|Danger Ahead (June 2010)|
The spotlight has been on financial reform legislation. But banks’ biggest compliance risk ahead is a new focus on “unfair and deceptive acts and practices”—UDAP, for short. The regulatory tool has highly subjective standards. Read 11 risk points you should be looking at now.
Every bank is navigating the stormy seas of consumer compliance. New rules are raining down and a new consumer protection entity looms on the horizon (at this writing, pending financial reform will either create an agency or, at the very least, sharply heighten scrutiny by existing regulators). The biggest risk ahead, however, is barely a blip on most banks’ sensors, despite being huge, close, and coming fast.
A new focus on “unfair and deceptive acts and practices”—UDAP—is about to transform bank risk. Most of the industry hasn’t yet spotted it, since examiners rarely raise concerns and enforcement cases are few. This issue, nevertheless, will soon be one of the toughest compliance challenges banks have ever faced.
Arguably, UDAP caused the financial crisis and recession. That’s an oversimplification, obviously, but the meltdown started in subprime loans, and it involved products that largely met technical legal requirements. Despite this, they enticed millions of people to take loans carrying huge and hidden dangers. Sales tactics mixed with product design left these borrowers, investors, and ultimately the financial system, vulnerable to a drastic misperception of risk. The technical legal rules, the whole disclosure regime, failed.
Regulators did issue guidance on some of these practices. The industry did self-police. Most banks never touched these kinds of products. Nevertheless, things went wrong in plain sight—inside the lines of explicit legal rules. In such an environment, a vigorous regulatory response is inevitable. And on consumer issues, regulators have in their hands a highly potent tool—UDAP. There is no possibility that they will not use it.
Unfair and deceptive practices were outlawed in the Federal Trade Commission (FTC) Act nearly 70 years ago. For much of that period, bank regulators essentially argued that their supervisory obligations excluded the FTC Act, other than through Regulation AA—the Credit Practices Rule. Gradually, however, the banking agencies began issuing supervisory guidance on UDAP and related issues. They also began to bring enforcement cases. Then the Fed took the ground-breaking step of citing UDAP as statutory authority in proposing new regulations.
Caught between “suitable” and “discriminatory”
All this has intensified since the financial crisis. The bank regulators face calls to strip them of consumer protection jurisdiction. Their pushback includes, at this writing, development of unprecedented joint examination procedures for UDAP. The pending reform legislation, meanwhile, will quite probably add the term “abusive” to the statutory mix. A new agency, if created, will likely be charged broadly with “monitoring developments in markets” to identify “risks to consumers” from unfair, deceptive, or abusive products, services, or sales practices. These would include activities and pricing the agency considers too complex for consumers to understand, and situations where it thinks lenders take “unreasonable advantage of” the consumer’s trust.
This language effectively embraces the concept of “suitability,” which has (so far) been too controversial to legislate outright. It posits a bank obligation to make its products and prices appropriate for every customer. That in turn puts the bank on a knife’s edge, barred from denying credit in ways that might be discriminatory, and also from extending services too liberally to financially-challenged customers.
On top of all this, banks must prepare for state enforcement—potentially even banks with national charters. Almost all states now have UDAP laws, and federal preemption has been weakened in the wake of court rulings and the pending reform legislation.
Highly subjective standards
So the UDAP challenge is inevitable. It is also uniquely difficult to meet.
First, it’s a moving target, growing faster than most banks realize. Second, its scope is limitless, covering every nook and cranny of every bank and all its relationships.
Worst, its standards are unclear. The guidelines, derived from the FTC, are as follows:
To be “unfair,” a practice or product must cause “substantial” consumer injury; the injury must be something the consumer could not have reasonably avoided; and the product’s harm must outweigh consumer benefits, such as enhanced competition that produces advantageous pricing or availability. “Substantial injury” can be something that greatly injures a few people or mildly harms many. Harm focuses especially on practices that prevent good decision-making, that provide information too late, or that involve undue influence or coercion.
A “deceptive” action meanwhile, is a representation, omission, or practice that is likely to mislead a consumer who is acting reasonably and that materially impacts consumer decisions and behavior.
These are highly subjective standards. Every bank does many things that could theoretically be challenged under them, simply because financial products are intrinsically hard for consumers to understand. Discretionary application of UDAP mandates, in a climate of inevitably aggressive enforcement, will make it impossible for banks to know whether they are complying, until someone tells them they are not.
Many community banks assume these risks will only affect large or specialized institutions, and/or that their own examiners will provide fair warning if UDAP concerns arise, allowing time to change a questionable practice. The reality is different. UDAP is already threading its way into exams. And it frays the very fabric of the examiner/bank relationship, because UDAP is about being…unfair or deceptive. It makes examiners not trust a bank, triggering cascades of other problems. This is happening now, invisibly, in scenarios that are not yielding formal enforcement. When enforcement actions do occur, they are onerous, creating not only bad publicity and fines, but requirements like a new consumer compliance program, new board compliance committee, frequent special reporting, disclosures, and the like.
How You Can Prepare Now
Now is the time to clean up any potential UDAP problems—before any new agency or new examination procedures come online. Here is a checklist to work on.
Make sure solicitations match what customers actually get, and are timely
This was a key lesson of the formative bank case—the OCC’s cease and desist action in 2000 against Providian. The lender was charged with omitting limiting terms from upfront material. Fees were disclosed and charged too late to permit customers to protect themselves. If products have limiting terms, say so in initial materials. Make them obvious.
Retool audits to check for UDAP
Audit should verify whether most customers do in fact receive the advertised product terms that attracted them to the bank. If a substantial number end up with less favorable terms, it’s a UDAP red flag.
Don’t incent temptation
Be careful of sales incentives like yield-spread premiums, for either employees or third parties, that reward charging customers extra or that might tempt employees to make misleading statements. Also consider adding a component to manager compensation that gives weight to strong performance on ethics and compliance.
Cover everything in the bank
UDAP cases in banking have focused on credit, but the legal requirement has no limits. Deposit accounts are subject to it. One non-bank case involved data security. And all activities are covered, from product design to marketing to underwriting and on to collections.
Focus on the controversial
Even if the bank’s products seem to sit well within common industry practice, it makes sense to review those that are sparking controversy, like overdraft protection.
Listen to customers
The key here is an active system to gather, centralize, and analyze complaints. The typical UDAP situation is that customers complain and the bank determines that the matter did not involve any violation of laws or regulations. This is the classic UDAP trap. Practices and product terms that are technically legal but possibly “unfair” are precisely what UDAP is about.
Listen to employees
UDAP situations often create concern among employees, which gets overridden or is never even voiced to senior management. It’s smart to open channels that invite staff to raise qualms without fear of blowback.
Focus on vulnerable customers and de facto “suitability”
Again, suitability is seeping into enforcement. Is a product specifically targeted to a “vulnerable” customer segment—the elderly, the young, people with limited income, education, or language skills, people with few financial options? If so, use extra care.
Manage third parties
In 2008, the OCC fined a bank $144 million over third-party actions by telemarketers and payment processors. The lender failed to do due diligence appropriately, and lacked policies and monitoring procedures. Third-party actions matter.
Screen all new products
Banks should create a broad net that identifies new products, pricing, advertising, promotions, and sales practices and funnels them into a central process that checks for possible UDAP issues.
Use the “smell test”
While UDAP is complex, the worst risks are easy to find through a simple “smell test.” When activities fail it, the bank should reconsider, redesign, or prepare to defend its actions. n
The electronic version of this article available at: http://www.nxtbook.com/nxtbooks/sb/ababj0610/index.php?startid=28
| TechTopics Plus