CSI Resources

Surviving UDAAP: CSI’s Guide to Compliance

  • by Amber Goodrich
  • Apr 02, 2015

Since its introduction in the Dodd-Frank Act, Unfair, Deceptive or Abusive Acts or Practices (UDAAP) has had financial institutions jumping through flaming hoops, trying to avoid penalties and enforcement actions. And unlike its predecessor, Unfair or Deceptive Acts or Practices (UDAP), which will likely be eliminated, UDAAP is here to stay.

So how is your financial institution supposed to stay compliant with vague rules that are often hard to understand? These tips for staying UDAAP compliant can make your compliance efforts more successful.  

UDAAP Has Only 1 Rule: There Are No (Clear) Rules

The hardest thing about UDAAP is that there are no clear rules. The Consumer Financial Protection Bureau (CFPB) has offered little guidance about what it is looking for in exams, and enforcement actions span every aspect of financial institution practices. In an industry where guidance for federal regulations is typically well defined, UDAAP makes planning for exams a new challenge for financial institutions.

The CFPB has now made its UDAAP exam manual public, and financial institutions can look to existing enforcement actions to help inform what practices to avoid and what practices to follow. But UDAAP guidelines remain very gray compared to other federal regulations, which are more black and white in their definitions.

7 Tips for Prepping for Your UDAAP Exam  

When preparing for your next UDAAP exam, there are a few things you should keep in mind:

  1. Conduct a Risk Assessment

    The first thing regulators expect is for financial institutions to complete a risk assessment. And though UDAAP makes it hard to do because you don’t always know what you’re looking for, showing that you’re making an effort to protect your IT assets and your customers’ confidential data is a great place to start.

  2. Create a Formal UDAAP Policy

    In addition to a UDAAP risk assessment, regulators also want to see a formal UDAAP policy. Whether that’s stand-alone or incorporated into your existing policies, it’s helpful to include language about how you comply with UDAAP and how you avoid unfair, abusive or deceptive practices.

  3. Review Your Products and Services

    Audit your product and service features to ensure that terms and conditions are properly disclosed. You’ll need to provide even more detail than you think is necessary, just to make sure all consumers can understand. And don’t forget to include new products and services in this process. When you’re starting a new rewards program or overdraft program, UDAAP needs to be considered.

  4. Implement Compliance Review for Advertising Materials

    All advertisements should undergo both marketing review and some form of compliance review. For example, if you have a smaller financial institution, perhaps your compliance officer reviews all ads. Whatever your process, make sure all proper disclosures are included and nothing appears misleading or could be considered deceptive advertising.

  5. Evaluate Vendor Relationships

    You’re responsible not only for ensuring your financial institution is UDAAP compliant, but also for ensuring your third-party service providers are. Any third-party providers, like CSI or any other vendor you’re working with, are subject to the same UDAAP laws. Help avoid vendor management compliance violations by including UDAAP compliance expectations in your contracts and maintaining proper service provider oversight.

  6. Monitor Enforcement Actions

    Learn from your peers’ mistakes. Take a proactive approach to exam planning by actively monitoring the compliance issues addressed in UDAAP enforcement actions. Then take strides to ensure your financial institution mitigates risks to avoid similar penalties for deception and abuse.

  7. Pay Attention to Consumer Complaints

    Like monitoring enforcement actions, paying attention to what’s buzzing with consumers can help inform your UDAAP preparations. Check out the CFPB’s public complaint database, which features unfiltered complaints against financial institutions. And don’t be surprised if new rules surface as the result of common complaints.

Getting Used to UDAAP Compliance

It may seem hard to comply with something when you don’t know exactly what you’re looking for, but UDAAP is something we’re going to have to get used to. That means we need to consider UDAAP in everything we do. We have to stop thinking of UDAAP as an isolated federal regulation because UDAAP can target any aspect of your financial institution’s practices. 

So make sure you’re abiding by the core consumer protection rules you understand, and go above and beyond to implement proper disclosures. And even though program disclosures may seem like common sense, UDAAP wants to see your terms and conditions spelled out. Don’t let the nitty-gritty details put pressure on your organization—use these tips as your guide to UDAAP compliance.


Amber Goodrich, consumer strategist for CSI Regulatory Compliance, has more than 10 years of financial industry experience. She is a Certified Regulatory Compliance Manager (CRCM) and Certified Bank Secrecy Act (BSA) Professional (CBAP).