or Service as “Free”

*Mortgage Servicing and Debt Collections activities are notable in that they’re the only activities that

have had all three types of violations: unfair violations, deceptive violations and abusive violations.

15



It is interesting to see that many of the practices considered UDAPs and highlighted by the now defunct Office of

Thrift Supervision (OTS) in its 2010 UDAP Examination Procedures are still seen at institutions today and

remain high-risk areas. Examples include:

Failing to limit aggregate overdraft fees

Increasing the annual percentage rate (APR) without giving notice or reason

Failing to protect consumers’ personal information

Failing to protect consumers from financial abuse

Making misleading representations in advertisements

Deceptive overdraft disclosures

Misrepresenting available credit

Inadequate fee disclosures

Failing to disclose product limitations

How Loan Servicing Practices Can Become UDAAPs Although servicing loans would appear to be fairly straightforward and lower-risk with regard to UDAAP, there

are in fact several areas of loan servicing in which institutions are at risk of UDAAP violations. Some of these

violations may also be violations of other regulations, while others may technically comply with all other

regulations but are implemented in such a way that they result in unfair, deceptive or abusive practices. Let’s

review a few of these:

Failure to timely and accurately apply payments – This is fairly common when an institution

purchases a loan from another institution and takes over the servicing of that loan. The customer will

accidentally mail payment to the old servicer. The new servicer should have a policy in place to ensure

that the payment is applied as of the date received by the old servicer, regardless of when it is actually

received by the new servicer. This should be done for at least 60 days.

Failure to maintain accurate account statements – There should be adequate internal controls and

ongoing testing to ensure that all of the data elements that are being populated in periodic account

statements are correct.

Charging unauthorized fees for default-related services – This is another common error that can

result from purchasing a loan from another institution or from indirect lenders. It is not uncommon for

another lender to use a default charge that is different than what is the allowable maximum in the state

in which the contract was signed. If your institution uses a table based on state maximums, and you

take on a contract that charges more than the maximum, then you are violating the loan contract each

time you charge the fee programmed into your system.

The loss mitigation process in particular is susceptible to many practices that can be

deemed UDAAPs, such as:

Impeding borrowers’ access to loss-mitigation by taking an excessive amount of

time to review loss-mitigation applications

Failing to provide accurate information to borrowers

Failing to assign and train adequate staff for loss-mitigation activities

Charging unauthorized loss-mitigation fees

Providing incorrect information to borrowers regarding the appeals process

Wrongfully denying loss-mitigation applications

Misleading short sale borrowers regarding seeking deficiency judgments

16



Sending permanent modification agreements to borrowers with one set of terms and then, after

substantial delays, sending new modification agreements with materially different terms

Swaying borrowers away from the Home Affordable Modification Program (HAMP) modification option

and misrepresenting HAMP

Neglecting to inform borrowers in a timely manner that applications were missing required documents

Risk and compliance officers should identify all products, services and activities across the institution that are

considered high-risk, paying special attention to very high-risk activities, such as loss mitigation.

Emerging UDAAP Risks

Overdrafts have been a frequent source of UDAAP violations. Some of the questionable practices have included

manipulating debit transactions, posting transactions from highest to lowest and leading customers to believe

that they have a larger available balance than they actually do. All of these practices were allegedly

implemented with the sole purpose of maximizing overdraft fees. Based on some of the CFPB’s recent findings,

it would appear that overdrafts continue to be a virtual lightning rod for UDAAP issues. In its winter 2015

Supervisory Highlights (Highlights), the CFPB addressed concerns regarding overdraft protection services:

A particular practice that has been identified as an emerging risk is the switch by institutions

from the ledger-balance method to an available-balance method for the purpose of calculating

whether a transaction results in an overdraft and whether a fee should be assessed.

A ledger-balance method factors in only settled transactions in calculating an account’s balance, while an

available-balance method calculates an account’s balance based on electronic transactions that the institution

has authorized (and therefore is obligated to pay) but not yet settled, along with settled transactions. An

available balance also reflects holds on deposits that have not yet cleared.

The Highlights state that examiners found that overdrafts were occurring under the available-balance method

that would not have occurred under the ledger-balance method. Also, after the switch to the available-balance

method, examiners found that electronic transactions were authorized, but settlement of a later and unrelated

transaction lowered the customer’s balance. Thus, when the original electronic transaction was presented for

settlement, it resulted in the account being overdrawn, despite the fact that at the time the transaction was

approved, there were sufficient funds in the account.

