The UDAAP Trap: How Financial Institutions can Avoid Penalties when Using Third Party Services


In Part 1, we noted that financial institutions could find themselves potentially liable for committing an alleged Unfair, Deceptive, or Abusive Act or Practice (UDAAP) as a result of the actions of certain types of external service providers, particularly those that interface directly with customers.  In this Part 2, we will discuss how financial institutions can mitigate the risk of UDAAP enforcement actions through their contracting strategies with their service providers.

A New Wrinkle of Risk

In some ways, the CFPB’s UDAAP authority resembles other regulatory regimes in that it places compliance obligations on both the issuer of the product as well as the third-party service provider that helps effectuate a transaction involving such a product.  For example, export control laws place Office of Foreign Assets Control compliance obligations on both parties to a transaction.  Data protection laws apply both to the controller as well as the processor of data.  HIPAA protections for health information apply to the covered entity and its business associates.

In other ways, however,
the CFPB’s UDAAP authority differs from other regulatory regimes because it expressly imposes upon a financial institution an affirmative obligation to supervise closely the behavior of its service providers.  While some other regulators may also impose express obligations (e.g., Office of the Comptroller of the Currency), in many other regulatory contexts, any required supervisory role is typically either less onerous and/or only implied by the regulatory agency.

Of course, it is an outsourcing best practice for a customer to have good management and oversight over its service providers, but the CFPB’s requirements go further.  Indeed, this supervisory obligation may even undercut a financial institution’s rationale to outsource certain functions in the first place and lead an institution to forego pursuing the outsourcing relationship during an initial risk assessment if the institution believes the potential service provider could expose the institution to UDAAP liability.

All outsourcing relationships involve some level of risk.
Depending on the nature of the services, a bank may be handing over sensitive data, management of key processing functions, or responsibility to keep IT infrastructure safe and secure.

The CFPB, however,
appears to have added a new wrinkle of risk to what would otherwise be considered a “standard” level of outsourcing risk – for certain services related to consumer financial products or services, if a financial institution’s service provider engages in behavior that the CFPB finds unlawful under its UDAAP authority, then the financial institution itself is potentially liable for the conduct of its service providers and could be subject to substantial penalties.

A Delicate Balance

But this risk is not insurmountable.  A thoughtful vendor management/contracting strategy can mitigate a financial institution’s risk by incorporating UDAAP obligations into its service provider contracts and sensibly allocating the risk between the parties.
In addition to addressing the risk responsibility in the contract, the financial institution should consider establishing a service provider monitoring and governance framework that expressly addresses UDAAP risk.

Financial institutions will want to implement specific solutions (which may even vary service provider to service provider) to ensure that it sufficiently protects itself while at the same time not being too heavy handed with its business partner.  A financial institution and its counsel will need to maintain that delicate balance between seeking the necessary protection and creating obligations that can get in the way of doing business.

With this balance in mind, there are two high-level procedural approaches a financial institution’s counsel may want to consider.

Single Purpose Agreement

One method a financial institution could employ is to execute single purpose “UDAAP Agreements” with all of the relevant service providers across the enterprise.  This approach is analogous to a company requiring its service providers to enter into NDAs or (for HIPAA covered entities) Business Associate Agreements.

Such an initiative will likely take a fair amount of effort, but it could also bring significant benefits.  First, the institution is starting out with standard terms.
Assuming counsel is successful in limiting negotiation, then all the relevant service providers are signing up to more or less the same obligations,
which creates consistency with respect to meeting the CFPB’s duty to supervise.

Second, this approach gives the institution room to be specific about what is required.  Some service providers may not know their precise obligations with respect to the prohibition on UDAAP, and having such clear obligations may be beneficial to the financial institution in showing the CFPB that the institution is taking its affirmative obligations seriously.

Finally, with respect to those agreements already in place, a single purpose approach avoids having to reopen and amend the existing terms.
With respect to new agreements being negotiated, the single purpose approach allows the institution to segregate the risk terms (e.g., liability and indemnities) from the underlying commercial transaction, which may result in more efficient negotiations.

Integrate the Terms

Another approach is to integrate the UDAAP obligations into the underlying service provider contract.  Integrating the terms into an underlying agreement may enhance the institution’s leverage because each party has the “let’s get a deal done now” mentality if it is a new contract.

Integration of the terms into the underlying transaction is also similar to the way many outsourcing contracts deal with other regulatory issues like data protection and export controls, so the approach is unlikely to surprise the service provider.  Taking this approach may result in negotiating “fewer words” because some aspects of compliance (e.g., reporting and audit rights) may already be captured by other portions of the contract.

For those outsourcing transactions that, in the grand scheme of things, present a comparatively lower risk to the financial institution, a single purpose agreement may be too much when simpler integrated terms would suffice.
Compliance obligations with such low-risk transactions may simply be handled in a standard “compliance with laws” section in the agreement.

With respect to medium-risk to high-risk transactions, however, an institution will want to guard against taking a simplistic approach to integration.  In other words, the institution should resist trying to address UDAAP by simply inserting a “compliance with Dodd-Frank”
obligation or “compliance with bank policies” obligation into the contract.  Although the service provider may be more agreeable to closing the issue this way, the actual obligations to prevent UDAAP violations are not spelled out.
If CFPB examiners come looking for UDAAP violations, the bank may not have a good story to tell about its good faith effort to mitigate risky UDAAP behavior with that service provider.

Key Negotiation Points

In addition to deciding on the best approach as described above, the financial institution will need to able to negotiate the substantive UDAAP terms.  Of course, a bank’s negotiation strategy is highly dependent on the nature of the deal, the leverage each party has, and whether the particular relationship is high or low risk.

The financial institution should focus on the following key areas of risk when negotiating UDAAP terms.

1. Liability.  As we noted in Part 1, CFPB enforcement actions to date have resulted in fines and restitution obligations that could run into the hundreds of millions of dollars.
Such penalties likely would vastly exceed an agreement’s standard liability cap on direct damages.
Therefore, a bank’s counsel should attempt to exclude such regulatory fines from any liability caps. 

2. Indemnities.  A full indemnity from the service provider for regulatory fines may also be appropriate depending on the nature of the services, particularly for high-risk services that directly interface with an institution’s consumers. 

3. Termination.  An institution should also negotiate flexible termination rights with the service provider, so that the institution can exit a relationship in case the service provider engages in prohibited UDAAP activity.  CFPB examiners will likely look favorably upon an institution with such flexible termination rights.

4. Operational Oversight.  In addition to the traditional risk terms described above, other business and operational terms warrant consideration as well.  To ensure that the institution is able to exercise its heightened obligations to monitor and supervise, it should seek frequent reporting and good recordkeeping practices from its service providers.  Strong audit rights on behalf of the institution are also recommended by the CFPB.  A robust governance framework with the service provider may also be an important part of the financial institution’s ongoing monitoring and compliance efforts.

5. Performance Incentives.  In its guidance documents, the CFPB has noted that consumer complaints can serve as a leading indicator as to whether a UDAAP has occurred.  Not only should an institution look to implement a process for how customer complaints get analyzed and reported up to the bank, but also the institution should consider tailor-made service levels for incentivizing the service provider to limit such complaints in the first place.  Implementing such proactive performance measures will likely show CFPB examiners that the institution is looking to curb violations before they occur.


Implementing such a contracting strategy is an essential component of any financial institution compliance program.  Among other things, it likely will go a long way in showing the CFPB that a good faith effort has been made to comply with UDAAP rules and ultimately help the financial institution avoid enforcement actions.