YOU’RE PROBABLY GETTING TIRED OF READING ABOUT UDAAP (Unfair, Deceptive, or Abusive Acts or Practices), but clearly it’s one of the most critical regulatory risks impacting banks today. One need only look at the number of enforcement
actions and consent agreements that incorporate UDAAP in one form or another, and
the monetary penalties can be severe. This is not just a large bank phenomenon, either;
community banks are also hearing about UDAP (minus the second ‘A’ for “Abusive,” as
only the CFPB has supervisory authority over UDAAP) from the prudential regulators.
Regulatory agencies expect banks to have strong
risk management structures in place to proactively
self-identify and mitigate regulatory risks, which
in this case include acts or practices that could be
considered unfair, deceptive, or abusive. A critical
component of such a structure is an effective compliance management system, which includes robust
testing. So how can a bank develop and implement
such a program to test for UDAAP risk? The following is meant to provide some helpful ideas:
Traditional testing and audit programs
Much has been written about UDAAP (or UDAP; for
purposes of this discussion they’re interchangeable),
and how different it is from other banking laws and
regulations. Rules such as Regulations Z (Truth in
Lending) and X (RESPA) control specific conduct:
provide disclosures (1) to particular parties; (2) at
specific times; (3) that include mandated information,
for instance. As compliance officers, we’re used to this.
When a new rule is issued, we barricade ourselves in
our offices to go through the Federal Register (with
our reading glasses and highlighters), develop or
amend policies and procedures, and then we come
out and implement those changes by a set date.
Once that’s done, we develop compliance tests
and audit processes to ensure the changes have been
implemented properly. Often testing processes can be
developed without much hassle since the questions
are straightforward: (1) Was the disclosure given to
the proper party? (2) Was the disclosure provided
timely? (3) Did the disclosure include the proper
content? And so forth.
Develop principles-based testing
But of course UDAAP is a rule unlike any other.
Broad language is found in the Dodd-Frank and
FTC Acts, and nowhere is there a definitive list of
what’s acceptable and what’s not. This is perhaps
the biggest difference between UDAAP and other
banking laws and regulations. UDAAP is a statute that
articulates a principle, and that seemingly simple
concept makes testing for it extremely difficult.
How do you test for a principle? Is it a simple
question of “Would this practice be considered
unfair, deceptive, or abusive”? If it were that easy,
UDAAP testing programs and audits would be
nothing more than second guessing the opinions
of others in the bank.