Introduction
These examination procedures inform examiners about activities that may constitute unfair, deceptive, or abusive acts or practices and how to evaluate the effectiveness of FDIC-supervised institutions’ processes for identifying, measuring, monitoring, and otherwise mitigating the risks associated with them. In this context, unfair, deceptive, or abusive acts or practices are legal standards established pursuant to Section 5 of the Federal Trade Commission Act (FTC Act) and the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act). Throughout these procedures these standards will be referred to, respectively, as “FTC UDAPs” and “Dodd-Frank UDAAPs.”
The FDIC utilizes a risk-focused examination approach to promote, assess, and confirm institutions’ compliance with FTC UDAPs and/or Dodd-Frank UDAAPs. While FTC UDAPs and/or Dodd-Frank UDAAPs occur infrequently, they may result in significant consumer harm and erode consumer confidence in the financial institution. Heightened risk may be present in situations involving: changes to a bank’s products or services; the offering of a complex or atypical product; and marketing and delivery strategies using one or more third party providers.
A FTC UDAP and/or Dodd-Frank UDAAP finding is dependent on the relevant specific facts and circumstances; each institution is different and presents distinct potential risks. Accordingly, examination staff should apply the instructions in these procedures consistently as part of their assessment of institutions. In addition, the FDIC will conduct appropriate legal analysis based on the FTC UDAP and/or Dodd-Frank UDAAP standards, and consider the particular facts and circumstances at each institution to determine whether a violation has occurred.
Background
In 1938, Congress expanded the FTC Act to not only prohibit unfair methods of competition but to also prohibit “unfair or deceptive acts or practices” in or affecting commerce to allow the FTC to directly protect consumers. See 15 U.S.C. § 45(a) (Section 5 of the FTC Act). These procedures provide information regarding the applicability of Section 5 of the FTC Act.
In 2010, Congress passed the Dodd-Frank Act. Section 1036 of the Dodd-Frank Act prohibits a “covered person”1 from engaging in unfair, deceptive, or abusive acts or practices (Dodd-Frank UDAAP). See 12 U.S.C. § 5536. Section 1031 of the Dodd-Frank Act provides authority to the Consumer Financial Protection Bureau (CFPB) to promulgate rules identifying such acts or practices as unfair, deceptive, or abusive in connection with consumer financial products and services generally. See 12 U.S.C. § 5531. These procedures also provide information regarding Sections 1031 and 1036 of the Dodd-Frank Act.2
The legal standards for “unfair” and “deceptive” under Section 5 of the FTC Act and the Dodd-Frank Act are substantially similar. Further, the legal standards for unfair, deceptive, or abusive are independent of each other. Depending on the facts, an act or practice may be unfair or deceptive or abusive or any combination of the three, or not constitute a violation.
Section 5 of the FTC Act
The banking agencies3 have authority to enforce Section 5 of the FTC Act for the institutions they supervise and their institution affiliated parties (IAPs). The FDIC has provided notice to state nonmember institutions of its intent to cite them and their IAPs for violations of Section 5 of the FTC Act, and of its intent to take appropriate action pursuant to its authority under Section 8 of the Federal Deposit Insurance Act (FDI Act) when a FTC UDAP violation is cited. The FTC has authority to take action against nonbanks that engage in a FTC UDAP. If a FTC UDAP involves an entity or entities over which more than one agency has enforcement authority such as, for example, the FDIC and the FTC, the agencies may coordinate their enforcement actions. Unlike many consumer protection laws, Section 5 of the FTC Act also applies to transactions that may impact business customers as well as individual consumers.4
On March 11, 2004, the FDIC and the Board of Governors of the Federal Reserve System (FRB) issued additional guidance regarding FTC UDAPs prohibited by Section 5 of the FTC Act.5 Following the release of the guidance, the FDIC issued examination procedures, which include:
- Standards used to assess whether an act or practice is unfair or deceptive
- Interplay between the FTC Act and other consumer protection statutes
- Examination procedures for determining compliance with the FTC Act standards, including risk assessment procedures that should be followed to determine if transaction testing is warranted
- Best practices for documenting a case
- Corrective actions that should be considered for violations of Section 5 of the FTC Act
- List of resources
NOTE: In August 2014, the FDIC, FRB, CFPB, the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) issued guidance regarding certain consumer credit practices as they relate to Section 5 of the FTC Act. The authority to issue credit practices rules under Section 5 of the FTC Act (e.g., Regulation AA, Credit Practices Rule) for banks, savings associations, and federal credit unions was repealed as a consequence of the Dodd-Frank Act.
