The New "A" in UDAAP

The New “A” in UDAAP

The new regulatory “abusive acts” standard introduces additional considerations for financial services internal auditors.

Steven Stachowicz, CRCM, CFA
Senior Manager  

Thomas Giltrow, CRCM 

The Dodd-Frank Wall Street Reform and Consumer Protection Act alters significantly the framework that regulates consumer financial products and services. Among its requirements are the introduction of a nebulous and formidable standard regarding abusive acts or practices and the authority of the new Consumer Financial Protection Bureau (CFPB) to prohibit financial institutions from engaging in such behaviors. Financial institutions should be aware of this new requirement and be alert to any regulatory interpretations and actions. 


The Federal Trade Commission (FTC) has the authority to protect consumers against unfair or deceptive acts or practices (UDAP) in commerce generally. This responsibility is delegated to the federal banking regulators for national banks, savings associations, and credit unions. This authority has been used to address troublesome practices related to advertising, telemarketing, debt servicing and collection, predatory lending, and consumer privacy, either through the adoption of new rules and regulations or through individual enforcement actions.   

The terms unfair or deceptive are not defined by statute or regulation; rather, these terms are interpreted through FTC Policy Statements. The FTC Policy Statement on Unfairness defines an unfair act or practice as including all of the following: 

  • The injury must be substantial.
  • The injury must not be outweighed by any offsetting consumer or competitive benefits that the sales practice also produces.
  • The injury must be one that consumers could not reasonably have avoided.

The FTC Policy Statement on Deception defines a deceptive act or practice one that meets all of the following criteria:  

  • There must be a representation, omission, or practice that is likely to mislead the consumer.
  • The act or practice must be considered from the perspective of the reasonable consumer.
  • The representation, omission, or practice must be a material one.

The authority to prohibit UDAP is a powerful regulatory tool, but identifying UDAP is no easy task. For years, financial institutions and regulators alike have grappled with how to address UDAP and the subjectivity of defining an act or practice as potentially unfair or deceptive. It is often thought that “I’ll know it when I see it,” but reasonable minds may have differing opinions and perspectives. As a result, the FTC guidance has been tested and defined over the years through various forms of litigation and enforcement actions.   

In part to address industry concerns and better define UDAP, the FTC and federal banking agencies have adopted rules regulating specific acts and practices. For instance, the Federal Reserve Board, using the authority under the Home Ownership and Equity Protection Act (HOEPA), published regulations to prohibit certain unfair and predatory acts and practices related to the origination and servicing of certain high-cost home mortgage loans. Recently, the FTC adopted rules prohibiting misrepresentations in mortgage loan-related advertisements for non-bank institutions. 



The recent — and some say ongoing — financial crisis and mortgage meltdown have shined a spotlight on certain financial services industry practices. Critics have questioned the clarity of advertisements, disclosure of loan terms and conditions, and the complexity of the loan modification and foreclosure processes. They argue that consumers may not have been, nor are they currently, equipped to understand the risks associated with financial products and services. Questions have arisen regarding not just whether products, services, and practices are unfair or deceptive, but whether they are fair or abusive. This is, in part, the genesis of the CFPB, and its regulatory powers to prevent unfair, deceptive, or abusive acts or practices (UDAAP).  

Dodd-Frank establishes that an abusive act or practice is one that materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or takes unreasonable advantage of one or more of the following:

  • A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service.
  • The inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service.
  • The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

The addition of the term abusive creates a third dimension to the existing standards that may pose significant compliance implications for financial service companies to consider as they seek to introduce new and unique product or service offerings, or even against which to evaluate current offerings.   

Dodd-Frank provides the CFPB with the ability to prevent UDAAP, including rule-writing, examination, and enforcement authority. However, the CFPB is prohibited from taking certain actions against the institutions it regulates related to, or promulgating rules to implement, the newly established standard until a director has been confirmed by the Senate. In the absence of rules or other guidance from the CFPB, however, it would seem that there is no clear path for institutions to address the abusive standard in their day-to-day operations. Fundamental questions remain regarding materiality and reasonableness, and how far institutions should go in their assessment of what is in the interests of the consumer, which sounds like, but stops short of, imposing a fiduciary responsibility or duty of care on the institutions.  

