In two recent interviews, CFPB Journal spoke with Jo Ann Barefoot, co-chair of Treliant Risk Advisors and former Deputy Comptroller of the Currency. Read Part 1 for more information.
CFPB Journal: Can you talk more about the meetings you’ve had with the CFPB on the subject of unfair, abusive and deceptive practices? Have you gained insight into how the CFPB might define it?
Barefoot: [The Consumer Financial Protection Bureau] is required by Dodd-Frank to define “abusive” and issue regulations. … I think that these rules and their enforcement approach are going to be broader than what the banks are accustomed to. What we’re seeing already from the other agencies is that the UDAAP enforcement issues are arising in areas of the bank or the company that are not within the traditional compliance scope.
I do think also that the CFPB will be very focused on – as are the other regulators – finding UDAAP matters from complaints; that is, following a trail of customer complaints to identify potential UDAAP issues. It’s too early to know how they’re going to proceed, but the message for the industry is that it’s not going to match up with the traditional compliance review function. It’s going to be necessary for banks to put everything that they’re doing to sort of a fairness and UDAAP screening process.
I think also that the CFPB is very focused on being fact-based and research-based. I think they’re going to be doing a lot of research on what customers do and don’t understand about current disclosures and practices and they’ll probably be issuing regulations and taking enforcement in those areas.
CFPB Journal: Do you have any idea of the timeline of when these rules will be introduced? Is it your feeling that it will be within the next year?
Barefoot: I am sure that the CFPB will be actively raising UDAAP issues sooner rather than later. As they’ve been emphasizing, they have multiple tools available to them. They’ve got enforcement, they’ve got regulation writing, they have examinations of the large banks, they have guidance, and sort of public moral persuasion.
They also have a very complicated situation, obviously, with not having a permanent director in place, and that really is creating a great deal of timing uncertainty with everything as to what their priorities are going to be and what actions they can and cannot take in the short run. I would predict that they would probably issue guidance within the next year but I think it’s too early to know for sure.
CFPB Journal: Do you find that banks, especially the larger banks, are more mindful of UDAAP in creating and marketing new products?
Barefoot: Absolutely, much more mindful. … The message that I’ve been trying to get out to the industry is: don’t wait for regulations before you begin preparing for UDAAP. I wrote an article for American Banker (Nine Dangerous Words: “Show Me Where It Says We Can’t Do That,” Sept. 13, 2011) that lays out the argument that even before the CFPB begins to act, UDAAP is really ramping up with the other agencies. Even without defining “abusive,” there’s already the unfair and deceptive standards already out there, and it’s at the heart of the mission of the CFPB. Even if they don’t issue formal regulations within the next year, they will be putting pressure on banks to respond to the UDAAP mandate.
So having said that, do we find that the big banks are ramping up? Yes. One of the unique things about UDAAP is that it is emerging so quickly. The basic FTC Act prohibition on unfair and deceptive practices is over 70 years old. So UDAAP has existed for a long time, but it was not really enforced for banks until a few years ago. When it began to be enforced for banks, it was mostly aimed at sort of marginal practices in the industry.
What we’re seeing now is that the other regulators, not the CFPB, are very actively enforcing it and are catching the industry by surprise by challenging practices that are common, that they’ve seen before and never questioned. Now they’re questioning them.
The large banks are already moving very rapidly to prepare for UDAAP enforcement and scrutiny. It’s challenging because what it takes to do UDAAP right isn’t really easy to do using the current compliance model that banks use. The current compliance model is built to create disclosures and technical compliance and UDAAP is about the subjective question of whether you’re being “fair.” It’s a big shift; it’s a big challenge.
CFPB Journal: Can you talk more about what kind of model banks will need to adapt to comply with UDAAP requirements going forward?
Barefoot: First of all, the most important element is that the CEO and the business side executives need to play a leadership role with this, because UDAAP issues are arising in basic decisions about product design and marketing and pricing that are not normally within the scope of the compliance group. So top leadership is going to have to engage in understanding these new risks and getting the bank positioned to make sure they’re not going to run afoul of UDAAP problems. Some penalties are very, very high in the UDAAP area already. Active rather than passive engagement by CEO and the senior executives is one huge change.
Another is that they need to shift the whole compliance function to being highly proactive and strategic rather than reactive and tactical. Banks already do that, to some extent, but traditionally banks have kind of waited for their examiner to tell them what they’re doing wrong and then fixed it – that’s kind of the traditional model.
Going forward, they’re going to have to anticipate these risks that are not clear-cut in the regulation. UDAAP is an overlay on top of the technical role, and it’s raising questions and problems on practices that are not technically illegal. So to manage that risk, you’re going to have to build a very proactive approach that’s thinking through, What can we do to make sure that we’re going to meet fairness standards? One example: some banks are appointing a “consumer champion” or “consumer advocate,” usually on the business side of the company.
Those are two areas where the model needs changing. They also need to develop better metrics on these risks because current compliance metrics don’t really measure these kinds of risks.