(for ABA Bank Compliance magazine, Sept/Oct 2019 issue)
Compliance professionals are working hard these days, trying to help their financial institutions implement technology solutions that are transforming their delivery of products and services to meet heightened consumer expectations for speed, ease of access and efficiency. As these disruptive forces contribute to the demands of daily compliance responsibilities, it is critical that bank compliance officers remain mindful and diligent in managing emerging risks, especially more elusive risks that arise from Unfair, Deceptive or Abusive Acts or Practices (“UDAAP”). Using some old-fashioned techniques combined with a view towards high-tech analytics, here are some practical tips for managing UDAAP risks in a digital age.
UDAAP has always been consumer-centric, so a focus on the consumer is a good place to start. Follow the consumer’s journey throughout the lifecycle of your products and services and be especially attentive to any potential for consumer harm. “Consumer harm” can arise in many ways, direct or indirect; economic or non-economic; and can be short-term or longer-term. It may also be difficult to identify or quantify, and therein lies the challenge for compliance professionals.
Most UDAAP Risk Assessments are good at identifying more obvious types of quantifiable consumer harm, such as when there are overcharges or erroneous fees, and these result in direct economic harm that can be fairly easy to quantify. However, longer-term harm could occur if late or nonpayment of those fees resulted in negative reporting to credit agencies, and it could potentially have an effect not only on the price for other credit, but also result in non-economic harm from how the credit bureau report might be interpreted for employment or housing applications. Including the potential harm as a risk could result in more thoughtful controls and risk indicators to either prevent, detect, or remediate such occurrences much more quickly.
Potential consumer harm can be economic and somewhat indirect, such as arising from deceptive marketing practices that entice a consumer to purchase a product that is of little to no benefit, which has been identified in various credit card “add-on” enforcement actions. Potential consumer harm may also occur in the context of another law or regulation, such as when a financial institution implements a pricing structure that allows significant discretion without effective monitoring or controls, resulting in a protected class of borrowers being charged higher prices on average than similarly situated non-protected borrowers, in violation of the Equal Credit Opportunity Act (“ECOA”). The higher prices paid results in quantifiable harm, which can also further result in significant longer-term or non-economic harm as well.
Non-quantifiable consumer harm may be more difficult to identify or measure, such as discouragement to submit an application on a prohibited basis (also a potential violation of ECOA), or discouragement to file a complaint or dispute relating to error resolution Regulation E violations. It is also important to be aware of potential harm to vulnerable consumers, such as students, the elderly, servicemembers and those with limited proficiencies.
Therefore, the best place to start on a “consumer-centric” journey is with your Risk Assessment, and particularly a UDAAP Risk Assessment. Now may be a good time to refresh your perspective and integrate these considerations of “consumer harm” within definitions of risks and controls. A risk-based approach for identifying these risks and implementing controls and monitoring is important to the regulators as well. The Uniform Interagency Consumer Compliance Rating System was updated in 2017, and in addition to the two pillars relating to oversight and the compliance program, a third pillar was added to measure the dimensions of violations of consumer protection laws and regulations and any resultant “consumer harm.” Demonstrating actions taken to prevent consumer harm requires, at its core, a focused approach to defining the risk of potential harm, specification of controls to mitigate that risk, and key risk indicators to monitor those controls.
Evaluate cnique fintech risks
As if identifying and monitoring for UDAAP risks within your own institution isn’t hard enough, it is critical for compliance professionals to include a consideration of risks of consumer harm that may be caused by activities conducted through third-party relationships. This is especially true when establishing a relationship with vendors that do not have a history or experience of working with financial institutions.
Consider, for example, how to identify potential UDAAP risks that may emerge if your bank partners with a fintech to generate leads for lending products. There are several well-publicized cases that illustrate fines and penalties imposed for UDAAP violations against lead aggregators, so reviewing enforcement actions is a good place to start. For example, one lead aggregator sold its leads to the entity that would pay the most for the lead. So it is important to understand where you stand in the pecking order of referrals. And as with any third party, it is important to do your due diligence to evaluate their compliance management system and control framework. Be sure to understand any fintech data security protocols as well. Several entities have promised safe and secure data, but regulators later concluded that because they had no procedures to support these statements that they were deceptive.
To be more consumer-centric, track the consumer’s experience from the fintech through to your bank. Review all customer interfaces, from marketing, social media, call centers and websites through to servicing and collections. When you walk through the web experience, be mindful of how the information is presented. Are all benefits, costs and limitations explained? Does the consumer understand other basic information and next steps, such as when a credit report will be pulled? Will the consumer be surprised if you receive the lead and ask for duplicate information? Did the consumer think he or she was already approved? Also, review any scripts or Frequently Asked Questions (“FAQs”) to evaluate whether there appears to be anything that could be interpreted to be deceptive, unfair or abusive. And remember that the key is to provide consumers with enough information that they can make an informed decision for themselves about whether to move forward with the product.
