inform. educate. connect. Issue #2 - March 2012  

Best Practices in Developing your UDAAP Risk Management Program

By Linnea Solem, Deluxe Corp.

The heightened focus on consumer protection in today’s regulatory landscape brings scrutiny to all aspects of marketing financial products and services. Multiple and converging market factors require banking organizations of all sizes to assess the risk of potential unfair or deceptive practices. With the expanded enforcement power of the Consumer Financial Protection Bureau (CFPB) to identify Unfair, Deceptive And Abusive Practices (UDAAP), banking organizations need to revamp their current risk assessment processes. Updated examination procedures set the tone for risk management priorities regarding consumer protection across all prudential regulators.

A starting point for any risk assessment is ensuring common language on UDAAP fundamentals, which introduced a new standard for compliance. Differentiating the level of fairness between deceptive and abusive can be viewed from three points of view: (1) How the offer is made; (2) How the consumer perceives the offer; (3) How the consumer is affected.

UDAAP Fundamentals

  • Unfairness: The standard for unfairness focuses on practices likely to cause substantial injury to consumers that cannot be reasonably avoided and that is not outweighed by countervailing benefits to the consumer.

  • Deceptive: The standard for deceptive focuses on a material misrepresentation or omission of information that is likely to mislead consumers acting reasonably.

  • Abusive: The highest bar for a practice to be considered abusive is that it materially interferes with the ability of a consumer to understand a term or condition that takes unreasonable advantage of the consumer’s lack of knowledge, or inability to protect themselves, based on the consumer’s reliance on the institution to act in the consumer’s interest.

The common theme in assessing a particular practice is to look at the practice through the eyes of your customer. Assess the particular product or service and its specific features or attributes: Is there a fair balance between the benefits to the customer and the benefits to your financial institution? The challenge is that by their very nature financial products and services are based on complex rules and regulations that can perplex consumers. An organization’s ability to educate the customer through use of simple, transparent and understandable terms can avoid UDAAP red flags.

Emerging Market Factors
There are disruptive market factors and technologies that complicate the risk assessment of particular practices. It’s not enough to simply look at the product or service offering alone – UDAAP risk must be assessed in the context of channel marketing, and the customer’s knowledge and usage of technology. In today’s fast-paced connected world, new technologies can trigger customer confusion including the ability to ensure privacy protections in mobile marketing; online behavioral advertising and unanticipated usage of customer data; negative option marketing programs for enrollments, and fundamental electronic payments knowledge. As technology and self-service channels expand, identifying appropriate notice and consent options becomes a component of your UDAAP risk assessment. And remember that the consumer chooses which channel based upon the consumer’s preference.

One of the hottest topics in the recent fairness debate is the variability and overlap in overdraft protection rules for different payment types – and ensuring the customer truly understands which rules apply for a particular transaction. The focus needs to be on the overall net impression left with the average consumer and the customer experience.

Don’t underestimate the power of social media in conveying and reporting the customer backlash to changes in financial products or services. Customer advocacy and the power of public opinion can quickly derail the launch plan of a new financial product or service or a restructure of your current accounts.

Building your UDAAP Roadmap
Any UDAAP-focused risk assessment builds upon your existing compliance programs for consumer protection compliance – the “Alphabet Soup” or A to Z’s of consumer regulatory compliance. It extends the compliance disclosure “check the box” mentality to a more holistic assessment of the manner in which the customer was offered the product or service and their ability to comprehend the features and benefits.

Any risk assessment of marketing practices for financial products or services starts with building a plan to assess your practices from multiple viewpoints. The following building blocks can serve as a starting point in developing your UDAAP risk assessment program:

  1. Conduct your risk assessment based on the nature and structure of the offer: Review each financial product or service with respect to the entire offer and the individual terms/conditions or offer attributes. When bundling products or services, ensure that costs and benefits are embedded in accountholder agreements and disclosures. Research product profitability and penalties to understand the fee income and cost structure for each offer. Inventory your disclosures and benchmark customer understanding. Prioritize your assessment by focusing first on the products or services with the greatest volume of customers who could be at risk. 

  2. Assess your marketing and advertising practices: Conduct an inventory of all channel marketing and advertising collateral. Inspect your offers for targeting to vulnerable populations. Analyze your advertising spend to avoid advertising only the higher cost products. Broaden your existing data analytics models – focused on FCRA/FACTA compliance – to avoid potential discrimination or fairness issues. Make sure your compliance team is at the table for new campaigns or major shifts in product offers both to assess risk prior to changes, and to assess risk after the changes based on customer reaction.

  3. Integrate the financial measures into your review: Implement daily dashboards for credit portfolio analysis to monitor risk for higher risk lending products. Use technology solutions for management reporting on higher risk products to spot variances in current practices. Conduct a spot check or internal audit of incentive plans. Monitor and measure your refunds/return ratio as compared to overall sales of a particular product. Update your board reporting packages to account for all types of risk. 

  4. Embed UDAAP into your standard practices: Embed the “Four P’s” (prominent, presented, placement, proximity), found in the UDAAP section of the CFPB’s Supervision and Examination Manual, into your web privacy policy and web site content review and approval process. Measure readability scores for key compliance documents, and adapt or create customer education tools to simplify understanding. Adapt your customer service training for employees to transform their “complaint” radar to spot customer issues. Sample a set of your customer credits/disputes to perform customer perception research on potential UDAAP issues.

  5. Build a repeatable customer communication model:  Managing and maintaining compliance in your offers is an iterative process. As new features are added to products and services, the entire cycle must be repeated. Build a sustainable and consistent method to communicate the change; provide the disclosure; capture the decision if needed; educate and confirm understanding; monitor results, feedback and complaints.

Customers will have complaints, and may easily not like the terms, conditions or fees that apply to financial products or services. The new bullseye is on managing consumer complaints and assessing the root cause to uncover the risk of potentially unfair, deceptive or abusive marketing practices. Bottom line: The key is reviewing your selling strategies and ensuring your customer communication accurately describes the product or service, both benefits and drawbacks, so that the message “Know Before You Buy” is as familiar as “Think Before You Click” in the eyes of the customer.


Linnea Solem, CIPP, CIPP/C is chief privacy officer and director of business risk & privacy management for Deluxe Corp. She can be reached at 651-483-7740 or