Chapter 8


Unfair, Deceptive, and Abusive Consumer Finance Practices

Amy S. Matsuo

Amid the 2007–2008 financial crisis, rising mortgage foreclosures and consumer debt levels in the United States created a public outcry in favor of more protection for consumers. Investigations and supervisory and enforcement actions uncovered a variety of unfair, deceptive, abusive, and/or unethical practices that were deemed to be harmful to consumers.

Leading up to the crisis, federal oversight of consumer finance was a patchwork of regulations administered by multiple federal agencies. None of these agencies had sufficient jurisdiction to ensure that consumer financial markets as a whole functioned fairly for consumers. The fragmentation of regulatory authority made it difficult to coordinate policies. In addition, large parts of the consumer financial markets, such as the mortgage markets, operated without any significant federal oversight, though such distinctions were not readily apparent to consumers. When dramatic increases in consumer lending activity began in the early 2000s, this multifaceted oversight structure proved ineffective at highlighting or containing a variety of growing problems that were later found to put consumers at risk of financial harm.

In response, the Consumer Financial Protection Bureau (CFPB or the Bureau) was established in 2011 by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). It was created to serve as an independent bureau in the Federal Reserve System dedicated to protecting consumers of credit, savings, payment, and other consumer financial products and services. It assumed oversight of consumer compliance functions from seven different federal agencies1 and was designed to level the playing field of consumer financial products and services. It did so by being the single, primary federal regulator of providers of consumer financial products and services, including depository institutions (banks, thrifts, and credit unions—collectively, banks), as well as nonbank companies offering these types of products and services. Many of the nonbank companies had not previously been subject to federal oversight. As the single regulator, the goal of the CFPB is to “reduce gaps in federal supervision and enforcement; improve coordination with the states; set higher standards for financial intermediaries; and promote consistent regulation of similar products.”2

The CFPB is mandated to exercise its authority under federal consumer financial law for the purposes of ensuring that, with respect to consumer financial products and services: (1) consumers are provided with timely and understandable information to make responsible decisions about financial transactions; (2) consumers are protected from unfair, deceptive, or abusive acts or practices (UDAAP) and from discrimination; (3) outdated, unnecessary, or unduly burdensome regulations are regularly identified and addressed in order to reduce unwarranted regulatory burdens; (4) federal consumer financial law is enforced consistently, without regard to the status of an organization as a depository institution, in order to promote fair competition; and (5) markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.3

The primary functions of the CFPB are to: (1) conduct financial education programs; (2) collect, investigate, and respond to consumer complaints; (3) collect, research, monitor, and publish “information relevant to the functioning of markets for consumer financial products and services to identify risks to consumers and the proper functioning of such markets”; (4) supervise “covered persons (anyone who engages in offering or providing a consumer financial product or service) for compliance with federal consumer financial law” and take “appropriate enforcement action to address violations of federal consumer financial law”; (5) issue rules, orders, and guidance “implementing federal consumer financial law”; and (6) perform “such support activities as may be necessary or useful to facilitate the other functions of the Bureau.”4

Since its inception, the CFPB has pursued its mandate to protect consumers from financial harm, initiating enforcement actions that have required both the payment of civil money penalties and restitution to harmed consumers. The breadth and significance of the CFPB’s actions have prompted many companies under its jurisdiction to reserve for the possibility of future consumer protection-related penalties. The establishment of the CFPB marks a new era in risk management and consumer protection.

The CFPB uses its authority to regulate against unfair, deceptive, or abusive acts or practices to target many of the products and services offered to consumers primarily for personal, family, or household purposes for which it has received many consumer complaints. These include, among other areas, mortgage servicing, debt collection, debt relief services, credit reporting, and student lending. It is also looking at those product and service areas where it perceives particular risks, such as third-party service provider oversight, add-on products, and payday lending.

The CFPB is not focused exclusively on the largest bank and nonbank providers or cases where large numbers of consumers were harmed. Rather, it is committed to pursuing all entities that violate UDAAP and place consumers at risk of financial harm, even when there are no funds available to pay restitution or penalties (some cases have resulted in $1 of civil money penalties). The aim is to send a message to the industry about the kinds of acts and practices that could be prohibited under the UDAAP provisions. Further, where violations have been identified, the CFPB has required all consumers associated with the product or service to receive restitution independent of whether they have benefited from the product or service at issue.

The CFPB coordinates its activities with other federal and state regulatory agencies, which greatly expands its ability to identify and take action against UDAAP violations. Violations of UDAAP may occur even if an entity is in technical compliance with other federal consumer financial laws. The CFPB has imposed restitution obligations, monetary penalties, and multiyear compliance requirements on entities subject to UDAAP enforcement action.

CFPB Director Richard Cordray sees UDAAP compliance as a straightforward exercise, where placing the needs of the consumer first and protecting the consumer from harm should guide a company’s business practices. In April 2014, he said, “Central to our mission here at the Consumer Bureau is the duty to identify and root out unfair, deceptive, and abusive practices in financial markets.”5 The creation of the CFPB, and the legislation that supports it, have changed the complexion of the regulatory compliance review from an assessment of technical compliance to an assessment of a company’s principles-based risk management.

