By Meg Sczyrba, CRCM, and Phillip R. “Rick” Freer, Jr., CRCM
A Field Guide to Taming the UDAAP Beast
It has been nearly 10 years since the unfair,
deceptive or abusive acts or practices (UDAAP) beast was first
hatched and began unleashing terror upon the banking industry.
Now that the beast is in its adolescence, bank compliance officers
mostly have been waiting to see what will provoke the next strike.
While most regulations provide detailed requirements, the Dodd–Frank Wall
Street Reform and Consumer Protection Act
(Dodd-Frank) says only that banks cannot
“engage in any unfair, deceptive or abusive
act or practice” [Dodd-Frank Act §1036]. In
addition, the Consumer Financial Protection
Bureau (CFPB) and prudential regulators
now consider whether any banking practices
will harm consumers. While the regulators have provided some insights through
the UDAAP examination procedures and
institution guidance, there is little other
concrete definition of the requirements.
Without any clear path to walk, compliance officers are finding it difficult to
apply their traditional tools to UDAAP
compliance. However, failing to develop
and maintain a risk assessment to understand the beast could result in high costs
for the bank including setting yourself
up for extended examinations, staring at
headlines exposing your bank’s UDAAP
violations, or simply letting your examiners
solely determine what your risks are and
how you should manage them.
10 | ABa BANK compliance | MAY-JUNE 2013
A field guide to taming the udaap beast
There are, of course, various ways to conduct any risk assessment, including one for UDAAP. One common method (which the CFPB also uses) is
to observe the level of risk in the undisturbed environment (inherent risk).
Then review the system and control traps set to tame the beast, document
those efforts, and rate their strength. At the end of this exercise, you’ll have
a snapshot of the remaining (residual) risk. From that, you can determine
if you have an acceptable amount of risk or if you need to bolster controls
to align with your bank’s stated risk tolerance. While determining inherent risk and controls for traditional compliance regulations is never an
exact science, their explicit requirements do provide a starting point that is
not available in the nebulous UDAAP world. This article aims to deliver a
starting point to assist you in attempting to tame the UDAAP beast. For a
full list (which is too numerous to document in this article), you can go to
aba.com/UDAAPmatrix. (Note: UDAAP risk will be used interchangeably
with the term consumer risk in the story).
Inherent Risk Factors
Your UDAAP adventure starts with an analysis of your inherent risk:
UDAAP in its natural habitat. There are four primary UDAAP risk sources: retail footprint, strategic direction, operations, and UDAAP environment. Remember, higher inherent risk is neither good nor bad.
Retail Footprint
How your board defines your bank, including the products and services it
will offer and geographic boundaries it sets, impacts the bank’s consumer
risk profile. Even slight changes to these variables or market demographics
may impact your institution’s inherent UDAAP risk level.
There are four components that make up a bank’s retail footprint: customer demographics, product and service offerings, complexity of products
and services, and delivery channels. Each should be evaluated separately and
then together to view the tracks left by the retail footprint overall.
Customer Demographics
Your adventure promoters, the marketing and new product development groups, have a firm understanding of the consumers in your market and the target market for your institution. You also need to consult your Community Reinvestment Act (CRA) assessment area. You will want to understand whether either demographic includes a significant percentage of customers who have been deemed less financially savvy. Here’s a sample of what to consider:
■■ Does the bank’s business or marketing plan target less financially savvy customers or are there a significant percentage of the elderly, students, or military in its market or CRA assessment area?
■■ Does the bank regularly review its customer demographics?
Product and Service Offerings
Another important factor to track in the retail footprint is your bank’s core product and service offerings, along with other customer interaction. You will want to consider whether the bank offers any products that have been the subject of frequent UDAAP cases. You will also want to document whether customers can be shuffled between subsidiaries of your bank holding company and how each product is marketed and advertised in different geographical areas:
■■ Does the bank offer credit card add-on products; subprime, high cost, or non-traditional mortgages; or fee-based overdraft protection plans?
■■ Do various products or services penetrate geographic or consumer markets in different ways?
Complexity of Products and Services
The complexity of your products and services creates potential concerns with consumer understanding and if they must do something unique to participate. Does your bank, for example, offer inexpensive and non-complex products? How easy is it for a customer to obtain a benefit? Consider:
■■ Are inexpensive basic checking and savings products available?
■■ Do customers need to jump through complex hoops to obtain benefits from any product?
