There are lessons for all financial institutions from the Wells Fargo Case

sept27blogA Three Part Series- Part One- Understanding the Power of UDAAP

The recent news about a huge fine levied against Wells Fargo financial institution presents a cautionary tale for all financial institutions regardless their size. The law and regulation that were used to construct the enforcement actions against the financial institution and the subsequent fees and fines come from the Unfair, Deceptive, Abusive Acts or Practices Act (“UDAAP”). UDAAP is an extremely powerful regulation and it is important to remember that with these types of violations the considerations are different from other areas. A product or a practice can be technically in compliance with the spirits of a regulation, but still have UDAAP implications.

A brief description of UDAAP

At the end of the Great Depression, there was a public outcry for changes in regulations that dealt with all manner of financial institutions. During the financial crash consumers found many of the promises that had been made by business were not kept. Insurance companies did not pay as promised, department stores that had promised refunds for returns reneged, financial institutions closed overnight and business in general were able to avoid payments to consumers that they promised. Neither state governments nor individuals had many options when they found they had been misled or defrauded. A consumer who was defrauded often found fine print in the contract immunized the seller or creditor. Consumers could fall back only on claims such as common law fraud, which requires rigorous and often insurmountable proof of numerous elements, including the seller’s state of mind. Even if a consumer could mount a claim, and even if the consumer won, few states had any provisions for reimbursing the consumer for attorney fees. As a result, even a consumer who won a case against a fraudulent seller or creditor was rarely made whole. Without the possibility of reimbursement from the seller, consumers could not even find an attorney in many cases. [1]

Among the changes requested were laws that prevented practices that were deceptive or fraudulent. Eventually it fell to the Federal Trade Commission, FTC, to write regulations for consumer protection on a federal level. Unfair and Deceptive Act statutes were passed in recognition of these deficiencies. States worked from several different model laws, all of which adopted at least some features of the Federal Trade Commission Act by prohibiting at least some categories of unfair or deceptive practices. But all go beyond the FTC Act by giving a state agency the authority to enforce these prohibitions, and all but one also provides remedies consumers who have been cheated can invoke. In addition to the FTC regulations, state laws and court decisions help to shape the definition of unfair or deceptive business practices.

The Predecessor

The original UDAP (with one “A”) Unfair, Deceptive Acts or Practices is derived from Regulation AA, also known as the Credit Practices Rule. The regulation was divided into two subparts;

Subpart A outlines the process for submitting consumer complaints to the Board of Governors of the Federal Reserve System’s Division of Consumer and Community Affairs
Subpart B puts forth the credit practice rules pertaining to the lending activities of financial institutions. It defines certain unfair or deceptive acts or practices that are unlawful in connection with extensions of credit to consumers
Certain provisions in their consumer credit contracts, including confessions of judgment, waivers of exemptions, assignments of wages and security interests in household goods unfair or deceptive practices involving co-signers
Pyramiding late charges, in which a delinquency charge is assessed on a full payment even though the only delinquency stems from a late fee that was assessed on an earlier installment

Through the last half of the 20th century, UDAP regulation was largely the purview of the Federal Trade Commission. Financial institution regulatory agencies generally issued guidance for financial institutions to follow and some the practices that we mention above were specifically prohibited. However, the truth of the matter was that UDAP enforcement was not exactly a matter of grave concern in the financial institution industry.


The financial meltdown of 2009 lead to many changes in regulations including the passage of the Dodd-Frank Act. Among the changes brought about by Dodd-Frank, was the supercharging of UDAP. The regulation became the Unfair Deceptive Abusive Actions, Practices, or UDAAP.

UDAAP with two ‘A’s goes beyond extensions of credit and introduces an enterprise-wide focus on all the products and services offered by your institution. The CFPB has been given the authority to bring enforcement actions under UDAPP. Considered at a high level, UDAAP is more of a concept than an individual set of regulations. The idea is that dealings with the public must be fair and that financial institutions should in fact look after the best interests of its customers.

Another key difference is that UDAAP coverage makes it unlawful for any provider of consumer financial products or services to engage in unfair, deceptive or abusive act or practices; therefore, this regulation may be applicable far beyond financial institutions.

Under the new UDAAP regime, financial institutions can be liable for the actions of the third party processors that they hire. This is one of the many reasons why vendor management has become such an important area.

Even though there a great number of laws that deal with required disclosures on financial products such as loans and certificates of deposit, these laws generally do not deal with the fairness of the terms or the possibility that a consumer may unwittingly agree to additional fees and terms that go well beyond the agreed to interest rate. UDAAP is designed to address this problem.

The Basics

What is “unfair’?

