Institutions regulated by the Consumer Financial Protection Bureau (CFPB) and subject to its enforcement authority are dealing with of the agency’s sweeping authority to prohibit unfair, deceptive, and abusive acts or practices (UDAAP). To date, the CFPB has relied on this authority to open investigations, initiate proceedings, and enter into a number of broad-ranging consent orders requiring regulated entities to pay hundreds of millions of dollars in restitution and penalties. However, CFPB Director Richard Cordray has consistently indicated that the CFPB will not be issuing rules to define or describe acts or practices deemed to be UDAAP, choosing instead to define UDAAP through enforcement. Moreover, the CFPB has made it clear that complying with all applicable federal consumer financial protection laws and regulations is not enough to escape allegations of UDAAP. In the agency’s view, an act or practice may constitute UDAAP even if the regulated entity complies with all applicable legal and regulatory requirements.

The CFPB’s approach at first glance appears to be “we know it when we see it,” not only for actual acts or practices, but also for potential violations of UDAAP, given the CFPB’s emphasis on self-reporting. Regulated entities must read the tea leaves, trying to understand how the CFPB will exercise its UDAAP authority based on the allegations in enforcement actions and CFPB statements in its Examination Manual and agency guidance. Although it’s still early, some patterns and take-home lessons are emerging from these sources.