Notwithstanding the repeal of such authority, the guidance indicated that the Agencies continue to have supervisory and enforcement authority regarding unfair or deceptive acts or practices, which could include those practices previously addressed in the former credit practices rules. Such practices included: (1) the use of certain provisions in consumer credit contracts, (2) the misrepresentation of the nature or extent of cosigner liability, and (3) the pyramiding of late fees.
The guidance clarifies that institutions should not construe the repeal of these rules to indicate that the unfair or deceptive practices described in these former regulations are permissible. The guidance makes clear that these practices remain subject to Section 5 of the FTC Act and Sections 1031 and 1036 of the Dodd-Frank Act.
Standards for Determining What is Unfair or Deceptive
The legal standard for unfairness is independent of the legal standard for deception. Depending on the facts, an act or practice may be unfair, deceptive, both, or neither.
Section 5 of the FTC Act also applies to commercial transactions and businesses. In applying these statutory factors, the FDIC will identify and take action whenever it finds conduct that is unfair or deceptive, as such conduct falls well below the high standards of business practice expected of banks and the parties affiliated with them.
FTC UDAPs may also violate other federal or state laws. However, practices that fully comply with consumer protection or other laws may still violate Section 5 of the FTC Act. For additional information, please refer to the “Relationship to Other Laws” section further in this document.
Unfair Acts or Practices
The FDIC applies the same standards as the FTC in determining whether an act or practice is unfair. These standards were first stated in the FTC Policy Statement on Unfairness. An act or practice is unfair when it (1) causes or is likely to cause substantial injury to consumers, (2) cannot be reasonably avoided by consumers, and (3) is not outweighed by countervailing benefits to consumers or to competition. Congress codified the three-part unfairness test in 1994.6 Public policy may also be considered in the analysis of whether a particular act or practice is unfair. All three of the elements necessary to establish unfairness are discussed further below.
The act or practice must cause or be likely to cause substantial injury to consumers. Substantial injury usually involves monetary harm, but can also include, in certain circumstances, unquantifiable or non-monetary harm. An act or practice that causes a small amount of harm to a large number of people, or a significant amount of harm to a small number of people, may be deemed to cause substantial injury.
An injury may be substantial if it raises significant risk of concrete harm. Trivial or merely speculative harms are typically insufficient for a finding of substantial injury. Emotional impact and other more subjective types of harm will not ordinarily make a practice unfair.
Consumers must not be reasonably able to avoid the injury. An act or practice is not considered unfair if consumers may reasonably avoid injury. Consumers cannot reasonably avoid injury from an act or practice if it interferes with their ability to effectively make decisions or to take action to avoid injury. This may occur if material information about a product, such as pricing, is modified or withheld until after the consumer has committed to purchasing the product, so that the consumer cannot reasonably avoid the injury. It also may occur where testing reveals that disclosures do not effectively explain an act or practice to consumers.7 A practice may also be unfair where consumers are subject to undue influence or are coerced into purchasing unwanted products or services.
Because consumers should be able to survey the available alternatives, choose those that are most desirable, and avoid those that are inadequate or unsatisfactory, the question is whether an act or practice unreasonably impairs the consumer’s ability to make an informed decision, not whether the consumer could have made a wiser decision. In accordance with FTC case law, the FDIC will not second-guess the wisdom of particular consumer decisions. Instead, the FDIC will consider whether an institution’s behavior unreasonably creates an obstacle that impairs the free exercise of consumer decision-making.
The actions that a consumer is expected to take to avoid injury must be reasonable. While a consumer could potentially avoid harm by hiring independent experts to test products in advance or bring legal claims for damages, these actions generally would be too expensive to be practical for individual consumers and, therefore, are not reasonable.
The injury must not be outweighed by countervailing benefits to consumers or to competition. To be unfair, the act or practice must be injurious in its net effects — that is, the injury must not be outweighed by any offsetting consumer or competitive benefits that are also produced by the act or practice. Offsetting consumer or competitive benefits may include lower prices or a wider availability of products and services. Nonetheless, both consumers and competition benefit from preventing unfair acts or practices because prices are likely to better reflect actual transaction costs, and merchants who do not rely on unfair acts or practices are no longer required to compete with those who do. Unfair acts or practices injure both consumers and competitors because consumers who would otherwise have selected a competitor’s product are wrongly diverted by the unfair act or practice.
Costs that would be incurred for remedies or measures to prevent the injury are also taken into account in determining whether an act or practice is unfair. These costs may include the costs to the institution in taking preventive measures and the costs to society as a whole of any increased burden and similar matters.
