A Retroactive Approach to Avoiding UDAAP
History has taught us that when it comes to compliance, a proactive approach is always the best approach. Whether it’s related to corruption, misconduct or UDAAP, companies that actively monitor for compliance issues and investigate every possible violation are in a better position when it comes to enforcement.
One of the best ways for financial services organizations to be proactive about compliance with CFPB regulations for avoiding UDAAP is to make sure that not only current and future acts and practices contain no hint of deception or abuse, but also acts and practices instituted before Dodd-Frank. In other words, just because it’s not happening now, doesn’t mean you can’t get into trouble for it.
It’s a lesson banks are learning from enforcement actions.
“Notwithstanding the fact that the Dodd-Frank Act has been around only a few years, practices that predate Dodd-Frank are still subject to UDAAP enforcement authority and have in fact been the subject of enforcement actions,” says Andrea Mitchell, a partner in the Washington, DC office of BuckleySandler LLP “Because the Bureau is asserting jurisdiction over UDAAP violations that pre-date enactment of Dodd-Frank and the ambiguity about the statute of limitations for UDAAP violations, some institutions have decided to take a retroactive lookat their practices to understand their UDAAP risk for prior practices. While taking corrective action to address potential UDAAP violations can help mitigate the risk of a public enforcement action, no amount of voluntary remediation or compliance program enhancements can “undo” a violation of law. So, it is important to understand that you can’t un-ring the bell,” she says.
“If you find what you perceive to be acts or practices at your institution that may run afoul of UDAAP, you have the option of proactively remediating and taking other corrective action or waiting to see if the potential violation goes un-detected by the regulators and enforcement agencies. It is important to remember that voluntary remediation alone does not insulate an institution from a targeted examination, investigation or enforcement action. It is just one piece of the puzzle, ” says Mitchell.
“The Bureau issued a bulletin about responsible business conduct in 2013 that encourages institutions within the Bureau’s enforcement jurisdiction to engage in self-policing, self-reporting, remediation and cooperation with the CFPB. Under this guidance, institutions are expected to adhere to all of the principles set forth in the bulletin to receive favorable consideration in an enforcement investigation. A critical element of the bulletin centers on self-reporting the potential violation to the Bureau, but many banks or companies don’t have an appetite for proactively reporting an issue to the CFPB in exchange for the mere prospect of receiving favorable treatment in a potential investigation down the road, ” she says.
3 Lines of Defense
As with the prudential federal banking regulators, the CFPB expects institutions under its jurisdiction to maintain a compliance program that includes three lines of defense.
1. Business unit: The first level of review should be conducted by the business unit. When creating new products, developing marketing and advertising strategies, drafting sales or account servicing scripts, or determining the terms and conditions of products, companies should be using a UDAAP filter in all of these activities, says Mitchell.
2. Legal and compliance: The second level of review is by the legal and compliance units, to ensure compliance with applicable laws, regulations, and company policy.
3. Audit: The third level of review is internal audit. On a retroactive basis, audit makes sure the company has been doing what it should be doing and is consistent with applicable laws, regulations, and company policy.
When assessing the proper course of action in response to a potential UDAAP violation, the decision to take voluntary and proactive corrective action requires a cost-benefit analysis, says Mitchell.
“It depends on the number of people harmed and the magnitude of the harm,” she says, adding that certain institutions might offer more extensive restitution due to the existence of an open Memorandum of Understanding or Matter Requiring Attention and the heightened consequences of committing another violation while a related matter is pending before the Bureau.
Another aspect of risk involves the severity of the potential UDAAP violation. If it’s not a clear UDAAP violation, and there’s a very low likelihood that it is ever going to come to the regulators’ or consumers’ attention, a company may decide to sit tight.
“There are many factors to consider in how a company will act in response to a potential UDAAP violation, so the discussion should be elevated to the appropriate level of management in the company,” says Mitchell, but she warns that it’s a sensitive issue from a legal and reputational standpoint and should only include those who are essential to making a decision about the proper course of action.