The first enforcement action announced by the CFPB a year after inception was a UDAAP-related case against Capital One Bank that concluded with nearly $140 million in restitution payments to roughly two million consumers and the payment of an additional $25 million civil money penalty.6 The action was quickly followed by two additional UDAAP cases of similar scale and scope. Since then, the CFPB has used its UDAAP authority to open investigations, initiate proceedings, and enter into a variety of consent orders that are focused on both large and small entities. It holds bank and nonbank companies and their third-party service providers to the same standards of compliance. Notably, however, the CFPB has not defined the scope of UDAAP, preferring to rely on the facts and circumstances of each enforcement action to serve as a guide to the industry.

Background

The establishment of the CFPB is a significant milestone in the regulation of business practices aimed at individual consumers. In 1914, Congress passed the Federal Trade Commission Act7 (FTC Act) to establish a standard making it unlawful to engage in “unfair methods of competition in or affecting commerce” and to form the FTC to define and enforce this standard. The law is a significant antitrust statute intended to protect consumers through the prohibition of anticompetitive business practices. In 1938, Congress passed the Wheeler-Lea Act8 to add prohibitions on “unfair or deceptive acts or practices,” commonly referred to as UDAP, to the FTC Act’s Section 5 prohibition against “unfair methods of competition.” The Wheeler-Lea Act also gave the FTC authority to impose civil money penalties for violations of these Section 5 standards.

Neither “unfair” nor “deceptive” was defined in the statute, and the types of acts and practices that came to be identified as “unfair” or “deceptive” evolved over time through FTC enforcement actions and court rulings. The terms were eventually defined by the FTC through policy statements issued in 1980[9] and 1983,[10] based on parameters set by criteria refined through regulatory and judicial processes. The definitions, however, remain broad and general, which facilitates their application to a range of facts and circumstances.

The Policy Statement on Unfairness was codified into the FTC Act in 1994[11] and defines an act or practice as “unfair” if it satisfies all of the following three tests:

  • The act or practice causes, or is likely to cause, substantial injury to consumers;
  • The injury is not reasonably avoidable by consumers themselves; and
  • The injury is not outweighed by countervailing benefits to consumers or to competition.12

The Policy Statement on Deception was never codified, but the standards remain in use.13 It defines an act or practice as a “deception” if it meets all of the following three tests:

  • The omission or misrepresentation is misleading or likely to mislead;
  • The consumer is acting reasonably in the circumstances; and
  • The omission or misrepresentation is material (i.e., the consumer would have chosen differently but for the deception).

Most of the FTC’s early enforcement activity was limited to sales and marketing practices, primarily related to advertising.14

Application to Financial Institutions

Banks,15 thrifts, and credit unions were specifically exempted from the Section 5 prohibitions until 1975, when the federal prudential regulators—the Federal Reserve Board (Federal Reserve), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA)16—were extended the authority to enforce the UDAP provisions for those institutions under their respective jurisdictions. Each of the prudential regulators was required to institute procedures for handling consumer complaints involving UDAP, and the Federal Reserve was given authority to write UDAP-related regulations.17

The Federal Reserve’s Regulation AA, Unfair or Deceptive Acts or Practices, was issued in 1985 and contained two subparts covering consumer complaints and credit practices.18 The bank regulatory agencies (Federal Reserve, OCC, and FDIC) subsequently released a variety of joint and institution-specific guidance covering UDAP risks generally as well as risks specific to certain products, such as debt cancellation and debt suspension contracts, title loans and payday loans, direct lending and loan purchases, overdraft protection, and mortgage lending, all of which continue to pose significant UDAP risks.

After gaining their authorities, the prudential regulators did not begin to enforce UDAP violations for nearly two decades. In the early 2000s, new products and new delivery and payment systems began to change the financial services markets. At that time, the consumer complaints process served as a way for the regulators to initially identify many of the potential problems and UDAP violations inherent in these market changes.19

Consumer Financial Protection Bureau and the Dodd-Frank Act

The Dodd-Frank Act was enacted in 2010 to address weaknesses in the financial markets highlighted by the financial crisis. Title X of the Dodd-Frank Act, also referred to as the Consumer Financial Protection Act (CFPA),20 established the CFPB with a mandate to “regulate the offering and provision of consumer financial products or services under the federal consumer financial laws”21 and to make the markets for those products and services work for consumers. In particular, the CFPB is tasked with protecting consumers from harm by ensuring “that all consumers have access to markets for consumer financial products and services . . . [that] are fair, transparent, and competitive.”22



The Dodd-Frank Act gives the CFPB the authority to supervise banks (traditional depository institutions—banks, thrifts, and credit unions) with more than $10 billion in assets and the affiliates of those banks.23 The CFPB also has the authority to supervise certain nonbanks (nondepository companies) that offer consumer financial products and services. Many of these nonbanks were not previously subject to federal regulatory oversight.

