inform. educate. connect. Issue #1 - December 2011  

10 Steps Your Bank Should Take to Comply with the Tricky UDAAP

By Stan Mattice, AuditOne LLC

The Dodd-Frank Act added the word “abusive” to the UDAP regulation making it UDAAP (Unfair, Deceptive, Abusive Acts or Practices). This is a change regulators are watching closely, so bankers need to pay attention and take appropriate action.

“Abusive” was added to provide a wider and more subjective standard for bank compliance. This new subjective standard may increase the likelihood of a UDAAP violation. An abusive practice is basically a representation, omission, or practice that misleads or is likely to mislead the consumer. Banks must now be certain that customers understand everything, and the liability for customers’ bad choices can fall upon the bank.

UDAAP intends to ensure that all consumer financial products and services are fair. It covers just about everything banks do, including marketing materials, pricing notices, disclosures, loan products, credit cards, fees of any kind, and information reporting and sharing.

To give you a better sense of its broad scope, some (but not all) of the areas of the bank impacted by UDAAP include:

  • Truth in Lending Act (TILA)

  • Equal Credit Opportunity Act (ECOA) and Regulation B

  • Privacy Regulations

  • Fair Debt Collection Practices Act

  • Truth in Savings Act (TISA)


  • Risk-based pricing notices

  • Mortgage Loan Originator compensation

  • Mortgage loan products and pricing

  • Credit card programs and pricing

  • Overdraft protection programs

  • Debit card practices and pricing

  • Fees of any kind

  • Information reporting and sharing: FCRA to Privacy Act

  • Customer complaints

  • New products

  • Marketing

  • Disclosures

Here are 10 steps your bank should take to ensure compliance with this tricky regulation.

  1. Update your current UDAP policy to reflect UDAAP. Be sure to include the new sections pertaining to Unfairness: (a) cause substantial harm to consumer, (b) not reasonably avoidable by consumer, and (c) a practice not outweighed by benefits to consumers or competition; and Deception: (a) representation, omission, act or practice that is likely to mislead, (b) act or practice would be deceptive from the perspective of a reasonable consumer, (c) representation, omission, act or practice that is material.

  2. Include UDAAP as a regular agenda item for your Compliance Committee to provide the necessary level of scrutiny and oversight. 

  3. Review your loan policy and procedures to ensure any loan or other compensation incentives are clearly communicated to lending and other affected personnel.

  4. As part of the review process of advertisements and current/new consumer agreements, include your in-house compliance officer as part of the approval process.

  5. Also, utilize the Compliance Committee and compliance officer as control points to perform due diligence reviews for third-party vendors who provide, but are not limited to, advertisement copy, loan agreements, product development and/or debt collection.

  6. Implement immediate and periodic training to make sure all employees are familiar with the new provisions of UDAAP, and perform periodic monitoring to ensure compliance and their understanding and application of the regulation.

  7. Strengthen internal efforts to identify possible customer complaints, and implement controls to ensure they are addressed in a timely and appropriate manner, including periodic monitoring.

  8. Have your Compliance Committee (with assistance from the compliance officer) review all current and prospective consumer disclosures, products and services to make sure they address and conform with all areas of UDAAP. The review must ascertain that customers are fairly guided in their choice of products or services.

  9. Analyze the loan application process and sales delivery systems to identify any conflicts with unfairness, deception or abusive treatment of consumer rights.

  10. Allocate sufficient resources to ensure and demonstrate your bank embraces the regulation. Document your activity with more than adequate Compliance Committee minutes and documentation of your analyses of products, services and advertisements. Provide evidence of training/review/monitoring and periodic independent testing of the control environment (including timely action taken on deficiencies).

In the coming months, we'll be following how regulators interpret these requirements and will share with you any concerns or warnings that may help you prepare to comply with UDAAP.


Stan Mattice is compliance practice director for AuditOne LLC (  His expertise covers the full range of lending and operations compliance; BSA/AML; deposit and lending operations and controls; and SOX and FDICIA controls and testing.  He can be reached at