Fifty Shades of Confusion: UDAAP Issues in Lending

Financial Crimes and Fraud

Keeping track of UDAAP issues (Unfair, Deceptive, or Abusive Acts or Practices) in lending can cause fifty shades of confusion. Fully addressing UDAAP compliance requires looking at the entire lifecycle of a lending product or service to ensure that everything is covered. Some aspects of the rule are product-specific.

Lending Product Lifecycle
The product or service lifecycle includes:

• Development
• Marketing
• Account Opening
• Servicing
• Collections
• Third Parties, and
• Complaints.

Product/Service Development
The first phase of the lifecycle is the product or service development—or even the pre-development phase. This is when a new product or service is still a concept, and when the design or marketing teams are putting their heads together to brainstorm ideas.

It is important to understand every aspect of the product or service being developed. And, it is imperative that compliance professionals be invited to the brainstorming session. In order to evaluate a product, Compliance must know the ins and outs. For example, who pays the fees for the product? Compliance should engage with the bank to ensure that the new product or service offers value and that any fees charged are for value provided. While it is fair to earn a profit, the fees should align with the bank’s costs and risk projections.

For all new products and services, the bank should perform UDAAP due diligence including a risk assessment. The steps taken during this stage should include a thorough review of the product or service as well as diligence on any third party involved. A robust due diligence assessment should go beyond the vendor’s financial statements—consider including a survey of news reports. This should include pending or prior litigation matters, industry-wide concerns, regulatory criticisms, and consent orders. While none of these findings individually might be a deal-breaker, they could indicate higher risk. The bank will need to design controls to mitigate risks as they occur. If a third party will be used, verify the controls in place to monitor the third party and ensure that complaints are identified and monitored.

Compliance professionals will also need to assess whether the consumer base for the product or service is considered a vulnerable consumer, or if any vulnerable customers would be more likely to use the product than the general population. Economically vulnerable customers, older Americans, students, service members, and veterans may all be considered vulnerable markets. Often, new products and services are well intentioned; however, be aware of the end results and be sure to continually monitor the consumer outcomes.

Make sure the product or service can be delivered as promised. Be cautious when it comes to dependencies on information technology and systems. Testing is crucial to make sure the product or service offered is provided as promised to the consumer.

Because the compliance department cannot be everywhere, it is key to educate all staff through a corporate-wide UDAAP awareness or training program. The UDAAP training should not be a one-size-fits-all approach; compliance should tailor the training for each area. Marketing and product development teams benefit from UDAAP training so that when a product or service is in the development phase, fairness pitfalls can be identified and avoided before the product is marketed to consumers.

Marketing
All marketing materials for the product and service should be clear with material terms made conspicuous. Review marketing materials with a consumer lens. This can be difficult for bankers themselves, but think about how your family would understand the marketing materials, without having any background working in the industry. Would they fully understand the fees and limitations or would the materials cause confusion about the product or service? Pay close attention to any fees and product or service limitations and/or guarantees. Ask whether actual practices coincide with the marketing materials. This question highlights the importance of system testing. Finally, determine whether all advertised promotions are being honored.

You will also want to include leading practices as part of the review of the marketing materials. Prominence, presentation, and placement are important elements of marketing materials:

• Prominence: All material information should be in a font size large enough to attract attention.
• Presentation: The wording and format should be clear and understandable.
• Placement: Material information should not be in the fine print and should be located where consumers can readily view it.

Understand your target market, and whether it is considered vulnerable. (See the Product/Service Development section above for the list of vulnerable customers.) If it is, be sure that the tailored message would be understandable to that segment of your customer base. The marketing materials should promote a consumer understanding and full disclosure of the terms of the offer. Remember to perform ongoing analysis to make sure that there is a complete understanding of who is using the product or service as well as the value of the product or service. An area that is sometimes overlooked is the inclusion of contact information for questions and complaints on marketing materials. Bank staff should be trained to answer questions on the product or service—the last thing you want is for consumers to receive incorrect details on the fees, benefits, or limitations of a product or service.

Account Opening 
Disclosures represent a key component of the account opening process. There are some common disclosure pitfalls that should be considered. Assign ownership to disclosures—even after a product or service is no longer offered, disclosures should be retained and available for retrieval. Maintain version control for all disclosures, including current and previous versions. There should be a documented compliance and/or legal review and approval of all new and revised disclosures.

Disclosure language should be customer friendly and not overly complex. You will need to balance regulatory safe harbor language with readability.

There should be a validation of the disclosures to the system. Any of the lines of defense could perform this validation, including the line of business, operational support area, compliance department, and/or audit team.

Compliance must thoroughly vet the sales phase of the product or service. Carefully review the training materials and sales scripts. Develop a process to ensure that customers receive all required disclosures. The bank must provide to the customer enough material information to make an informed choice of products and services—before opening an account. There may be instances in which a product or service that is best for the customer is not the easiest or best for the bank employee. Watch out for this concern and design internal controls and monitoring programs to prevent and detect it. Consider implementing a “mystery shopping” program to continually assess the sales practices. (See the article on Sales Practices in the March–April 2017 ABA Bank Compliance magazine, page 12, for more details.)

Servicing
There are two types of servicing issues to note: processing and customer service. The key to UDAAP-compliant processing is to develop procedures to process payments timely and in accordance with laws and account disclosures/agreements. Develop and implement clear processes and procedures for obtaining and processing payments.