The CFPB has the authority to supervise certain nonbanks regardless of their size, as well as certain other “larger participants” of consumer financial markets as identified and defined by the CFPB.24 In addition, the CFPB has the authority to supervise any nonbank not otherwise under its supervisory authority when it has reasonable cause, based on consumer complaints or information from other sources, to determine that the nonbank is engaging, or has engaged, in conduct that poses risks to consumers.25

Banks with total assets of $10 billion or less remain subject to the supervisory oversight of their primary federal banking regulator (Federal Reserve, OCC, FDIC, NCUA) for purposes of compliance with the federal consumer financial laws. However, the CFPB has rule-writing authority for these laws, as they apply to all providers of consumer financial products and services. What we see today, then, is that although the CFPB supervises the largest of the banks (in addition to the nonbanks), its reach is much broader because the laws for which it has authority apply to banks of all sizes, independent of the primary federal regulator, and its expectations for “best practices” to implement those laws are reflected across the full (bank and nonbank) financial services industry.

The CFPB UDAAP Framework

The CFPA specifically prohibits “any provider of consumer financial products or services or a service provider to engage in any unfair, deceptive, or abusive act or practice”26 and provides the CFPB with rulemaking authority and enforcement authority (for those entities under its jurisdiction) to prevent UDAAP in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service. (Note that the federal bank regulatory agencies retain their UDAP enforcement authority under the FTC Act, while the CFPB alone can enforce UDAAP under Dodd-Frank.)

For the CFPB, the CFPA defines an act or practice as “unfair” if the CFPB has a reasonable basis to conclude that: (1) it causes or is likely to cause substantial injury to consumers; (2) the injury is not reasonably avoidable by consumers; and (3) the injury is not outweighed by countervailing benefits to consumers or competition. This is the same three-part test that is in the FTC’s standard for unfairness as codified in Section 5 of the FTC Act.

The statute does not separately define a “deceptive” act or practice, though in its Supervision and Examination Manual the CFPB outlines a definition of “deceptive” that is consistent with, and refers to, the FTC’s Policy Statement on Deception. For the CFPB, a representation, omission, act, or practice is deceptive if: (1) it is material; (2) it is likely to mislead a consumer; and (3) the consumer’s interpretation is reasonable.27 The CFPB states that the enforcement actions taken by the other federal regulators may serve to inform the CFPB’s determinations of acts or practices that meet the “unfair” or “deceptive” standards, with the caveat that the facts in a particular case are crucial to each determination.

The addition of a third standard, the “abusive” standard, expands the FTC’s UDAP analysis beyond complete and accurate disclosures. The CFPA gives the CFPB the authority to declare an act or practice “abusive” if the act or practice meets any one of the following tests:

  • It materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service;
  • It takes unreasonable advantage of:
    • A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
    • The inability of the consumer to protect his interests when selecting or using a consumer financial product or service;
    • The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

Much industry analysis and speculation has surrounded this definition, centering on what many have called the “subjectiveness” of the criteria, including reliance on a particular consumer’s understanding of a transaction. To some, the criteria appear to introduce a “suitability” standard, such as a fiduciary responsibility or a duty-of-care requirement, where a bank or nonbank providing or offering consumer financial products and services might be expected to bear the burden of demonstrating what the consumer actually understood at the time of the transaction. To others, the criteria would suggest the need to protect groups of people that, due to their circumstances, may not be able to protect themselves in financial transactions, such as older people, students, service members, and the financially distressed.28

To date, the CFPB has cited “abusive” practices in few cases, though in each instance where it has, the Bureau appears to be acting to protect consumers that are “vulnerable” or unable to understand the products. The CFPB may prescribe rules to identify unfair, deceptive, or abusive acts or practices, but is not required to do so. And CFPB Director Richard Cordray has said he does not intend for the Bureau to write such rules but will allow the definitions to take shape through the CFPB’s enforcement actions. He has said, “We have given some exam guidance around these concepts, and I think maybe we’ll have more to say over time. I don’t anticipate us writing a rule around UDAAP. Again, I think a lot of the law is really clear in that area, and what is maybe not clear to people, because they haven’t had experience with it, has been specifically defined by Congress, so that is what it is. We’ll continue to develop as we go.”29

This approach is consistent with how the FTC and the federal bank regulatory agencies have continued to interpret and apply UDAP under the FTC Act, which allows the provisions to adapt to changes in the financial markets. Notably, CFPB guidance states that enforcement actions taken by other regulators to address acts or practices alleged to be unfair or deceptive pursuant to the FTC Act “may inform the CFPB’s determination.”30 The CFPB has, on occasion, released guidance to coincide with the announcement of an enforcement action to highlight the Bureau’s supervisory expectations as well as the kinds of considerations it will entertain when evaluating potential violations of UDAAP.31

“Suitability” and Consumer Protection

In the financial services industry, suitability is a term generally associated with retail investment in securities and relates to the intersection of an investment strategy with an investor’s means and objectives. The Financial Industry Regulatory Authority (FINRA), a self-regulatory organization in the U.S. securities industry, has a mission to protect investors and keep markets fair. FINRA Rule 2111 (Suitability)32 requires brokerage firms and their associated persons to “have a reasonable basis to believe” that a transaction or investment strategy involving securities that they recommend is suitable for the customer. Such reasonable belief must be based on the information obtained through the “reasonable diligence” of the firm or associated persons to ascertain the customer’s investment profile. This is to be derived from information obtained by firms and associated persons about, among other things, the customer’s age, financial situation and needs, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, and risk tolerance.33

A broker is expected to have a firm understanding of both the product and the customer; the lack of such an understanding violates the Suitability Rule. Taken together with FINRA’s Rule 2090 (Know Your Customer), Rule 2111 is considered to be critical to ensuring investor protection and promoting fair dealing with customers, ethical sales practices, and high standards of professional conduct.