The practice causes or is likely to cause substantial injury.
The injury cannot reasonably be avoided.
The injury is not outweighed by any benefits.
Briefly, what this means is if a customer has to pay fees or costs because of some act by the financial institution that is deemed unfair, then a substantial injury has occurred. The description of the regulation does say the injury does not necessarily have to be monetary, it can be emotional. However, there are no current examples of this second form of substantial injury. This is the section of the regulation that is most often applied to overdraft programs. Even in the cases where financial institutions allow overdrafts only after getting a customer’s permission and providing monthly statements that show the amounts of overdraft fees that have been paid, a substantial injury can be found.

What is “deceptive” ?

The practice misleads or is likely to mislead.
A “reasonable” consumer would be misled.
The presentation, omission or practice is material.
According to the CFPB, to determine whether an act or practice has actually misled or is likely to mislead a Consumer, the totality of the circumstances is considered. Deceptive acts or practices can take the form of a representation or omission. The Bureau also looks at implied representations, including any implications that statements about the consumer’s debt can be supported. Ensuring claims are supported before they are made will minimize the risk of omitting material information and/or making false statements that could mislead consumers.

Any programs that have the possibility of late fees or additional fees as the result of balances, usage charges or any fees that are in addition to the initial fees all have the possibility being misleading. We have found this section is most often cited when the language used in disclosures does not match the language in advertisements or on the website. For example, in one case, a financial institution called a fee a “maintenance fee” in its advertisements, but called the fee a “monthly” fee in the disclosures it gave customers at the time they opened the accounts. This was cited as a deceptive disclosure.

What is “abusive” ?

The practice materially interferes with the consumers ability to understand a term or condition of a product or service.
The practice takes unreasonable advantage of a consumer’s lack of understanding of the risk, costs and conditions of a products or service.
The CFPB description of this portion of the regulation notes a consumer can have a reasonable reliance on a financial institution to act in his or her best interests. This means for products or services which are offered that have the ability to add fees or costs, there is an affirmative duty to make sure the customer knows what it is they are getting into. It is also critical to pay particular attention to the second part of rule which defines abusive; a practice that takes advantage of a customer’s lack of understanding of fees and costs of a product. This part of the rule requires Financial institutions to be vigilant not only about disclosures they give to customers, but also about the level of fees being charged to the customer. An add-on interest charge may make economic sense. It may also be designed with a legitimate business purpose in mind. The fee can be applied to all customers that have a specific type of account and therefore, not a violation of fair lending or equal credit opportunities laws. However, these types of fees can adversely impact customers of limited means. As a result, these sorts of additional charges on an account can represent a UDAAP concern.

Part Two-The role management must play in preventing UDAAP violations

The Beneficial Ownership Rule: Part Two – Due Diligence

bor-part2In the first part of this series we described the new beneficial ownership rule. We talked about the reasons that the rule was passed and we noted that the central idea of this rule is making sure that financial institutions get complete information when an account is opened for a legal entity. This is especially true when a legal entity has a complex ownership structure. There is a second aspect of the rule that changes the due diligence process for legal entities to a dynamic one. This portion of the rule is being called the “fifth pillar” of BSA/AML compliance programs.

Due Diligence
Under the new Beneficial Ownership rule, the definition of due diligence is essentially changed, especially for accounts that are opened for legal entities. The rule specifically requires institutions to obtain background information on any person that owns, or controls the legal entity. For purposes of this rule, ownership is defined as anyone who maintains an ownership stake of 25% or more of the entity. Control means anyone who has a significant responsibility to manage or direct the entity. A controlling person could have zero ownership interest in an entity.

Currently information about the persons who control or own legal entities is not necessarily required, although as a best practice, this information should often be considered important to the due diligence process. The Beneficial Ownership rule makes obtaining the ownership and control information a requirement of the account opening and due diligence process. The rule also requires that financial institutions should write policies and procedures that reflect these requirements. The rule notes that the policies and procedures should be risk based and should detail the various steps taken based upon the risk rating of the account. The types of documentation that can be considered acceptable for meeting the requirements of the rule are described.

Due Diligence as a dynamic process
When developing your compliance program to meet the requirements of the new rule, consider that due diligence for legal entities should become a dynamic process. It won’t be enough to obtain ownership and control information at the time the account is opened and then stop. There must be ongoing monitoring of accounts for changes in the ownership or control and analysis of what those changes mean.
In recent years, one of the tactics that money launders have employed is to take over legitimate long standing business to hide “dirty money”. For example, in late 2014, the Los Angeles area garment industry was overrun by a scheme known as “Black Market Peso Exchanges. Drug money was used to purchase goods and then the goods were shipped to other countries where they were resold and converted back to cash. In many cases, the reason that this scheme was able to proceed was that the person or persons that desired to launder the money became a part owner of what was once a legitimate business.

In a similar manner, when a person who has bad intentions is able to control an entity, then the possibility that suspicious activity might occur goes up exponentially. An important part of ongoing monitoring for suspicious activity must be continuing due diligence on both the ownership and controlling persons of an entity.

