www.fisglobal.com
Regulatory Intelligence Briefing –
A Roadmap to Proactive UDAAP Risk Management
September 9, 2015
August 12, 2015 CENTER OF REGULATORY INTELLIGENCE
©2015 FIS and/or its subsidiaries. All Rights Reserved.
REGULATORY INTELLIGENCE BRIEFING
Table of Contents
A. Editorial Note from the Managing Director, Center of Regulatory Intelligence
B. Biweekly Washington, D.C. Regulatory Roundup
C. Featured Regulatory Intelligence Briefing – A Roadmap to Proactive UDAAP Risk Management
D. Did You Know?
E. About FIS’ Center of Regulatory Intelligence
A. Editorial Note from the Managing Director, Center of Regulatory Intelligence
Introduction
Proactively managing unfair, deceptive or abusive acts or practices (UDAAP) risk is made even more
challenging by the fact that the law is defined mostly by enforcement actions and informal guidance, such as the
Consumer Financial Protection Bureau’s (CFPB’s) Supervisory Highlights. This places compliance officers in
reactive mode – essentially reading about enforcement actions or the violations described in the Supervisory
Highlights, then assessing the risk of a similar situation occurring at their institution.
While careful review of enforcement actions is a valuable component of a UDAAP compliance program, a more
proactive approach to compliance will equip institutions with a better compliance profile. This Regulatory
Intelligence Briefing (RIB) analyzes recent key enforcement actions citing UDAAPs, shares what the CFPB and
other agencies are finding in exams and provides a roadmap for achieving and maintaining compliance.
The passage of the Dodd-Frank Act and the creation of the CFPB in 2010 brought a paradigm shift in the
regulatory environment that most financial institutions have yet to fully grasp today. For most of us, those days
of a simple “check-the-box” compliance program are gone, yet many compliance professionals are still operating
under that old regime.
Market participants need to better understand what the terms “unfair,” “deceptive” and “abusive” mean, and
what types of acts and omissions have a heightened risk of being classified as one or more of these. Such an
understanding is paramount to preventing millions of dollars in penalties and fines along with immeasurable
reputation damage.
Remember that no institution is immune. UDAAP applies to every financial institution, from the smallest local
banks and credit unions to the largest multi-national ones, as well as the host of other entities now regulated by
the CFPB, including mortgage companies, payday lenders and collection agencies, to name a few (hereinafter
referred to as “institution” for simplicity).
It is important to note that examination procedures have changed to accommodate this broadening scope, and
regulators are no longer restricting consumer exams to technical issues related to disclosures and
advertisements. Examiners today receive a comprehensive education on the legal standards for UDAAPs and
have developed a specific approach to examining for and identifying UDAAP violations.
We want to help you overcome the old way of thinking and give you a new compliance model for the next
century, in which “consumer friendly” is the new standard. It’s more than just a phrase; it’s a mindset.
In our next RIB, we will focus on an analysis of CFPB complaints, reports and enforcement actions to provide
you with detailed insights into the trends and emerging risks in consumer finance. This intelligence will aid your
institution in identifying and correcting issues long before the next compliance examination.
Peter D. Dugas Managing Director, Center of Regulatory Intelligence
Peter has more than 16 years of government and consulting experience in advising clients on supervisory matters
before the U.S. Government and in the implementation of enterprise risk management programs. He is a thought
leader in government affairs and regulatory strategies in support of banks’ and financial institutions’ compliance with the
Dodd-Frank Act and Basel Accords. Prior to joining FIS™, he served as a Director of Government Relations at Clark
Hill and in senior government positions, including serving as a Deputy Assistant Secretary at the U.S. Department of
the Treasury.
B. Biweekly Washington, D.C. Regulatory Roundup
Regulatory and Compliance Alerts
FinCEN Ruling on MSB Classification of Precious Metals Dealer
On August 14, 2015, the Financial Crimes Enforcement Network (FinCEN) published a response to a request
from a company for an administrative ruling (FIN-2015-R001) to determine if the types of activities in which it
engages make it a money services business (MSB).
The company provides Internet-based brokerage services between buyers and sellers of precious metals.
Buyers pay sellers directly by check, wire transfer or Bitcoin. The company buys and sells precious metals on its
own account. It also holds precious metals in custody for buyers that purchase this service, and customers can
trade or exchange precious metals holdings by any means that can be traded or exchanged using Bitcoin. The
company derives income from charging a transaction fee on transfers of digital certificates by customers and
custody fees for holding precious metals.
The definition of money transmission includes several exemptions, but the company does not fall under the
e-currencies or e-precious metals trading exemption because it issues a freely transferable digital certificate of
ownership to buyers and allows the unrestricted transfer of value from a customer’s commodity position to the
position of another customer or a third-party. Such activity goes beyond that of a broker or dealer in
commodities, and the company is acting as a convertible virtual currency administrator. As such, the company
falls under the definition of money transmitter. A money transmitter is a type of MSB.
FinCEN also ruled that the company, as a dealer that engages in the purchase and sale of precious metals,
precious stones or jewels for its own account, is considered to be a financial institution. A company that is either
a money transmitter or a dealer in precious metals, precious stones or jewels must assess the money
laundering risk involved in its non-exempt transactions and implement an anti-money laundering (AML) program
to mitigate such risk. The company must register with FinCEN and comply with the recordkeeping, reporting and
transaction monitoring requirements.
FinCEN Expands Geographic Targeting Orders on Border Cash Shipments in California and Texas
On August 7, 2015, in a press release, FinCEN announced that it has renewed a geographic targeting order
(GTO) currently in place for armored cars and other common carriers of currency at two U.S. border crossings in
southern California and issued a new, similar GTO applicable to carriers crossing the U.S. border at eight major
ports of entry in Texas.