Examiners found that the changes to the balance method were deceptive because they were not disclosed,

which resulted in consumers being unaware of the circumstances that would lead to an overdraft fee. The

settlement of transactions was cited as unfair and deceptive because consumers were harmed when they

incurred a fee, the institution did not adequately disclose this practice and consumers could not have reasonably

avoided incurring the overdraft fee.

This is not only a good example of an emerging risk under UDAAP; it is also a good

example of how simply following the regulations is not enough. The institutions that

were the subject of these findings, in all likelihood, complied with all of the regulatory

requirements for initial disclosures and overdraft opt-in requirements. Nonetheless,

it was insufficient. While the institutions complied with the letter of the law, they

still failed to give consumers key information that could have help prevent the

consumers from overdrawing their accounts and incurring fees.

17



Key Reminder – Strategic Impact from UDAAP Risks

The Board of Directors, Executive Management, Risk and Compliance need to keep in mind the strategic impact

posed from failure to mitigate UDAAP risks.

Any pattern or practice of UDAAPs can result in a downgrade in compliance and

CRA ratings (for banks), possible assessment of civil money penalties and

restitution to affected consumers. Downgrade of CRA rating for a bank can result

in delay or denial of a corporate application for approval for merger, acquisition,

launch of new lines of business or other strategic growth initiative. Negative

publicity or community activist group protests may lead to an adverse impact to the

institution’s reputation, as well as loss of business.

Let’s look at an example of UDAAP risk causing strategic impact. Here is an excerpt from a bank’s publicly

disclosed CRA Performance Evaluation issued by its prudential regulator:

In this case, the examiners uncovered unfair and deceptive practices in a routine compliance examination of the

bank, resulting in a downgrade of the CRA rating from “Satisfactory” to “Needs to Improve.” An enforcement

action was initiated, restitution to customers was mandated and the bank’s plans to acquire other banks and

launch new products were put on hold until the next examination. This affected the bank’s growth plan

adversely, impacting shareholder valuation materially.

18



Proactive Management of UDAAP Risks

Strategies for Addressing the Challenges to Compliance

To mitigate the multitude of UDAAP risks and enhance UDAAP compliance in an institution, the three

overarching strategies presented below should be supplemented by the ten action items described

thereafter. At the strategic level, be sure to:

1. Develop a compliance strategy that recognizes the risk of noncompliance for all customer-facing

activities at the institution. Ensure that executive management understands how changes in the

institution’s overall business strategy, including the products/services mix, impact the overall

UDAAP risk profile.

2. Develop a comprehensive third-party management and oversight program for any service

provider that interfaces directly with customers. This overall strategy should include a contract

strategy that goes beyond requiring contracts to simply say “including UDAAP risks,” and instead

identify those risks along with responsibilities. Pay special attention to third parties who service

mortgages, collect debt, market products and services to customers or handle customer

complaints.

When considering third-party risks, be mindful of the increase in cybersecurity risks, as even a

data breach can be perceived as a UDAP (FTC definition) issue. Although it might not be readily

apparent, the UDAP risk stems from the FTC’s authority to prohibit unfair or deceptive acts or

practices among businesses.

The argument is that a business, such as a bank service provider, has a basic obligation to

protect data using reasonable commercial means. When a vendor doesn’t do so, and a breach

occurs, the vendor could be found to have been deceptive in its practices. Consider requiring

vendors to certify that they adhere to bank policies and procedures, and consider taking a page

out of the HIPAA/HITECH playbook by requiring vendors to notify you of security breaches.

19



3. Develop a comprehensive UDAAP risk assessment and compliance management system

(CMS), including the ten action items below, to continually identify issues before customers are

harmed.

Call to Action – The “Top Ten” Steps to Stay Proactive

To support the strategies just described, entities should implement a risk and compliance program that includes

these ten action items:

1. Appoint line of business UDAAP champions

2. Perform a UDAAP risk assessment

3. Provide specialized operational training

4. Review advertisements prior to launch

5. Strengthen the complaint management process

6. Enhance written policies and procedures

7. Implement robust ongoing compliance monitoring

8. Monitor intelligence and review guidance

9. Assess new products and services before adoption

10. Maximize Compliance Committee meetings

Let’s take a look at each of these in more detail.

