Court Requires CFPB Update of UDAAP Exam Manual

Unfairness might be discriminatory, but Congress needs to amend the language of Dodd-Frank's UDAAP provisions to clarify this point before the Consumer Financial Protection Bureau (CFPB) can label discrimination outside the realm of credit an unfair practice. That’s what the United States District Court of the Eastern District of Texas said on September 8 when it ruled that the CFPB’s decision to revise the language of UDAAP guidance to include discrimination exceeded its authority.

Here’s a closer look at the ruling, UDAAP requirements, and what it all means for institutional compliance

Understanding the UDAAP ruling

Under the Equal Credit Opportunity Act (ECOA), the CFPB has authority to target discrimination only for consumer credit products. In March 2022, the CFPB used its authority under the Dodd-Frank Act to update UDAAP protections in its exam manual, with language labeling discrimination as an “unfair” practice.

This expansion of its UDAAP enforcement authority grants the CFPB the power to assess noncredit offerings for associated discriminatory conduct.

The CFPB stated, “discrimination can be unfair...in cases where ECOA does not apply. For example, denying access to a checking account because the individual is of a particular race could be an unfair practice even in those instances where ECOA may not apply.” The U.S. Chamber of Commerce and several banking trade associations sued, arguing the CFPB overstepped its statutory authority. The Court agreed.

Given the existing statutory language of laws protecting consumers from unfair banking practices, the Court noted the absence of text specifying discriminatory conduct. In its decision, the Court pointed out that while the “unfairness language in Dodd-Frank might be viewed broadly to embody protection against discrimination,” its language could also be interpreted to “vindicate” consumer choice.

The CFPB removed the updated UDAAP language from its exam manual, striking a significant reversal in the agency’s ability to offer guidance to examiners outside the rulemaking process.

Within its current statutory authority, the CFPB cannot act against a financial institution that engages in discriminatory practices outside of lending.

Legal challenges to the CFPB

The UDAAP judgment in Texas also referred to the CFPB’s “violation of the Appropriations Clause” in amending its exam manual. Subsequently, the Eastern District of Texas used this to connect this case with other suits brought seeking to challenge and delay implementation of 1071. The Texas Bankers Association, in a suit joined by the American Bankers Association, won a preliminary injunction against 1071 implementation in July, and the Kentucky Bankers Association won a similar injunction in September.

The legal foundation of these cases hinges on the constitutionality of the CFPB, as it receives funding directly from the Federal Reserve versus through Congress’s appropriations process.  Many agencies, including the Federal Reserve, OCC, FDIC, the U.S. Postal Service, and the Social Security Administration, receive funding outside the appropriations process.

However, the Federal Reserve is also exempt from Congress’s funding structure, giving the CFPB double-insulation. This question now lies with the Supreme Court to ultimately decide on the constitutionality of the agency’s funding.

Regardless of the ruling, the CFPB isn’t going anywhere. A prior case debating the removability of the CFPB director ‘for cause’ versus ‘at will’ established precedent that provisions of Dodd-Frank are severable. This means the unconstitutionality of a clause or two does not require demolishing the CFPB.

Related: 1071 Update – October 2023

Despite these legal setbacks, the CFPB shows no sign of slowing enforcement. In 2022, the CFPB won more in consumer restitution than the prior two years combined – over $2 billion. Additionally, on October 5, 2023, the CFPB reported a planned hiring spree, increasing enforcement attorneys and support staff by 50%.

Current interpretations of UDAAP compliance

UDAAP stands for “unfair, deceptive, and abusive acts and practices.” Financial institutions, lawmakers, and regulators have worked to define and understand the terms “unfair,” “deceptive,” and “abusive” in banking practice.

Unfair Banking Practices

An act or practice is “unfair” when:

• It causes or is likely to cause substantial injury to consumers; 
• Consumers cannot reasonably avoid the injury; and 
• The injury is not outweighed by a “countervailing” benefit to consumers or competition.

