How to proactively manage UDAAP risks
While many have assessed unfair, deceptive or abusive acts or practices (UDAAP) as one of the riskiest compliance areas for financial institutions, many have not developed a program to mitigate UDAAP risks. There are many reasons for this; perhaps the task seems overwhelming, or they just don’t know where to begin. But like many other areas within financial institutions, UDAAP risks can be effectively managed. The necessary components of an effective UDAAP program are discussed below.
Board and management oversight
The board and management must oversee the organization’s UDAAP risk to avoid potential violations and penalties, which may include restitution, civil money penalties, financial losses, reputational damage, legal action and enforcement actions. By overseeing the UDAAP risk management program, the board and management can effectively manage the risk.
Risk assessment
A UDAAP risk assessment identifies and evaluates current and emerging UDAAP risks and determines whether internal controls appropriately mitigate risks across all products, services and lines of business. The quantity of UDAAP risks should be assessed within products and services, servicing and collections, marketing, compensation, third parties, systems and complaints.
In addition, the quality of internal controls should be assessed, considering:
- Board and management oversight
- Auditing and monitoring
- Policies and procedures
- Change management practices
- Training
- Issues tracking procedures
- Third-party risk management
- Complaint management programs
The residual risk scores assigned should be used to assist management in directing additional resources and to enhance controls in higher risk areas.
Third-party risk management
Oversight of relevant third parties should include:
- Assessing the risk of UDAAP within the services provided
- Conducting ongoing monitoring to help ensure the risk is mitigated
- Ensuring written contracts adequately define duties and allow for oversight and access to the information needed to monitor UDAAP risks
- Ensuring third parties receive training and that the products or services they provide are audited regularly
Policies and procedures
Standards and guidelines for managing UDAAP risk within products, services and activities should be incorporated into policies and procedures to direct employees in carrying out their duties without violating UDAAP.
Change management
Effectively preparing for changes to products, services and operations by assessing UDAAP risk prior to implementation, during implementation and again after implementation will reduce the risks of violations.
Incentive compensation programs
Ensure incentives offered to employees do not promote behavior that could result in UDAAP violations. Verify that incentives offered properly balance risks and rewards and do not promote consumer harm. Testing new accounts opened due to the incentive compensation program may also help ensure that the program has not resulted in consumer harm.
Complaint management
Develop a robust complaint management program that ensures UDAAP risk is identified in both written and oral complaints and that complaints are escalated, consolidated and analyzed to identify UDAAP trends. Corrective action should be tracked for any identified UDAAP concerns.
Training
UDAAP training should be provided to employees and relevant third parties with content that includes the definitions of UDAAP, UDAAP-related policies, procedures and controls, product and service terms and conditions, complaint management procedures and whistleblower procedures.
Audit and monitoring
Regular monitoring of areas that may have heightened risks for UDAAP violations should occur. This includes ongoing reviews of marketing materials, disclosures, new accounts, system parameters and complaints. An audit of this program should be conducted to identify any weaknesses in controls that may result in UDAAP violations, including a review of disclosures, system parameters, incentive compensation programs, policies and procedures, training materials, the third-party risk management program and related contracts, complaints, new products and services, marketing, operations, servicing and collection practices and the whistleblower program.
Bringing the pieces together
While these components can be included in a standalone UDAAP program, they can also be embedded in the compliance management system (CMS) programs within your business units. No program is guaranteed to protect you against all risks, but taking these steps to proactively mitigate the risks of violations will allow you to minimize serious consequences and help protect your financial institution and your customers from harm.
How Wipfli can help
If your financial institution is ready to get serious about mitigating UDAAP risks, Wipfli can help. Our dedicated professionals combine real-world experience and industry-specific knowledge to help design programs that can help you stay in compliance. We understand the realities of an ever-changing regulatory environment and can help you manage your risk.