The CFPB & UDAAP: A “Know It When You See It” Standard?

Institutions regulated by the Consumer Financial Protection Bureau (CFPB) and subject to its enforcement authority are dealing with the agency’s sweeping authority to prohibit unfair, deceptive, and abusive acts or practices (UDAAP). ¹12 U.S.C. § 5536. To date, the CFPB has relied on this authority to open investigations, initiate proceedings, and enter into a number of broad-ranging consent orders requiring regulated entities to pay hundreds of millions of dollars in restitution and penalties. However, CFPB Director Richard Cordray has consistently indicated that the CFPB will not be issuing rules to define or describe acts or practices deemed to be UDAAP, choosing instead to define UDAAP through enforcement. ²See, e.g., Kate Davidson, “Trying to Stay Above Politics: A Conversation with Richard Cordray,” The American Banker (Mar. 23, 2012). Moreover, the CFPB has made it clear that complying with all applicable federal consumer financial protection laws and regulations is not enough to escape allegations of UDAAP. In the agency’s view, an act or practice may constitute UDAAP even if the regulated entity complies with all applicable legal and regulatory requirements.

The CFPB’s approach at first glance appears to be “we know it when we see it,” not only for actual acts or practices, but also for potential violations of UDAAP, given the CFPB’s emphasis on self-reporting. ³See CFPB Bulletin 2013-06, “Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation” (June 25, 2013), available at http://files.consumerfinance.gov/f/201306_cfpb_bulletin_responsible-conduct.pdf. Regulated entities must read the tea leaves, trying to understand how the CFPB will exercise its UDAAP authority based on the allegations in enforcement actions and CFPB statements in its Examination Manual and agency guidance. Although it’s still early, some patterns and take-home lessons are emerging from these sources.

The attached chart lists specific acts and practices that the CFPB has alleged or identified as unfair, deceptive, and/or abusive. The list is drawn from several sources, including:

CFPB Consent Orders based in whole or in part on alleged UDAAP violations;

Agency enforcement actions filed in federal court;

Specific prohibited practices cited in the CFPB’s Examination Manual, derived in part from substantive statutes and regulations and previous FTC guidance; and

Guidance in Bulletins and similar informal statements that reflect the CFPB’s UDAAP priorities. ⁴Specific acts and practices identified as unfair, deceptive, or abusive in substantive statutes and regulations, such as the Fair Debt Collection Practices Act and Regulation Z, and cited by the CFPB, are not included in this chart.

Thus far, binding legal precedent is scarce in the absence of instances of full adjudication of CFPB UDAAP enforcement actions and formal rulemaking. Nonetheless, financial services companies are well advised to take heed of the CFPB’s areas of focus to date.

We discuss below the UDAAP provisions in Title X of the Dodd-Frank Act and how the CFPB has exercised its UDAAP authority to date.

CFPB UDAAP Framework

The Dodd-Frank Act makes it unlawful for any covered person or service provider to “engage in any unfair, deceptive, or abusive act or practice.” ⁵12 U.S.C. § 5536. Congress granted the CFPB authority to take enforcement action to prevent any person or entity subject to its jurisdiction from engaging in or committing UDAAP. ⁶12 U.S.C. §5531(a).

An act or practice is “unfair” if the CFPB has a reasonable basis to conclude that: 1) it causes or is likely to cause substantial injury to consumers; 2) the injury is not reasonably avoidable by consumers; and 3) the injury is not outweighed by countervailing benefits to consumers or competition. ⁷12 U.S.C. § 5531(c)(1). The test is the same as the definition of “unfairness” developed by the FTC under the FTC Act. ⁸FTC Policy Statement on Unfairness (Dec. 17, 1980), available at http://www.ftc.gov/ftc-policy-statement-on-unfairness; 15 U.S.C. § 45(n). The CFPB indicates in its Examination Manual that determinations of unfairness by the FTC and other regulators “may inform” the Bureau’s determinations. ⁹CFPB Examination Manual v.2, UDAAP.1, n.2 (Oct. 2012).

