The Consumer Financial Protection Bureau (CFPB) ordered First National Bank of Omaha (FNBO) to pay a $4.5 million civil money penalty and $27.75 million in customer restitution for violations of engaging in deceptive marketing tactics and illegally billing consumers for add-on credit productions under the Dodd-Frank Act, which prohibits unfair, deceptive or abusive acts or practices (UDAAP). In addition to the monetary assessments, the CFPB took the novel step of ordering FNBO to develop “a written, enterprise-wide UDAAP risk-management program for any consumer financial products or services” it offers. In making the UDAAP risk-management program a part of the consent order, the CFPB is undoubtedly signaling its expectation that financial services institutions develop and implement a UDAAP risk-management component as part of the company’s broader compliance management system.

What Should Be Included in a UDAAP Risk-Management Program?

While there is no universal, one-size-fits-all approach to developing a UDAAP compliance plan, the FNBO consent order provides a good road map of the components the CFPB is focused on.

First and foremost, a financial services company should analyze the types of financial products it offers and the consumer segments to which it markets. One crucial element in preventing UDAAP violations is understanding how your products and services may pose risks to your consumer base. A key component of this risk analysis should focus on consumer complaint monitoring, which should be done by a sufficiently autonomous department within the organization or an outside vendor. This comprehensive approach is particularly important in light of the consumer-facing nature of UDAAP, which places significant emphasis on consumer understanding, as opposed to more disclosure-focused, traditional regulatory provisions.

With this background, a company can more fully establish a compliant UDAAP program. The CFPB expects the following components to be included in an enterprise-wide UDAAP risk- management system:

1. A written comprehensive assessment, to be conducted on an annual basis, of the UDAAP risk associated with the governance, control, marketing, sales, delivery, servicing, and fulfillment of consumer financial products and services;
2. Development and maintenance of written policies and procedures to effectively and systematically manage, prevent, detect, mitigate, and report the UDAAP risks;
3. Comprehensive written training procedures for employees and service providers on unfair, deceptive, or abusive acts or practices; and
4. Written policies and procedures to ensure that risk management, internal audit, and corporate compliance programs have the requisite authority and status so that appropriate reviews of products and services marketed or sold by the financial institution or its service providers may occur and deficiencies are identified and properly remedied.

In addition, even after a UDAAP risk-management program is implemented, financial institutions must actively monitor and analyze trends in consumer complaints, new products and services and customer demographics, and make periodic adjustments to the program. Analyzing the consumer experience and understanding how those experiences may violate UDAAP is the key to a successful UDAAP risk-management program.

The FNBO consent order continues the CFPB’s trend towards utilizing UDAAP as a tool to regulate via enforcement. In light of this trend, financial institutions under the CFPB’s oversight would be wise to develop and implement a comprehensive UDAAP risk-management program.