Avoiding UDAAP

Historically, credit unions have used a member-focused approach in their operations with products/services and an overall strategic plan designed to serve members’ needs. This business model has served credit unions (and their members) incredibly well, and has in particular made credit unions an unlikely environment for unfair, deceptive, abusive acts or practices, also known as “UDAAP.”

Nevertheless, the Dodd-Frank Wall Street Reform and Consumer Protection Act and the creation of the Consumer Financial Protection Bureau heightened risks for all providers of financial products and services in this area. Below are seven steps credit unions should take to understand, monitor and reduce their risks of being cited under these rules.

1. Understand UDAAP.

Credit unions have historically been subject to the interpretation of the National Credit Union Administration (and the Federal Trade Commission) of “unfair or deceptive acts or practices.” Over the years, there have been very few situations where credit union practices were brought into question under the UDAP tests.

However, the Dodd-Frank Act changed the landscape and added a new “abusive” test – expanding the acronym to “unfair, deceptive or abusive acts or practices.” This expansion – along with UDAAP being named a priority of the CFPB – has required credit unions to conduct a comprehensive review of their products and services.

Importantly, a particular act or practice does not need to be a regulatory violation for it to be considered a UDAAP violation. Thus, credit unions need to be sure to have a strong risk management program to review, analyze and mitigate potential UDAAP risks.

2. Draft a UDAAP policy.

A UDAAP policy should be the starting point for all credit unions. It should outline the credit union’s commitment to refrain from acts or practices that could be considered unfair, deceptive or abusive. The policy should also discuss the steps the credit union will take to review and prevent UDAAP concerns. For example, the UDAAP policy should provide a general outline of how the credit union will address steps 3 through 7 below.

The policy does not need to go into the details. Rather, your existing procedures – vendor management or addressing member complaints, for example – will explain the precise steps the credit union is taking. The UDAAP policy highlights those existing practices and reiterates that products and services offered are understandable and fair to members.

3. Review marketing content.

A key component in reducing UDAAP risk is clear, understandable marketing language. This goes beyond the technical advertising disclosure requirements and extends to the overall message conveyed to members and potential members. Credit unions should set up consistent procedures to review marketing and advertising content to ensure regulatory compliance and review for potential UDAAP concerns. Additionally, credit unions should monitor members’ actual usage of each product or service and determine if usage matches how the product or service was described in the advertisement.

4. Review the fine print.

In most UDAAP situations, the financial institution’s practice differed from its written disclosure or contract. And, in most cases, the marketing of the product or service differed as well. Credit unions need to ensure their marketing language matches their disclosures and that both of these are consistent with their actual practices.

The easiest way to increase UDAAP risk is to market a product or service in a manner that is inconsistent with the credit union’s full disclosures or practices. Credit unions that consistently review their actual contractual terms and existing procedures will be able to easily identify situations where the marketing approach is inconsistent and take actions to align all three aspects: marketing, disclosures and practices.

5. Monitor your vendors.

A common theme in UDAAP violations is unmonitored third-party service providers. Your credit union’s reputation is on the line every time a member conducts a transaction with you – and your third-party partners. A credit union’s vendor management program should include a UDAAP risk assessment and there should be ongoing monitoring of the relationship over time.

6. Manage complaints.

Member complaints are the No. 1 way regulators learn of potential UDAAP violations. Therefore, robust member complaint procedures should be part of the credit union’s overall UDAAP policy. Complaints (both formal and informal – such as Facebook and Twitter) are the perfect place to determine if there is something about the product or service that is not straightforward or clear. And, rather than just address the complaints and fix the errors, credit unions should track the information and monitor the trends over time. Are certain third-party service providers generating more complaints? If so, that is a clear indicator that additional monitoring is required.

7. Train staff.

When it comes to UDAAP, there are not black-and-white regulatory requirements. The issues are more subjective and open to interpretation. This only heightens the need for staff training, so employees are aware of UDAAP risks. Credit unions also need to empower employees to speak up if they identify an area that needs to be reviewed more thoroughly to ensure the credit union’s marketing, disclosures and practices are properly aligned.

Steve Van Beek is an attorney and counselor at Howard & Howard Attorneys PLLC in Royal Oak, Mich. He focuses his practice on helping credit unions serve their members by successfully managing their compliance, legal and strategic risks.