The Dodd-Frank Act does not define “deceptive,” but the CFPB has adopted a standard similar to the FTC’s definition of this term. Specifically, the CFPB states in its Examination Manual that a representation, omission, act, or practice is deceptive if: 1) it is material; 2) it is likely to mislead a consumer; and 3) the consumer’s interpretation is reasonable. ¹⁰Id. at 5. As with “unfairness,” the FTC issued a policy statement and developed a body of enforcement decisions regarding the meaning of “deceptive.” ¹¹See, e.g., FTC Policy Statement on Deception (Oct. 14, 1983), available at http://www.ftc.gov/ftc-policy-statement-on-deception. The CFPB has referenced these materials, for example, in explaining that the factors it will consider in evaluating whether disclosures are deceptive “track FTC guidance.” ¹²CFPB Bulletin 2012-06, “Marketing of Credit Card Add-on Products” (July 18, 2012) at 2-3 & n.5, available at http://files.consumerfinance.gov/f/201207_cfpb_bulletin_marketing_of_credit_card_addon_products.pdf.

The Dodd-Frank Act added the “abusive” prong to the traditional FTC UDAP analysis. According to the Act, an act or practice is “abusive” if it materially interferes with the consumer’s ability to understand a term or condition of a consumer financial product or service and takes unreasonable advantage of: 1) the consumer’s lack of understanding of the material risks, costs, or conditions of the product/service; 2) the consumer’s inability to protect his or her interests in selecting or using the product/service; or 3) the consumer’s reasonable reliance on a covered person to act in his/her interests. ¹³12 U.S.C. § 5531(d). Ever since this language was introduced in the legislation that became the Dodd-Frank Act, commenters have noted that determination of whether an act or practice is “abusive” is highly subjective and involves what a particular consumer understood about a particular transaction. The “abusive” standard appears to create a “suitability” standard, potentially with the burden on the financial institution to demonstrate what the consumer actually understood at the time of the transaction.

CFPB UDAAP – Regulation by Enforcement

So, how has the CFPB exercised its UDAAP authority so far? We point out in the attached chart specific acts and practices identified by the CFPB in enforcement actions and other means. A summary of what we know so far is provided below, along with preliminary observations about “lessons learned” from the CFPB’s actions and activities to date.

Unfair Acts and Practices

Marketing and Sale of Ancillary or “Add-On” Products. Five of the CFPB’s Consent Orders to date have targeted so-called add-on products provided by third parties, such as identify theft, debt protection, and credit score tracking services. The CFPB has alleged unfair practices in connection with these products, included enrolling and billing consumers without informing them they were not eligible for benefits unless they provided additional information, accepting payments from customers who were not eligible for benefits, and failing to send disclosures later in the language spoken during the telemarketing call with the consumer. These actions demonstrate that the CFPB takes third-party vendor management very seriously.

Mortgage Servicing. The CFPB has identified several “unfair” mortgage servicing acts and practices, including failing to honor trial or permanent loan modifications after a servicing transfer, requiring borrowers to waive all existing claims in order to qualify for a loan modification, failing to accurately assess borrower eligibility for loan modification programs, failing to apply payments promptly and accurately, and “robo-signing” affidavits supporting foreclosure proceedings. The practices the CFPB has identified as “unfair” are similar to the practices addressed in the National Mortgage Settlement. The CFPB may well expand its view of UDAAP in mortgage servicing in connection with its comprehensive mortgage servicing rules, which became effective in January 2014. These rules in part call for creation of “reasonable” policies and procedures, leaving room for the CFPB’s interpretation of the impact of servicer compliance on consumers.

Student Loans. The CFPB has initiated an enforcement proceeding involving student loans, alleging “predatory lending” by a for-profit educational services company, including by allegedly “rushing” students into decisions about entering into high-cost private loans and offering zero-interest temporary loans that were replaced by high-cost private loans if the students did not repay the original loans at the end of their first year. As with add-on products, the CFPB has focused here on products it believes consumers do not understand and on costs it believes outweigh benefits to consumers.

Deceptive Acts and Practices

Credit Card and Auto Loan Marketing. The CFPB has identified as “deceptive” alleged misrepresentations regarding the terms, eligibility requirements, and cost of financial products. Promises of benefits that were never provided, assertions that a product was a benefit associated with a credit product when it actually was optional, and implying a product was free all have caught the CFPB’s attention. The CFPB has alleged that certain deceptive representations resulted from third-party telemarketers going “off script,” or speeding through important disclosures in the approved scripts.

