After the cataclysmic financial meltdown of 2008, Congress reacted with the Dodd-Frank Act to correct market misbehavior, stabilize the economy and shield consumers from exploitation by financial institutions. Out of this far-reaching legislation emerged a new, independent consumer protection agency with the potential to transform the relationship between financial institutions and consumers. The Consumer Financial Protection Bureau (CFPB), America’s first federal agency focused solely on consumer financial protection, is spearheading a fundamental culture shift in financial compliance and operation. With its single director and insulation from executive and legislative control, the CFPB is vested with broad and sweeping power to control, supervise and enforce promulgated rules for consumer financial providers. One of the CFPB’s primary goals, and the source of most controversy and risk for covered persons, is the prevention of “unfair, deceptive or abusive [consumer financial] acts or practices.” Armed with powerful regulatory and enforcement abilities and an arsenal of loosely-defined statutory terms, the CFPB is leading a crusade against unfairness toward consumers with respect to financial products, the extent of which is yet to be determined.

What has come to be known as “UDAAP” is Dodd-Frank’s prohibition of the use of an “unfair, deceptive, or abusive act or practice” by “any covered person,” defined as any person (or entity) that “engages in offering or providing a consumer financial product or service,” and that person’s “service provider.” “Service provider” means “any person that provides a material service to a covered person” in connection with the covered person’s offering of a financial product or service.

Dodd-Frank defines “unfairness” and “abusive” acts or practices, but curiously leaves the term “deceptive” undefined. An act or practice is unfair when it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers and such substantial injury is not outweighed by countervailing benefits to consumers or to competition.” An abusive act or practice “materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or takes unreasonable advantage of” a consumer’s lack of understanding, the inability of the consumer to protect his own interests or the “reasonable reliance by the consumer on a covered person to act in the interests of the consumer.”

Although Dodd-Frank does not include a definition of “deceptive,” the CFPB has issued guidance in the form of a supervision and examination manual outlining a three-part test for deceptiveness, and providing examples. For an act or practice to be deceptive, it must mislead or be likely to mislead the consumer, it must be material and the consumer’s interpretation of the act or practice must be reasonable. Despite this guidance, the lack of any definition in the statute itself appears to give the CFPB extra leeway to expand the scope of “deceptiveness” either through application of the current guidance or the issuance, at any time, of additional guidance redefining the deceptiveness standard with no statutory limitation.

The inherent subjectivity and indistinctness of each component of UDAAP is likely to create numerous difficulties for financial institutions. The UDAAP definitions are replete with vague and nebulous terms, such as “substantial,” “likely” and “reasonable,” that allow the CFPB unfettered discretion to declare acts or practices unfair, deceptive or abusive. Actual harm is not required for an act to be unfair or deceptive. Thus, the CFPB can target practices that are not harming consumers, but that create a significant risk of harm. For example, when a consumer is not misled into purchasing a certain financial product or service, but a covered person did something that was likely to mislead that consumer, the practice is deceptive. Conversely, if a consumer does not understand the product or service, the covered person may not take “unreasonable advantage” of that lack of understanding. According to the manual, even emotional effects can amount to substantial injury in some cases. Financial institutions now have to gauge the myriad diverse personalities and comprehension levels of each of their customers.

Most problematic, however, is the definition of abusive, the extra “A” that has been added to make UDAAP. Despite its newness, the CFPB provides no examples of the term in its manual, and offers only a riddle-like caveat that each component of UDAAP is separate yet overlapping. While a covered person seemingly can minimize the risk of consumer misunderstanding through disclosures, the idea in the second prong of the definition that a consumer can reasonably rely on a financial institution to act in the interests of the consumer is a clear departure from past precedent. With the introduction of an “abusive” standard with this reliance component, the CFPB has singlehandedly transformed the relationship between financial institutions and consumers from one of arms-length dealing to one with fiduciary overtones.