Asking the second Question
Once information is obtained about the owners and/controllers of a legal entity there is an additional review process that should occur. Does the owner or controller of the legal entity increase the likelihood or potential for money laundering? In the alternative, does the information that you have obtained about the owner or controller leave more questions than answers? For example, suppose your corporate customer runs a small flower shop on main street. One day, a 30 % interest in the flower shop is purchased by a man who is the owner of the local casino. Why would the owner of a casino want a flower shop business? Since a casino is a high cash, high risk, business, and people do still buy flowers with cash, there is an increased risk that the new controlling person may try to move some of his money through the deposits of the flower shop. In this case, the best practice would be to find out all that you could about the new owner and why this controlling interest makes sense. Moreover, now is the time to determine whether or not your BSA department still has the capability to monitor the flower shop now that it has a new owner. Do you have the ability to determine whether suspicious activity might be occurring? Not only should due diligence be dynamic, it should also include the analysis necessary to make the most efficient use of the information obtained.

The Beneficial Ownership Rule- A Two Part Series

borpart1Part One – What is the rule and What Does it mean to Me?

On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN) announced its final rule strengthening the due diligence requirements for covered financial institutions. This rule is generally known as the beneficial ownership rule. This rule represents a significant change in the overall administration of Bank Secrecy Act/Anti-Money laundering (BSA/AML) compliance programs. The purpose of the change was made clear in FinCEN’s announcement of the final rule.

“Covered financial institutions are not presently required to know the identity of the individuals who own or control their legal entity customers (also known as beneficial owners). This enables criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously. The beneficial ownership requirement will address this weakness.”

Put another way, the purpose of this rule is to address one of the biggest weaknesses in the current system for identifying suspicious activity. The fact that that financial institutions have been required to obtain information about a legal entity without considering the ownership and /or control of the legal entity has allowed many a “bad guy” to effectively hide his/her illicit activity. The preamble to the rules lists out several examples of how legal entities have been taken over by criminals in an effort to launder money. Some of the more interesting examples included:
• A series of shell companies that were used to take over and loot a publicly traded mortgage company.
• Using a series of small legal entities to cover a drug smuggling ring
• Using a series of companies that were ostensibly for movie production to hide large amounts of cash that was being used for human trafficking

In all of the cases that were cited, the common feature was the ownership and control of the legal entities was obscured by a complex holding structure. The beneficial ownership rule is designed to addresses this practice. The rule requires that a financial institution doing business with a legal entity should know who owns and controls the entity. This is the enumerated requirement. However, it should be the understood that simply knowing this information is not enough. Once the due diligence information is obtained, it is critical to ensure that it makes sense in context. For example, does it really make sense that a flower shop owner also owns a casino? These business are entirely unrelated except for the fact that they are both often cash intensive businesses.

The Rule Itself
The final rule creates a “fifth pillar” in the standard group of expectations for a comprehensive BSA/AML compliance program. Ongoing and risk based due diligence for customers will now be considered an essential part of the compliance program. The rule makes due diligence a dynamic process rather than the traditional process that essentially ended at the time the account was opened. Financial institutions are expected to stay abreast of who the beneficial owners of a legal entity are and how their ownership might impact ongoing monitoring of the account. As the beneficial owners change, then the manner in which the account is viewed should change accordingly.

Beneficial Ownership is a broad definition that includes both ownership and control.
Ownership – is denied as any person who directly or indirectly owns more than 25 percent of the equity of a legal entity
Control – The term “beneficial owner” means a single individual with significant responsibility to control, manage, or direct the legal entity customer (e.g., a Chief Executive Officer, Vice President, or Treasurer).

These two prongs are critical because there are many times when a person or persons could actually have a minimal ownership stake in a firm or even no actual legal ownership, but still have the ability to control the firm. The rule requires all covered institutions to obtain information on all people who own or control a legal entity.

Financial institutions are expected to design policies and procedures that detail how staff will use their best efforts to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of a legal entity customer. The procedures must allow the financial institution to identify all beneficial owners of each legal entity customer at the time of account opening unless an exclusion or exemption applies to the customer or account.

Why Wait?
The rule requires all covered institutions to be in compliance by May of 2018. Covered institutions in this case means:
“For purposes of the CDD Rule, covered financial institutions are federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities”

Though this rule only technically only applies to covered institutions, it will be prudent for all financial institutions to become familiar with the requirements of the regulations and to apply the standards enumerated therein. Financial institutions will expect that their Money Service Businesses meet the same standards because the risks for undetected suspicious activity is the same.

There is absolutely no reason to wait to implement the principals detailed in the rule. By developing policies and procedures that are able to determine beneficial ownership, a financial entity can have more effective risk mitigation of its customer base. At the end of the regulatory day, knowing your customers and what it is that they do is the heart of any string AML Compliance program

In Part Two- we will discuss the details of a strong beneficial ownership program.

Your Partner in Balancing Compliance