Debt Collection. The CFPB has identified as “deceptive” misrepresentations that unreported debt would appear on the consumer’s credit report or that payment of unreported debt would improve a consumer’s credit report. The CFPB also issued a Bulletin indicating it will rely on its authority to prohibit “deceptive” acts and practices to impose the obligations of the Fair Debt Collection Practices Act (FDCPA) on covered persons collecting their own debt. ¹⁴CFPB Bulletin 2013-07, “Prohibition of Unfair, Deceptive, or Abusive Acts or Practices in the Collection of Consumer Debts” (July 10, 2013), available at http://files.consumerfinance.gov/f/201307_cfpb_bulletin_unfair-deceptive-abusive-practices.pdf , and CFPB Bulletin 2013-08, “Representations Regarding Effect of Debt Payments on Credit Reports and Scores” (July 10, 2013), available at http://files.consumerfinance.gov/f/201307_cfpb_bulletin_collections-consumer-credit.pdf.

Abusive Acts and Practices

Debt Settlement/Debt Relief. The CFPB’s first exercise of its authority to prohibit “abusive” acts and practices focused on a debt relief company the CFPB alleged was enrolling customers despite knowing that their financial condition made it highly unlikely they could complete the program, collecting enrollment fees despite this knowledge, and failing to provide any services. It would appear the CFPB concluded these practices were abusive because the provider took unreasonable advantage of vulnerable consumers who did not understand that their financial condition made it highly unlikely they would receive any benefits and who believed the company would act in their best interests by trying to settle their debt.

Payday Loans. In its first enforcement action against an online payday loan servicer, the CFPB attempted to avoid tribal sovereignty issues for loans originated by an online lender affiliated with an Indian tribe. The CFPB alleged the servicer’s practice of servicing and collecting on these loans, which allegedly exceeded state-law usury caps, was “abusive.”

Student Loans. The CFPB alleged “predatory” loan practices intended to persuade low-income students to enter into high-cost loans the educational services company knew the students would not be able to repay were “abusive.” The company allegedly took advantage of the students’ inability to protect themselves, including by controlling the complex student loan process and using aggressive repackaging practices, including the threat of expulsion.

These first examples of alleged “abusive” practices, then, involved products targeted at consumers the CFPB believed were vulnerable and unable to understand the products at issue, and a belief by consumers that they could rely on the regulated entity to protect their interests.

CFPB UDAAP —What Do We Know So Far?

The current CFPB UDAAP “body of law” is quite limited, but common themes include:

Compliance alone is not enough to fully mitigate the risk of CFPB UDAAP concern. The CFPB has used and likely will continue to use its UDAAP authority to effectively expand the scope and application of statutes and regulations such as the FDCPA, TILA, and RESPA.

The CFPB is a “numerator” agency — in any number of the enforcement cases, actual incidences of non-compliance with laws, regulations, or policies and procedures appeared to be few. It follows that even if only a few consumers are or could be affected, the CFPB may well pursue UDAAP claims.

Related to this, actual harm to consumers need not be shown for the agency to initiate an action, as is the case under previous FTC and bank regulatory agency UDAP precedent. For the CFPB, even the possibility of consumer harm warrants investigation and can lead to significant fines, penalties, and restitution requirements. In a number of settlements with credit card issuers relating to add-on products, for example, the CFPB required refunds of all premiums to affected customers without regard to whether any of those customers actually benefited from the products and services at issue.

The CFPB’s known “hot button” issues included credit cards, debt collection, student lending, payday lending, and mortgage servicing, along with a heavy emphasis on vendor management. Speaking of which, following in the footsteps of the OCC and the FDIC, the CFPB has held and likely will continue to hold regulated entities responsible for the acts or omissions of third parties.

The agency’s UDAAP focus, particularly under the “abusive” prong, appears to be on consumers or populations of consumers believed to be vulnerable, such as consumers in debt, low/moderate-income consumers, service members, students, and the elderly.