The key to surviving the CFPB’s scrutiny is knowing what it considers unfair deceptive or abusive acts and practices or UDAAP. The following is an abridged version of the CFPB Supervision and Examination Manual detailing the manner in which the CFPB will search an agency for UDAAP. The elaborated version of UDAAP examination procedures along with the rest of the CFPB Supervision and Examination Manual can be found here.
Part II – Examination Procedures (Page 3)
A. Compliance Management System
B. Product-Based Procedures
C. Statutory- and Regulation-Based Procedures Unfair, Deceptive or Abusive Acts or Practices
• Narrative
• Examination Procedures Fair Debt Collection Practices Act
• Narrative
• Examination Procedures Privacy of Consumer Financial Information (Gramm-Leach-Bliley Act)
• Narrative
• Examination Procedures
• Examination Procedures Attachment
• Checklist
Part III – Examination Process Templates (Page 5)
Templates
• Entity Profile
• Risk Assessment
• Supervision Plan
• Examination Scope Summary
• Compliance Management Review
• Examination Report – Cover Letter
• Examination Report
• Supervisory Letter – Cover Letter
• Supervisory Letter
Examination Objectives (Page 184)
• To assess the quality of the regulated entity’s compliance risk management systems, including internal controls and policies and procedures, for avoiding unfair, deceptive, or abusive acts or practices (UDAAP).
• To identify acts or practices that materially increase the risk of consumers being treated in an unfair, deceptive, or abusive manner.
• To gather facts that help determine whether a regulated entity engages in acts or practices when offering or providing consumer financial products or services that are likely to be unfair, deceptive, or abusive.
• To determine, in consultation with Headquarters, whether an unfair, deceptive or abusive act or practice has occurred and whether further supervisory or enforcement actions are appropriate.
General Guidance (Page 184)
1. Document Review
a. To initially identify potential areas of UDAAP concerns, obtain and review copies of the following to the extent relevant to the examination:
b. Training materials.
c. Lists of products and services, including descriptions, fee structure, disclosures, notices, agreements, and periodic account statements.
d. Procedure manuals and written policies, including those for servicing and collections.
e. Minutes of the meetings of the Board of Directors and of management committees, including those related to compliance. f. Internal control monitoring and auditing materials.
g. Compensation arrangements, including incentive programs for employees and third parties. h. Documentation related to new product development, including relevant meeting minutes of Board of Directors, and of compliance and new product committees.
i. Marketing programs, advertisements, and other promotional material in all forms of media (including print, radio, television, telephone, Internet, or social media advertising).
j. Scripts and recorded calls for telemarketing and collections.
k. Organizational charts, including those related to affiliate relationships and work processes.
l. Agreements with affiliates and third parties that interact with consumers on behalf of the entity.
m. Consumer complaint files.
n. Documentation related to software development and testing, as applicable.
Management and Policy-Related Examination Procedures
1. Identify potential UDAAP concerns by reviewing all relevant written policies and procedures, customer complaints received by the entity or by the CFPB, internal and external audit reports, statistical and management reports, and examination reports. Determine whether:
a. The scope of the entity’s compliance audit includes a review of potential unfair, deceptive, or abusive acts or practices.
b. The compliance audit work is performed consistent with the audit plan and scope.
c. The frequency and depth of audit review is appropriate to the nature of the activities and size of the entity.
d. Management and the Board of Directors are made aware of and review significant deficiencies and their causes.
e. Management has taken corrective actions to follow up on any identified deficiencies.
f. The entity’s compliance programs ensure that policies are being followed through its sampling of relevant product types and decision centers, including sales, processing, and underwriting.
g. The entity has a process to respond to consumer complaints in a timely manner and determine whether consumer complaints raise potential UDAAP concerns.
h. The entity has been subject to any enforcement actions or has been investigated by a regulatory or law enforcement agency for violations of consumer protection laws or regulations that may indicate potential UDAAP concerns.
2. Through discussions with management and a review of available information, determine whether the entity’s internal controls are adequate to prevent unfair, deceptive or abusive acts or practices. Consider whether:
a. The compliance management program includes measures aimed at avoiding unfair, deceptive, or abusive practices, including:
• Organization charts and process flowcharts;
• Policies and procedures; and
• Monitoring and audit procedures.
b. The entity conducts prior UDAAP reviews of advertising and promotional materials, including promotional materials and marketing scripts for new products.
c. The entity evaluates initial and subsequent disclosures, including customer agreements and changes in terms, for potential UDAAP concerns.
d. The entity reviews new products and changes in the terms and conditions of existing products for potential UDAAP concerns.
e. The entity has a thorough process for receiving and responding to consumer complaints and has a process to receive complaints made to third parties, such as the Better Business Bureau or the CFPB.
f. The entity evaluates servicing and collections for UDAAP concerns.
g. The entity has established policies and controls relating to employee and third-party conduct, including:
• Initial and ongoing training;
• Performance reviews or audits;
• Discipline policies and records of disciplinary actions;
• Third-party agreements and contractual performance standards;
• Compensation programs; and
• Monitoring.
h. The entity’s internal control processes are documented.
i. Computer programs are tested and documented to ensure accurate and timely disclosures to consumers.
Transaction-Related Examination Procedures (Page 187)
5. Servicing and Collections
Evaluate whether servicing and collections practices raise potential UDAAP concerns, by considering whether:
a. The entity has policies detailing servicing and collection practices and has monitoring systems to prevent unfair, deceptive or abusive acts or practices.
b. Call centers, either operated by the entity itself or by third parties, effectively respond to consumers’ calls.
c. The entity ensures that employees and third party contractors:
• represent fees or charges on periodic statements in a manner that is not misleading;
• post and credit consumer payments in a timely manner;
• apply payments in a manner that does not unnecessarily increase customer payments, without clear justification;
• only charge customers for products and services, such as insurance or credit protection programs, that are specifically agreed to;
• mail periodic statements in time to provide the consumer ample opportunity to avoid late payments; and
• do not represent to consumers that they may pay less than the minimum amount without clearly and prominently disclosing any fees for paying the reduced amount.
d. The entity has policies to ensure compliance with the standards under the Fair Debt Collection Practices Act to prevent abusive, deceptive, or unfair debt collection practices.
e. Employees and third party contractors clearly indicate to consumers that they are calling about the collection of a debt.
f. Employees and third party contractors do not disclose the existence of a consumer’s debt to the public without the consent of the consumer, except as permitted by law.
g. The entity avoids repeated telephone calls to consumers that annoy, abuse, or harass any person at the number called.
6. Interviews with Consumers
If potential UDAAP issues are identified that would necessitate interviews with consumers, consult with regional management who will confer with Headquarters.