The UDAAP Trap: How Financial Institutions can Avoid Penalties when Using Third Party Services

by Pillsbury Global Sourcing Practice

In Part 1, we noted that financial institutions could find themselves potentially liable for committing an alleged Unfair, Deceptive, or Abusive Act or Practice (UDAAP) as a result of the actions of certain types of external service providers, particularly those that interface directly with customers. In this Part 2, we will discuss how financial institutions can mitigate the risk of UDAAP enforcement actions through their contracting strategies with their service providers.

A New Wrinkle of Risk

In some ways, the CFPB's UDAAP authority resembles other regulatory regimes in that it places compliance obligations on both the issuer of the product as well as the third-party service provider that helps effectuate a transaction involving such a product. For example, export control laws place Office of Foreign Assets Control compliance obligations on both parties to a transaction. Data protection laws apply both to the controller as well as the processor of data. HIPAA protections for health information apply to the covered entity and its business associates.

In other ways, however, the CFPB's UDAAP authority differs from other regulatory regimes because it expressly imposes upon a financial institution an affirmative obligation to supervise closely the behavior of its service providers. While some other regulators may also impose express obligations (e.g., Office of the Comptroller of the Currency), in many other regulatory contexts, any required supervisory role is typically either less onerous and/or only implied by the regulatory agency.

Of course, it is an outsourcing best practice for a customer to have good management and oversight over its service providers, but the CFPB's requirements go further. Indeed, this supervisory obligation may even undercut a financial institution's rationale to outsource certain functions in the first place and lead an institution to forego pursuing the outsourcing relationship during an initial risk assessment if the institution believes the potential service provider could expose the institution to UDAAP liability.

All outsourcing relationships involve some level of risk. Depending on the nature of the services, a bank may be handing over sensitive data, management of key processing functions, or responsibility to keep IT infrastructure safe and secure.

The CFPB, however, appears to have added a new wrinkle of risk to what would otherwise be considered a "standard" level of outsourcing risk: for certain services related to consumer financial products or services, if a financial institution's service provider engages in behavior that the CFPB finds unlawful under its UDAAP authority, then the financial institution itself is potentially liable for the conduct of its service providers and could be subject to substantial penalties.

A Delicate Balance

But this risk is not insurmountable. A thoughtful vendor management/contracting strategy can mitigate a financial institution's risk by incorporating UDAAP obligations into its service provider contracts and sensibly allocating the risk between the parties. In addition to addressing the risk responsibility in the contract, the financial institution should consider establishing a service provider monitoring and governance framework that expressly addresses UDAAP risk.

Financial institutions will want to implement specific solutions (which may even vary from service provider to service provider) to ensure that they sufficiently protect themselves while at the same time not being too heavy-handed with their business partners. A financial institution and its counsel will need to maintain that delicate balance between seeking the necessary protection and creating obligations that can get in the way of doing business.

With this balance in mind, there are two high-level procedural approaches a financial institution's counsel may want to consider.

Single Purpose Agreement

One method a financial institution could employ is to execute single purpose "UDAAP Agreements" with all of the relevant service providers across the enterprise. This approach is analogous to a company requiring its service providers to enter into NDAs or (for HIPAA covered entities) Business Associate Agreements.

Such an initiative will likely take a fair amount of effort, but it could also bring significant benefits. First, the institution is starting out with standard terms. Assuming counsel is successful in limiting negotiation, then all the relevant service providers are signing up to more or less the same obligations, which creates consistency with respect to meeting the CFPB's duty to supervise.

Second, this approach gives the institution room to be specific about what is required. Some service providers may not know their precise obligations with respect to the prohibition on UDAAP, and having such clear obligations may be beneficial to the financial institution in showing the CFPB that the institution is taking its affirmative obligations seriously.

Finally, with respect to those agreements already in place, a single purpose approach avoids having to reopen and amend the existing terms. With respect to new agreements being negotiated, the single purpose approach allows the institution to segregate the risk terms (e.g., liability and indemnities) from the underlying commercial transaction, which may result in more efficient negotiations.

Integrate the Terms

Another approach is to integrate the UDAAP obligations into the underlying service provider contract. Integrating the terms into an underlying agreement may enhance the institution's leverage because each party has the "let's get a deal done now" mentality if it is a new contract.

Integration of the terms into the underlying transaction is also similar to the way many outsourcing contracts deal with other regulatory issues like data protection and export controls, so the approach is unlikely to surprise the service provider. Taking this approach may result in negotiating "fewer words" because some aspects of compliance (e.g., reporting and audit rights) may already be captured by other portions of the contract.

For those outsourcing transactions that, in the grand scheme of things, present a comparatively lower risk to the financial institution, a single purpose agreement may be too much when simpler integrated terms would suffice. Compliance obligations with such low-risk transactions may simply be handled in a standard "compliance with laws" section in the agreement.

With respect to medium-risk to high-risk transactions, however, an institution will want to guard against taking a simplistic approach to integration. In other words, the institution should resist trying to address UDAAP by simply inserting a "compliance with Dodd-Frank" obligation or "compliance with bank policies" obligation into the contract. Although the service provider may be more agreeable to closing the issue this way, the actual obligations to prevent UDAAP violations are not spelled out. If CFPB examiners come looking for UDAAP violations, the bank may not have a good story to tell about its good faith effort to mitigate risky UDAAP behavior with that service provider.

Key Negotiation Points

In addition to deciding on the best approach as described above, the financial institution will need to be able to negotiate the substantive UDAAP terms. Of course, a bank's negotiation strategy is highly dependent on the nature of the deal, the leverage each party has, and whether the particular relationship is high or low risk.

The financial institution should focus on the following key areas of risk when negotiating UDAAP terms.

1. Liability. As we noted in Part 1, CFPB enforcement actions to date have resulted in fines and restitution obligations that could run into the hundreds of millions of dollars. Such penalties likely would vastly exceed an agreement's standard liability cap on direct damages. Therefore, a bank's counsel should attempt to exclude such regulatory fines from any liability caps.

2. Indemnities. A full indemnity from the service provider for regulatory fines may also be appropriate depending on the nature of the services, particularly for high-risk services that directly interface with an institution's consumers.

3. Termination. An institution should also negotiate flexible termination rights with the service provider, so that the institution can exit a relationship in case the service provider engages in prohibited UDAAP activity. CFPB examiners will likely look favorably upon an institution with such flexible termination rights.

4. Operational Oversight. In addition to the traditional risk terms described above, other business and operational terms warrant consideration as well. To ensure that the institution is able to exercise its heightened obligations to monitor and supervise, it should seek frequent reporting and good recordkeeping practices from its service providers. Strong audit rights on behalf of the institution are also recommended by the CFPB. A robust governance framework with the service provider may also be an important part of the financial institution's ongoing monitoring and compliance efforts.

5. Performance Incentives. In its guidance documents, the CFPB has noted that consumer complaints can serve as a leading indicator as to whether a UDAAP has occurred. Not only should an institution look to implement a process for how customer complaints get analyzed and reported up to the bank, but also the institution should consider tailor-made service levels for incentivizing the service provider to limit such complaints in the first place. Implementing such proactive performance measures will likely show CFPB examiners that the institution is looking to curb violations before they occur.

Implementing such a contracting strategy is an essential component of any financial institution compliance program. Among other things, it likely will go a long way in showing the CFPB that a good faith effort has been made to comply with UDAAP rules and ultimately help the financial institution avoid enforcement actions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Global Sourcing Practice | Attorney Advertising