Despite these challenges, financial institutions are risk managers and they should proactively address UDAAP as part of their compliance risk management program. Financial institutions should be aware of the new “abusive” standard, monitor CFPB developments closely, and begin to assess their practices — new and old — against the new standard. 



Two factors may complicate internal audit’s role in reviewing for unfair, deceptive, or abusive acts or practices: 

  • An unfair, deceptive, or abusive act or practice can exist and occur anywhere throughout the organization. The standards by which acts or practices are measured as potentially unfair, deceptive, or abusive are complex, steeped in legal adjudications and enforcement actions and, for the abusive standard, not necessarily defined. 
  • Declaring an act or practice as definitively unfair, deceptive, or abusive may have negative reputational, regulatory, and financial consequences for the institution. Internal audit, therefore, should consider consulting with in-house legal counsel before making such a declaration.

The role of internal audit should be to assess the processes by which the institution manages the compliance risks associated with UDAAP and identify potential risks that management should address to prevent such acts or practices. It is important for internal auditors to understand how their institutions have implemented controls to prevent and detect acts or practices that may be considered potentially unfair, deceptive, or abusive.  

Specifically, internal audit should evaluate the strength of their institution’s compliance risk management program, and the integration of the new abusive standard, as well as consider UDAAP in the evaluation of certain marketing, origination, servicing, and vendor management activities.


Compliance Risk Management    

  • Evaluate the institution’s implementation plans regarding the abusive standard, including updates to its compliance risk management framework.  
  • Determine how the institution evaluates its products, services, and operations for potential UDAAP-related risks. 
  • Review the institution’s policies, procedures, and training for accuracy and consistency with the regulatory requirements and guidance provided to employees to avoid UDAAP, particularly to those personnel in departments subject to increased UDAAP-related risk (e.g., marketing, customer service, advocacy, servicing, and collections, etc.).
  • Determine how the institution reviews and monitors its own practices for UDAAP, including the regular monitoring of high risk areas and evaluation of potential deficiencies for potential UDAAP impact.
  • Assess the institution’s process for identifying, tracking, and responding to consumer complaints and how these complaints are evaluated for potential UDAAP. For complaints determined by management to have potential UDAAP implications, determine if management researched root cause, identified the scope and impact of the deficiency noted, and took appropriate corrective action(s). 
  • Determine how the institution evaluates change to existing, or the introduction of new, products and services for potential UDAAP. 

Marketing and Advertising

  • Evaluate how the institution exercises diligence to ensure that it avoids violating applicable standards concerning UDAAP in marketing of its products and services (e.g., marketing-related standards, guidance, and procedures; documented approval processes that involve appropriate compliance or legal representatives, etc.). Internal auditors should be sure to address telemarketing and call scripts, as well as website and other forms of Internet and social media advertisements. 
  • Where such information is available, determine if customers that responded to direct or broader, publicly-available advertisements or promotional materials did in fact receive the product rates, terms, and features advertised.

Product Terms and Servicing   

  • Evaluate how the institution develops customer agreements and disclosures that fairly represent the terms, conditions, benefits, costs, and limitations associated with the product and service and that all representations are factual and consistent with how the institution intends to service the product.
  • Evaluate how the institution develops customer service and collections scripts, written communications (including periodic statements), and strategies to avoid misleading statements and servicing or collections efforts that are inconsistent with product terms and conditions (e.g., payment application, late fees, etc.). 
  • For high-risk terms and conditions (e.g., variable rate loans, late fees, overdraft fees, etc.), conduct targeted testing to evaluate if the products and services are offered in a manner consistent with disclosed terms and conditions. 

Vendor Management 

  • Determine how the institution assesses UDAAP-related risks associated with its third-party service providers and how it monitors periodically, as possible, for UDAAP compliance (e.g., reviewing consumer complaints, performing onsite visits, or call monitoring, etc.).  
  • Determine how the institution avoids establishing compensation arrangement with third-party service providers that create incentives for potential UDAAP. 

While the abusive standard in the absence of implementing rules and regulations may be challenging to audit, internal auditors and their financial institutions should proactively evaluate the institution’s products, services, and operations for potential unfair, deceptive, and abusive acts or practices. Internal audit is an important component of an institution’s risk management function, and understanding requirements related to, and reviewing for, UDAAP may mitigate reputational, regulatory, and financial risk. 


To comment on this article, email the FSA Times editor at .