In today's world of increasing regulatory scrutiny, the cost of compliance continues to rise. In particular, financial institutions are allocating resources such as new tools, technology, and people to focus on regulatory compliance more than ever before. The implementation of these resources stems from the heavy penalties associated with not abiding by regulations established in the Dodd-Frank Reform passed in 2010.

Dodd-Frank established the Consumer Financial Protection Bureau (CFPB) with the mission to promote fairness and transparency for mortgages, credit cards, and other consumer financial products and services. In the past, compliance may have been achieved through more automation, less human error, new risk management tools, and hiring of new subject matter experts. In our experience, we've found that adding people and technology can help support sustained compliance, but many of the changes have to start with process.

A process that doesn't ensure compliance won't magically have its gaps covered by the implementation of a tool. As an example, let's reference one of the CFPB's current hot topics. As part of its enforcement arm, the CFPB has specifically focused on Unfair, Deceptive or Abusive Acts and Practices (UDAAP). In short, UDAAP addresses how customers are treated through the entire lifecycle of a product.

While this act is not new, recent enforcement actions by the CFPB should place UDAAP compliance as a high priority item for many financial corporations. To avoid ‘Unfair, Deceptive, or Abusive' acts or practices, financial institutions must implement an appropriate risk assessment process which will determine any risk associated with a new or existing product, based on UDAAP guidelines. This is one of the many examples where compliance cannot be reached simply by adding automation or new tools. A customer-centric culture must be supported by the appropriate risk management processes. As new products are launched or updated, they will leverage the UDAAP Risk Assessment process prior to introduction to customers.

An initial Risk Assessment Process for the purposes of UDAAP may include the following phases:

Initial Assessment Planning

As with any project, initial planning will go a long way to ensure overall success. First, an inventory of products must be leveraged to determine which ones are subject to UDAAP. Understanding your products and how customers interact with them will provide a starting point for estimating the number of risk assessments needed and the level of complexity that each assessment will present. Once products are identified, assessment attendees need to be notified, and a proper base level of knowledge should be established.

Key Outcomes:

  • Product inventory
  • Assessment attendee list (per product)
  • Assessment schedule


The pre-assessment phase is primarily focused on performing initial research and preparing for the assessment session. Key information gathered may include existing customer complaints, proposed marketing material, and additional customer facing processes used to support the product. Typically, a template is used to ensure that a consistent level of detail is achieved during the initial preparations.

Key Outcomes:

  • Assessment materials relevant to the product
  • Completed pre-assessment template

Risk Assessment Session

This is a meeting where subject matter experts and compliance experts involved in the risk assessment come together to review a product, with the main goal of coming to an agreement on what UDAAP risks need to be addressed. In this session, the pre-assessment materials are reviewed and a risk assessment questionnaire is completed. The discussion should be facilitated to ensure strict attention is given to fleshing out and documenting UDAAP risks; non-UDAAP risks may be identified, but should be discussed separately.

Key Outcomes:

  • Completed assessment questionnaire
  • Detailed list of UDAAP risks that pertain to the product

Control Research

With the risks identified, focus needs to shift towards researching and evaluating controls. This will require joint effort between product experts and compliance experts. Each UDAAP risk should be tied to a control, and each control should be evaluated to determine if it sufficiently controls the risk. Where the control is either insufficient or does not exist, mitigation plans should be developed. Additionally, controlled risks must be monitored to maintain compliance.

Key Outcomes:

  • Evaluation of controls for identified UDAAP risks
  • Mitigation plans for UDAAP risks with insufficient controls

Assessment Approval

By this point, the product has been assessed for UDAAP risks and controls. The controls and mitigation plans should be reviewed and approved by appropriate levels throughout the organization. This ensures that risks are understood and appropriately controlled, or that the mitigation plans are approved for implementation. The assessment results should then be stored for tracking to ensure the mitigation of risks that are not adequately controlled.

Key Outcomes:

  • Approval of controls and mitigation plans
  • Completed assessment

When first implementing this process, the focus should be on building a human-driven process. Several popular risk management tools exist, but prior to looking for the right tool, it is critical to establish a well-run, manual process. 'Manual' is a hard word to say for a process engineer, but the value of compliance calls for the initial process to be driven not by a tool, but by a human. Upon demonstrating positive results, tools should be implemented to streamline the well-designed risk assessment process.

For more information on UDAAP, please refer to the blog Protecting Consumers by Preventing UDAAPs.