Public Policy May be Considered
Public policy, as established by statute, regulation, judicial decision, or agency determination, may be considered with all other evidence in determining whether an act or practice is unfair. Public policy considerations by themselves, however, will not serve as the primary basis for determining that an act or practice is unfair. For example, the fact that a particular lending practice violates a state law or a banking regulation may be considered as evidence in determining whether the act or practice is unfair. Conversely, the fact that a particular practice is permitted by statute or regulation may, under some circumstances, be considered as evidence that the practice is not unfair. The requirements of the Truth in Lending Act (TILA), the Truth in Savings Act (TISA), the Fair Credit Reporting Act (FCRA), or the Fair Debt Collection Practices Act (FDCPA) are examples of public policy considerations. However, an institution’s compliance with another statute or regulation does not insulate the institution from liability for an unfair act or practice under Section 5 of the FTC Act. Fiduciary responsibilities under state law may clarify public policy for actions, especially those involving trusts, guardianships, unsophisticated consumers, the elderly, or minors. State statutes and regulations that prohibit FTC UDAPs are often aimed at making sure that lenders do not exploit the lack of access to mainstream banking institutions by low-income individuals, the elderly, and minorities.
Deceptive Acts or Practices
A three-part test is used to determine whether a representation, omission, or practice is deceptive. This test was first laid out in the FTC Policy Statement on Deceptive Acts and Practices.8 First, the representation, omission, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the representation, omission, or practice must be reasonable under the circumstances. Third, the misleading representation, omission, or practice must be material.9 As a general matter, the standards for establishing deception are less burdensome than the standards for establishing unfairness because, under deception, there is no requirement of substantial injury or the likelihood of substantial injury, or the other elements of unfairness related to consumer injury. The following discusses all three of the elements necessary to establish deception.10
There must be a representation, omission, or practice that misleads or is likely to mislead the consumer.
An act or practice may be found to be deceptive if there is a representation, omission, or practice that misleads or is likely to mislead a consumer. Deception is not limited to situations in which a consumer has already been misled. Instead, an act or practice may be found to be deceptive if it is likely to mislead consumers. A representation may be in the form of express or implied claims or promises and may be written or oral. Omission of information may be deceptive if disclosure of the omitted information is necessary to prevent a consumer from being misled. An individual statement, representation, or omission is not evaluated in isolation to determine if it is misleading, but rather in the context of the entire advertisement, transaction, or course of dealing. Acts or practices that have the potential to be deceptive include: making misleading cost or price claims; using bait-and-switch techniques; offering to provide a product or service that is not in fact available; omitting material limitations or conditions from an offer; selling a product unfit for the purposes for which it is sold; and failing to provide promised services.
The act or practice must be considered from the perspective of the reasonable consumer.
In determining whether an act or practice is misleading, the consumer’s interpretation of or reaction to the representation, omission, or practice must be reasonable under the circumstances. In other words, whether an act or practice is deceptive depends on how a reasonable member of the target audience would interpret the marketing material. When representations or marketing practices are targeted to a specific audience, such as the elderly or the financially unsophisticated, the communication is reviewed from the point of view of a reasonable member of that group.
If a representation conveys two or more meanings to reasonable consumers and one meaning is misleading, the representation may be deceptive. Moreover, a consumer’s interpretation or reaction may indicate that an act or practice is deceptive under the circumstances, even if the consumer’s interpretation is not shared by a majority of the consumers in the relevant class, so long as a significant minority of such consumers is misled.
Written disclosures may be insufficient to correct a misleading statement or representation, particularly where the consumer is directed away from qualifying limitations in the text or is counseled that reading the disclosures is unnecessary. Likewise, oral disclosures or fine print are generally insufficient to cure a misleading headline or prominent written representation. Finally, a deceptive act or practice cannot be cured by subsequent truthful disclosures.
The representation, omission, or practice must be material.
A representation, omission, or practice is material if it is likely to affect a consumer’s decision to purchase or use a product or service. In general, information about costs, benefits, or restrictions on the use or availability of a product or service is material. When express claims are made with respect to a financial product or service, the claims will be presumed to be material. While intent to deceive is not a required element of proving that an act or practice is deceptive, the materiality of an implied claim will be presumed if it can be shown that the institution intended that the consumer draw certain conclusions based upon the claim.
Claims made with knowledge that they are false will also be presumed to be material. Omissions will be presumed to be material when the financial institution knew or should have known that the consumer needed the omitted information to make an informed choice about the product or service.