In the years following the financial crisis, suitability cases have been among the top enforcement actions taken by FINRA. Completed cases have involved situations where retail consumers were sold products, such as real estate investment trusts, unit investment trusts, and collateralized mortgage obligations, considered to be too complex and risky to be consistent with the investor’s investment profile (for example, where the investors were unsophisticated or elderly).

Current UDAAP Environment

The CFPB has exercised its UDAAP authority more broadly than either the FTC or the federal bank regulatory agencies. In fulfilment of its consumer protection mandate, the CFPB has introduced the concept that “fairness” must be employed across the spectrum of an institution’s processes. And it has applied UDAAP provisions to issues occurring over the life cycle of a product or service (from development to marketing, sales, and servicing) as well as across the operations of a company (considering the input from board of directors and senior management, corporate culture and “tone from the top,” compensation structures, and coordination across business lines). In doing so, it has effectively changed the complexion of the regulatory compliance review from an assessment of technical compliance to an assessment of a company’s principles-based risk management.

The enforcement actions the CFPB has taken under its UDAAP authority have been driven mostly by consumer complaints, which, for the Bureau, highlight issues across multiple products and services where large numbers of consumers are experiencing problems and serve to provide insight into the operations of the many nonbanks that were not previously subject to federal supervision but now fall within its jurisdiction.

Since its inception in July 2011, the CFPB has used consumer complaints as one of the cornerstones of its efforts to carry out the consumer protection mandate. More specifically, the Bureau has used consumer complaints to gain an understanding of risks in the consumer marketplace and to drive its regulatory investigations and exams. The CFPB first began accepting consumer complaints related to credit card products in July 2011, followed by mortgages in December 2011. Many other categories have been added since. (Refer to Figure 8.1.)

Figure 8.1. Types of Complaints Handled Over Time

Once received, the CFPB’s Consumer Response group screens the complaints, forwards them to the appropriate company, and monitors the company’s response to the consumer as well as the consumer’s response to the company’s handling of the complaint. The CFPB uses this information to prioritize complaints or areas of complaint for investigation.

The CFPB’s Consumer Complaint portal has experienced an increasing number of consumer complaints on a monthly basis since its launch. As shown in Figures 8.2 and 8.3, the Bureau has received, in total, more than 770,000 complaints as of December 1, 2015, with the highest percentage of total complaints received as of that date related to mortgage, debt collection, and credit card products and services.

Figure 8.2. Monthly Trends by Product Category

Figure 8.3. Total Complaint Volume by Product



The CFPB reports that through December 31, 2014, approximately 62 percent of all consumer complaints were referred to the companies named in the complaint. The companies have responded to approximately 94 percent of those complaints and have closed approximately 90 percent of them. The companies have 15 days to respond and 60 days to provide a final response, where applicable.34 Consumer narratives related to a complaint are available in the database, and the CFPB currently produces a monthly report that identifies the companies most frequently named in consumer complaints.

The CFPB has been able to use its database of consumer complaints to identify issues, direct investigations and reviews, focus examinations, and inform its rulemaking. And the broadly defined terms (unfair, deceptive, and abusive) combined with the ability to interpret those definitions on a case-by-case basis make the UDAAP authority a flexible tool to adapt to the emerging supervisory focus that goes beyond strict technical compliance to consumer protection and related risk management.

The first five of the CFPB’s publicly announced enforcement actions addressed UDAAP violations. Two of these cases did not cite compliance violations of any federal consumer financial laws other than UDAAP. Three of these cases were joint actions with federal prudential regulators.35 The role of third parties is a critical feature in each of these cases, serving to set the tone that bank and nonbank providers of consumer financial products and services are expected to hold their third-party service providers to the same compliance standards that they themselves are required to meet.

The largest of the CFPB’s UDAAP actions, announced in December 2013, involved charges against a nonbank mortgage loan servicer, Ocwen Financial Corporation, and its subsidiary to “address misconduct at every stage of the mortgage servicing process.”36 The consent order required the companies to provide $2 billion in relief, pay $125 million in restitution to 185,000 borrowers that had been foreclosed upon, plus spend $2.3 million to administer the process.

Other UDAAP actions taken by the CFPB have addressed the activities of payday lenders, student lenders, auto lenders, debt relief companies, and debt collectors. In addition to addressing violations of UDAAP, some of these cases have also sought to protect certain groups for which the CFPB has heightened responsibility, such as service members, older consumers, and students.37

A number of cases highlight that the CFPB is using its UDAAP authorities to address unfair, deceptive, or abusive acts or practices engaged in by entities that are not what consumers might think of as traditional bank or nonbank providers of consumer financial products or services. In particular, the CFPB has taken UDAAP actions against a retailer of consumer goods that provides financing for customer purchases; a telecommunications company that provides credit and payment processing for third parties in association with the consumer billings prepared for its own goods and services; and a number of for-profit postsecondary educational institutions that extend credit to their students.