Develop soft skills
Whether looking for UDAAP risks in new relationships with fintechs, with existing third parties, or simply within your own institution day-to-day, step back and take a moment to observe “how” things are being done. Is there an established culture of ethics and integrity in the approach to consumer interactions? Are your lines of business bringing your compliance team in early to discuss ideas for new products and services, and taking the time to communicate issues as they occur? It may be a good idea to employ more “soft skills” (for example, deliberative communication efforts) in solidifying internal relationships, as it sometimes takes time to uncover a potential UDAAP.
Also, consider a broad approach to gathering the data that you can use as key risk indicators for emerging UDAAP risks. For example, conduct periodic interviews with key personnel for your products and services, in-person if possible. Have an open agenda and take time to listen and cultivate a productive relationship and do your best to be excited about their new ideas and suggested changes. Managers will be more comfortable coming to you with questions if they feel you are all on the same page.
Mine your data
New technology also brings with it new data, so it’s a great idea to get to know your systems and IT personnel really well. Some compliance departments have an IT person available for limited use, such as when conducting fair lending analytics. With the emergence of big data and the concomitant risks that the expanded availability of data to regulators now presents to banks, there is a huge opportunity for banks to mine this information for identifying and managing compliance risks, particularly UDAAP.
One place to start is with the treasure trove of information that is currently available in consumer complaints. Information coming directly from a consumer or customer is of the highest value for identifying potential UDAAP risk. This is especially important when the bank has introduced a new product or is working with a new vendor to ensure there is no customer confusion. Yet many banks’ complaint management systems were put in place years ago with a primary focus on the operational aspects of complaints (e.g., timely and complete responses) and have not been updated with sophisticated consideration of how to improve data for mining purposes.
On a basic level, most institutions have a complaint management system that starts with an employee who manually flags a complaint as a potential UDAAP or Fair Lending issue. However, how do you know that initial flag is being applied correctly? At a minimum, there should be testing done to ensure you are filtering at this critical juncture to collect all relevant complaints. Next, are you looking at the complaint with a narrow focus, such as a point-in-time review of the consumer’s basic allegation; or do you have a broader focus to really understand root cause?
Root cause is critical, and many complaint management systems stop analytics after asking the first “Why?” Using the Six Sigma methodology, asking a series of repetitive “Why?” questions will offer a better approach to peel away at the layers that lead to the root cause of a problem—so keep asking “Why?”!
This initial phase of filtering and categorizing complaint data is important, and the data should be in a form that can easily be associated with metrics for tracking and trending. Some complaint management systems are burdened with long essays for each entry that make it difficult to translate findings into meaningful metrics. Clearly, a narrative providing context is important; however, the words should then be translated into binary or numerical factors—allowing for further filtering and categorization—to derive meaningful metrics your institution can track and trend.
When evaluating various types of data, there is a particular emphasis on the word “meaningful,” as regulators are looking for “pertinence,” i.e., how important is this data for understanding what may actually be a potential UDAAP violation? This approach takes into account data that can help your bank understand the volume, frequency, and repetition relating to types of complaints, products, services, systems, customers and consumers.
Much of this data analysis can be done to some degree now using low-tech tools and Excel spreadsheets. However, there is an emerging opportunity to use evolving technologies, including artificial intelligence approaches such as machine learning, as well as models to dig even deeper into the complaint data.
For example, a high-tech approach can analyze all complaints to filter for key words relating to “unfair,” “deceptive” and “abusive.” These words could include a vast array of synonyms or versions of UDAAP, such as “coerced,” “misled,” “deceived,” “unaware,” or “misunderstood.” Both the positive and the negative should be included in one’s filtering, such as “informed” (which might be preceded by some version of “not”) as well as “misinformed.”
As you think about it, machines and models today can search through this data much more quickly than we can. And it doesn’t stop there. Machines and models have the capability of searching through many types of data, beyond just complaint data. Potential data sources could include an entire array of data that cycles through your institution, such as fee income, fee refunds, and overdraft fees, as well as call monitoring testing results, system issues and other known issues.
Once these sources of data are identified—and assuming you have good data integrity—taxonomies can be applied to further categorize themes, consistencies or inconsistencies. These categories can then be tested to determine if there is validity, such as via mystery shopping; or via other testing protocols to determine whether the model results are reliable, or to further refine the models to improve validity.
Go forth and manage UDAAP
So now that you have a glimpse of the future, let’s return to the practical applications for identifying key risk indicators to better manage UDAAP risk right now. Identify emerging risks with an eye on “consumer harm”, and track the consumer’s journey through your institution, including wherever a third party or fintech interacts with your customer. Monitor emerging risks from enforcement actions and include activity that may be occurring in your state or in neighboring states.
Finally, consider how you can get more data to help you attune to areas of risk—strengthening key relationships can go a long way to giving you more context. And mine the data you have, to whatever degree you can, so you can track and trend metrics, especially as part of your complaint management system. It may also be a good time to start asking for a dedicated systems analyst to help you prepare for the future! With these practices aligned, your bank will be in a much better position to monitor and manage UDAAP risk as we continue to embrace this era of technology.