Implications of Recent UDAAP Updates
It has been almost ten years since the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA) prohibited the use of unfair, deceptive and abusive acts or practices (UDAAP) by providers of consumer financial products and services or other related service providers. And yet, UDAAP, especially its abusive prong, continues to confuse those who are subject to it.
A review of the recent uptick in UDAAP activity—including comments, events and enforcement actions by the Consumer Financial Protection Bureau (CFPB)—suggests that enlightenment on the abusive definition within UDAAP may be coming. It also indicates that UDAAP will continue to be a closely examined compliance area.
UDAAP as Passed by the DFA
The DFA became law in July 2010, ushering in UDAAP. Unlike its older compliance cousin UDAP, which is part of the Federal Trade Commission Act and is enforced by prudential regulators, the CFPB has supervisory and rulemaking authority over UDAAP.
According to Independent Banker, the DFA generally defines UDAAP’s three prongs as follows:
- Unfair: Causes or is likely to cause substantial injury to consumers, when the injury is not reasonably avoidable by consumers or outweighed by benefits to them.
- Deceptive: Misleads or is likely to mislead the consumer, when the consumer’s interpretation of it is reasonable under the circumstances, and the misleading conduct is material.
- Abusive: Takes unreasonable advantage of consumers’ lack of understanding and inability to protect their interests in regard to consumer financial products or services, and their reasonable reliance that financial institutions will act in their best interest.
CFPB Acknowledges Need to Clarify Abusive within UDAAP
From the start and to the chagrin of UDAAP-covered entities, the definition of abusive has been vague and open-ended. That may be about to change.
Last October, both the American Bankers Association (ABA) and the Mortgage Bankers Association (MBA) reported that then CFPB Director Mick Mulvaney said as much at the MBA Annual Convention & Expo. According to ABA Risk and Compliance, Mulvaney indicated that the CFPB “will likely issue a rule to define what kinds of practices it considers ‘abusive,’ under the Dodd-Frank Act, providing greater clarity to the controversial UDAAP standard created by the statute.”
In explaining this intention, Mulvaney noted that both unfair and deceptive are “fairly well-established in the law,” however, the term abusive is not.
In its fall 2018 Rulemaking Agenda as part of the Unified Agenda, the CFPB made Mulvaney’s comments official: “The Bureau is considering whether rulemaking or other activities may be helpful to further clarify the meaning of ‘abusiveness’.”
First CFPB Symposium Series Focuses on the Abusive Question
Mulvaney’s tenure at the CFPB ended in December with Kathy Kraninger’s approval as the CFPB’s new director. To date, she has picked up right where Mulvaney left off. In fact, UDAAP’s abusive prong was the focus of the first event in her newly introduced Symposium Series. Held on June 25, the symposium featured both academic and legal experts discussing the definition of abusive.
In her opening remarks, Kraninger acknowledged that, “We have heard from some stakeholders that there is uncertainty about abusiveness’s parameters, which makes it harder for businesses that want to comply with the law to do so.”
According to Hinshaw Law, as the expert panels debated the topic, three positions emerged:
1. There is no need for further definition as “the scope of abusiveness should be set forth through enforcement actions and court interpretation.”
2. A rulemaking on abusive is necessary to help covered entities comply with UDAAP.
3. Additional CFPB guidance on its “intepretation of ‘abusive’ would serve the interests of the Bureau, consumers, and industry well.”
Their inability to reach a consensus “suggests that the drafting of any guidance or initiation of rulemaking will be time consuming and controversial.”
Supervisory Highlights Show CFPB Still Focused on UDAAP
At present, it is uncertain if or how the CFPB will move forward regarding the definition of abusive, but there can be little doubt that the Bureau remains focused on UDAAP as a whole.
In its Supervisory Highlights published in March 2019, the CFPB explicitly discussed UDAAP as an area in which its examiners are looking for and finding violations. It specifically called out several segments of our industry in regard to UDAAP. Here is what the CFPB had to say about them:
- Automobile Loan Servicing: “The Bureau continues to examine auto loan servicing activities, primarily to assess whether servicers have engaged in unfair, deceptive or abusive acts or practices (UDAAPs) prohibited by the Consumer Financial Protection Act of 2010 (CFPA).