GTO reporting and recordkeeping requirements are designed to enhance the transparency of cross-border
money movements and prevent the attempted exploitation of reporting exemptions by some carriers suspected
of moving cash for Mexican drug trafficking organizations. The orders temporarily modify the Report of
International Transportation of Currency or Monetary Instruments (CMIR) requirements for common carriers of
currency when physically moving more than $10,000 in cash across designated border crossings in California
and Texas by eliminating reporting exemptions. All transported sums must be reported.
Common carriers of currency subject to the renewed southern California GTO must continue complying with the
enhanced reporting requirements until February 4, 2016. Common carriers of currency subject to the new GTO
at ports of entry in Texas must comply with the enhanced reporting requirements from September 17, 2015
through March 15, 2016.
CFPB Bulletin on Cancellation of Private Mortgage Insurance
On August 4, 2015, in a Bulletin, the CFPB provided guidance to mortgage servicers regarding the cancellation
and termination of private mortgage insurance.
Private mortgage insurance (PMI) protects the lender if the borrower stops making payments on a loan. Lenders
generally require consumers with a down payment of less than 20% to purchase PMI. The PMI premiums are
added to the borrower’s monthly mortgage payment. The Homeowners Protection Act of 1998 requires lenders
to cancel PMI when the level of borrower equity in a home increases.
The Bureau has identified substantial industry confusion over the implementation of PMI cancellation and
termination requirements. The purpose of the Bulletin is to clarify the existing PMI cancellation rules; it does not
impose new requirements.
OCC Guidance on Risk Management of Financial Derivatives
On August 4, 2015, in a Bulletin (2015-35), the Office of the Comptroller of the Currency (OCC) clarified its
expectations regarding the extent to which national banks and federal branches or agencies of a foreign bank
may make or take delivery of a physical commodity to hedge commodity derivative transactions.
Specifically, the Bulletin provides calculation guidance for determining whether physical hedging activities are a
nominal portion of risk management activities. OCC considers physical hedging positions of a bank to be
nominal only when they are no more than five percent of the notional value of the derivatives that are in that
same particular commodity and allow for physical settlement within 30 days. This Bulletin supplements Banking
Circular 277 (BC-277), "Risk Management of Financial Derivatives" (October 27, 1993).
As described in BC-277, a bank that satisfies certain conditions may engage in physical commodity transactions
(for example, by buying or selling title to a commodity via a warehouse receipt or bill of lading) to manage the
risks of commodity derivatives. One condition is that the physical commodity transactions constitute a nominal
percentage of the bank’s risk management activities. BC-277 does not, however, detail what percentage of risk
management activities is "nominal," nor does it provide a calculation methodology for this condition. This bulletin
provides that supplemental information.
The OCC expects a bank that plans to engage in such activity to present a detailed plan and to obtain prior
written non-objection from OCC supervisory staff before proceeding.
Unfair
Causes or is likely to cause substantial injury to consumers
Not reasonably avoidable
Injury not outweighed by benefits
Refusing to release a lien after the final payment is made
Dishonoring convenience checks without notice
Deceptive
Misleads or is likely to mislead consumers
Consumer’s interpretation is reasonable
The misleading representation is material
Presenting benefits in bold font and costs/fees in small font
Misrepresenting terms and conditions
Abusive
Materially interferes with consumers’ understanding of features or takes unreasonable advantage of consumers
Confusing or vague terms and conditions
Targeting a vulnerable population with complex products
C. Featured Regulatory Intelligence Briefing – A Roadmap to Proactive UDAAP Risk Management
Introduction
Mastery of the risks related to unfair, deceptive or abusive acts or
practices (UDAAPs) should be a priority for executives and
compliance personnel at all types of financial services organizations.
UDAAP has long reigned as one of the most inherently high-risk areas
of regulatory compliance for the industry, with strategic implications
for financial institutions and nonbank industry participants alike. This
risk is increasing, as shown by indicators such as the volume and
severity of enforcement actions.
Examiner Focus
The Federal Perspective
For many years, UDAP stood for Unfair or Deceptive Acts or Practices, pursuant to Section 5 of the FTC Act.
The industry has now had some time to become accustomed to an additional “A” – Abusive – added to UDAP
by the Dodd-Frank Act, making it “UDAAP.” Examiners expect compliance and management personnel to be
aware of and educated on this key topic. Here is a quick refresher on the three elements.
Examiners can cite a UDAAP violation if they believe that any product, service or practice at an institution is
unfair, deceptive or abusive, making UDAAP an all-encompassing regulation that pertains to the entire
enterprise. This is not mutually exclusive of other regulations; rather, a UDAAP violation can be cited in
conjunction with another regulatory violation, or it can be cited in the absence of any technical regulatory
violations. Understanding UDAAP risk involves understanding all customer-facing operations, activities,
practices, products, services, third parties and ways of doing business at the institution from the ground up.
The State Perspective
In addition to federal regulatory violations, there are state-specific UDAAP (or UDAP, depending on the state)
laws. In many ways, state laws pose an even higher risk than their federal counterparts, and include laws
relating to UDAAPs, UDAPs (the old federal model, without “abusive”), Unfair and Deceptive Trade Practice
Acts (UDTPAs) and Unfair Business Practices. There is often a lower standard of proof, broader coverage (for
example, permitting claims by businesses, not just consumers), and provisions for larger awards of damages
and attorney fees.
CFPB Focus and Authority
The Dodd-Frank Act granted the CFPB authority to enforce against UDAAPs at the federal level, and enforce it
has. In the few years since its inception, the CFPB has brought enforcement for UDAAPs against banks,
mortgage lenders, payday lenders, student lenders and more, assessing large civil money penalties in most
cases. UDAAP enforcement often also results in mandates for sweeping and costly changes to business
practices and compliance programs.
The CFPB is dedicated to protecting consumers from UDAAPs, and it has demonstrated in its short lifetime the
heavy blows it can land against institutions that engage in unfair, deceptive or abusive acts or practices. It is
clear that the CFPB takes UDAAP claims very seriously.
