Brenda Baylor, a Director with Treliant, is a Certified Regulatory Compliance Manager (CRCM) with 22 years of experience in regulatory compliance, risk management, and banking. Her specialties include fair lending laws and regulations; the Community Reinvestment Act (CRA); Home Mortgage Disclosure Act (HMDA); and Unfair, Deceptive, or Abusive Acts or…
The Dodd-Frank Act is the first federal law extending beyond prohibitions of unfair and deceptive practices to include abusive behaviors in the provision of consumer financial products and services. While Dodd-Frank defines a standard for what constitutes abusive acts and practices, financial services institutions have struggled with compliance efforts to meet their obligations under the rules. Many industry constituents consider the standard too vague and subjective. Others cite limited regulatory guidance and legislative history as challenges to the development of industry standards and best practices.
On January 21, 2020, nearly a decade after Dodd-Frank was signed into law, the Consumer Financial Protection Bureau (CFPB) released a policy statement[1] describing a “common-sense framework” that the bureau will use to apply the abusive standard to supervision and enforcement actions. The guidance also sets forth principles to address uncertainty around the scope and meaning of the abusive standard. However, the question remains whether the policy statement is sufficient to resolve the lingering compliance ambiguities.
Abusive Acts and Practices Under UDAAP
Abusive behaviors were first defined under Dodd-Frank as part of the prohibitions against unfair, deceptive, and abusive acts and practices (UDAAP). Under section 1031(d) of Dodd-Frank, the CFPB has the authority to assert that an act or practice is abusive if it meets the following criteria[2]:
- The act or practice materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service;
- The act or practice takes unreasonable advantage of:
  - A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service,
  - The inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service, or
  - The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
Once the statute took effect, financial institutions qualifying as covered persons incorporated abusiveness criteria into their UDAAP compliance efforts. However, many found the task burdensome and challenging due to, at least in part, the general terms used in the above provisions and the lack of examples or a representative list of qualifying activities.
Higher-Risk UDAAP Activities
Since its inception, the CFPB has applied the abusive standard in more than 30 enforcement actions. This trend continues in 2020 with a focus on sales practices and incentive compensation plans as a potential root cause for bad behaviors. Some key questions to ask when monitoring sales practices for UDAAP risks include:
- Does the institution have a formal incentive compensation review process that includes a review by a compliance team member with UDAAP expertise?
- Do incentive compensation plans reward behaviors that could lead to opening accounts and activating services without proper consumer consent?
- Do third-party contracts contain provisions to ensure that brokers or originators are not motivated to treat borrowers in a discriminatory manner or otherwise unfairly?
- Are controls in place for managing the risk of incentive-driven UDAAP behaviors (both intended and unintended) in each stage of the product life cycle?
- Does the bank administer job-specific sales and customer service training that addresses:
  - Expectations for incentives and ethical behavior;
  - Common risky behaviors;
  - Effective communication of terms and conditions of the institution’s products and services to consumers; and
  - Requirements for demonstrating consumer consent?
- Does the UDAAP-related risk assessment cover sales practices and incentive compensation plans?
- Are consumer complaint trends monitored for indications that incentives are leading to violations of law or harm to consumers?
- If add-on products are offered, are guidelines or controls in place to ensure employees provide accurate information about add-on products?
Under ongoing regulatory supervision, institutions should remain diligent in their efforts to protect consumers from unfair, deceptive, and abusive behaviors in all of the products and services they offer. In addition to sales practices and incentive compensation plans, the following areas have recently been observed as trouble spots for a number of institutions:
CFPB Policy on Abusive Acts and Practices
The policy statement is the product of a symposium on abusive acts and practices held by the CFPB last summer.[3] During the event, the CFPB gathered perspectives and testimony from eight legal and industry experts on issues associated with the abusive standard. One resounding outcome was the need for the CFPB to resolve the uncertainty surrounding the standard, which the experts claimed was not beneficial to financial institutions or consumers.
The policy statement is intended to promote compliance and clarify how the CFPB intends to apply the abusive standard. The following supervision and enforcement principles are outlined in the statement:
- The CFPB will focus on abusive conduct where the harm to consumers outweighs the benefits.
- The CFPB will seek to allege or cite “stand alone” abusiveness violations that do not overlap with unfair or deceptive violations arising from all or nearly all of the same facts.
- The CFPB will not seek monetary fines for abusiveness violations as long as good-faith efforts to comply with the law were made.
The CFPB qualified the third principle by stating it will continue to seek restitution for consumer harm in all cases and pursue all avenues of monetary remedies for anyone not acting in good faith. The policy cites CFPB Bulletin 2013-06 on responsible business conduct[4] as one basis (but not the only basis) for determining whether a covered person acted in good faith.
What Does the Policy Statement Mean for Financial Institutions?
First, the policy statement governs the actions of the CFPB during examination and enforcement processes. It does not force legal requirements or regulatory burdens on any financial institution, nor does it provide rights to external parties that could be exercised during administrative or civil proceedings.
Second, a number of regulators continue to examine and investigate financial institutions for violations of the unfair and deceptive standards, including the CFPB, the Department of Justice, state attorneys general, prudential regulators, the National Credit Union Administration, and the Federal Trade Commission (FTC). While the line between abusiveness and unfairness has historically been blurred, the policy statement is intended to minimize the overlap so that one set of facts results in only one citation (either unfairness or abusiveness) instead of two (unfairness and abusiveness), which may result in lower civil money penalties. However, the policy statement does not excuse institutions from being diligent in their efforts to prevent consumer harm in all aspects of their business transactions.
Finally, the policy statement may not alleviate all of the regulatory uncertainty and compliance challenges. After all, the unfair and deceptive standards under UDAAP have evolved over the past 80 years, starting with Section 5(a) of the FTC Act. In addition, the CFPB reserves the right in its policy statement to further define the abusive standard with future rule-making. It seems inevitable that over time more comprehensive regulatory clarification and legal precedents will lead to greater understanding of the scope and meaning of the abusive standard. In turn, such insights will aid institutions in building and maintaining more beneficial UDAAP compliance programs that meet regulatory expectations. For now, banks must continue (at a minimum) to (1) perform a UDAAP risk assessment[5], (2) incorporate UDAAP testing into the second and third lines of defense, (3) ensure proper oversight and reporting on UDAAP compliance, (4) train employees on UDAAP risks and responsibilities, (5) maintain policies and procedures outlining the institution’s UDAAP program, and (6) implement timely corrective action when UDAAP issues are identified.