Sections 1031 and 1036 of the Dodd-Frank Act (Dodd-Frank UDAAP)
Title X of the Dodd-Frank Act provides exclusive supervisory authority and primary enforcement authority to the CFPB for insured depository institutions with total assets over $10 billion for the Dodd-Frank UDAAP provisions of Sections 1031 and 1036 of the Dodd-Frank Act.11 The Dodd-Frank Act provides the FDIC with supervisory and enforcement authority for Dodd-Frank UDAAP, as well as other Federal consumer financial laws, for state, nonmember banks with total assets of $10 billion or less.12 As a result of the provisions contained in the Dodd-Frank Act and Section 5 of the FTC Act, the FDIC has supervisory or enforcement authority that includes both FTC UDAP and Dodd-Frank UDAAP in certain situations.13
The standards for determining whether an act or practice is unfair or deceptive under the Dodd-Frank Act are substantially similar to the FTC Act standards.14 Section 1036 of the Dodd-Frank Act prohibits unfair, deceptive, or abusive acts and practices with respect to consumer financial products and services generally.15 An abusive act or practice is one that:
- Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
- Takes unreasonable advantage of:
  - A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; or
  - The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
  - The reasonable reliance by the consumer on a covered person16 to act in the interests of the consumer.17
Unlike the standards for unfairness or deception under Section 5 of the FTC Act, where all prongs of the test must be met for there to be a violation, the abusive standard lays out individual, stand-alone tests to determine if an act or practice is abusive. Although abusive acts also may be unfair or deceptive, examiners should be aware that the legal standards for abusive, unfair, and deceptive are independent of each other.
The Role of Consumer Complaints in Identifying Unfair, Deceptive, or Abusive Acts or Practices
Consumer complaints play a key role in the detection of FTC UDAPs and Dodd-Frank UDAAPs. Consumer complaints have often been an essential source of information for possible FTC UDAPs and Dodd-Frank UDAAPs and can also be an indicator of weaknesses in elements of the institution’s compliance management system, such as training, internal controls, or monitoring.
While the absence of complaints does not ensure that FTC UDAPs or Dodd-Frank UDAAPs are not occurring, the presence of complaints may be a red flag indicating that a more detailed review is warranted. This is especially the case when similar complaints are received from several consumers regarding the same product or service. One of the three tests in evaluating an apparent deceptive practice is: “The act or practice must be considered from the perspective of the reasonable consumer.” Consumer complaints provide a window into the perspective of the reasonable consumer.
Complaint Resolution Procedures
Examiners should interview institution staff about consumer complaints and the institution’s procedures for resolving and monitoring consumer complaints. Examiners should determine whether management has responded promptly and appropriately to consumer complaints. The FDIC expects institutions to be proactive in resolving consumer complaints, as well as monitoring complaints for trends that indicate potential FTC UDAP or Dodd-Frank UDAAP concerns. Institutions should centralize consumer complaint handling and ensure that all complaints are captured, whether they are made via telephone, mail, email, in person, the institution’s regulator, text message, live chat, or other methods. In addition to resolving individual complaints, an institution should take action to improve its business practices and compliance management system, when appropriate. The institution’s audit and/or monitoring function should also include a review of consumer complaints.
Sources for Identifying Complaints
Consumer complaints can originate from many different sources. The primary sources for complaints are those received directly by the institution and those received by the FDIC National Center for Consumer and Depositor Assistance Consumer Response Unit (Consumer Response Unit). Secondary sources for complaints include State Attorneys General or Banking Departments, the Better Business Bureau, the FTC’s Consumer Sentinel database, the CFPB’s Consumer Complaint Database, consumer complaint boards, and web blogs. In many cases, complaints have been identified through simple Internet searches with the institution’s name or particular product or service that it offers. At times, former employees may post complaints. These can be an important information source. For institutions that have significant third-party relationships, complaints may have been directed to the third party, rather than to the institution. Examiners should determine if the institution is provided with copies of complaints received by third parties. If they are not, this would be a red flag and should be examined further.
Analyzing Complaints
Examiners should consider conducting transaction testing when consumers repeatedly complain about an institution’s product or service. However, even a single complaint may raise valid concerns that would warrant transaction testing. Complaints that allege misleading or false statements, missing disclosure information, excessive fees, inability to reach customer service, or previously undisclosed charges may indicate a possible FTC UDAP or Dodd-Frank UDAAP.18
If a large volume of complaints exists, examiners should create a spreadsheet that details the complainant, date, source (i.e., institution, website, etc.), product or service involved, summary of the issue, and action taken by the institution. The spreadsheets can then be used to identify trends by type of product or issue. The Consumer Response Unit can be of assistance during this process by creating spreadsheets for complaints that were received by the FDIC.
When reviewing complaints, examiners should look for trends. While a large volume of complaints may indicate an area of concern, the number of complaints alone is not dispositive of whether a potential FTC UDAP or Dodd-Frank UDAAP exists. Conversely, a small number of complaints does not undermine the seriousness of the allegations that are raised. If even a single complaint raises valid concerns relative to a FTC UDAP or Dodd-Frank UDAAP, a more thorough review may be warranted. It is important to focus on the issues raised in the complaints and the institution’s responses, and not just on the number of complaints.