“We are putting companies on notice that these deceptive practices are against the law and will not be
tolerated.” – Richard Cordray, CFPB Director, “CFPB Probe into Capital One Credit Card Marketing Results
in $140 Million Consumer Refund,” July 18, 2012
The CFPB frequently collaborates with the other major federal banking agencies on enforcement. New CFPB
standards and “best practices” are likely to be adopted by other federal banking regulators, ultimately impacting
smaller banks regardless of their size or primary regulator. The CFPB, along with the other federal bank
regulators, has issued more than 100 enforcement actions related to UDAAPs in recent years.
[Chart: UDAAP Fines and Penalties by agency (CFPB, OCC, FDIC, FRB), 2014 and 2015; vertical axis $0 to $50,000,000. Source: FIS Database of Banking Agencies Enforcement Actions]
In addition to fines, penalties and restitution, regulators may also downgrade a bank’s Community Reinvestment
(CRA) rating in connection with UDAAP enforcement. This can have a harmful trickle-down effect, potentially
preventing future growth by way of mergers, acquisitions and other new business initiatives.
UDAAP issues implicate all types of risk: strategic, compliance, reputation, legal and more. Consumer harm
(actual or perceived), lawsuits and negative press can cause irreparable damage to an institution’s reputation,
resulting in sizeable revenue loss. UDAAP violations tend to also be reported on by the general press, not just
within banking circles.
Making Headlines
On August 12, 2015, the CFPB, along with the OCC and the FDIC, reaffirmed their commitment to fighting
UDAAPs when they took action against a large U.S. bank holding company and its two banks, assessing
combined civil monetary penalties totaling $20.5 million and ordering $11 million in customer restitution. The
bank’s alleged unfair and deceptive misconduct, which related to deposit errors, took place over a six-year
period.
Strategic Impact
Institutions would be well-advised to take a closer look at deposit-taking functions
given this recent, high-profile action with regard to an area often given little
compliance attention. Specifically, assess how deposit errors are handled
operationally.
Are all deposit errors researched and corrected, or are there thresholds?
If there are thresholds, are they reasonable?
Are thresholds or limitations clearly communicated in account agreements?
Is there consistent application of policies?
If adjustments are made to deposits, are depositors notified?
“Deposit proof” function
Retained the difference between actual deposit and what was listed on deposit slip if it was less than $50 (later $25)
Customers were under-credited by approximately $12.3 million in all
Account agreements implied that all deposits would be verified and discrepancies would be researched and corrected, but internal communications limited this research and correction to amounts below the thresholds, which were not listed in the disclosures
Lessons Learned
Broader lessons to be learned from this action include:
1. Monitor and track complaints – Deposit-taking functions are generally considered low-risk. As such,
they are subject to less monitoring and oversight than higher-risk areas. Logging and monitoring
complaints is a critical tool in early identification of patterns or practices that raise compliance issues. A
look at the complaint log may have revealed a trend of customer complaints about incorrect crediting of
deposits. This early warning could have aided the banks in identifying and correcting this issue long
before the next compliance examination. History has taught us that the prudential regulators and the
CFPB believe that customer complaints are often indicative of UDAAP issues. Therefore, heeding
Compliance Officer/Department requests that all business units cooperate with the logging and tracking
of customer complaints is well-advised.
2. Encourage internal complaints and involve the Compliance Officer – Employees should be
encouraged to speak up regarding practices that they believe may pose compliance issues or cause
consumer harm. Preferably, anonymous means of reporting should be available. However, compliance
officers are not typically included on whistleblower notification lists, so ensure that yours is informed of
such complaints and given an opportunity to analyze any potential compliance impact.
3. Apply a UDAAP lens throughout your organization – Ensure that all employees are trained on
watching for potential UDAAPs, and that reviews and audits include UDAAP coverage. This will help
ensure that possible UDAAPs are caught even in low-risk areas not subject to frequent review. Better to
proactively detect and remediate UDAAPs yourself than to risk such high-risk regulatory examination
findings.
4. Analyze efficiency ideas for potential compliance issues – The thresholds set by this bank may well
have been for the purpose of efficiency; after all, it would be much quicker to follow the internal
thresholds than to research each and every discrepancy. When performing your UDAAP risk
assessment, be sure to evaluate any practices that were implemented or modified under the auspices of
creating efficiencies.
5. Involve Compliance in change management – Organizations frequently reward employees for their
ideas regarding ‘revenue optimization’. This is perfectly acceptable; however, prior to implementation,
Compliance should be involved in assessing whether changes that are good for business are also
acceptable practices through a regulatory and consumer compliance lens, with specific attention to
possible UDAAPs.
Recent Federal Enforcement Actions
In addition to the big headlines, overall trends in enforcement reflect a rise in UDAAP scrutiny by examiners. As
illustrated by the charts below, UDAAP actions only accounted for eleven percent of 2014 federal enforcement
actions, whereas they already account for twenty-one percent of actions thus far in 2015.
Examinations
Examiners today are far more knowledgeable about UDAAP, and their approaches to examining for UDAAP
have changed. Prior to 2011, examiners considered UDAP an insignificant component of an overall consumer
compliance exam.
Be aware that the agencies’ attitudes toward UDAAP have changed significantly,
and this is reflected in both their training and in their examination procedures.
Today “consumer friendly” is the order of the day. Examiners are getting specific training on UDAAP, and the
approach to examinations is changing. A review of older versions of the exam manuals for various agencies
doesn’t reveal a section specifically addressing exam procedures on UDAAP; however, agency exam manuals
today contain robust exam procedures for UDAAP in dedicated sections. Comparing the current exam manuals
from the CFPB and the FDIC reveals the following:
The CFPB has a fairly extensive UDAAP section within its exam manual that provides the specific standards
used to evaluate what is unfair, deceptive or abusive, and they provide relevant examples of each element. It
also has significant sections which discuss analyzing complaints and the “key role” consumer complaints play in
the exam process for the detection of UDAAPs. The procedures instruct examiners to consider complaints
lodged against subsidiaries, affiliates and third parties regarding products and services offered through the
institution or using the institution’s name. No one is immune.