- Deposits: “Examiners found that one or more institutions engaged in a deceptive act or practice” related to “payments made through an institution’s online bill-pay service.”
- Mortgage Servicing: “Recent examinations identified unfair acts or practices for charging consumers unauthorized amounts,” as well as deceptive acts related to private mortgage insurance cancellation and “potentially misleading statements to successors-in-interest on reverse mortgages.”
- Remittances: During examinations, “The Bureau also reviews for any UDAAPs in connection with remittance transfers.”
CFPB Enforcement Actions Since January Reinforce UDAAP’s Relevance
Both under Mulvaney and Kraninger’s leadership, the CFPB has exerted significant UDAAP enforcement. In 2018, the CFPB issued $1.35 billion in UDAAP consent orders, “10 times the 2017 total,” according to ABA Risk and Compliance. Our own review of CFPB enforcement actions from the first half of this year reveals that they already total over $986 million in redress, restitution and fines related to UDAAP.
There are some very telling facts within the 13 UDAAP-related enforcement actions issued by the CFPB so far in 2019:
- In the majority of cases, the penalty for violating UDAAP is significant:
- The largest penalty, against Equifax for unfair and deceptive practices, was $700 million.
- In six of the 13 actions, the financial consequence soared over $10 million.
- Eight of 13 actions resulted in fines or restitution of more than $1 million.
- UDAAP guilt by association is punishable:
- Two organizations, a law firm and a student loan management company, were cited for substantially assisting others in committing UDAAP violations. This underscores the importance of appropriate vendor due diligence.
- Senior leadership is ultimately responsible for UDAAP:
- One of the actions was issued against both the company itself and its CEO. This emphasizes that CEOs and board members are ultimately responsible for what happens at the firms they lead.
- Abusive makes an appearance:
- The majority of 2019 UDAAP-related actions referenced unfair or deceptive acts; however, the CFPB notably used the term “abusively” to describe violations in a recent complaint. This occurred in July after the CFPB Symposium, where the definition of abusive was the primary topic.
UDAAP Is Here to Stay
As much as our industry may bristle against UDAAP, it appears that even under a regulatory-friendly administration, it is here to stay. Any provider of consumer financial products or services should expect that it will be examined for possible UDAAP violations.
Additionally, keep in mind that UDAAP has been used to cite a single regulatory violation twice during an examination. For example, an advertisement that violates the Truth in Savings Act can also violate UDAAP, especially if a distinct pattern or practice is noted. This could result in even steeper penalties. Conversely, examiners can find UDAAP violations where all other regulations are found to be in full compliance.
As Independent Banker notes, “The potential for UDAAP issues is extensive, and, because the law could apply to virtually any inconsistent, inaccurate or omitted information, the threat of UDAAP is open-ended.”
In order to comply with UDAAP, covered entities should have a distinct UDAAP policy that ensures an enterprise-wide focus on all its products and services. Hinshaw Law advises that, “As a practical matter, businesses must remain concerned with scrutinizing their products and service offerings with all the UDAAP prongs in mind.”
For the time being, the term “abusive” is a judgement call, but that appears likely to change at some point in the future. Keep a watch for developments on the abusive definition from all possible avenues: further enforcement actions that specifically cite abusive acts, additional guidance from the CFPB and/or from a proposed rule that clarifies the term. No matter how the CFPB chooses to clarify the abusive definition, it will be important to update your UDAAP policy accordingly and in a timely fashion.
The CFPB has proven that it takes UDAAP seriously. All providers of consumer financial products and services need to be just as serious about this particular regulation.
Amber Goodrich, compliance strategist for CSI Regulatory Compliance, has more than 15 years of financial industry experience. She is a Certified Anti-Money Laundering Specialist (CAMS) and a Certified Regulatory Compliance Manager (CRCM).