UDAAP: Regulating the “Could’ve, Would’ve, Should’ve”

  • Email
  • Print
  • Printing Articles

    1. Click here to print!
    2. ...or print directly from your browser by choosing File > Print... from the menu or by pressing [Ctrl + P]. Our printer-friendly stylesheet will make sure extraneous website stuff isn't printed.
    3. You're done!

    Close this message.

  • Comments
  • RSS

This article was co-authored by Thomas A. Brooks and  Joann Needleman, of Clark Hill. It originally appeared as an Alert on ClarkHill.com, and is republished here with permission.

Yesterday’s Consumer Financial Protection Bureau’s (CFPB) Consent Order against Dwolla, Inc., a company that operates an online payment system, is yet more evidence of the murky world of Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) enforcement. The CFPB alleged that Dwolla falsely claimed that its data security practices exceeded or surpassed industry security practices and falsely claimed that the consumer information that it held was securely encrypted and stored. The alleged conduct took place from 2011 to 2014. Dwolla agreed to pay a civil penalty of $100,000.00.

This is the CFPB’s first data security action and is based on its authority to prevent entities from engaging in unfair, deceptive or abusive acts or practices under the Dodd-Frank Act. Dodd-Frank states that the “Bureau may prescribe rules applicable to a covered person or service provider identifying as unlawful unfair, deceptive, or abusive acts or practices….” To date, the CFPB has not adopted any rules implementing its UDAAP authority.  It has chosen instead to bring actions based on UDAAP as it sees fit, with no regulatory guidance as to what types of actions would constitute a UDAAP.

Even more striking in the Dwolla Consent Order is that there was no finding by the CFPB of  any financial harm to any consumer as a result of Dwolla’s actions. Further, there was no finding that any security breach occurred or that any consumer data was compromised. The Consent Order only makes a tenuous conclusion that  Dwolla’s actions “were likely to mislead a reasonable consumer into believing that Dwolla had incorporated reasonable and appropriate data-security practices when it had not” and that Dwolla’s “representations were material because they were likely to affect a consumer’s choice or conduct regarding whether to become a member of Dwolla’s network.”  (Emphasis added.)

What’s happening here? Dwolla’s actions, if you believe them to be true, amount to nothing more than a failed audit, especially in light of the small civil fine. However, has the standard for UDAAP become so amorphous that we have to operate in the world of the subjective “what if”?  “Likely” is not an objective standard by which a company can conduct its business and should not be the basis for any UDAAP violation.

With no regulatory guidance, the financial services industry is left with little choice but to invest a disproportionate amount of resources to ensure that all their operations, policies and procedures are, at all times, not unfair, deceptive or abusive, which is a standard that is not defined and exists only in the minds of the CFPB enforcers.

About ClarkHill

Clark Hill’s Consumer Financial Services Regulatory & Compliance Group is a national leader in the field of consumer financial services law, providing strategic legal counsel to clients in all areas of consumer finance. We provide counsel, consultation and litigation services to financial institutions, law firms and debt buyers throughout the country. Our group can help you navigate this rapidly evolving regulatory environment. Our exceptional team of lawyers and government and regulatory advisors has extensive experience in – and an in – depth understanding of – the laws and regulations governing consumer financial products and services. We can assist you in developing and implementing compliance programs, as well as defending consumer litigation and regulatory enforcement actions.

For further information, please contact Thomas Brooks at 202.552. 2356, tbrooks@clarkhill.com or Joann Needleman at 215.640.8536, jneedleman@clarkhill.com.

  • Email
  • Print
  • Printing Articles

    1. Click here to print!
    2. ...or print directly from your browser by choosing File > Print... from the menu or by pressing [Ctrl + P]. Our printer-friendly stylesheet will make sure extraneous website stuff isn't printed.
    3. You're done!

    Close this message.

  • Comments
  • RSS

Posted in CFPB .

×
Subscribe to our email newsletters

Continuing the Discussion

We welcome and encourage readers to comment and engage in substantive exchanges over topics on insideARM.com. Users must always follow our Terms of Use. Also know that your comment will be deleted if you: use profanity, engage in any kind of hate speech, post an incoherent or irrelevant thought, make a point of targeting anyone, or do anything else we find unsavory. Your comment will be posted under your current Display Name, shown below. If you'd like to change your Display Name, you must update it on the My Profile page.

  • avatar denise-densmore says:

    I find it deceptive when someone calls me, says it is “a long shot” and asks me to deliver an urgent message to a neighbor. I know the law precludes them from discussing a debt, but this “long shot” and “personal favor” stuff is not right either.

Leave a Reply