The FDIC exam procedures on UDAP, however, are more robust and provide more up-front information on what
the agency is looking for. In addition to background information on UDAP and a section on complaints, the FDIC
provides useful tools that examiners use to prepare for an exam. For example, there is an examination
questionnaire for UDAP, a discussion of what documentation the examiner will gather to provide support for a
potential UDAP finding, a discussion of risk management considerations, a list of agency issuances regarding
UDAP and more.
CFPB Risk Assessment – Risk to Consumers
The CFPB brought a unique perspective to risk assessments when it released its risk assessment template. Contrary to prior industry practice, the CFPB’s approach allows the overall residual risk to consumers to be higher than inherent risk. As stated in the template, “A risk controls conclusion of ‘Weak’ should result in an overall risk conclusion that is no more favorable than ‘Moderate,’ even if the degree of [inherent] risk is concluded to be ‘Low.’” (CFPB Risk Assessment, p. 21)
The “deposit proof” case discussed offers a good example of this in a UDAAP context. Deposit-taking is
ordinarily a low-risk area, but weaknesses in the banks’ compliance management systems resulted in harm to
consumers. Had these control weaknesses been identified, the area would have been ranked “High” residual
risk and would have received the additional attention that was needed to identify and remedy problems. Let’s
look at some other actions that offer valuable insight into where examiners place their focus.
Key Takeaways from Recent Enforcement Actions
The mistakes of others provide an opportunity to learn, improve and avoid being the next negative headline. The
CFPB’s semi-annual Supervisory Highlights publication offers some helpful insight into UDAAP issues seen in
the industry. An analysis of some of the findings shows a broad interpretation of unfair, deceptive and abusive
by the CFPB and provides insight for entities as they design their internal review and monitoring programs and
methodology. A few sample findings appear below (emphasis added for discussion purposes), followed by our
analysis of those findings.
2015 – Focus on Potential Consumer Harm
Violation = Inaccurate Disclosure Language; Product/Activity = Student Loans
“…examiners determined that student loan servicers included language on periodic
statements suggesting that borrowers could not deduct on tax filings interest paid on
qualified student loans unless they paid more than $600 in interest. Examiners found this
practice to be deceptive because there is no minimum amount of qualified student loan
interest that borrowers must pay before taking a deduction.”
CFPB Supervisory Highlights, summer 2015, page 9
Violation = Conflicting Disclosure Language; Product/Activity = Collections
“When attempting to collect on delinquent accounts, collectors offered consumers a recurring
ACH payment option. When informing consumers about this payment option, collectors
promoted the consumers’ ability to adjust or cancel a recurring ACH payment with only 24
hours’ notice. This representation, however, contradicted both an express representation in
monthly periodic statements provided to consumers and internal policies and procedures,
which stated that a minimum of 72 hours’ notice was required. The contradiction in oral and
written disclosures of the timeframe required to cancel or adjust a recurring ACH created a
risk of deception.”
CFPB Supervisory Highlights, winter 2015, page 7
Violation = Conflicting Disclosure Language; Product/Activity = Overdraft Fees
“…the institutions assessed overdraft fees for electronic transactions in a manner
inconsistent with the overall net impression created by the disclosures. Examiners therefore
concluded that the disclosures were misleading or likely to mislead, and because such
misimpressions could be material to a reasonable consumer’s decision-making and
actions, examiners found the practice to be deceptive. Furthermore, because consumers
were substantially injured or likely to be so injured by overdraft fees assessed contrary to the
overall net impression created by the disclosures (in a manner not outweighed by
countervailing benefits to consumers or competition), and because consumers could not
reasonably avoid the fees (given the misimpressions created by the disclosures), the
practice of assessing the fees under these circumstances was found to be unfair.”
CFPB Supervisory Highlights, winter 2015, page 9
2014 – Focus on Compliance Management System Weaknesses
Violation = Improper Oversight of Third Parties and Complaint Management; Product/Activity = Payday lending
“…lenders failed to properly oversee third-party service providers, which contributed to
violations of the Fair Debt Collections Practices Act and the Dodd-Frank Act prohibition on
unfair, deceptive, or abusive acts or practices. Many contracts examined by CFPB
examiners between payday lenders and third-party service providers contained no specific
compliance-related expectations, and some did not include any reference at all to
compliance responsibilities. Further, a number of lenders lacked adequate processes for
analyzing the root causes of complaints and for monitoring the resolution of complaints.”
CFPB Supervisory Highlights, spring 2014, page 15
Violation = Inadequate UDAAP Training; Product/Activity = Enterprise-Wide
“At multiple lenders, training programs were nonexistent or missing vital components,
such as applicable Federal consumer financial laws and instruction on how to avoid unfair,
deceptive, or abusive acts or practices.”
CFPB Supervisory Highlights, spring 2014, page 16
Violation = Misleading Borrowers; Product/Activity = Collections
“…Supervision cited deceptive acts or practices at multiple lenders for their false or
misleading communications with borrowers. Examiners identified the following deceptive
claims during collections activities:
False threats to add additional fees;
False threats to report to consumer reporting agencies (CRAs);
False threats of legal action or referral to a non-existent in-house “legal department”;
False claims that the lender will debit the borrower’s account at any time; and
Deceptive messages regarding non-existent special promotions to induce borrowers to
return calls.”