Note also that high rates of chargebacks or refunds regarding a product or service can be indicative of potential FTC UDAP or Dodd-Frank UDAAP violations. This information may not appear in the consumer complaint process.
When reviewing complaints, also look for any complaints lodged against subsidiaries, affiliates, third parties, and affinity groups regarding activities that involve the institution, a product offered through the institution, or a product offered using the institution’s name. While the institution may not be actively involved in the activity, if it is a branded product or product offered through a third-party relationship, the institution can be held responsible and face the same risks as if the activity was housed within the institution. In re Columbus Bank and Trust Company, First Bank of Delaware, First Bank and Trust (Brookings, South Dakota), and CompuCredit Corporation19 is an example of where complaints against a third party directly related to the institutions and the institutions were held accountable for the activities of the third party.
Relationship to Other Laws
Unfair, deceptive, or abusive acts or practices that violate the FTC Act or the Dodd-Frank Act may also violate other federal or state laws. These include, but are not limited to, TILA, TISA, the Equal Credit Opportunity Act (ECOA), the Fair Housing Act (FHA), the FDCPA, the FCRA, and laws related to the privacy of consumer financial information. On the other hand, certain practices may violate the FTC Act or the Dodd-Frank Act while complying with the technical requirements of other consumer protection laws. Examiners should consider both possibilities. The following laws may warrant particular attention in this regard:
Truth in Lending Act (TILA)
Pursuant to TILA, creditors must “clearly and conspicuously” disclose the costs and terms of credit. An act or practice that does not comply with these provisions of TILA may also violate the FTC Act or the Dodd-Frank Act. Conversely, a transaction that is in technical compliance with TILA may nevertheless violate the FTC Act or the Dodd-Frank Act. For example, an institution’s credit card advertisement may contain all the required TILA disclosures, but limitations or restrictions that are obscured or inadequately disclosed may be considered a FTC UDAP or Dodd-Frank UDAAP.
Truth in Savings Act (TISA)
TISA requires depository institutions to provide interest and fee disclosures for deposit accounts so that consumers may compare deposit products. TISA also provides that advertisements cannot be misleading or inaccurate or misrepresent an institution’s deposit contract. As with TILA, an act or practice that does not comply with these provisions may also violate the FTC Act or the Dodd-Frank Act, but transactions that are in technical compliance with TISA may still be considered as unfair, deceptive, or abusive. For example, consumers could be misled by advertisements of “guaranteed” or “lifetime” interest rates when the creditor or depository institution intends to change the rates, even if the disclosures satisfy the technical requirements of TISA.
Equal Credit Opportunity (ECOA) and Fair Housing (FHA) Acts
ECOA prohibits discrimination in any aspect of a credit transaction against persons on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to contract), the fact that an applicant’s income derives from any public assistance program, and the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The FHA prohibits creditors involved in residential real estate transactions from discriminating against any person on the basis of race, color, religion, sex, handicap, familial status, or national origin. Moreover, some state and local laws address discrimination against additional protected classes, e.g., handicap in non-housing transactions, or sexual orientation. Such conduct may also violate the FTC Act or the Dodd-Frank Act.
Fair Debt Collection Practices Act (FDCPA)
The FDCPA prohibits unfair, deceptive, and abusive practices related to the collection of consumer debts. Although this statute does not apply to institutions that collect their own debts in their own name, failure to adhere to the standards set by the FDCPA may violate FTC UDAP.20 Moreover, institutions that either affirmatively or through lack of oversight permit a third-party debt collector acting on their behalf to engage in deception, harassment, or threats in the collection of monies due may be exposed to liability for participating in or permitting a FTC UDAP.
Fair Credit Reporting Act (FCRA)
The FCRA contains significant responsibilities for institutions that obtain and use information about consumers to determine the consumer’s eligibility for products, services, or employment; share such information among affiliates; and furnish information to consumer reporting agencies. The FCRA was substantially amended with the passage of the Fair and Accurate Credit Transactions Act (FACT Act) in 2003, which contained many new consumer disclosure requirements as well as provisions to address identity theft. Violations of the FCRA may also be considered as a FTC UDAP or Dodd-Frank UDAAP. For example, obtaining and using unsolicited medical information (outside of the exceptions provided by the rule) to make credit decisions may also be considered as unfair.
Privacy of Consumer Financial Information
Regulation P (12 CFR Part 1016.12) prohibits an institution or its affiliates from disclosing a customer’s account number or similar access code for a credit card, deposit, or transaction account to a nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail. There are only three exceptions to this prohibition. A financial institution may disclose its customers’ account numbers to: (1) a consumer reporting agency; (2) its agent to market the institution’s own products or services, provided that the agent is not authorized to directly initiate charges to the account; or (3) another participant in a private label credit card or an affinity or similar program involving the institution. Depending upon the totality of the circumstances, an institution that does not comply with these requirements may also be engaging in FTC UDAPs.21
Examination Procedures
Examination Objectives
- To assess the quality of the financial institution’s compliance management systems, internal controls, and policies and procedures for avoiding unfair, deceptive, or abusive acts or practices.
