Thank you for these weekly FAQs! My staff and I find them very informative. I am with the compliance department of a bank. We offer a full range of loan and savings products. We are preparing for a regulatory examination that will include UDAAP compliance. I was hoping you could let us know some review areas that we should include in our risk assessment. Specifically, what documentation should we be reviewing for our UDAAP risk assessment?
We appreciate your kind words about our weekly FAQs. We receive many questions and try to choose the ones that may be broad enough for our large readership. Thank you for submitting your question!
Preparing a risk assessment for Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) requires a great deal of focus not only on the material subject to review but also a concerted effort by all stakeholders. I have written extensively on UDAAP, most recently in connection with advertising compliance. You might want to read my eBook on advertising compliance (viz.,visit our website), which includes a discussion on UDAAP.
Generally, there are four examination areas that regulators seek to audit. The examiner wants to determine whether the financial institution:
- Avoids unfairness, deception, and abuse in the context of offering and providing consumer financial products and services;
- Assesses the risk of its practices being unfair, deceptive, or abusive;
- Identifies unfair, deceptive or abusive acts or practices; and
- Understands the interplay between unfair, deceptive, or abusive acts or practices and other consumer protection statutes.
A risk assessment of the financial institution should take into account its marketing programs, product and service mix, customer base, and other factors, as appropriate. This risk assessment is extensive. In responding to the posed question, only the aspects involving certain documentation is here provided. For more information, review the CFPB’s Examination Manual on UDAAP.
The following is a list of documentation areas that should be compiled and reviewed for the purposes of a UDAAP risk assessment:
- Training materials.
- Lists of products and services, including descriptions, fee structure, disclosures, notices, agreements, and periodic and account statements.
- Procedure manuals and written policies, including those for servicing and collections.
- Minutes of the meetings of the Board of Directors and of management committees, including those related to compliance.
- Internal control monitoring and auditing materials.
- Compensation arrangements, including incentive programs for employees and third parties.
- Documentation related to new product development, including relevant meeting minutes of Board of Directors, and of compliance and new product committees.
- Marketing programs, advertisements, and other promotional material in all forms of media (including print, radio, television, telephone, Internet, or social media advertising).
- Scripts and recorded calls for telemarketing and collections.
- Organizational charts, including those related to affiliate relationships and work processes.
- Agreements with affiliates and third parties that interact with consumers on behalf of the entity.
- Consumer complaint files.
- Documentation related to software development and testing, as applicable.
Lenders Compliance Group