CFPB Supervisory Highlights, spring 2014, page 18
An analysis of these violations reveals that the CFPB views each situation through the eyes of the consumer
who receives information from disclosures and advertisements and then takes some type of action based on the
“overall net impression” of all of the information received. It makes sense, then, to ensure that your UDAAP
monitoring follows the same approach. Note that contradictory information provided to consumers appears to be
a key contributor to UDAAP violations due to its impact on consumers’ ability to make clear decisions. The
CFPB also points out root causes of many violations, including inadequate training programs, inadequate
monitoring and lack of attention paid to third-party relationships and consumer complaints.
High-Risk Products, Services and Activities
Looking holistically at the violations noted in the Supervisory Highlights and the recent enforcement actions, we
can see that certain products, services and activities are frequently the subject of regulatory actions. Initially,
violations and enforcement actions focused on inherently high-risk areas, which were typically related to credit.
These have included credit card add-on products, predatory lending practices, debt collection activities and
advertising misrepresentations.
[Chart: Parties to CFPB Enforcement, 2014 and 2015]
Although overdraft protection programs have also been the focus of UDAAP scrutiny over the years, only a few
enforcement actions have pertained to deposit products – those being overdraft protection, the advertisement of
checking accounts as being “free” (when in fact they were not) and the deposit posting error discussed
previously.
Source: FIS Database of Banking Agencies Enforcement Actions
As shown in the graph, in 2014, most UDAAP-related enforcement was against banks. However, this year
examiners have focused increasing attention on nonbank institutions. Recent enforcement actions continue to
reflect a focus on credit-related activities, such as default loan servicing, foreclosure relief services, sham credit
cards and a new item in 2015 - tax refund anticipation loans.
A look at enforcement action data and trends gives us a useful lens into what products and activities are highest
risk. These are listed below, with red items being very high risk.
High-Risk Products | High-Risk Operational Areas/Activities
Mortgage Loans | *Mortgage Loan Servicing
Student Loans | *Debt Collection Services
Auto Loans | Foreclosure Relief Services
Retail Installment Loans | Credit Repair Services
Credit Cards | Advertising Loans Supported by Government Programs
Payday Loans | Outsourcing
Consumer Loans to Servicemembers | Assessing Overdraft Fees
Tax Refund Loans | Advertising Overdraft Programs
Prepaid Debit Cards | Military Loan Origination and Servicing
Rewards Programs | Advertising Mortgage Rates
Overdraft Protection Programs | Advertising Any Product or Service as “Free”
*Mortgage Servicing and Debt Collections activities are notable in that they’re the only activities that
have had all three types of violations: unfair violations, deceptive violations and abusive violations.
It is interesting to see that many of the practices considered UDAPs and highlighted by the now defunct Office of
Thrift Supervision (OTS) in its 2010 UDAP Examination Procedures are still seen at institutions today and
remain high-risk areas. Examples include:
Failing to limit aggregate overdraft fees
Increasing the annual percentage rate (APR) without giving notice or reason
Failing to protect consumers’ personal information
Failing to protect consumers from financial abuse
Making misleading representations in advertisements
Deceptive overdraft disclosures
Misrepresenting available credit
Inadequate fee disclosures
Failing to disclose product limitations
How Loan Servicing Practices Can Become UDAAPs
Although servicing loans would appear to be fairly straightforward and lower-risk with regard to UDAAP, there
are in fact several areas of loan servicing in which institutions are at risk of UDAAP violations. Some of these
violations may also be violations of other regulations, while others may technically comply with all other
regulations but are implemented in such a way that they result in unfair, deceptive or abusive practices. Let’s
review a few of these:
Failure to timely and accurately apply payments – This is fairly common when an institution
purchases a loan from another institution and takes over the servicing of that loan. The customer will
accidentally mail payment to the old servicer. The new servicer should have a policy in place to ensure
that the payment is applied as of the date received by the old servicer, regardless of when it is actually
received by the new servicer. This should be done for at least 60 days.
Failure to maintain accurate account statements – There should be adequate internal controls and
ongoing testing to ensure that all of the data elements that are being populated in periodic account
statements are correct.
Charging unauthorized fees for default-related services – This is another common error that can
result from purchasing a loan from another institution or from indirect lenders. It is not uncommon for
another lender to use a default charge that is different than what is the allowable maximum in the state
in which the contract was signed. If your institution uses a table based on state maximums, and you
take on a contract that charges more than the maximum, then you are violating the loan contract each
time you charge the fee programmed into your system.
The loss mitigation process in particular is susceptible to many practices that can be
deemed UDAAPs, such as:
Impeding borrowers’ access to loss-mitigation by taking an excessive amount of
time to review loss-mitigation applications
Failing to provide accurate information to borrowers
Failing to assign and train adequate staff for loss-mitigation activities
Charging unauthorized loss-mitigation fees
Providing incorrect information to borrowers regarding the appeals process
Wrongfully denying loss-mitigation applications
Misleading short sale borrowers regarding seeking deficiency judgments
Sending permanent modification agreements to borrowers with one set of terms and then, after
substantial delays, sending new modification agreements with materially different terms
Swaying borrowers away from the Home Affordable Modification Program (HAMP) modification option
and misrepresenting HAMP
Neglecting to inform borrowers in a timely manner that applications were missing required documents
Risk and compliance officers should identify all products, services and activities across the institution that are
considered high-risk, paying special attention to very high-risk activities, such as loss mitigation.
Emerging UDAAP Risks
Overdrafts have been a frequent source of UDAAP violations. Some of the questionable practices have included
manipulating debit transactions, posting transactions from highest to lowest and leading customers to believe
that they have a larger available balance than they actually do. All of these practices were allegedly
implemented with the sole purpose of maximizing overdraft fees. Based on some of the CFPB’s recent findings,
it would appear that overdrafts continue to be a virtual lightning rod for UDAAP issues. In its winter 2015
Supervisory Highlights (Highlights), the CFPB addressed concerns regarding overdraft protection services:
A particular practice that has been identified as an emerging risk is the switch by institutions
from the ledger-balance method to an available-balance method for the purpose of calculating
whether a transaction results in an overdraft and whether a fee should be assessed.