- To identify products, services, or activities that materially increase the risk of being unfair, deceptive, or abusive.
- To gather facts that help determine whether a financial institution’s products, services, programs, or operations are likely to be unfair, deceptive, or abusive.
General Guidance
During pre-examination planning, examiners should determine if transaction-related testing is warranted for one or more of the institution’s products or services. Also, examiners should be alert to possible FTC UDAPs and Dodd-Frank UDAAPs throughout an examination, including when reviewing specific products or services for compliance with other consumer compliance regulatory requirements.
The following risk assessment and transaction-related examination procedures should be used, as appropriate, to assist examiners in recognizing potential FTC UDAPs and Dodd-Frank UDAAPs, analyzing potential issues, and determining an appropriate response.
Risk Assessment Procedures
The risk assessment process should begin during the pre-examination planning stage, when the institution is first contacted to discuss the Compliance and Information Document Request (CIDR). The CIDR can then be customized to request information that is needed to determine the institution’s risk profile for potential FTC UDAPs and Dodd-Frank UDAAPs.
Institutions with increased risk: Institutions may have a higher risk profile for potential FTC UDAP or Dodd-Frank UDAAP violations if they introduce new products or services, especially those targeting individuals who are financially unsophisticated, vulnerable to financial abuse, or financially distressed. Risks may increase when an institution introduces a new delivery channel, a complex product, or a new activity, or when staff is not sufficiently qualified or trained. As in other areas, the strength of an institution’s CMS, such as strong management controls, effective training, and on-going monitoring, is a mitigating factor.
Institutions with limited risk: Many institutions have low risk profiles for potential FTC UDAP or Dodd-Frank UDAAP violations and would not generally require transaction testing. These include institutions that do not offer products associated with increased incidence of complaints, violations, chargebacks, or risk of consumer harm; have not introduced any new products; and have no consumer complaints (or a limited number of consumer complaints that are unrelated to FTC UDAP or Dodd-Frank UDAAP). However, examiners should be alert to possible FTC UDAPs or Dodd-Frank UDAAPs throughout an examination, including when reviewing specific products or services for compliance with other consumer compliance regulatory requirements.
Transaction-Related Examination Procedures
If, upon conclusion of the risk assessment procedures, risks requiring further investigation are noted, examiners should conduct transaction testing, as necessary. Use examiner judgment in deciding whether to sample individual products, services, or marketing programs. Increase the sample to achieve confidence that all aspects of the financial institution’s products and services are sufficiently reviewed.
An FTC UDAP or Dodd-Frank UDAAP analysis is fact-specific and cannot be based on a particular checklist; however, transaction-related examination procedures fall into the following general categories: marketing and disclosures, availability of credit, availability of advertised terms, repricing and other changes, servicing, and collections.
The following are examples of items that should be reviewed, as applicable:
- Advertisement and marketing documentation
- New product development documentation
- Documentation of software testing
- Procedural manuals, including those for servicing and collections
- Customer disclosures, notices, agreements, and periodic statements for each product and service reviewed
- Account statements
- Agreements with third parties
- Compensation programs
- Promotional materials
- Telemarketing and customer service scripts
- Recorded calls for telemarketing or collections
- Organization charts and process workflows
- Relevant marketing and advertising materials, including website pages
- Relevant disclosures and customer contracts
- Collection scripts and notices
- Relevant training materials
- Relevant software algorithms or parameters
- Consumer complaint files
Collaboration with Others
Regional Examination Specialists
Examiners should follow field office, regional, and national consultation procedures, including contacting the appropriate Regional Examination Specialists for assistance in determining whether unfair, deceptive, or abusive acts or practices have occurred.
Legal Division (Legal)
Following applicable protocol, examiners are encouraged to consult with Regional or Washington Office Legal, as appropriate, as early as possible when potential violations of the FTC Act or the Dodd-Frank Act are identified. Legal staff can provide valuable assistance to examiners during the onsite examination, including advising examiners on the types of documentation that should be obtained and developing interview questions.
Risk Management Supervision
Following regional protocol, examiners should consider if a potential violation of the FTC Act or the Dodd-Frank Act could have an impact on the safety and soundness of the bank and alert risk management staff accordingly. This may warrant a joint onsite presence at the institution, a request for additional information, or other appropriate supervisory action.