■■ Do any traditional products or services have non-typical features or requirements?
Delivery Channels
The delivery channels your bank uses to distribute its products and services can create unintended product variations or customer segmentation. You will want to examine whether your bank employs any higher risk methods, whether delivery channels change by geography, or whether you have channels that generate business outside your general market area. Hone in on:
■■ Does the bank distribute its products in subsidiaries or loan production offices?
■■ Do product and service terms vary by delivery channel?
Strategic Direction
A bank’s strategic direction can influence risk levels through marketing strategy, new product and service development, advertisements and solicitations, and pricing and profitability. Let’s amble through each.
Marketing Strategy
Marketing and advertising campaigns must be clear and easy to understand. The consumer should know what is being offered and what it costs. Banks must know if their marketing reflects all consumers in their assessment area. Document this and other marketing related concerns, including:
■■ Does the bank utilize social media to communicate with customers and potential customers?
■■ Are telephone sales representatives scripted?
■■ Do advertising patterns or practices include all customer demographics?
New Product and Service Development
A bank’s new products and services should be consistent with its overall strategic goals, provide value to intended consumers, and be well thought out to avoid any unintended, embarrassing consequences. You should ask these questions:
■■ Have any new products or fee-based services recently been introduced?
■■ Do community groups express concern about any of the products and services that you might or might not offer?
■■ Is the bank at the forefront of developing new and non-traditional products and services?
Advertisements and Solicitations
A bank’s enticements, advertisements, and solicitations represent another aspect of its strategic direction. Are those marketing materials informative? And are the materials reflective of what customers tend to receive? For this factor, you should document the following types of activity:
■■ Do advertisements provide customers with all the information needed to make an informed decision about the product in a clear, transparent, and accurate manner?
■■ Are customers realistically able to obtain the products and services, including interest rates and amounts of credit or rewards, as represented in the advertisement?
■■ Are prescreened or “pre-approved” solicitations used?
Pricing & Profitability
Regulators now evaluate whether a bank’s adventures cost too much—whether they make their money from fee-based products or take advantage of consumers through pricing models. Therefore, as a final aspect of strategic direction, you will want to understand how pricing is set and how it compares to peer banks. Among the questions to consider:
■■ Do all new products and services provide customers with a benefit that will exceed their costs?
■■ Is pricing reasonable in relation to costs and risk?
■■ Is fee income from products and services a significant portion of net income?
A Trail of UDAAP Traps
In July 2012, the CFPB published guidance on the marketing of credit card add-on products. That also marked the beginning of a spate of UDAAP cases that were finalized and published:
July 2012: CFPB and The Office of the Comptroller of the Currency (OCC) fined Capital One $60 million in penalties and forced it to pay restitution of $150 million. Regulators found that Capital One’s outsourced customer center was misrepresenting credit card add-on products to subprime customers. Its telemarketing scripting contained many inaccuracies.
August 2012: The Federal Deposit Insurance Corporation (FDIC) fined Bancorp Bank $172,000 and ordered a third-party program partner of the bank to pay a fine and make restitution of approximately $11 million. Regulators were not happy about Bancorp’s lack of monitoring, and the operational practices of the third party, which resulted in excessive insufficient funds fees being charged on accounts targeted to students.
July 2012: OCC told Urban Trust Bank to eliminate its prepaid debit card (which was issued in conjunction with a payday lender) and to shore up its vendor management.
September 2012: CFPB and FDIC fined Discover $14 million in civil penalties and forced it to pay a restitution of $200 million. Regulators found issues with the telemarketing sales of credit card add-on products, such as credit insurance, credit score tracking, and identity theft protection with claims that customers were enrolled without consent or that agents were suggesting the products were free.
October 2012: CFPB fined American Express $27.5 million and forced the company to pay restitution of $85 million. Regulators found that agents were misrepresenting debt to obtain payments in the collection process and there were anomalies with marketing bonus points.
So what can you learn from these cases?
1. Credit card add-on products increase the level of inherent consumer risk and banks must take that into account. Compliance officers will want to review associated procedures and scripting to determine if they have sufficient controls. The function should also be subject to monitoring and auditing.
2. Vendor management was also at issue and can increase inherent UDAAP risk. Compliance officers should determine what functions have been outsourced. If a control is in place for in-house operations, it should be in place for the vendor. If customer service or telesales have been outsourced, compliance officers should ensure there are procedures and scripting in existence for these functions. They should also be reviewed for control sufficiency.
