The regulatory concept of “unfair or deceptive acts or practices” is hardly a new one.

The Federal Trade Commission Act, enacted in 1914, used similar language to empower the eponymous agency it created to protect consumers and businesses. That standard, known as UDAP, was more recently applied to the Consumer Financial Protection Bureau when the CFPB was created by the Dodd-Frank Act in 2010—and it is causing financial firms all sorts of trouble.

The Dodd-Frank Act not only embedded UDAP into the CFPB’s mandate; it added an extra A, for “abusive.” The problem is that those loaded words carry only broad definitions, with little clarity about their meaning offered by the Bureau aside from hints that might be gleaned from enforcement actions.

“UDAAP really is a different kind of animal,” says Samuel Friedman, shareholder with the law firm Sirote & Permutt. “Compliance officers and attorneys are used to thinking in clear black-and-white rules. We are used to laws like the Fair Credit Reporting Act and Truth in Lending Act that say thou shall or thou shall not.”

UDAAP, however, has no list of clear rules, “and that’s what makes it especially challenging,” Friedman continues. “A company can be in technical compliance with every other state and federal law, but still be breaking the law because you are doing something that, in the eyes of the CFPB, is unfair, deceptive, or abusive.”

A high-profile case where the CFPB flexed its UDAAP muscle came in May, when online payment service PayPal agreed to a $25 million settlement related to allegations that the company wrongfully pushed consumers to use its credit product, “Bill Me Later.” The CFPB alleged that PayPal signed consumers up for credit without their permission or clear understanding of what they were agreeing to. The practices were deemed “abusive.”

Because PayPal is a mainstream, well-known company, the enforcement action puts other companies on notice that the CFPB is not afraid to target large companies with “abusive” enforcement actions, says Timothy McTaggart, a partner with law firm Pepper Hamilton.

“There is no list of clear black-and-white rules, and that’s what makes it especially challenging.”
Samuel Friedman, Shareholder, Sirote & Permutt

Since 2013, the CFPB has filed nearly a dozen enforcement actions involving allegations of abusive conduct under UDAAP, with settlements totaling more than $130 million, according to a recent breakdown by Pepper Hamilton. The details of these settlements, however, do little to illustrate how those actions might translate to a broad set of facts and circumstances that might be applied to other companies.

In McTaggart’s view, the CFPB should provide formal guidance and bright-line standards, but it has been reluctant to do so. “They may have a genuine belief that they are incapable of writing a coherent regulation on this and, by necessity, the contours of what is or isn’t abusive or permissible will only develop over time through enforcement actions or a delineation of fact patterns,” he says.

As for the guidance that is available, much of it directly geared to specific interests like debt collectors and credit card companies, is mostly “just platitudes and a regurgitation of the statutory language,” McTaggart says. “It doesn’t give you more content or guide you. It’s the same language as in the statute so you won’t comprehend it in any more meaningful a way, and they don’t put a context around it.”

Adding to corporate consternation is the CFPB’s controversial complaint database, an online depository of consumer grievances and responses from the financial institutions involved. The database accepts complaints on many consumer financial products, including credit cards, mortgages, bank accounts, loans, credit reporting, money transfers, debt collection, and payday loans. In June, more than 7,700 complaint narratives, initially held from the database, were added and made public.

Will the CFPB review these narratives to bolster UDAAP enforcement? The limited guidance the Bureau has issued regarding UDAAP suggests that could be the plan, with its enforcement handbook noting that complaints “are the number one indication … a violation is occurring.

“Analyzing consumer complaints really could be the CFPB’s primary litmus test,” Friedman says. “A disproportionate number of consumer complaints in one specific area, at one specific branch, or regarding a specific issue is a pretty clear indication that you have a problem.”


As detailed in its Supervision and Examination Manual, standards the Consumer Financial Protection Bureau will use when assessing UDAAPs.
A representation, omission, act, or practice is deceptive when: the representation, omission, act, or practice misleads or is likely to mislead the consumer; the consumer’s interpretation of the representation, omission, act, or practice is reasonable under the circumstances; and the misleading representation, omission, act, or practice is material.
An act or practice is unfair when: it causes or is likely to cause substantial injury to consumers; the injury is not reasonably avoidable by consumers; and the injury is not outweighed by countervailing benefits to consumers or to competition.
An abusive act or practice: materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or takes unreasonable advantage of:  a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; the inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
Consumer complaints play a key role in the detection of unfair, deceptive, or abusive practices. While the absence of complaints does not ensure that unfair, deceptive, or abusive practices are not occurring, complaints may be one indication of UDAAPs. For example, the presence of complaints alleging that consumers did not understand the terms of a product or service may be a red flag indicating that examiners should conduct a detailed review of the relevant practice. This is especially true when numerous consumers make similar complaints about the same product or service. Because the perspective of a reasonable consumer is one of the tests for evaluating whether a representation, omission, act, or practice is potentially deceptive, consumer complaints alleging misrepresentations or misunderstanding may provide a window into the perspective of the reasonable consumer.
Examiners should consider the context and reliability of complaints; every complaint does not indicate violation of law. When consumers repeatedly complain about an institution’s product or service, however, examiners should flag the issue for possible further review. Moreover, even a single substantive complaint may raise serious concerns that would warrant further review. Complaints that allege, for example, misleading or false statements, or missing disclosure information, may indicate possible unfair, deceptive, or abusive acts or practices needing review.
Source: CFPB.

The complaints could also help the CFPB determine that a problem was not isolated. “UDAAP is based on the perspective of a ‘reasonable’ consumer, therefore if several customers complain and allege misrepresentations or misunderstandings, those complaints may provide a window into the perspective of the reasonable consumer,” says Erin Illman of the law firm Bradley Arant Boult Cummings. “When customers repeatedly complain about an organization’s product or service, the organization may want to flag those issues for further review.”

As the CFPB monitors consumer complaints to detect violations of consumer financial laws, firms should consider using a process to monitor and track consumer complaints to stay ahead of any potential violations, Illman says.

Beyond waiting for fresh enforcement actions that may provide a few more tea leaves to read, McTaggart suggests that financial firms tread carefully when launching new products or services.

“Before you do anything new or enter into a new relationship you really need to vet it against these CFPB standards and use compliance and legal professionals to do that,” he says. “Arguably, you should be doing the same thing with your existing product lines, but the reality is you have a depth of expertise with your existing relationships and products, and you are trying to run a solid business without looking to trick or trap consumers, so they should hold up on their own.”

He cautions that, even with what might be viewed as adequate disclosures, changes to how fees are assessed is likely to be a UDAAP red flag for the CFPB.

Ultimately, the best advice for avoiding this new breed of enforcement action is to ensure that your firm addresses the risk actively. “If you have a strong compliance culture in place, it should carry you through CFPB exams, scrutiny, and agency developments,” McTaggart says. “The challenge is to maintain that strength if you have it, and to the extent there is a vulnerability or weakness, build it up. It means bringing in regulatory expertise at the board level, having regulatory expertise on staff, and having a centralized risk assessment committee that is aware of the risk across the organization as a whole.”

Every finance company should have a compliance management system, Friedman says, calling it “the first thing the Bureau expects to see if your company is subject to supervision or enforcement.”

That system should incorporate board and management oversight, written policies and procedures, response to consumer complaints, and a compliance audit. “Going through the process of implementing a compliance management system is a valuable exercise on its own because it gives the company a framework to evaluate internal policies and procedures,” he says.

Other suggestions: Regularly review the features of all products and services, looking for language, especially in promotional materials, that might be misinterpreted; and evaluate third-party service providers to ensure their activities don’t raise UDAAP concerns.