The CFPB Examination

Supervision and Examination. The CFPB monitors and examines supervised entities’ operations and markets for compliance with the federal consumer financial laws and their implementing regulations along with risks to consumers in key regulatory areas. Bank and nonbank financial institutions under the CFPB’s supervisory authority that offer the same types of consumer financial products or services or that conduct similar activities will be held to the same standards and supervised using the same procedures. The Bureau has acknowledged that large, complex entities have different compliance oversight and management systems than smaller entities or those offering fewer products or services.38

Monitoring and examination will include questioning, data collection from transaction records, and observation of operations to assess institutional compliance with applicable law and the quality of the internal processes for ensuring compliance with federal consumer financial laws and promoting consumer protection. Challenges for financial institutions include noncompliance risks that derive from unique proprietary processes, the scope of CFPB responsibilities (such as information requests and consumer complaint processing), an evolving CFPB examination manual, and penalties for noncompliance.

The Bureau has established multiple examination modules that it may apply to key areas to ensure that financial institutions are meeting CFPB objectives.39 These modules are organized into three main sections covering the compliance management system, product-based procedures, and statutory- and regulation-based procedures.

Compliance Management System. The CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system (CMS) adapted to its business strategy and operations.40 Each CFPB examination will include the review and testing of components of the supervised entity’s CMS. Each provider of consumer financial products or services is expected to comply with federal consumer financial laws and “address and prevent violations of law and associated harms to consumers through its compliance management process.”41

The CFPB expects that serious and systemic violations of federal consumer financial law are likely to occur without such a system, and that a deficient CMS may make a financial institution unable to detect its own violations. This may render it unaware of resulting harm to consumers and unable to adequately address consumer complaints.42

The common control elements of an effective CMS are identified as:

  • Board of directors and management oversight
  • The compliance program (policies and procedures, training, monitoring and corrective action)
  • Response to consumer complaints
  • Audit coverage of compliance matters (testing and reporting)43

The examination objectives are:

  • To assess whether the board of directors and management have developed and communicated clear expectations regarding compliance throughout the financial institution as well as to its third-party vendors and service providers.
  • To assess whether the institution has an effective compliance program (policies and procedures, training, oversight, and monitoring and corrective action) that is consistent with policies approved by the board of directors. Each of these program elements must be relevant, clear, timely, and effectively communicated.
  • To test and assess whether the financial institution’s consumer complaint processes are responsive to consumers, properly escalate potential legal issues related to consumer harm, and result in corrective actions to consumers and within the operations of the financial institution.
  • To test, consistent with the financial institution’s size and its consumer products and services offerings, that the financial institution is in compliance with federal consumer financial laws, and that such testing is communicated to the board of directors and management.

Product-Based Procedures. The Product-Based Procedures in the CFPB’s Supervision and Examination Manual contain examination procedures that are specifically designed to address those nonbank entities under the CFPB’s supervisory authority, including those that it can examine regardless of size and those that are larger participants of a consumer market defined by the Bureau. Some examination procedures also focus on certain specific products or lines of business that can be applied, as appropriate, to banks or nonbanks. The procedures outline risks and supervisory considerations related to the specific product or service as they relate to the relevant statutes and implementing regulations, which are separately covered in detail under the Statutory- and Regulation-Based Procedures.

Most nonbank providers of consumer financial products and services had generally not been subject to federal regulatory oversight until the CFPB began its nonbank supervision program in January 2012, following the appointment of its first director. The Bureau stated at that time that nonbanks will be subject to individual examinations, the frequency and depth of which will depend on the CFPB’s analysis of risks posed to consumers based on factors such as the nonbank’s volume of business, types of products or services, and the extent of government oversight.

Presently, the Product-Based Procedures address:

  • Consumer reporting (larger participants)
  • Mortgage servicing
  • Mortgage origination
  • Short-term, small-dollar lending (payday lending)
  • Debt collection (larger participants)
  • Education loans
  • Automobile finance

Statutory- and Regulation-Based Procedures. The CFPB Supervision and Examination Manual incorporates procedures developed under the auspices of the Federal Financial Institutions Examination Council (FFIEC) for many of the federal consumer financial laws now enforced by the CFPB. In addition, it provides CFPB examiners with guidance to determine whether financial institutions are complying with the federal consumer financial laws, as well as whether their policies and procedures adequately detect, prevent, and correct practices that increase the risk of violating those laws or causing harm to consumers.

In general, the examination objectives for each of the individual statutory- and regulation-based procedures are:

  • To determine compliance with the federal consumer financial law and its implementing regulations;
  • To assess the quality of the compliance risk management systems;
  • To assess the reliability of internal controls and policies and procedures intended to ensure compliance with federal consumer financial law and its implementing regulations;
  • To determine the accuracy and timeliness of required reporting; and
  • To determine whether corrective actions, including supervisory or enforcement actions as well as restitution to consumer accounts, are appropriate when violations of law or regulation are detected.