Other processing pitfalls include force-placing flood insurance under the Flood Disaster Protection Act, such as the determination of how much insurance should be placed, consideration for subordinate liens, changes in flood maps, and lapses of insurance policies. There should also be defined procedures for timely lien releases, mortgage discharges, payoff quotes, and cancelling private mortgage insurance.

Customer service issues can also cause UDAAP issues. For example, agents should be providing customers with all of their options and letting customers make informed choices about how they would like to proceed. On the phone, hold times above the industry average or a significant number of dropped calls could also present issues.

Collections
Understand the Fair Debt Collection Practices Act. Even if you are technically exempt from coverage, it is advisable to consider the requirements. Be sure not to mislead customers during attempts to collect debt. Collection teams should not make false promises to entice settlement.

Be sure to include collection call monitoring as part of compliance testing. There is something to be said for listening first-hand on the calls. All of the best procedures and scripts will not do any good if they are not followed.

Collection teams should also stay away from referencing credit scores. Scores are complicated algorithms, and collection staff should not try to guess what might happen with regard to whether making a payment will increase a credit score or improve a customer’s eligibility for another product.

A review of the loan data for accuracy should be ongoing. All data provided to consumer reporting agencies must be accurate. This is an area that has received a lot of attention, so you should also give it attention.

Any bank doing debt sales should include a step for identifying loans in collections or past due. This is another area that is often overlooked.

Third Parties
Banks are fully responsible for any third-party service provider they engage. The basic rule is that if the bank should have a control as part of its UDAAP program or any compliance program, it must ensure that the third party has something similar in place. Compliance should be part of the due diligence and ongoing review of the third party.

Ensure that controls and monitoring are in place around the activities performed by the third party. Establish contractual protections including ability to perform audits and termination rights for failures. A formal process should be in place to obtain and monitor complaints received by or regarding the third party. Conduct periodic on-site reviews for high-risk third parties.

Complaints 
A comprehensive complaint program should be in place to track, monitor, and resolve all complaints, including those involving third parties. Develop a robust corporate complaint policy that includes the definition of a complaint.

Complaint training should include UDAAP. Review and track complaints from all sources. Also, review areas in which no complaints were received, since this could be an indicator that complaints are not being appropriately identified. Look for trends that could lead to UDAAP concerns, such as consumer confusion or expressions of being misled. Have a process in place for determining the root cause. Understanding the root cause and taking action can help prevent similar complaints. Make sure all UDAAP complaints are escalated.

Product-Specific UDAAP Challenges

Some higher-risk lending products and services that deserve additional attention include:

• Mortgage: Listen to what the customer wants/needs. Offer all options to the customer, not just the easiest to process. Monitor for steering toward certain products. Understand the sales incentives for mortgages. Have products for all consumers not just for the affluent. Perform mystery shopping using defined scripts.
• Auto Loans: Develop monitoring programs for both direct and indirect channels. Develop robust quality control/assurance processes to identify any regulatory or procedural violations. Payment programs should not be misleading or unfair to the consumer. Pay attention to balloon payments and loans with excessive length of repayment terms. Monitor all add-on products including those sold by the automobile dealer. Develop an ongoing monitoring program for indirect auto dealer and portfolio loans to address any disparities in pricing.
• Credit Cards: The fees and interest rates/annual percentage rates should be clearly disclosed. The fees associated with the card should be understandable. The credit card servicing system should be tested to make sure that the fees, rates, and features disclosed coincide with how the system handles them. Promotional rates and corresponding balances are other areas that could trigger UDAAP risk—controls should be in place and tested, validating that the promotional offers are calculated as disclosed.
• Rewards: Disclose all terms before the consumer applies for the product or service. Terms should not be too complex to understand what is needed to obtain the rewards. Disclosures must coincide with practices. Only market what is possible to obtain.
• Add-on Products or Services: Receive consent from customers before enrollment in any product or service. Be cautious of products or services that require a two-step enrollment process. Customers should not be charged for any product or service until full enrollment is completed. Disclosures should be clear and include all terms. Any limitations should be clearly disclosed. Ongoing monitoring will help identify any concerns with enrollment, activation, and the customer’s ability to obtain benefit.
• Student Loans: Make sure that billing statements provide clear information to the customer. For example, they should explain how customers can avoid late fees. Be cautious about automatically defaulting loans such as when one of the borrowers goes into bankruptcy. Student loans typically have a co-borrower that can be considered. And of course, always notify the borrower if the loan has defaulted. You will also want to clearly disclose how cosigners can be released. One bank delayed eligibility if the student requested forbearance but did not disclose how that would impact cosigners.

The Final Analysis
To recap some of the most important points on UDAAP issues in lending:

• Know and understand the lending products and services offered.
• Have checkpoints through-out the entire lifecycle with particular attention given to the interplay with other compliance programs.
• Develop and implement a UDAAP awareness and training program.
• Monitor and test all aspects of products and services offered.
• Do not forget about the UDAAP risk assessment—this is essential in managing UDAAP risk. It will help guide you in areas within your bank that pose higher risk.

There really are fifty shades of confusion when it comes to UDAAP issues in lending. The reasons include the complexity of lending products and services, the many different laws and regulations that apply, the various stages of the product and service lifecycle, and the interplay with other existing compliance requirements such as complaints and third-party oversight. However, following a methodical approach to addressing the challenges and requirements within each stage of the product and service lifecycle will help you rein in the confusion