3. Overdrafts remain a high inherent risk as well. Regulators provided guidance indicating there should be limits on the associated fees, especially with regard to vulnerable customers. That means banks should review pricing.
Operations
Bank operations will influence its consumer protection through the following paths: general operations, role of third parties, and compliance with
traditional regulations.
General Operations
Regulators expect banks to have an effective enterprise-wide consumer
protection function. Banks will want to consider operational issues such as
compensation practices, employee turnover, and other similar factors, including:
■■ Do the bank’s standard terms require mandatory arbitration?
■■ Does the bank have a high rate of employee turnover in key areas such as
marketing, underwriting, or delivery?
■■ Are staff compensated by sales volume, interest rates, or other methods that
could encourage steering to specific product offerings or other unfair practices?
Role of Third Parties
Under UDAAP, banks can be culpable for the actions of the third-party
vendors that accompany them on their UDAAP adventure. The greater the
number of third parties—broker/dealers, processors, and other vendors the
bank uses—the higher the level of associated inherent risk. Consider if the
company outsources any operational work:
■■ Are there frequent staff or customer complaints about third-party conduct,
including chargeback rates?
■■ Does the bank use third-party marketers or advertisers to develop programs
or scripts for any of its products or services?
Compliance with Traditional Regulations
A violation of a traditional regulatory requirement can lead to a concurrent
UDAAP violation. As a result, when determining your inherent UDAAP risk,
you will need to factor in how well you comply with traditional consumer
protection regulations. Consider this:
■■ Has the bank had recent system weaknesses or violations of traditional
lending regulations?
■■ Has the bank had recent system weaknesses or violations of traditional
deposit regulations?
■■ Does the bank keep customer information safe from hackers?
UDAAP Environment
Consider the environment of the UDAAP beast when you’re assessing risks.
How active are the regulators, what are consumers and consumer groups
saying about specific products or product features, and does the bank offer
products that have been receiving negative press? To assess this risk, consider
both supervisory focus and customer complaints.
Supervisory Focus
When analyzing inherent risk, one place to look is how the regulators are
viewing the rule. UDAAP supervisory focus can come in the form of new
regulations, agency guidance, examination procedures, settlement agreements, or specific notice to your bank about examination activities. Here
are some things to monitor:
■■ Are regulator publications emphasizing consumer issues that impact
your bank directly?
■■ Have your bank’s product and service types been the focus of news coverage?
■■ Has the bank been investigated by a regulatory agency for a consumer
protection violation?
Customer Complaints
Internal information is also a good source for evaluating the UDAAP environment. Complaints received directly from customers and through regulatory
agencies can raise UDAAP risk concerns. Litigation is another good litmus
test. For example:
■■ Is there litigation concerning products or services offered by the bank?
■■ What is the level of complaints for the bank, operating subsidiaries, or
third parties?
■■ What is the level of complaints as a percentage of product or service
volume?
Summary: Inherent Risk
After you have observed each of the natural risk sources in the
UDAAP inherent risk spectrum, summarize your results and
add any observations, findings, and individual conclusions.
Make sure to weigh each risk source so that you can determine your inherent risk level. Create a summary table that lists
each of the factors you have reviewed and your findings. You
will want to rate each source and its categories. Also, list any
compensating factors that you think are relevant to the analysis.
Once summarized, you can rate the total inherent risk using the
same standards you apply to other risk assessments.
RISK CONTROLS AND MITIGATIONS
After you understand the natural environment of your UDAAP risk, you will
want to review the traps you have laid to catch the beast. Consider both your
general compliance program controls as well as UDAAP-specific controls.
General Compliance Program Controls
As with any risk assessment, consider the overall health of your compliance
program and ask a lot of questions. For instance, do your board and senior
management set the appropriate tone at the top? Do they firmly establish that
each business line is responsible for its own compliance? Do you have solid
policies, procedures, and training in place for UDAAP and other consumer
protection requirements? Do you also have a monitoring and audit program
to ensure the policies and procedures and training are working?
UDAAP Controls
Your program will also need to have controls to catch the more elusive UDAAP
issues that can occur. They should encompass marketing, disclosures, customer
service, vendor management, complaint response, and customer friendly features.