Policy and Research Branch
The Policy and Research Branch can provide assistance in conducting an analysis of large amounts of customer data. Examiners should follow regional and Washington consultation procedures in seeking assistance from Policy and Research.
Documentation
Documentation of potential FTC UDAP or Dodd-Frank UDAAP violations is extremely important. The following guidance should be used to facilitate review of a potential violation:
- Create an inventory of documentary evidence gathered and interviews conducted.
- Create chronologies or charts to explain complex fact patterns.
- For printed materials (marketing, solicitations, disclosures), an original, unmarked copy should be maintained.
- For websites, print copies or save the webpages electronically as soon as possible. Websites are easily altered, so versions of the website that support the case must be preserved by the examiner. When possible, save webpages electronically, such as in a PDF. The electronically saved copy should be formatted such that the following information is included: window title, URL, date, time, page number, total number of pages. In cases where the website includes links for additional information, notate the page succession.
- If consumer complaints are voluminous, create spreadsheets or summaries. Refer to the Analyzing Complaints section for additional guidance.
- Indicate the type of institution reports that are available. For those documents received, notate why each was obtained, how it was received, when, and from whom.
- Maintain a final, typed version of the interview notes. All examiners who participated in the interview should review the notes and attest to their accuracy. Consider having the interviewee review the notes.
- During the examination, the examiner should consider the types of corrective actions that may be pursued. For cases where restitution to consumers may be necessary, the examiner should obtain information needed to identify and estimate restitution.
- If the potential violation involves an affiliate or third party, obtain the information and documentation needed to determine whether an affiliate is an IAP. Refer to the IAP examination procedures for further information and guidance.
- The following includes a list of other documents that are generally needed:
  - Income reports
  - Third-party contracts
  - Relevant board minutes
  - Relevant audit reports
  - Due diligence records
  - Training materials
  - Telemarketing and customer service scripts
  - Software parameters
  - Account agreements
  - Collection scripts and notices
  - Consumer communications and notifications
  - Billing statements
Corrective Actions to be Considered for Violations of Section 5 FTC Act or Sections 1031 and 1036 of the Dodd-Frank Act
As with any violation of law or regulation, the response to a violation of Section 5 of the FTC Act and Sections 1031 and 1036 of the Dodd-Frank Act will depend on a number of factors, including:
- The nature of the violation;
- Whether it is a repeat violation or a variation of a previously cited violation;
- The harm, or potential harm, suffered by consumers;
- The number of parties affected; and
- The institution’s overall compliance posture and history, both in general and with respect to FTC UDAP and Dodd-Frank UDAAP.
Level 3 or Level 2 violations may result in a downgrade of the institution’s compliance and CRA ratings and, potentially, the institution’s risk management rating. In determining the overall CRA rating for an institution, examiners consider evidence of discrimination or other illegal acts, including violations of Section 5 of the FTC Act or Sections 1031 or 1036 of the Dodd-Frank Act.
In addition to determining a violation’s impact on the institution’s compliance and CRA ratings, examiners must consider corrective actions that should be taken. These may include requiring the discontinuance of the act or practice, restitution to consumer and business customers, informal or formal enforcement actions, and assessment of a civil money penalty. Examiners should refer to the Formal and Informal Enforcement Actions Manual in the references section below for additional guidance.
List of Resources
This list includes references that are cited in the text, as well as additional resources that may be useful to examiners.
Agency Issuances
- Interagency Guidance: Deposit-Reconciliation Practices (FIL 35-2016).
- Interagency Guidance Regarding Unfair or Deceptive Credit Practices (FIL 44-2014).
- FDIC, Supervisory Insights, Winter 2008, Vol. 5, Issue 2, From the Examiner’s Desk: Unfair and Deceptive Acts and Practices: Recent FDIC Experience.
- FDIC, Supervisory Insights, Winter 2006, Vol. 3, Issue 2, Chasing the Asterisk: A Field Guide to Caveats, Exceptions, Material Misrepresentations, and Other Unfair or Deceptive Acts or Practices.
- FIL 26-2004: Unfair or Deceptive Acts or Practices by State-Chartered Banks.
- FTC Policy Statement on Deceptive Acts and Practices.
- FTC Policy Statement on Unfairness.
- FTC’s Dot Com Disclosures: How to Make Effective Disclosures in Digital Advertising.
- Joint Guidance on Overdraft Protection Programs, 70 Fed. Reg. 9127 (Feb. 24, 2005).
- CFPB Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs) examination procedures.