The CFPB evaluates compliance with these statutes as part of a financial institution’s relevant products and services, such as deposit accounts, and lending and servicing activities. The CFPB’s consumer protection focus, especially with regard to UDAAP, has highlighted consumer protection concerns in consumer financial products and services not directly under the CFPB’s authority, such as retail retirement savings and pension-related products. In this regard, the CFPB has expressed UDAAP and related consumer protection concerns for certain consumer groups, including seniors (consumers who are 62 or older) and service members, working with other federal regulators to develop an understanding of the consumer protection issues. The CFPB is able to evaluate these products through its consumer complaint websites (reinforcing the need for strong consumer complaint intake and resolution processes) as well as its financial education outreach efforts.

Consequences of Noncompliance. Financial institutions that do not comply with the federal consumer financial laws and their implementing regulations will be subject to civil actions or administrative enforcement proceedings. Under Section 1055 of the Dodd-Frank Act, these may include:

  • Rescission or reformation of contracts;
  • Refunds of money or return of real property;
  • Restitution;
  • Disgorgement or compensation for unjust enrichment;
  • Payment of damages or other monetary relief;
  • Public notification regarding the violation, including the costs of notification;
  • Limits on the activities or functions of the person; and
  • Civil money penalties.

Violations are subject to fines ranging from $5,000 for first-tier violations up to $1 million per day for third-tier violations, which apply to knowingly violating a federal consumer financial law. Penalties may vary based on the gravity of the violation, the severity of the loss to the consumers, the organization’s financial resources, and whether there is a history of previous violations.

The CFPB considers many factors in the exercise of its enforcement discretion, including:

  • The nature, extent, and severity of the violations identified;
  • The actual or potential harm from those violations;
  • Whether there is a history of past violations;
  • A party’s effectiveness in addressing violations.44

Relationship with State Laws

Each of the states has enacted UDAP-type laws that prohibit unfair and deceptive acts or practices. These laws are similar to those of the FTC Act but may differ in some respects, such as enforcement authorities (e.g., the authorities granted to regulators or State Attorneys General), the rights afforded consumers, or the basis for interpretation of unfairness.

In a unique turn, Section 1042 of the CFPA permits state Attorneys General (AGs) and state regulatory authorities to bring civil actions to enforce the provisions of the CFPA and implementing regulations, including the UDAAP provisions, against state-chartered entities under their respective supervisory authorities. This provision effectively extends the reach of the CFPB’s UDAAP authorities, including the breadth and depth of its enforcement remedies, to state-chartered banks and state-supervised nonbanks that might otherwise fall outside of the CFPB’s authorities. In 2014, five state AGs and one state regulator initiated actions alleging UDAAP violations under this part of the statute. Director Cordray has said it is not important whether the regulator is federal or statewide: “We frankly do not care what color uniform the prosecutor is wearing, as long as the bottom line is that we enforce the law vigorously and make things right for consumers.”45

Prevention

The concepts of fairness and suitability are currently evolving beyond compliance to the broader concept of ethics. Spurred in large part by recent scandals in the trading markets46 and the mortgage servicing industry,47 financial services regulators and practitioners in the United States and around the world have begun to ask whether something should be done just because it can be done (i.e., because it is legal) or because it always has been done (i.e., standard procedures not flagged through internal or supervisory reviews). They are only just beginning to develop expectations about the way business should be conducted, including the types of products and services that should be offered and the types of customer relationships that should be maintained, and embedding those requirements into their codes of conduct and policies and procedures. The evolution has led to the creation of a new risk category called conduct risk.

Conduct risk assesses how institutions treat customers and investors, which is sometimes termed culture. This focus on culture takes a broader perspective to risk management that includes key aspects of compliance, strategic, organizational, and reputational risk. A strong risk culture will be multifaceted and vary by institution, but will, on the whole, indicate if an institution is conducting its business in a fair manner. Features of a strong risk culture include the presence of a focus on the customer; tone from the top; the promotion of “effective challenge”; accountability at all levels; and a properly aligned incentives structure.

Compliance models are generally built to align the delivery of consumer financial products and services with the technical and disclosure requirements of the federal consumer financial laws and their implementing regulations. Consumer financial laws are basically prescriptive in nature, and compliance reviews have generally been designed to assess an institution’s technical compliance with the required rules and statements through a “check-the-box” approach.

In contrast, UDAAP (and also the FTC’s UDAP) is principles-based and is defined broadly using subjective terms (such as “reasonably avoidable,” “substantial injury,” and “unreasonable advantage”), making technical compliance indeterminate. And, as noted earlier, no guidelines have been, or will be, forthcoming to offer additional clarity. Similarly, UDAAP is intended, by its nature, to ensure that institutions treat consumers “fairly,” and “fairness” varies, depending on the context of specific facts and circumstances, and so is not readily measurable through traditional compliance metrics.