While most substantial injuries consumers suffer are monetary, the 2013 CFPB Bulletin on UDAAP clarifies that in “certain circumstances, emotional impact” might amount to a substantial injury. This may have been a basis for including discriminatory conduct as an unfair act.

Deceptive banking practices

Deception occurs when an act, representation, omission, or practice is:

• Misleading or is likely to mislead consumers; 
• Reasonably interpreted by the consumer under the circumstances; and 
• Material.

But how does a financial institution or regulatory agency determine when a statement or omission is “likely to mislead consumers”?

Examiners often look at disclosures in financial products and services' terms and conditions, among other factors. Burying important details in the fine print can trigger a UDAAP violation.

Related: UDAAP Compliance: Defining Unfair, Deceptive, and Abusive Acts and Practices

Abusive banking practices

What is an abusive practice in banking?

Under Dodd-Frank, abusive practices interfere with a consumer’s ability to understand the terms and conditions of a financial product or take unreasonable advantage of them.

For UDAAP violations, regulators consider:

• Consumers’ inability to protect their interests in buying financial products; 
• Their lack of understanding of the material risks involved in a financial product; and 
• Failure by institutions to reasonably protect vulnerable consumers.

Building controls for UDAAP violations

Institutions must take actionable steps to develop a worthwhile control environment for UDAAP risk.

Compliance requires much more than following basic procedures. Examiners loathe manual compliance processes because it means less efficiency and more room for human error. Automation is key, and a compliance system that actively monitors controls and requires adjustment when new regulatory guidance drops, such as the update to the CFPB’s UDAAP exam manual, is vital.

Showing examiners a robust and strategic compliance management system goes a long way.

What are the key features of safe and sound compliance management?

Document Management: Compliance laws and regulations are complex. When financial institutions don’t have a central repository for compliance-related documents, policies, and procedures, the outcome is chaos. A major part of staying exam-ready is embracing an orderly process for document management.

Regulatory Updates: Regulatory guidance, rules, and laws consistently change. Systems with large regulatory libraries updated in real time give you a leg-up over other institutions. Tracking regulations empowers you to quickly and efficiently adjust your compliance control environment.

Do you have a system that instantly alerts you to changes in laws, regulations, and guidance?

Reporting: Have examiners asked you to explain your compliance risk controls, processes, and policies? FIs require regulatory cost breakdowns, timelines for implementing new compliance controls, policy management protocols, a method of handling consumer complaints and questions, etc.

A successful compliance management solution delivers this information to your board, management, and examiners in a few keystrokes.

Centralized Communication: Regulators often talk about a culture of compliance, but what do they mean? Creating a culture of compliance breaks down business silos – it holds employees accountable by giving them the tools to succeed.

When your compliance management solution exists on a single dashboard, your compliance team will understand and execute their responsibilities. Your frontline employees working directly with consumers can refer to your institution’s compliance policies and avoid costly errors. Finally, your management and board will be involved in the compliance strategy process.

Final thoughts on UDAAP

In a recent webinar with two former OCC examiners, Ncontracts SVP of Industry Engagement Rafael DeLeon and his colleague Kathy Dick discussed compliance management technology as the dividing line between financial institutions that will thrive and those that won’t.

“Examiners are trained to find problems. They’re watching for storm clouds on the horizon – they're following the weather report. When financial institutions show they’re aware of these storm clouds, too, it makes it so much easier for us. Giving us the compliance materials we need makes for a much smoother exam. We don’t want to see your work; we want to see your system,” explained Kathy Dick of Salt of the Earth Consulting.

Rafael and Kathy predicted that 2023 and 2024 would be blockbuster years for regulators, with compliance risk playing a significant role.

Start focusing on compliance now. UDAAP language might be settled, but more guidance, regulations, and laws will always be on the horizon – rain or shine.

What Goes into a Strong Compliance Management System (CMS)?
Find out!