References
FDIC Formal and Informal Enforcement Actions Manual
FIL-44-2008 Third-Party Risk: Guidance for Managing Third-Party Risk
CFPB Enforcement Actions Involving Unfair, Deceptive or Abusive Acts or Practices
FTC Enforcement Actions Involving Unfair or Deceptive Acts or Practices
FTC’s Subprime Lending Cases
FTC Unfair or Deceptive Acts or Practices Enforcement Actions: Mortgage Servicing
FTC Unfair or Deceptive Acts or Practices Enforcement Actions: Collection Practices
Other Regulations with Provisions that Relate to Accurate Advertising
12 CFR Part 1026: Regulation Z Truth in Lending
12 CFR Section 1026.16: Open-end advertising
12 CFR Section 1026.24: Closed-end advertising
12 CFR Part 1030: Regulation DD, Truth in Savings Advertising: 12 CFR Section 1030.8
12 CFR Section 1030.11: Additional disclosure requirements for institutions advertising the payment of overdrafts
12 CFR Part 328, Subpart A – Advertisement of Membership
12 CFR Part 328, Subpart B – False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo
12 CFR Part 343: Consumer Protection in Sales of Insurance
12 CFR Section 343.40(d): Advertising
| 1 | The term “covered person” means (1) any person who engages in offering or providing a consumer financial product or service; and (2) any affiliate of a person described in (1) if such affiliate acts as a service provider to such person. See 12 U.S.C. § 5481(6). |
| 2 | Information on Dodd-Frank and its standards of unfair, deceptive and abusive begins in the section below. |
| 3 | Federal Deposit Insurance Corporation, Federal Reserve Board, and Office of the Comptroller of the Currency. |
| 4 | FTC v. IFC Credit Corp., 543 F. Supp. 2d 925, 943 (2008): “The FTC has construed the term ‘consumer’ to include businesses as well as individuals. Deference must be given to the interpretation of the agency charged by Congress with the statute’s implementation.” |
| 5 | See FIL-26-2004, Unfair or Deceptive Acts or Practices Under Section 5 of the Federal Trade Commission Act (March 11, 2004). |
| 6 | 15 U.S.C. § 45(n). |
| 7 | The FRB’s testing of certain disclosures concluded that consumers cannot reasonably avoid certain payment allocation and billing practices because disclosures fail to adequately explain these practices. See Jeanne M. Hogarth & Ellen A. Merry, Designing Disclosures to Inform Consumer Financial Decision-making: Lessons Learned from Consumer Testing, Federal Reserve Bulletin (August 2011) (summarizing the outcomes of consumer tests on various financial product disclosures). The FTC discusses potential ways to make electronic disclosures clear and understandable in its “Dot Com Disclosures: How to Make Effective Disclosures in Digital Advertising” (March 2013). |
| 8 | See FTC Policy Statement on Deceptive Acts and Practices. |
| 9 | See FTC Policy Statement on Deceptive Acts and Practices. |
| 10 | Clear and Conspicuous Disclosures: When evaluating the three-part test for deception, the four “Ps” should be considered: prominence, presentation, placement, and proximity. First, is the statement prominent enough for the consumer to notice? Second, is the information presented in an easy to understand format that does not contradict other information in the package and at a time when the consumer’s attention is not distracted elsewhere? Third, is the placement of the information in a location where consumers can be expected to look or hear? Finally, is the information in close proximity to the claim it qualifies? More information is available at: “How to Make Effective Disclosures in Digital Advertising” (March 2013). |
| 11 | 12 U.S.C. § 5531; 12 U.S.C. § 5536. |
| 12 | The Dodd-Frank Act provided the FDIC backup enforcement authority with respect to Dodd-Frank UDAAP over FDIC-supervised institutions with total assets over $10 billion. |
| 13 | The FDIC also has the authority to enforce any federal law or regulation under the general grant of authority provided by Section 8 of the Federal Deposit Insurance Corporation Act, 12 U.S.C. § 1818. |
| 14 | See 12 U.S.C. § 5531. |
| 15 | See 12 U.S.C. § 5536. |
| 16 | The term “covered person” means (1) any person who engages in offering or providing a consumer financial product or service; and (2) any affiliate of a person described in (1) if such affiliate acts as a service provider to such person. See 12 U.S.C. § 5481(6). |
| 17 | See 12 U.S.C. § 5531(d)(1)-(2). |
| 18 | See FDIC, Supervisory Insights, Winter 2006, Vol. 3, Issue 2, Chasing the Asterisk: A Field Guide to Caveats, Exceptions, Material Misrepresentations, and Other Unfair or Deceptive Acts or Practices. |
| 19 | Available at http://www.fdic.gov. |
| 20 | The same conduct could also violate Dodd-Frank UDAAP; however, interpretive authority for the Dodd-Frank Act rests with the CFPB. |
| 21 | The same conduct could also violate Dodd-Frank UDAAP; however, interpretive authority for the Dodd-Frank Act rests with the CFPB. |