A ledger-balance method factors in only settled transactions in calculating an account’s balance, while an
available-balance method calculates an account’s balance based on electronic transactions that the institution
has authorized (and therefore is obligated to pay) but not yet settled, along with settled transactions. An
available balance also reflects holds on deposits that have not yet cleared.
The Highlights state that examiners found that overdrafts were occurring under the available-balance method
that would not have occurred under the ledger-balance method. Also, after the switch to the available-balance
method, examiners found that electronic transactions were authorized, but settlement of a later and unrelated
transaction lowered the customer’s balance. Thus, when the original electronic transaction was presented for
settlement, it resulted in the account being overdrawn, despite the fact that at the time the transaction was
approved, there were sufficient funds in the account.
Examiners found that the changes to the balance method were deceptive because they were not disclosed,
which resulted in consumers being unaware of the circumstances that would lead to an overdraft fee. The
settlement of transactions was cited as unfair and deceptive because consumers were harmed when they
incurred a fee, the institution did not adequately disclose this practice and consumers could not have reasonably
avoided incurring the overdraft fee.
This is not only a good example of an emerging risk under UDAAP; it is also a good
example of how simply following the regulations is not enough. The institutions that
were the subject of these findings, in all likelihood, complied with all of the regulatory
requirements for initial disclosures and overdraft opt-in requirements. Nonetheless,
it was insufficient. While the institutions complied with the letter of the law, they
still failed to give consumers key information that could have helped prevent the
consumers from overdrawing their accounts and incurring fees.
Key Reminder – Strategic Impact from UDAAP Risks
The Board of Directors, Executive Management, Risk and Compliance need to keep in mind the strategic impact
of failing to mitigate UDAAP risks.
Any pattern or practice of UDAAPs can result in a downgrade in compliance and
CRA ratings (for banks), possible assessment of civil money penalties and
restitution to affected consumers. Downgrade of CRA rating for a bank can result
in delay or denial of a corporate application for approval for merger, acquisition,
launch of new lines of business or other strategic growth initiative. Negative
publicity or community activist group protests may lead to an adverse impact to the
institution’s reputation, as well as loss of business.
Let’s look at an example of UDAAP risk causing strategic impact. Here is an excerpt from a bank’s publicly
disclosed CRA Performance Evaluation issued by its prudential regulator:
In this case, the examiners uncovered unfair and deceptive practices in a routine compliance examination of the
bank, resulting in a downgrade of the CRA rating from “Satisfactory” to “Needs to Improve.” An enforcement
action was initiated, restitution to customers was mandated and the bank’s plans to acquire other banks and
launch new products were put on hold until the next examination. This affected the bank’s growth plan
adversely, impacting shareholder valuation materially.
Proactive Management of UDAAP Risks
Strategies for Addressing the Challenges to Compliance
To mitigate the multitude of UDAAP risks and enhance UDAAP compliance in an institution, the three
overarching strategies presented below should be supplemented by the ten action items described
thereafter. At the strategic level, be sure to:
1. Develop a compliance strategy that recognizes the risk of noncompliance for all customer-facing
activities at the institution. Ensure that executive management understands how changes in the
institution’s overall business strategy, including the products/services mix, impact the overall
UDAAP risk profile.
2. Develop a comprehensive third-party management and oversight program for any service
provider that interfaces directly with customers. This overall strategy should include a contract
strategy that goes beyond requiring contracts to simply say “including UDAAP risks,” and instead
identify those risks along with responsibilities. Pay special attention to third parties who service
mortgages, collect debt, market products and services to customers or handle customer
complaints.
When considering third-party risks, be mindful of the increase in cybersecurity risks, as even a
data breach can be perceived as a UDAP (FTC definition) issue. Although it might not be readily
apparent, the UDAP risk stems from the FTC’s authority to prohibit unfair or deceptive acts or
practices among businesses.
The argument is that a business, such as a bank service provider, has a basic obligation to
protect data using reasonable commercial means. When a vendor doesn’t do so, and a breach
occurs, the vendor could be found to have been deceptive in its practices. Consider requiring
vendors to certify that they adhere to bank policies and procedures, and consider taking a page
out of the HIPAA/HITECH playbook by requiring vendors to notify you of security breaches.
3. Develop a comprehensive UDAAP risk assessment and compliance management system
(CMS), including the ten action items below, to continually identify issues before customers are
harmed.
Call to Action – The “Top Ten” Steps to Stay Proactive
To support the strategies just described, entities should implement a risk and compliance program that includes
these ten action items:
1. Appoint line of business UDAAP champions
2. Perform a UDAAP risk assessment
3. Provide specialized operational training
4. Review advertisements prior to launch
5. Strengthen the complaint management process
6. Enhance written policies and procedures
7. Implement robust ongoing compliance monitoring
8. Monitor intelligence and review guidance
9. Assess new products and services before adoption
10. Maximize Compliance Committee meetings
Let’s take a look at each of these in more detail.
1. APPOINT LINE OF BUSINESS CHAMPIONS
UDAAP is an enterprise issue that pertains to all lines of business, functions, products
and services. As such, a management-level compliance “champion” should be appointed
in each area to view the bigger picture across the enterprise and see through the silos
that inevitably develop, even in mature compliance programs. Each compliance champion
should be tasked with monitoring for potential UDAAP issues in addition to regulatory
violations.
2. PERFORM A UDAAP RISK ASSESSMENT
Every proactive compliance program begins with a solid assessment of risk. You should evaluate UDAAP risk
specifically across six general inherent risk factor categories and across five control system risk factor
categories, acknowledging that there is some overlap among these.
