Does Your Bank Have a UDAAP Policy?
It seems everywhere bankers look these days they are inundated with warnings about the possibility of the dreaded “UDAAP” claim – that somewhat nebulous concept requiring that banks avoid being “unfair,” “deceptive” or “abusive” toward their customers. Bank regulators have the authority to allege unfair, deceptive or abusive acts or practices violations against banks even when the banks are following other banking laws and regulations to the letter.
Since UDAAP requirements appear more subjective than most other banking laws, bankers may wonder how to go about ensuring compliance with these requirements. Of course, having a culture within the bank that focuses on treating customers with respect and giving them all the information needed to make informed decisions goes a long way. Beyond that, however, bankers should approach UDAAP compliance much the same way they approach other areas of compliance: perform a risk assessment, prepare a policy, train staff, audit compliance and report to the board.
Applying normal bank compliance program concepts to UDAAP will not only ensure compliance is regularly monitored and provide bank staff with useful tools to approach this area, but it will signal to the bank’s regulators that the bank is taking a thoughtful, strategic and comprehensive approach to adhering to the UDAAP standards.
While the compliance program applied to UDAAP should generally be consistent with other compliance requirements, the UDAAP policy itself is likely to look a little different than most other bank policies due to the fact that UDAAP is more of a principles-based set of rules than the technical rules addressed in other bank regulations.
Further, UDAAP crosses traditional boundaries between deposit and lending services and even reaches into the marketing area. Senior management and the board must also be familiar with UDAAP concerns as they make strategic planning decisions regarding new products and services, vendor and other third-party relationships, incentive compensation initiatives, and other decisions that may directly or indirectly affect how the bank treats its consumer customers.
So what should be included in a UDAAP policy? As with other policies, it would be good to start with the bank’s policy statement, stating in a couple sentences what the bank aims to accomplish with its policy. For example, the policy might state the bank’s desire to treat customers fairly, to provide clear and complete communications regarding products and services, and to respond to customer concerns promptly and courteously.
Second, the policy should include brief descriptions of the “unfair,” “deceptive” and “abusive” concepts. These descriptions should be based on the definitions set forth in the UDAAP statute and might include certain general actions to be avoided (e.g., making false statements).
This may be the most difficult portion of the policy to prepare because the UDAAP law does not provide a laundry list of prohibited activities. Instead, the descriptions need to carefully communicate the principles UDAAP promotes. This principled approach to compliance is a departure from traditional bank compliance, so it might feel uncomfortably vague; however, the intent is to encourage the staff to think about these concepts as they go about their day-to-day activities, to ask questions and to point out potential UDAAP compliance problems for compliance personnel or other responsible personnel to review.
The next section of the policy should set forth specific steps to be taken by bank personnel to prevent or uncover UDAAP issues. This might include regular reviews of customer disclosures, marketing materials, contracts and other materials provided to customers. These documents need to be clear, concise, complete and consistent, with an aim to fully inform customers of their rights and obligations in connection with a particular bank product or service. The policy should provide for reviews of new products and features for UDAAP compliance. The policy should also address topics such as customer complaints, vendor management and fee structures.
In addition, the policy should provide for periodic employee training and discuss the ramifications to employees for UDAAP policy violations. The policy should also discuss the bank’s policy regarding risk assessments, audits and board reporting and their frequency.
UDAAP involves a new layer of compliance that affects every facet of a bank’s activities that touch its consumer customers. More and more, the public and the regulators expect banks to help consumers fully understand the financial choices they make and the potential consequences of their decisions. Banks will find it easier to fulfill this increased responsibility with a formal, uniform approach. Further, preparing a formal compliance program and UDAAP policy will demonstrate to regulators that the bank takes UDAAP compliance seriously, has given this topic significant thought and is doing what it can to comply with these sometimes uncertain standards.
A UDAAP policy is an important tool for promoting compliance and demonstrating the bank’s commitment to treating customers fairly and helping them make informed decisions.