■ Are product differences and alternatives fairly and equally
presented?
■ If an alternative product would be better for the consumer, are
those differences clearly explained?
■ Are marketing and advertising campaigns appropriately directed
at particular audiences?
■ If it becomes clear later that a different (for example, a newly introduced) product would be more beneficial to the consumer’s
interests, does the bank take steps to offer that alternative?
Appropriateness has close ties to vulnerable populations. Just
as care must be taken to present understandable information
when dealing with a vulnerable population, careful thought
must be given to whether the choices offered are appropriate and
to ensuring that undue advantage is not taken.
Using data to test
UDAAP testing and audits need not rely only on subjective determinations; most banks have clear facts and figures available that
can signal trouble. These can be identified as Key Risk Indicators
(KRIs) or other forms of effective controls. An advantage of using data is that it is objective. However, the trick, as always with
data, is to determine where the lines are to be drawn between
acceptable and risky.
What types of data can be used? Here are a few examples:
■ Complaints. This is the most critical data to monitor, since
banks are expected to have robust complaint management
systems and regulators look closely at complaints as well. A
well-developed complaints program, with clear definitions and
comprehensive root cause analyses, is one of the best sources
of UDAAP hot spots within the bank.
■ Compensation. Information on how bank employees are compensated for various products and services can be telling, as
money can distort motivations and create disincentives to
treat consumers fairly. Comparisons of employee earnings
and bonuses to sales patterns can be an indicator as to what
employees are encouraged to offer or promote.
■ Fees, including waivers. Excessive fees are always a high UDAAP
risk indicator. Look to the amount of fees assessed, as well as
frequency. Are fees, especially penalty fees, being used to encourage certain behaviors (or prevent them) or as a revenue
generator for the bank? Fees are a great measure of the value
proposition discussed above. Similarly, fee waivers can be
telling, as oftentimes they are waived due to complaints from
consumers. Just because the consumer left the conversation
happy doesn’t mean there is no UDAAP risk.
■ Account closures. This could be an indicator of unhappy customers for a variety of reasons, including excessive fees or
the product not functioning in a way that was understood or
predicted. The consumer could also have felt it wasn’t a valuable product in the first place. Each of these reasons, among
others, could signify a UDAAP risk.
Where should a UDAAP testing program be housed?
Is this a program that should be located within Audit? How about
Compliance Testing (if the bank has such a function), Quality
Control, or even the Business Lines? There is no one place UDAAP
testing has to be. In fact, an argument can be made that testing
should be performed in multiple areas of the bank to ensure appropriate integration of identifying and mitigating
UDAAP risks.
The real question is where in the bank is it most
appropriate to identify UDAAP risk? This article is
not intended to answer the first, second, or third
line of defense issue, but it is clear a truly effective
testing program will contain awareness of UDAAP
within each line. Hopefully the business (first line
of defense) will have processes in place to identify
whether a particular practice, product, or service is
risky, and banks typically have compliance testing
functions within the second line (Compliance) to validate whether
policies and procedures are being followed.
But it is often the third line of defense (Audit) that struggles
with UDAAP testing the most, simply because it is asked to
evaluate whether significant risk is present that is not being effectively mitigated. And again, since UDAAP is such a subjective
issue, what types of questions should be asked?
The Bottom Line
The inherent difficulty in identifying what UDAAP is in the first
place calls for a unified and coordinated approach between all
affected areas in the bank. It’s hard enough to establish UDAAP
as a critical concept within lines of business and compliance, and
to understand what it is and means, but the loop must be closed
by validating that controls put into place to mitigate UDAAP risk
are functioning as intended.
ABOUT THE AUTHOR
CARL G. PRY, CRCM, CRP, is managing director for Treliant Risk
Advisors in Washington, D.C., where he advises clients on a wide
variety of compliance, fair lending, corporate treasury, and risk
management issues. Over the last 18 years, Pry has held senior
leadership positions including senior vice president and compliance
manager for the Compliance and Control Department at KeyBank
in Cleveland, Ohio; vice president of regulatory services at Kirchman
Corp. in Orlando, Fla.; and manager in the Finance and Performance
Management Service Line at Accenture in Chicago, Ill. He also serves
on the ABA Bank Compliance Editorial Advisory Board. Reach him via
email at cpry@treliant.com or by telephone at (440) 320-4662.