Inherent Risk Factor Categories | System Control Factor Categories
Product Risks | Oversight/Accountability
Third-Party Risks | Policies/Procedures
Advertising | Training
Customer Complaints | Monitoring
Systems/Operations | Other Systems Controls
Organizational |
Be sure to review financial statements to determine where there is reliance on fees and revenue, and inquire
about recent “fee/revenue enhancement” projects or “efficiency” exercises, as we learned from the recent
enforcement action discussed above.
When reporting the results of the UDAAP Risk assessment, issue not only a quantitative risk assessment grid
(or matrix), but also include a narrative report in which you describe the drivers of UDAAP risk across the
enterprise to the reader – typically an examiner. Provide background information on the law, regulatory
environment, methodology used, risk ratings and conclude on the overall level of inherent risk, strength of
controls, level of residual risk and direction of risk. The results of the risk assessment should drive the scope
and frequency of monitoring and training.
3. PROVIDE SPECIALIZED OPERATIONAL TRAINING
Provide specialized UDAAP training to managers who oversee high-risk functions, products, services and third-
party relationships. This training should not only include overall UDAAP concepts, but also examples, case
studies and an analysis of enforcement actions related to the functions, products and services for which the
managers are responsible.
The training should also include the results of any monitoring or audit activities that have taken place, as well as
an analysis of customer complaints. Compliance trainers should operationalize UDAAP requirements for
managers and make the content come alive by not only using case studies and examples, but by explaining the
thought process that led to the citing of a violation.
4. REVIEW ADVERTISEMENTS PRIOR TO LAUNCH
Ensure that all advertisements, promotions, scripts, disclosures, customer letters, and website and social media
content and practices are reviewed for UDAAP risk with the same wide-angle lens the CFPB describes in its
commentary – prior to publishing or deploying the document. Consider having UDAAP reviews performed by
someone who is not also reviewing for compliance with Regulations DD, Z or B. The perspective of the review
is very different, and UDAAP risk can reside where no other regulatory violation has occurred. Accordingly,
checklist-style reviews do not lend themselves well to UDAAP. Instead, use narrative-style reviews where the
reviewer notes all the associated materials reviewed, impressions and intended audience.
When reviewing materials, always consider the financial sophistication of the consumers who will rely on them.
For example, when reviewing a new prepaid debit card that your institution is co-branding, note that the
consumer may have been previously unbanked and might not be financially savvy. Below are some specific hot
button questions to ask before deploying advertising materials:
If the word “free” is used, is the item truly “free,” or are there
hidden fees and charges?
Are headers and captions supported by the body of the ad,
or could they be considered misleading?
Are there so many ‘caveats’ in the fine print to qualify for
receiving some benefit of the product as to render it fairly
impossible for anyone to receive the benefit?
Are fees disclosed in a manner that makes it difficult for
consumers to know what they will pay?
Are any associations or affiliations improperly implied, such
as an implied association with a governmental agency or
lender?
In addition to the actual ad, related materials must be reviewed to verify the accuracy and consistency of claims.
As we learned above, it’s the “total net impression” that matters. Look for language or situations that simply
pose the risk of being unfair, deceptive or abusive, and look for conflicting information between materials.
5. STRENGTHEN THE COMPLAINT MANAGEMENT PROCESS
Implement a second review process for consumer complaints
received by the institution from all sources. On a monthly basis,
perform a 12-month trend analysis on all consumer complaints at an
overview level, looking beyond any other apparent violations
inherent in the complaints, and instead looking for patterns of unfair,
deceptive or abusive practices. Ask:
What else is going on in these complaints and inquiries?
Are complaints increasing or decreasing?
Is there a pattern of certain products, services or practices
being mentioned in the complaints?
This second review process should also verify that there was resultant corrective action that truly addresses the
issue going forward, in addition to resolving the specific issue with the customer.
6. ENHANCE WRITTEN POLICIES AND PROCEDURES
While this may seem like old news, many enforcement actions still indicate
deficiencies in written policies and procedures. This is particularly true for UDAAP,
which now demands more specific coverage in written policies and procedures than it
did in the past. Clearly, written policies and compliance and operating procedures
with specific references to UDAAP should be in place for all of the above. Review
your institution’s policies and procedures for adequate UDAAP coverage; many
institutions are surprised to find it omitted.
7. IMPLEMENT ROBUST ONGOING COMPLIANCE MONITORING
Although policies and procedures are important, they are not a panacea, and plenty of enforcement actions are
assessed against entities that have policies and procedures, but simply aren’t following them. Testing for
compliance with internal policies is part of the UDAAP monitoring program that must be implemented. Your
UDAAP monitoring program should include monitoring by all three lines of defense:
1. Lines of business
2. Compliance Department
3. Internal Audit Department (or outsourced internal auditors)
Those performing the monitoring and auditing should be well-versed in the
risks associated with each function and product and be aware of the wide-angle
lens used to evaluate UDAAP. If these reviews or audits are outsourced, be
sure to validate the qualifications of the individuals performing the testing.
The scope and frequency of UDAAP monitoring should be based upon the
results of the risk assessment; however, pay special attention to any co-branded or re-branded products where
the vendor provides the advertising or disclosures, such as prepaid cards or online deposit products. Review all
of the web pages that advertise these products, including fee sections, benefits sections and all disclosures. If
mortgage loan servicing is done in-house, consider a special UDAAP monitoring program focused solely on
mortgage loan servicing.
8. MONITOR INTELLIGENCE AND REVIEW GUIDANCE
Intelligence comes from published guidance, such as the UDAAP exam
procedures and regulatory bulletins, but it can also come from enforcement
actions and even the customer complaint database, so it’s critical that these
sources are actively monitored by the Compliance Officer. Summaries of this
material are readily available online and should be discussed at Compliance
Committee meetings and used in the risk assessment, monitoring processes
and training programs.