Let’s explore what kinds of traps to review as part of each element:
Marketing
The veracity and clarity of marketing materials lie at the heart of many
traditional UDAAP issues. Your bank must set tight controls to ensure that
its messaging isn’t misleading. It can do this by requiring that all pertinent
information is located where customers can find it and that offer dates
are clearly stated. You will also want to consider whether your compliance
program supports these marketing controls:
■■ Most consumers receive the rates “up to” or “as low as” as advertised.
■■ All claims made, especially in regard to fees, can be substantiated.
■■ All bank testimonials or endorsements are genuine.
Disclosures
Disclosures have also been at issue in many traditional UDAAP cases. They
must be clearly and accurately written and provide customers with all the
information needed, regardless of whether it is specified by regulation. They
should encompass all terms, benefits, and material limitations such as fees,
penalties, interest, and prerequisites. Are controls in place to ensure:
■■ All disclosures are worded in a way that customers can understand.
■■ Complicated disclosures draw attention to key terms, including limitations and conditions.
■■ Disclosures clearly explain when product or service terms may be changed.
Customer Service
Some UDAAP cases allege difficulties with customer service teams that
steered customers to expensive products or were otherwise not clear about
the products they were selling. You will want to document the controls your
bank has in place to prevent such beastly mishaps. Consider these questions:
■■ Does the bank ensure customers will obtain the specific product or service
they have requested rather than a more expensive substitute?
■■ Do counteroffers provide a clear, prominent, and accurate explanation of
the difference between the requested and offered product?
■■ Is clear and affirmative assent required before enrolling customers in a
new product or service?
Vendor Management
Vendor management issues have caused banks to run afoul of UDAAP. Since
a bank is responsible for any third party to whom it outsources, any needed
bank control must also be present and monitored at the third party. Vendors
should have the same or similar policies and procedures and training and
monitoring programs that you would require of your in-house staff. And,
they should be willing to let you review their compliance operations. Ask
these questions:
■■ Do third parties have a complaint process? Is it clear who customers
contact with questions?
■■ Will the bank discontinue using a third party that is treating customers
unfairly?
■■ Are vendor chargeback rates tracked and escalated when that rate exceeds
a certain percentage?
Complaint Response
Just as complaints are a key indicator of the UDAAP inherent risk, your
bank’s response to those complaints sets the tone for its controls. Does
your bank respond well to complaints? Is it timely? Is a root cause analysis
performed? Is there a formal process for the escalation of possible UDAAP
claims? You can also ask yourself:
■■ Is feedback from consumer response programs shared with managers to
correct staff mistakes?
■■ Is social media monitored for statements regarding the bank, its subsidiaries, or the vendors it uses?
■■ Are customer appeals readily available, consistently provided, and clearly
explained?
Customer Friendly Features
Last, but certainly not least, you will want to consider process- and product-specific controls that can snare problems. For loans, you should review
application, underwriting, closing, and collections practices to ensure
they remain customer friendly. Also, monitor the controls in place with
credit cards, secured credit cards, mortgages, credit card add-on products,
payday loans, and tax refund loans. For deposits, you will want to review
account opening and maintenance processes, as well as controls in place for
overdrafts, gift cards, and payroll cards. Samples of these requirements are:
■■ Loans
  • Application Processing
    ■■ Loan applications are straightforward and easy to understand.
    ■■ All application fees are clearly disclosed prior to application.
    ■■ The following loan features are fully explained to customers:
      - Negative amortization.
      - Balloon payments.
      - All loan costs.
  • Credit Card Add-On Products
    ■■ If there is an upfront fee, then the benefits and downsides of this product are clearly explained before the fee is charged.
    ■■ It is clear whether this product is included with the card or required to obtain one.
    ■■ If customers must pay in advance for this product, any unearned amounts are returned to the customer.
■■ Deposits
  • Account Maintenance
    ■■ All fees and penalties are clearly labeled in periodic statements.
  • Overdrafts
    ■■ More than one overdraft product is available.
    ■■ The bank is clear when it will charge fees and when it will pay overdrafts.
    ■■ The bank clearly and neutrally explains the consequences of opting in to overdraft protection, including what transactions will be covered.
    ■■ The bank does not advertise an account as “free” if there could be overdraft charges.
Summary: Risk Mitigation and Controls
After you have observed all of the UDAAP traps, it is time to document each control factor and its effectiveness along with any
observations, findings, and individual factor conclusions. Remember to weigh each factor (traps are not of equal concern) and how well
these traps worked in catching UDAAP issues because strengths
are also not equal. After showing your findings, you will want
to document additional compensating factors and the ultimate
strength of your control program. Once summarized, you are
ready to rate your residual risk.
