Between UDAP and UDAAP, an “A” makes a world of difference.

For decades, community bankers followed the guidance of Federal Reserve Regulation AA: Unfair or Deceptive Act or Practice (UDAP) for loan cosigner rules on unfair credit practices. Then entered the Dodd-Frank Act of 2010 and the Unfair, Deceptive, or Abusive Acts or Practices (collectively, UDAAPs), which bears little resemblance to its namesake. Unlike many other regulations, UDAAP has no objective checklist that can be summarily evaluated and addressed or dismissed.

Quick Stat

$1 billion

of UDAAP-related fines the CFPB and OCC brought against Wells Fargo in 2018

What, then, is UDAAP? According to the law, unfair, deceptive, or abusive acts or practices can cause significant financial injury to consumers, erode consumer confidence and undermine the financial marketplace. The potential for UDAAP issues is extensive, and, because the law could apply to virtually any inconsistent, inaccurate or omitted information, the threat of UDAAPs is open-ended.

To effectively manage UDAAP compliance, community bankers must understand the meaning of the key terms unfair, deceptive and abusive, as well as the standards by which they are measured. These standards are spelled out in the Dodd-Frank Act and summarized here.


An act or practice is unfair when:

  • it causes or is likely to cause substantial injury to consumers

  • the injury is not reasonably avoidable by consumers

  • the injury is not outweighed by countervailing benefits to consumers or to competition.

An example of an unfair practice could include a lender’s refusal or unreasonable delay in releasing a lien after the consumer has made a final payment on a mortgage, preventing the consumer from obtaining credit, obtaining credit on the most favorable terms or clearing the credit record of the lien.


A representation, omission, act or practice is considered deceptive when:

  • it misleads or is likely to mislead the consumer

  • the consumer’s interpretation of it is reasonable under the circumstances

  • the misleading representation, omission, act or practice is material.

An example of a deceptive practice could be using descriptions the consumer would not understand and not providing clear explanations.


An abusive act or practice materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service. Alternatively, it takes unreasonable advantage of:

  • a lack of understanding on the part of the consumer of the material risks, costs or conditions of the product or service

  • the inability of the consumer to protect his or her interests in selecting or using a consumer financial product or service

  • a reasonable reliance by the consumer on a covered person, such as a bank, to act in the interests of the consumer.

Because UDAAP requirements and at-risk products or services cannot be objectively defined, the federal regulatory agencies have taken a know-it-when-you-see-it approach. In recent years, UDAAP enforcements have stemmed from deceptive marketing practices for debt cancellation and credit monitoring products, mortgage loan servicing misconduct and deceptive sales practices, deceptive overdraft service marketing, opening accounts without accountholder consent and more.

An enterprise-wide UDAAP risk-management system should include:

  • a written, comprehensive assessment of all consumer financial products and services, re-evaluated and updated on at least an annual basis

  • a robust consumer complaint process to assess, respond to and address issues that may stem from UDAAP-covered errors or omissions

  • policies and procedures designed to manage, prevent, detect and address UDAAP risks

  • training for employees and third-party service providers on unfair, deceptive or abusive acts or practices

  • comprehensive policies and procedures for compliance monitoring, internal audit and compliance management programs to identify and remedy UDAAP issues.

UDAAP evaluations should be paired with all other regulatory checks across the compliance management system for robust regulatory implementation and monitoring at community banks.

[UDAAP] is a slippery fish that requires community bankers to cast a broad net to cover technical requirements, institutional policies and actual practices to find gaps or errors.

Beyond process and record-keeping requirements and technical disclosure, UDAAP asks, “Is this accurate? Is it true? Is it complete?” It’s a slippery fish that requires community bankers to cast a broad net to cover technical requirements, institutional policies and actual practices to find gaps or errors.