1. APPOINT LINE OF BUSINESS CHAMPIONS

UDAAP is an enterprise issue that pertains to all lines of business, functions, products

and services. As such, a management-level compliance “champion” should be appointed

in each area to view the bigger picture across the enterprise and see through the silos

that inevitably develop, even in mature compliance programs. Each compliance champion

should be tasked with monitoring for potential UDAAP issues in addition to regulatory

violations.

2. PERFORM A UDAAP RISK ASSESSMENT

Every proactive compliance program begins with a solid assessment of risk. You should evaluate UDAAP risk

specifically across six general inherent risk factor categories and across five control system risk factor

categories, acknowledging that there is some overlap among these.

Inherent Risk Factor Categories System Control Factor Categories

Product Risks Oversight/Accountability

Third-Party Risks Policies/Procedures

Advertising Training

Customer Complaints Monitoring

Systems/Operations Other Systems Controls

Organizational

20



Be sure to review financial statements to determine where there is reliance on fees and revenue, and inquire

about recent “fee/revenue enhancement” projects or “efficiency” exercises, as we learned from the recent

enforcement action discussed above.

When reporting the results of the UDAAP Risk assessment, issue not only a quantitative risk assessment grid

(or matrix), but also include a narrative report in which you describe the drivers of UDAAP risk across the

enterprise to the reader – typically an examiner. Provide background information on the law, regulatory

environment, methodology used, risk ratings and conclude on the overall level of inherent risk, strength of

controls, level of residual risk and direction of risk. The results of the risk assessment should drive the scope

and frequency of monitoring and training.

3. PROVIDE SPECIALIZED OPERATIONAL TRAINING

Provide specialized UDAAP training to managers who oversee high-risk functions, products, services and third-

party relationships. This training should not only include overall UDAAP concepts, but also examples, case

studies and an analysis of enforcement actions related to the functions, products and services for which the

managers are responsible.

The training should also include the results of any monitoring or audit activities that have taken place, as well as

an analysis of customer complaints. Compliance trainers should operationalize UDAAP requirements for

managers and make the content come alive by not only using case studies and examples, but by explaining the

thought process that led to the citing of a violation.

4. REVIEW ADVERTISTMENTS PRIOR TO LAUNCH

Ensure that all advertisements, promotions, scripts, disclosures, customer letters, and website and social media

content and practices are reviewed for UDAAP risk with the same wide-angle lens the CFPB describes in its

commentary – prior to publishing or deploying the document. Consider having UDAAP reviews performed by

someone who is not also reviewing for compliance with Regulations DD, Z or B. The perspective of the review

is very different, and UDAAP risk can reside where no other regulatory violation has occurred. Accordingly,

checklist-style reviews do not lend themselves well to UDAAP. Instead, use narrative-style reviews where the

reviewer notes all the associated materials reviewed, impressions and intended audience.

When reviewing materials, always consider the financial sophistication of the consumers who will rely on them.

For example, when reviewing a new prepaid debit card that their institution is co-branding, note that the

21



consumer may have been previously unbanked and might not be financially savvy. Below are some specific hot

button questions to ask before deploying advertising materials:

If the word “free” is used, is the item truly “free,” or are there

hidden fees and charges?

Are headers and captions supported by the body of the ad,

or could they be considered misleading?

Are there so many ‘caveats’ in the fine print to qualify for

receiving some benefit of the product as to render it fairly

impossible for anyone to receive the benefit?

Are fees disclosed in a manner that makes it difficult for

consumers to know what they will pay?

Are any associations or affiliations improperly implied, such

as an implied association with a governmental agency or

lender?

In addition to the actual ad, related materials must be reviewed to verify the accuracy and consistency of claims.

As we learned above, it’s the “total net impression” that matters. Look for language or situations that simply

pose the risk of being unfair, deceptive or abusive, and look for conflicting information between materials.

5. STRENGTHEN THE COMPLAINT MANAGEMENT PROCESS

Implement a second review process for consumer complaints

received by the institution from all sources. On a monthly basis,

perform a 12-month trend analysis on all consumer complaints at an

overview level, looking beyond any other apparent violations

inherent in the complaints, and instead looking for patterns of unfair,

deceptive or abusive practices. Ask:

What else is going on in these complaints and inquiries?”

