Need help from the group! We had a recommendation from an outside auditor relating to managing UDAAP risk from third parties. Hoping to get thoughts and suggestions from other financial institutions on how best to measure and mitigate UDAAP risk.

My first question, how do you determine that UDAAP risk applies to a vendor's products or services:
· Have you scoped specific kinds of products and services as inherently risky from a UDAAP perspective?
· Have you developed questions/questionnaire for your relationship owners in order to establish UDAAP risk?
· Something else (the above two are what I am thinking in terms of determining UDAAP risk but would love to hear what others are doing).

Second question, what kinds of due diligence and risk mitigation do you require from third parties or perform to try to mitigate UDAAP risk - review UDAAP violations, contract provisions, etc.?

Thanks in advance, this group is always a great resource.

Shelly

To begin, I would like to recommend two regulator documents that provide a good foundation for all things UDAAP. These documents provide a lot of good information and will be very helpful as you define your processes.
OCC - Unfair or Deceptive Acts or Practices and Unfair, Deceptive, or Abusive Acts or Practices
CFPB - Unfair, Deceptive, or Abusive Acts or Practices
To answer your questions, a good rule of thumb is that any vendor with direct contact with your customers or consumers must be reviewed for UDAAP (Unfair, Deceptive, Abusive Acts or Practices) risk.
· UDAAP risk is most typically associated with vendors providing loan servicing or collection services
· UDAAP risk may also be present when vendors provide marketing services or materials. However, most organizations have internal marketing reviews that include UDAAP. If your organization does not have that process in place for some reason, all marketing vendors must be reviewed.
Regarding UDAAP due diligence, here are some essential documents to collect. (Remember that your organization will need to further refine or add to this list based on the actual products and services.)
· Compliance policy (The entity has policies to ensure compliance with the standards under the Fair Debt Collections Practices Act to prevent abusive, deceptive, or unfair debt collection practices)
· Evidence of employee compliance training
· Discipline policies and records of disciplinary actions
· Procedure manuals and written policies, including those for servicing and collections
· Internal control monitoring and auditing materials
· Compensation arrangements, including incentive programs for employees and third parties.
· Marketing programs, advertisements, and other promotional material in all forms of media (including print, radio, television, telephone, Internet, or social media advertising)
· Scripts and recorded calls for telemarketing and collections
· Organizational charts, including those related to affiliate relationships and work processes.
· Agreements with affiliates and third parties that interact with consumers on behalf of the
· Consumer complaint files
I hope these suggestions are helpful, but I would love to hear from other members.