In late June 2020, the Office of the Comptroller of the Currency issued a new booklet on “Unfair or Deceptive Acts or Practices and Unfair, Deceptive, or Abusive Acts or Practices” (the UDAAP booklet), setting forth a comprehensive analysis of UDAAP standards, risk factors and risk mitigation techniques. OCC, Comptroller’s Handbook for Consumer Compliance, Unfair or Deceptive Acts or Practices and Unfair, Deceptive, or Abusive Acts or Practices, Version 1.0 (June 2020). This article briefly discusses that booklet and some of its implications, both for institutions regulated by the OCC and those that are not.
* * *
In publishing the UDAAP booklet, the OCC has signaled that it will continue to emphasize UDAAP issues in supervisory and enforcement matters and that it expects supervised entities to be familiar with, and take appropriate steps to mitigate, applicable UDAAP risks. Prior to issuing the UDAAP booklet, the OCC had not addressed UDAAP requirements in its Comptroller’s Handbook for Consumer Compliance. This absence was notable, given the significant attention that the OCC has paid over the past several years to unfair or deceptive acts or practices in enforcement actions and supervisory matters. In fact, until the OCC issued the UDAAP booklet, the only formal publications by the agency relating to UDAAP were two relatively short advisory letters that had been published in 2002 and 2013 focusing on the scope of the unfair and deceptive prohibitions in the Federal Trade Commission Act. These publications contrasted — both in terms of length and depth of treatment — with publications by other prudential regulators and the CFPB.
With this new publication, however, the UDAAP booklet sets a new standard among the regulatory agencies relating to UDAAP guidance, providing 47 pages of detailed content addressing (i) the OCC’s supervisory approach; (ii) risks associated with UDAAP, such as compliance, operational, strategic and reputation risk; (iii) risk management expectations, including board and management oversight, bank operations and the parameters of an effective consumer compliance program; and (iv) examination procedures.
Also included in the booklet are several appendices that will be useful to almost all institutions, regardless of whether they are regulated by the OCC. Perhaps the most useful of these are the Red Flags (Appendix A) and UDAP and UDAAP Risk Indicators (Appendix B) appendices, which provide detail regarding specific areas where examiners should focus their attention, including:
- Consumer complaints — particularly those alleging that customers did not understand the terms of a specific product or service;
- Whistleblower referrals by bank employees — particularly those that focus on the bank’s marketing or sales practices;
- High levels of fee income — particularly fees that are higher than average or significantly increasing;
- High volumes of charge-backs or refunds — particularly any patterns of refunding fees associated with a specific product or service, which could indicate misleading or confusing marketing materials;
- Inadequate oversight and review of advertising, marketing scripts and sales practices;
- Weak servicing and collection practices — including activities performed by third parties;
- Inconsistencies between account disclosures and bank operating systems — particularly any inconsistencies that result in unanticipated fees. With respect to this risk factor, the booklet provides a specific example, where account disclosures state that a daily overdraft fee is charged each “business day” that an account is overdrawn, while the operating system is set up to charge the daily fee each “calendar” day the account is overdrawn.
- Weaknesses in risk management or internal controls over higher risk products or services — including inadequate use of billing or enrollment reports to monitor and verify customers are properly enrolled, and inadequate monitoring or review of denied debt-cancellation-product; and
- Inadequate board and management oversight over incentive compensation programs — such as compensation programs that are not aligned with the board’s risk appetite or not balanced with adequate controls.
Many of the risk factors in Appendix A overlap with factors that other regulators have included in similar publications. See CFPB, Supervision and Examination Manual, UDAAP (Oct. 2012); FDIC, Consumer Compliance Examination Manual, UDAP (Dec. 2018); Federal Reserve, Consumer Compliance Handbook, UDAP (Dec. 2016). However, a unique feature of the new OCC booklet is a set of risk assessment charts that the OCC has created for examiners to use in evaluating the quantity of risk and quality of risk management regarding UDAAP.
With respect to quantity of risk, the chart summarizes conduct that creates low, moderate or high risk, with each row loosely tied to the red flags identified in Appendix A. Thus, for example, the OCC believes that high risk of UDAAP violations may be present if product offerings include “extensive use of promotional periods or teaser offers” or marketing materials “do not adequately communicate applicable time frames or requirements for receiving promotional or teaser offers.” In contrast, the OCC believes there is a low risk of UDAAP violations relating to promotional offers where a bank has “limited or no offering of products or services with promotional periods or teaser offers” or “marketing materials … clearly and conspicuously communicate promotional or teaser time frames and requirements for obtaining promotional or teaser offers.”
With respect to quality of risk management, the chart summarizes four categories of risk management quality (strong, satisfactory, insufficient and weak) in 10 areas, ranging from how management monitors customer complaints to how it “anticipates and responds” to “changes in applicable laws or regulations, market conditions, and products or services offered.”
Another unique feature of the UDAAP booklet relative to similar publications published by other prudential regulators is that it addresses conduct that may violate the “abusive” prong of the Dodd-Frank UDAAP statute. See 12 U.S.C. § 5536(a). By way of background, Section 5 of the Federal Trade Commission Act has long prohibited unfair and deceptive acts or practices (UDAP), and the OCC and other prudential bank regulators have aggressively enforced the UDAP prohibition through enforcements actions and supervisory matters. 15 U.S.C. §45(a). In 2010, the Dodd-Frank Act created a new prohibition against “abusive” acts or practices, which is primarily enforced by the CFPB.
To date, none of the prudential regulators has publicly enforced the abusive prong under the Dodd-Frank UDAAP statute against entities or persons under its jurisdiction (generally banks with total assets less than $10 billion and institution-affiliated parties such as directors and officers). However, because the OCC and other prudential regulators may assess penalties against any insured depository institution or institution-affiliated party subject to its jurisdiction that violates “any law or regulation,” it is possible that the OCC could seek to enforce the abusiveness prong against regulated entities or persons. In any event, the UDAAP booklet provides a clear indication that it will evaluate compliance with the prohibition against abusiveness in the future.
* * *
While the OCC’s UDAAP booklet is a helpful guide, it is important to bear in mind that the UDAAP prohibition is very broad, and assessment and mitigation of UDAAP risk requires a fact-specific analysis tailored to each institution’s products and services.
Nonetheless, the new booklet provides useful information to all institutions regarding the risk factors that elevate UDAAP risk and techniques to mitigate these risks. Particularly useful are the appendices at the end of the booklet, which provide a framework for institutions to follow when assessing risk and the adequacy of their UDAAP compliance management systems. By publishing the booklet with such a high level of detail, the OCC is signaling that it will continue to closely monitor and enforce UDAAP compliance against regulated institutions.