It is this subjectivity and uncertainty that make UDAAP violations very difficult to detect. Considering the increasing regulatory focus on UDAAP and the significant costs associated with related violations, prevention becomes the optimal tack. Compliance models, therefore, must be modified to incorporate an expectation that consumers are to be treated fairly and that their interests are a business priority. An assessment of “fair” treatment should embrace compliance with the spirit, as well as the letter, of the law. It should also be integrated with all aspects of the product life cycle, including product development, marketing, sales, servicing, and complaints management. The potential for UDAAP violations exists at every point of the cycle.

CFPB guidance states48 that to remain competitive and responsive to consumer needs in the dynamic financial services environment, supervised entities must continuously assess their business strategies and modify product and service offerings and delivery channels. Ultimately, compliance should be part of the day-to-day responsibilities of management and the employees of a supervised entity; issues should be self-identified; and corrective actions should be initiated by the entity. Supervised entities are also expected to manage relationships with service providers to ensure that these third parties effectively comply with the federal consumer financial laws applicable to the product or service provided. Supervised entities are expected to incorporate into their compliance management systems adequate measures to prevent the violation of federal consumer financial laws, including the Dodd-Frank Act’s prohibitions on unfair, deceptive, or abusive acts or practices.

A preventive stance toward UDAAP requires entities to define the principles of “fairness” to be used enterprise-wide and to guide a UDAAP compliance program.49 They should convey the principles to all employees, management, and board members through recurring training and reinforce the message through policies, procedures, and processes, including recourse for failure to comply with the principles. Fairness principles should be understandable to the consumer as well as predictable, valuable, and appropriate.

The development of a culture of compliance across the enterprise requires the CEO, executive management, and board of directors to set the “tone from the top,” ensuring the integration of compliance with business line functions and assigning direct responsibility for UDAAP compliance with those officers reporting to executive management. Senior management should support credible challenges of business line practices and decisions, with stated and direct support from the board. Compensation and incentives to achieve “fairness” outcomes should also be established.

These steps require regular enterprise-wide training on the principles of fairness, UDAAP requirements and current developments, and consumer protection and the related rules (such as the laws and implementing regulations for the Truth in Lending Act, Fair Debt Collection Practices Act, and Equal Credit Opportunity Act). Areas of particular regulatory concern should be highlighted in the training, including selected products and services (e.g., debt collection, payday lending) and “vulnerable” groups (e.g., students, elderly, service members). Third-party service providers are to be held to the same standard of compliance.

The management of consumer complaints will need to be reviewed and strengthened, starting by tracking the intake of complaints and their resolution, ensuring that all complaints are addressed and closed. All complaints lodged against the entity, its subsidiaries, affiliates, and third-party service providers should be included, as well as all those received directly, referred through a regulatory agency, or posted on social media sources. Care must be taken to define what complaints should be reviewed for UDAAP issues, such as complaints related to certain products or services, or complaints received from certain consumer groups.

In addition, the entity must define what constitutes a possible UDAAP complaint, such as complaints where consumers indicate they “don’t understand,” or say their experience is inconsistent with what they were told or read, or when they say they were treated unfairly. Products, services, or practices that can be linked to UDAAP complaints need to be identified and analyzed for trends and root causes to develop risk metrics. “Emerging risks” need to be identified, based on new business plans (e.g., products, vendors, and acquisitions), new regulatory guidance or enforcement actions, and complaints identified in the industry.

When entities conduct a periodic UDAAP review to identify potential risks and conduct remediation as needed, particular attention should be given to the mix of products or services as well as the end users. Emphasis should be placed on any products or services that have the potential to trigger UDAAP challenges, such as those that contain complex terms or features that might be difficult to understand, or that are targeted to “vulnerable” groups. All promotional, marketing, and advertising materials should be evaluated for potential misrepresentations, omissions, or errors. The entity should proactively address any potential violations and, if necessary, curtail activities, instituting monitoring and internal controls, fully remediating any identified harm to consumers, and notifying regulatory agencies, as appropriate. In addition, the compliance risk management system should be strengthened through testing and gap analyses.

Detection

Without specific rules to define “unfair,” “deceptive,” or “abusive” acts or practices, it is challenging to develop methods to detect and measure potential UDAAP violations using a traditional compliance model designed to measure technical compliance with the federal consumer financial laws. In addition, the standards by which acts or practices are measured as potentially unfair, deceptive, or abusive are complex, steeped in legal adjudications and enforcement actions, and ultimately unique to a given set of facts and circumstances.

Entities should, however, look to consumer complaints activity to identify possible UDAAP-type issues (e.g., the misrepresentation of terms in advertising or a failure to acknowledge affiliate relationships or to obtain consumer consent for billed products) and trends in complaints related to specific products or services. The analysis should include all consumer complaints activity, including complaints received directly, posted on social media, received by a third-party provider, and referred by the CFPB.

In addition, some entities might want to consider developing data analytics that can predict potential compliance violations, including UDAAP violations, based on established performance “standards.” For example, to predict possible “robo-signing” of foreclosure documents (the practice in which an employee of a mortgage servicing company signs foreclosure documents without reviewing them), volume metrics could be used to detect instances when the number of foreclosures completed in a given day is significantly higher than would be reasonably possible.