THE LAST STEPS
Now that you’ve explored inherent risk indicators and risk mitigation and
controls, you are almost done. But first, it’s time to identify the UDAAP
gaps you detected.
Identify Risk Gaps
Your risk mitigation and controls probably do not address every inherent
risk factor you identified. This is typical and not necessarily a problem. But
these issues represent gaps in the mitigation and control process and you
need to decide what, if anything, needs to be done to address them. Consider
your board’s risk appetite when completing this exercise.
On your summary table, identify those inherent risk factors that are not
addressed or adequately addressed by risk mitigation and controls. These
issues represent risk gaps. Your table should also include a chart that lists
each gap, how great a risk concern each represents, what needs to be done,
any observations you have, and a column for follow-up.
Based upon your risk tolerance objectives, ask yourself these questions:
1) How risky are the deficiencies?
2) What needs to be done and by whom?
3) How will changes be evaluated and monitored?
Not every risk gap requires action, but others may require significant
changes. Focus on those risks of greatest significance to your program; and for
all risk gaps, document your decisions and actions on your summary table.
UDAAP Risk Direction
As you prepare to conclude your UDAAP adventure, you will want to determine your level of residual risk (inherent risk + controls = residual risk).
But don’t stop now. Ask yourself whether this same journey will be more or
less risky in 12 to 18 months and what changes might affect your residual
risk. Consider such issues as national or local economic events, proposed
changes to products, policies or procedures, new regulatory requirements,
staff turnover, or the bank’s strategic direction. Again, document your observations and conclusion on your summary table.
Find Your Own Path
We have presented one way in which you can perform a UDAAP risk assessment. You can utilize many of the factors presented in this article and
document them in any way that allows you to get a picture of your UDAAP
compliance adventure. Whatever path you choose, be sure to make it your
own. Ultimately, that’s the best way to tame the UDAAP beast. And please
join us next time when we boldly monitor areas of the bank where few
compliance souls have dared to tread. ■
About the Authors:
Meg Sczyrba, CRCM, is an industry principal at Infosys Technologies Limited,
working on how to implement regulatory requirements in its integrated
banking platform core processing system Finacle. Sczyrba previously worked
for PayPal, Washington Mutual, Union Bank of California, U.S. Bank, and as
a compliance consultant. She sits on several ABA Boards including the ABA
Compliance School board and the ABA Bank Compliance magazine board. She is
a former member of the CRCM Advisory Board and the Compliance Executive
Committee. Sczyrba has published several articles on topics ranging from
Regulation AA/UDAP to Regulation O and wrote the recurring Training Room
column in the ABA Bank Compliance magazine. She is also a frequent speaker at
industry compliance conferences and schools. Sczyrba was honored as ABA’s
2011 Distinguished Service Award recipient. She graduated from the University
of Missouri at Columbia with degrees in psychology and law. Reach her at
[email protected].
Phillip R. “Rick” Freer, Jr., CRCM, is senior director of Exam and
Compliance Programs at the American Bankers Association (ABA). He retired
from the Office of the Comptroller of the Currency (OCC) in February 2011,
after 41 years at the agency. He served most recently as a national bank
examiner in the Compliance Policy Division. Freer joined the OCC in 1969 as
an assistant national bank examiner. He was commissioned as a national bank
examiner in 1976. From 1976 through 1978, he served as a regional training
officer and regional director for the Human Resources Division. From 1978
through 1990, he held various positions in the OCC’s Washington office. From
1990 through 1997, he was director for compliance management and handled
CRA and fair lending examination programs, consumer complaints, and
compliance training and administrative programs. In 1997, Freer joined the
OCC’s Resource Cadre. He was a senior internal consultant and participated
in such tasks as CRA and compliance appeals with the OCC’s Ombudsman’s
Office, large bank CRA exams, and the development of examiner recruitment
training, the OCC’s contract examiner hires program, and examination
handbooks and policy positions for the Community and Consumer Policy Unit.
He served as a member of the ABA Bank Compliance magazine and the ABA
Compliance Schools Advisory Board and frequently instructs and presents at
the schools and ABA conferences. Reach him by telephone at (202) 663-5056 or
via email at [email protected].