Are complaints increasing or decreasing?

Is there a pattern of certain products, services or practices

being mentioned in the complaints?

This second review process should also verify that there was resultant corrective action that truly addresses the

issue going forward, in addition to resolving the specific issue with the customer.

6. ENHANCE WRITTEN POLICIES AND PROCEDURES

While this may seem like old news, many enforcement actions still indicate

deficiencies in written policies and procedures. This is particularly true for UDAAP,

which now demands more specific coverage in written policies and procedures than it

did in the past. Clearly, written policies and compliance and operating procedures

with specific references to UDAAP should be in place for all of the above. Review

your institution’s policies and procedures for adequate UDAAP coverage; many

institutions are surprised to find it omitted.

22



7. IMPLEMENT ROBUST ONGOING COMPLIANCE MONITORING

Although policies and procedures are important, they are not a panacea, and plenty of enforcement actions are

assessed against entities that have policies and procedures, but simply aren’t following them. Testing for

compliance with internal policies is part of the UDAAP monitoring program that must be implemented. Your

UDAAP monitoring program should include monitoring by all three lines of defense:

1. Lines of business

2. Compliance Department

3. Internal Audit Department (or outsourced internal auditors)

Those performing the monitoring and auditing should be well-versed in the

risks associated in each function and product and be aware of the wide-angle

lens used to evaluate UDAAP. If these reviews or audits are outsourced, be

sure to validate the qualifications of the individuals performing the testing.

The scope and frequency of UDAAP monitoring should be based upon the

results of the risk assessment; however, pay special attention to any co-branded or re-branded products where

the vendor provides the advertising or disclosures, such as prepaid cards or online deposit products. Review all

of the web pages that advertise these products, including fee sections, benefits sections and all disclosures. If

mortgage loan servicing is done in-house, consider a special UDAAP monitoring program focused solely on

mortgage loan servicing.

8. MONITOR INTELLIGENCE AND REVIEW GUIDANCE

Intelligence comes from published guidance, such as the UDAAP exam

procedures and regulatory bulletins, but it can also come from enforcement

actions and even the customer complaint database, so it’s critical that these

sources are actively monitored by the Compliance Officer. Summaries of this

material are readily available online and should be discussed at Compliance

Committee meetings and used in the risk assessment, monitoring processes

and training programs.

With respect to the CFPB customer complaints database, reading these

narratives provides the Compliance Officer with insight into the entire

consumer experience. Since UDAAP compliance requires that entities understand the financial sophistication of

the consumers to which they market products and services and how those consumer perceive certain actions,

the information in these published complaints is invaluable.

9. REVIEW NEW PRODUCTS AND SERVICES BEFORE ADOPTION

This is the essence of UDAAP risk management and is related to, but somewhat different from, new

expectations regarding third-party risk management.

Although new products and services might be attached to a new

third-party relationship, the UDAAP risk from the product or

service itself should be evaluated before the product or service

is adopted or implemented.

23



The review should include:

The structure of the product or service

The intended customer base

How it is intended to be used by the customer

Benefits

How all of the above information will be conveyed to the customer

Analysis of where the product or service lies on the regulatory radar

Third parties involved with the product or service

Number of complaints regarding the product or service in the CFPB complaints database

Management structure surrounding the product or service

10. MAXIMIZE COMPLIANCE COMMITTEE MEETINGS

Take advantage of Compliance Committee

meetings to review UDAAP topics with

management and provide ongoing training. If the

standing agenda for the Compliance Committee

meeting doesn’t already include the following three

topics, they should be added:

Customer complaints

New products/services

Recent UDAAP developments

Conclusion

Given the frequency of UDAAP enforcement actions and the size of civil money penalties and customer

restitution orders, it makes sense that institutions stay in front of UDAAP risk and develop a robust risk

management and compliance management system that addresses UDAAP and supports the strategies of the

institution.

The top ten action items above will build out the risk management and compliance management system with a

focus on UDAAP and will serve an institution well in proactively avoiding UDAAP violations and preventing

consumer harm.