Internal Audit. The role of internal audit should be to assess the processes by which an entity manages the compliance risks associated with UDAAP and to identify potential risks that management should address to prevent such acts or practices. Recognizing that an unfair, deceptive, or abusive act or practice can occur anywhere in an organization, internal audit should evaluate the strength of an entity’s compliance risk management program. It should also assess the degree of integration of UDAAP considerations into the evaluation of new product and services development as well as certain marketing, origination, servicing, and vendor management activities.

Response

Entities subject to a CFPB enforcement investigation should consult with their counsel to develop a course of action and response. Entities will want to consider whether they may be able to favorably affect the ultimate resolution of the investigation by “meaningfully” engaging in what the Bureau refers to as “responsible conduct.” As outlined in CFPB Bulletin 2013-06, “responsible conduct” is the combination of four categories. The first category is proactively self-policing for potential violations of consumer financial laws. An entity should consider the nature, pervasiveness, and duration of the violation and its significance to profitability or the business model. It should ask what compliance procedures or mechanisms were in place to prevent, identify, or limit the violation as well as whether senior management participated in or knew of the conduct at issue.

The second category of conduct is promptly self-reporting to the Bureau when potential violations are identified. The entity should provide complete and effective disclosure to the Bureau and other regulators and explain whether affected consumers received appropriate and timely information. The Bureau’s consideration of the reporting will weigh whether the reporting was proactive or prompted by another impending disclosure (such as supervisory activity, public reporting, or consumer complaints or actions).

The third category is quickly and completely remediating the harm resulting from the violations (even if it is a potential rather than actual violation). The Bureau will want to know how long after identification of the matter the violations ceased and what consequences, if any, were imposed on the responsible individuals. The entity should promptly determine the extent of harm to consumers and make an appropriate recompense, providing a detailed assurance to the Bureau that the misconduct is unlikely to recur.

Fourth, the entity should cooperate with any Bureau investigation, substantially and materially, above and beyond what is required by law. Cooperation should be provided to the Bureau and other regulatory enforcement bodies throughout the course of the investigation. The entity should share fully all findings, including a review of the nature, extent, origins, and consequences of the misconduct and related behavior. And the information should be provided promptly with supporting documentation.

To date, CFPB enforcement activities have focused primarily on the mortgage industry, credit cards, auto loans, and debt collection/relief organizations.50 The CFPB will generally commence an enforcement action by issuing a Civil Investigative Demand (CID) for documents or testimony to the targeted company. The CID can require a company to respond within certain specified deadlines, even within days of service.

As a result, it is essential that companies quickly develop a response plan, identifying deadlines, implementing a legal hold, and ensuring effective management and oversight of the company’s response. CFPB regulations require the recipient of a CID to meet with CFPB staff to discuss and resolve all issues. Companies will need to determine within a specified time period whether they will seek to set aside the CID51 and what other response strategies they will need to develop.

Given the CFPB’s broad mandate, companies under the authority of the Bureau need to ensure that they have the ability to react in a prompt and responsive manner to a CID. They will have to manage the cost of a potentially expensive investigation and effectively mitigate the risks associated with potential enforcement actions.

Conclusion

By their nature, the prohibitions against UDAAP—unfair, deceptive, or abusive acts or practices—are intended to ensure that consumers are treated fairly by all bank and nonbank participants in the market for consumer financial products and services. However, a principles-based approach is needed to adequately address the management of UDAAP risk because the UDAAP terms are broadly defined and may vary depending on specific facts and circumstances.

The optimal approach to preventing UDAAP violations is to establish a strong UDAAP program that follows the key elements of a rigorous compliance program and places governance and culture at the core. Such a program should reflect the expectation that consumers are to be treated fairly at all points along the product life cycle. At a minimum, the program should incorporate identification of the regulatory requirements for UDAAP compliance, related consumer protection requirements, and current and emerging industry issues; identification of product and service areas with potentially heightened UDAAP risk and assessment of the design and effectiveness of controls to mitigate that risk; policies, procedures, and processes that reinforce fair treatment of consumers; required ongoing and enterprise-wide training on UDAAP risk at every level of the entity; and analyses and reporting of consumer complaints intake, resolution, and trends.

The strength of the UDAAP program will rest on strong governance and culture, which together can foster an environment conducive to timely recognition, escalation, and control of emerging risks and risk-taking activities. The board of directors and senior management must champion serving the needs and interests of consumers as a core value of the entity and as a strategic business priority, as well as mirror that focus in their own behavior and in their expectations for the behavior of each individual working on behalf of the entity. Similarly, incentive structures should be designed to support the consumer-focused values, and accountability for failure to uphold those values should be clearly and conspicuously enforced.

The CFPB’s UDAAP authority is central to its mission and will continue to be a primary investigative and enforcement tool for the regulator long into the future. It has also invigorated the efforts of other regulatory authorities, such as the FTC and the Federal Communications Commission (FCC), to heighten their attention on the fair treatment of consumers. Fundamentally, it has changed the complexion of the regulatory compliance review from an assessment of technical compliance to an assessment of a company’s principles-based risk management.

________________

Karen S. Staines was a major contributor to the content of this chapter. Ms. Staines is a Director in KPMG’s Americas Financial Services Regulatory Center of Excellence in Washington, DC.