QUESTION
Thank you for these weekly FAQs! My staff and I find them very
informative. I am with the compliance department of a bank. We offer a full
range of loan and savings products. We are preparing for a regulatory examination
that will include UDAAP compliance. I was hoping you could let us know some review
areas that we should include in our risk assessment. Specifically, what
documentation should we be reviewing for our UDAAP risk assessment?
ANSWER
We appreciate your kind words about our weekly FAQs. We receive many
questions and try to choose the ones that may be broad enough for our large
readership. Thank you for submitting your question!
Preparing a risk assessment for Unfair, Deceptive, or Abusive Acts or
Practices (UDAAP) requires a great deal of focus not only on the material
subject to review but also a concerted effort by all stakeholders. I have
written extensively on UDAAP, most recently in connection with advertising
compliance. You might want to read my eBook on advertising compliance (viz.,visit our website), which includes a discussion on UDAAP.
Generally, there are four examination areas that regulators seek to
audit. The examiner wants to determine whether the financial institution:
- Avoids unfairness, deception, and abuse in the context of offering and providing consumer financial products and services;
- Assesses the risk of its practices being unfair, deceptive, or abusive;
- Identifies unfair, deceptive or abusive acts or practices; and
- Understands the interplay between unfair, deceptive, or abusive acts or practices and other consumer protection statutes.
A risk assessment of the financial institution should take into account
its marketing programs, product and service mix, customer base, and other
factors, as appropriate. This risk assessment is extensive. In responding to
the posed question, only the aspects involving certain documentation is here
provided. For more information, review the CFPB’s Examination Manual on UDAAP.
The following is a list of documentation areas that should be compiled
and reviewed for the purposes of a UDAAP risk assessment:
- Training materials.
- Lists of products and services, including descriptions, fee structure, disclosures, notices, agreements, and periodic and account statements.
- Procedure manuals and written policies, including those for servicing and collections.
- Minutes of the meetings of the Board of Directors and of management committees, including those related to compliance.
- Internal control monitoring and auditing materials.
- Compensation arrangements, including incentive programs for employees and third parties.
- Documentation related to new product development, including relevant meeting minutes of Board of Directors, and of compliance and new product committees.
- Marketing programs, advertisements, and other promotional material in all forms of media (including print, radio, television, telephone, Internet, or social media advertising).
- Scripts and recorded calls for telemarketing and collections.
- Organizational charts, including those related to affiliate relationships and work processes.
- Agreements with affiliates and third parties that interact with consumers on behalf of the entity.
- Consumer complaint files.
- Documentation related to software development and testing, as applicable.
Jonathan Foxx
Managing Director
Lenders Compliance Group
