The UDAAP Trap: Avoiding CFPB Penalties for Financial Institutions Using Third Party Services
In response to the financial crisis and recession in the United States that began in 2007, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (now commonly known as "Dodd-Frank"). Dodd-Frank created a vast array of new financial regulations, including the new and independent Bureau of Consumer Financial Protection designed to "regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws."
Now known by its alphabet soup moniker, the CFPB has jurisdiction to enforce one of the simplest, yet most powerful, provisions in Dodd-Frank: "It shall be unlawful for any covered person or service provider to engage in any unfair, deceptive, or abusive act or practice." These "unfair, deceptive, or abusive" acts or practices have become commonly known in the legal and financial industries as "UDAAPs." The CFPB has not implemented formal rulemaking with respect to the prohibition on UDAAPs. Instead, it has made the conscious decision to largely implement its UDAAP rules via its enforcement actions and a series of guidance documents, including the "Supervision and Examination Manual," which articulates CFPB's expectations for how this law is to be enforced.
Much has been written about the impacts of Dodd-Frank, including the prohibition against UDAAPs. This blog, however, focuses solely on potential penalties to financial institutions based on the actions of their third party service providers. Because Dodd-Frank primarily holds the large financial institutions supervised by the CFPB responsible for service provider behavior, these institutions should be aware of and guard against the UDAAP trap.
Third Party Service Providers Can Create UDAAP Risk
Dodd-Frank defines "service provider" as "any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or person." A service provider also includes a party that "participates in designing, operating, or maintaining" financial products as well as one that "processes transactions" relating to financial products. Such a broad definition could capture almost every type of third party service provider with whom a financial institution has a relationship.
While the CFPB has not been explicit about which third party services are subject to scrutiny, the agency has given some high-level guidance on the topic. For example on July 10, 2013, the CFPB issued a bulletin in which it focused almost exclusively on a financial institution's debt collection practices. Based on this initial guidance, it appears that the CFPB is most concerned about those practices that directly interface with the institution's individual customers. Financial institutions have similar direct interactions with their customers through other activities, such as telemarketing services, loyalty programs, and other services that involve a customer's interaction with representatives in a customer service center. Many financial institutions outsource these functions, and such services would likely subject large financial institutions to similar CFPB scrutiny.
Early enforcement actions have confirmed this approach. For example, the CFPB - sometimes in conjunction with other federal and state regulators - has ordered several banks to pay millions of dollars in restitution to consumers, as well as civil monetary penalties to the government, for "deceptive" marketing practices related to add-on products for credit cards and installment loans. In several of these cases, regulators concluded that telemarketers hired by bank service providers deceptively marketed the cost and coverage of the add-ons. In another enforcement action, the CFPB found that a bank engaged in "unfair" billing practices for credit card add-on products by charging consumers for credit-monitoring services they did not receive. Additionally, the CFPB obtained a judgment against a non-bank debt relief company for its alleged "abusive" practice of collecting advance fees from consumers who the company knew could not afford to complete the debt relief program.
Because UDAAP enforcement is in a nascent stage, financial institutions should consider how other third party relationships may trigger UDAAP concerns. For example, if a provider servicing a bank's mortgage portfolios makes systemic errors that cause "substantial injury" to a group of the bank's consumers, it might trigger UDAAP violations, particularly if the bank failed to properly monitor those services. The same could be said for (i) payment card processors that handle customer credit card transactions; (ii) online bill pay service providers that handle bill payments, late fees, and credit reporting; (iii) ATM service providers that process retail banking transactions that are required to post in a timely manner; or (iv) remote deposit capture service providers that manage check scanning and posting.
One type of services, however, that is unlikely to impact directly the interaction between a financial institution and its customers are those services that provide backend IT functions. Examples could include traditional IT managed services, application development and maintenance services, system implementation services, and other back office support services.
Again, the CFPB has not expressly outlined the type of third party services that may subject a financial institution to the highest scrutiny, so each financial institution should carefully review and consider each third party service relationship on a case-by-case basis.
Mitigating the UDAAP Risk
Best practices dictate that each financial institution have in place robust policies and procedures to prevent the occurrence of UDAAP violations within its enterprise. Once such policies and procedures are in place, institutions should also train their employees to ensure maximum compliance.
Because its own policies and procedures are within its control, a financial institution can ensure a certain level of UDAAP compliance, but the behavior of its service providers can be a wild card. In Part 2, we will look at various approaches as to how financial institutions can leverage its third party contracts to mitigate its own UDAAP risk. We will also take a substantive look at some of the key terms that should be considered when negotiating such contracts with third party service providers.