Sharon A. Blanchette, CPA, CIA, CRCM, CAMS, MBA Director, Risk Management Solutions

Sharon has more than 25 years of risk, compliance, audit and information security experience within the banking and

healthcare industries. Prior to joining FIS, Sharon held positions as Chief Risk Officer, Director of Regulatory

Compliance and Director of Internal Audit/Controls for community banks. Originally coming from a public accounting

and business consulting background, Sharon adds value to client risk and compliance programs, balancing risk with

strategic business objectives. Sharon frequently writes and speaks on topics of interest to financial services.

24



FIS UDAAP SERVICES

D. L DID YOU KNOW?

The CFPB considers a risk assessment to be an

important part of an organization’s UDAAP compliance.

Financial institutions need to understand inherent risks

as well as review policies and procedures implemented

to lessen those risks.

Specifically, institutions should evaluate UDAAP risk across six general inherent risk factor categories and across five control system risk factor categories, acknowledging that there is some overlap among these. Inherent risk Factors System Control Factors

- Product Risks - Oversight/Accountability - Third-Party Risks - Policies/Procedures - Advertising - Training - Customer Complaints - Monitoring - Systems/Operations - Other Systems Controls FIS can help you better understand inherent risk and system control factors, and create a plan to mitigate UDAAP risks. We will assess risks in the following areas:

Print, radio, television, website, and social media advertising

Solicitations

Disclosures and product/service agreements

New product/services review and approval process

Deposit products, lending products, NDIP products

Vendor relationships

Customer complaint process

Once our experts perform a comprehensive review, we provide a detailed written report of our findings and recommendations and discuss all of the results with stakeholders. Additionally, we can make recommendations for corrective action based on industry best practices. We also provide detailed work papers, which would remain the property of the institution.

Learn more about FIS’ UDAAP Risk

Assessment services here.

http://www.fisglobal.com/products-governanceriskandcompliance-riskmanagementservices

25



UDAAP training is essential for compliance and risk

mitigation. Organizations should provide specialized

UDAAP training to managers who oversee high-risk

functions, products, services and third-party relationships,

as well as to any staff that interacts with consumers. This

training should not only include overall UDAAP concepts,

but also examples, case studies and an analysis of

enforcement actions related to the functions, products and

services for which the managers are responsible.

The training should also include the results of any

monitoring or audit activities that have taken place, as well

as an analysis of customer complaints. Compliance

trainers should operationalize UDAAP requirements for

managers and make the content come alive by not only

using case studies and examples, but by explaining the

thought process that led to the citing of a violation.

FIS offers comprehensive online and in-

person training for UDAAP to help you

comply, meet examiner expectations and

avoid litigation and reputational damage.

Regulatory University Courses on UDAAP

ending Regulatory University Courses

Learn more about FIS Regulatory University’s

online learning courses for UDAAP here.

http://www.fisglobal.com/ucmprdpub/groups/public/documents/document/c025868.pdf

26



E. About FIS’ Center of Regulatory Intelligence

FIS™ (NYSE: FIS), a global leader in banking and payments technology as well as consulting and outsourcing

solutions, opened its Center of Regulatory Intelligence (“Center”) in Washington, D.C. on June 16, 2015. The

primary goal of the Center is to translate policy, legislative and regulatory developments into actionable

intelligence for FIS clients to enable knowledge advantage. The unique perspective gained by monitoring

regulatory change at such close proximity to the policy makers and regulators will enable the Center to empower

FIS clients to stay one step ahead, identify impact precisely, make smart business decisions and succeed. FIS

clients will have the opportunity to receive insights from the Center through regularly published regulatory

intelligence briefings and thought leadership insights intended to give client institutions deep intelligence into

regulatory initiatives coming out of the legislature, administration and regulatory agencies. Input from the Center

also will help drive FIS research and development efforts as well as consulting services aimed at helping

institutions address regulatory changes prior to implementation.

The Center provides the latest intelligence, thought leadership and cutting-edge regulatory insights into risk,

information security and compliance issues facing the financial services industry. This new FIS thought

leadership center will provide early insight on regulatory changes, helping financial services clients stay

compliant with new regulations. Through the Center, FIS will interface with key policymakers to provide industry

perspectives on the potential impacts of regulatory mandates to financial institutions.

Contact Us

FIS Center of Regulatory Intelligence

1101 Pennsylvania Ave., NW Suite 600

Washington, DC 20004

E: [email protected]

P: 202.756.2263

http://www.fisglobal.com/index.htm

Documents

Pdf A Roadmap to Proactive UDAAP Risk Management