With respect to the CFPB customer complaints database, reading these
narratives provides the Compliance Officer with insight into the entire
consumer experience. Since UDAAP compliance requires that entities understand the financial sophistication of
the consumers to which they market products and services and how those consumers perceive certain actions,
the information in these published complaints is invaluable.
9. REVIEW NEW PRODUCTS AND SERVICES BEFORE ADOPTION
This is the essence of UDAAP risk management and is related to, but somewhat different from, new
expectations regarding third-party risk management.
Although new products and services might be attached to a new
third-party relationship, the UDAAP risk from the product or
service itself should be evaluated before the product or service
is adopted or implemented.
The review should include:
The structure of the product or service
The intended customer base
How it is intended to be used by the customer
Benefits
How all of the above information will be conveyed to the customer
Analysis of where the product or service lies on the regulatory radar
Third parties involved with the product or service
Number of complaints regarding the product or service in the CFPB complaints database
Management structure surrounding the product or service
10. MAXIMIZE COMPLIANCE COMMITTEE MEETINGS
Take advantage of Compliance Committee
meetings to review UDAAP topics with
management and provide ongoing training. If the
standing agenda for the Compliance Committee
meeting doesn’t already include the following three
topics, they should be added:
Customer complaints
New products/services
Recent UDAAP developments
Conclusion
Given the frequency of UDAAP enforcement actions and the size of civil money penalties and customer
restitution orders, it makes sense that institutions stay in front of UDAAP risk and develop a robust risk
management and compliance management system that addresses UDAAP and supports the strategies of the
institution.
The top ten action items above will build out the risk management and compliance management system with a
focus on UDAAP and will serve an institution well in proactively avoiding UDAAP violations and preventing
consumer harm.
Sharon A. Blanchette, CPA, CIA, CRCM, CAMS, MBA Director, Risk Management Solutions
Sharon has more than 25 years of risk, compliance, audit and information security experience within the banking and
healthcare industries. Prior to joining FIS, Sharon held positions as Chief Risk Officer, Director of Regulatory
Compliance and Director of Internal Audit/Controls for community banks. Originally coming from a public accounting
and business consulting background, Sharon adds value to client risk and compliance programs, balancing risk with
strategic business objectives. Sharon frequently writes and speaks on topics of interest to financial services.
FIS UDAAP SERVICES
D. DID YOU KNOW?
The CFPB considers a risk assessment to be an
important part of an organization’s UDAAP compliance.
Financial institutions need to understand inherent risks
as well as review policies and procedures implemented
to lessen those risks.
Specifically, institutions should evaluate UDAAP risk across six general inherent risk factor categories and across five control system risk factor categories, acknowledging that there is some overlap among these.
Inherent Risk Factors | System Control Factors
Product Risks | Oversight/Accountability
Third-Party Risks | Policies/Procedures
Advertising | Training
Customer Complaints | Monitoring
Systems/Operations | Other Systems Controls
FIS can help you better understand inherent risk and system control factors, and create a plan to mitigate UDAAP risks. We will assess risks in the following areas:
Print, radio, television, website, and social media advertising
Solicitations
Disclosures and product/service agreements
New product/services review and approval process
Deposit products, lending products, NDIP products
Vendor relationships
Customer complaint process
Once our experts perform a comprehensive review, we provide a detailed written report of our findings and recommendations and discuss all of the results with stakeholders. Additionally, we can make recommendations for corrective action based on industry best practices. We also provide detailed work papers, which would remain the property of the institution.
Learn more about FIS’ UDAAP Risk
Assessment services here.
UDAAP training is essential for compliance and risk
mitigation. Organizations should provide specialized
UDAAP training to managers who oversee high-risk
functions, products, services and third-party relationships,
as well as to any staff that interacts with consumers. This
training should not only include overall UDAAP concepts,
but also examples, case studies and an analysis of
enforcement actions related to the functions, products and
services for which the managers are responsible.
The training should also include the results of any
monitoring or audit activities that have taken place, as well
as an analysis of customer complaints. Compliance
trainers should operationalize UDAAP requirements for
managers and make the content come alive by not only
using case studies and examples, but by explaining the
thought process that led to the citing of a violation.
FIS offers comprehensive online and in-
person training for UDAAP to help you
comply, meet examiner expectations and
avoid litigation and reputational damage.
Regulatory University Courses on UDAAP
ending Regulatory University Courses
Learn more about FIS Regulatory University’s
online learning courses for UDAAP here.
E. About FIS’ Center of Regulatory Intelligence
FIS™ (NYSE: FIS), a global leader in banking and payments technology as well as consulting and outsourcing
solutions, opened its Center of Regulatory Intelligence (“Center”) in Washington, D.C. on June 16, 2015. The
primary goal of the Center is to translate policy, legislative and regulatory developments into actionable
intelligence for FIS clients to enable knowledge advantage. The unique perspective gained by monitoring
regulatory change at such close proximity to the policy makers and regulators will enable the Center to empower
FIS clients to stay one step ahead, identify impact precisely, make smart business decisions and succeed. FIS
clients will have the opportunity to receive insights from the Center through regularly published regulatory
intelligence briefings and thought leadership insights intended to give client institutions deep intelligence into
regulatory initiatives coming out of the legislature, administration and regulatory agencies. Input from the Center
also will help drive FIS research and development efforts as well as consulting services aimed at helping
institutions address regulatory changes prior to implementation.
The Center provides the latest intelligence, thought leadership and cutting-edge regulatory insights into risk,
information security and compliance issues facing the financial services industry. This new FIS thought
leadership center will provide early insight on regulatory changes, helping financial services clients stay
compliant with new regulations. Through the Center, FIS will interface with key policymakers to provide industry
perspectives on the potential impacts of regulatory mandates to financial institutions.
Contact Us
FIS Center of Regulatory Intelligence
1101 Pennsylvania Ave., NW Suite 600
Washington, DC 20004
P: 202.756.2263