Compliance & Regulation

Dood-Frank, UDAAP and the New Order for Industry Oversight

You Understand Your Products But Do Your Customers and Regulators?

by Anastasia Stull, Managing Director, Newoak

NewOak is an independent financial services company, which provides strategic counsel and services around structured credit, complex asset valuation, enterprise risk, and regulatory compliance. Visit

Compliance continues to be a top priority for regulated entities and for financial services executives, according to statistics that put compliance risk in first place over other business concerns such as credit risk, liquidity risk and market risk. Compliance departments, management and boards have had to transform the way they do business because achieving compliance is more difficult than ever.

This sea change can be largely attributed to the Consumer Financial Protection Bureau (CFPB), which has the authority to enforce numerous new financial services statutes under the Dodd-Frank Act, and which has relied most heavily on its authority to prosecute Unfair, Deceptive, and Abusive Acts and Practices (UDAAP) more than any other authority.

Over 50 percent of the violations alleged in the 40-plus enforcement matters the CFPB has brought to date are UDAAP violations, which is staggering. Even more staggering are the civil penalties totaling more than $150 million coupled with restitution paid by regulated entities of approximately $2 billion.

Considering the CFPB’s use of UDAAP as a primary enforcement tool, it is impossible to achieve a reasonable level of compliance with the new rules and regulations by simply applying a technical, check-the-box approach because the new regulatory landscape is more principles-based than rules-based. The application of principles differs from the application of rules in that it requires a different form and degree of reasoning and behavior.

A New Paradigm Requires a New Approach

Under the new regime, the CFPB expects the institutions it regulates to behave differently and to have a heightened understanding of their products and services. More importantly, institutions are expected to anticipate what the CFPB may view as troubling or problematic with very little guidance or interpretation from the Bureau as to what the new “abusive” standard applicable to UDAAP really means. The language in the statute is overly broad and vague, leaving institutions no choice but to defer to enforcement actions for elucidation of the CFPB’s UDAAP doctrine.

More importantly, institutions are expected to anticipate what the CFPB may view as troubling or problematic with very little guidance or interpretation from the Bureau as to what the new “abusive” standard applicable to UDAAP really means

Reading the enforcement tea leaves doesn’t tell the whole UDAAP story unfortunately because the CFPB’s application of UDAAP has been so wide ranging. For example, in August 2015, they took action against a lender offering deferred-interest loans in dental offices for allegedly misleading approximately 3,200 consumers about the interest terms, ordering the company to pay $700,000 in relief to victims of “deceptive credit enrollment tactics.” They also recently took action against a mortgage servicing company for blocking consumers’ attempts to save their homes from foreclosure, as well as against a payment company and their servicer for deceptive advertising. From dental offices to payday lenders to indirect auto finance companies, it is difficult to glean much more than a solid understanding that the road ahead is peppered with UDAAP landmines which put your institution at risk.

The lesson here is that everyone must think and behave differently to comply with UDAAP and the two elements of the abusive standard:

  • (1) whether a practice “materially interferes” with a consumer’s ability to understand a product or service; and
  • (2) whether the practice takes “unreasonable advantage” of consumers.

To survive in today’s principles-based regulatory environment there must be an integration of compliance and the lines of business that is focused on achieving the level of compliance necessary to succeed. Businesses must be objective and contemplate whether regulators and consumers will understand what they are offering and consider the consumer experience after they select a product.

Managing Compliance as Risk

The new era of enforcement is driven by data and risk analytics, so your organization can benefit from managing compliance as a risk discipline that employs the same methodology. Effective compliance risk management should incorporate regular testing and analysis of an institution’s compliance with all regulations and then go one step further to include reviews of areas such as the risk of a certain product design and sustainability as part of your UDAAP risk analysis.

Ensure your compliance risk management program is robust enough to adequately articulate each applicable risk, identify and measure risk, and then consistently monitor changes in the business. High-volume activities such as consumer complaints and third-party vendor management are also important areas to incorporate into your compliance risk assessments. In parallel, the right data-driven analytics can be particularly effective in revealing high-risk operational errors or business partners.