Enforcement actions by many different regulators, including the CFPB, OCC and FDIC, make it clear how important UDAAP (Unfair, Deceptive or Abusive Acts or Practices) is to a solid third party risk management program. It’s often cited as a primary regulation violation, so it’s a regulation every risk management professional should be aware of.
Common Reasons UDAAP Is Violated Most Often
Here are 2 reasons we commonly see:
- The acronym becomes a buzzword. This is a frequent danger with regulatory oversight and the many federal consumer protection laws to be aware of. It’s easy to quote “UDAAP” during a conversation, but vendor managers need a much deeper understanding of the regulation itself, as it’s more than just a throwaway line.
- Vendor managers aren’t sure what to look for when verifying if the regulation has been violated. Knowing, understanding and then testing against the regulation will quickly differentiate you from the pack. Don’t try to fake it until you make it! Having performed many assessments in our careers, we know that your vendor counterparty contact will soon realize the level of expertise you bring to the assessment process when you interact with them.
How Vendor Managers Can Prevent UDAAP Violations
There are many great resources available to assist examiners in their review of UDAAP compliance, and these can also be leveraged in third party risk management. We encourage you to review these resources to build a solid foundation of regulatory compliance in your repertoire and to help you mitigate risk. After all, the CFPB’s concern is the harm to consumers caused by the violation of federal consumer lending regulations.
Vendors have also fallen foul of UDAAP. So, while the regulation is a key factor that you should be reviewing in your annual assessment, there are clear advantages to performing a UDAAP review during initial due diligence. Remember, the vendor is an extension of your organization and may be interacting directly with the end customer.
Here are 4 P’s to think about when it comes to UDAAP:
- Is the statement prominent enough for the customer to notice?
- Is the information presented in an easy-to-understand format that does not contradict other information in the package and at a time when the customer’s attention is not distracted elsewhere?
- Is the placement of the information in a location where customers can be expected to look or hear?
- Is the information in close proximity to the claim it qualifies?
The 4 P’s were developed for examiners by the Federal Trade Commission. See the FTC Policy Statement on Deception for an overview.
Stay Updated on Regulatory Compliance for a Successful Third Party Risk Program
Reviewing regulatory agency enforcement actions for UDAAP issues and reviewing the vendors’ own advertising and disclosure practices can really help align your vendor panel selection with your organization’s compliance standards. Simply asking how a vendor complies with UDAAP really is nothing more than a check-the-box exercise.
As your third party risk management program matures, we recommend looking deeper into regulatory compliance, which will help further protect your organization from risks outside of your immediate line of business. The relationship between third party risk management and a good vendor is vital to a successful program.