Reading the UDAAP ‘tea leaves’

A lack of clarity persists about the ‘abusive’ standard.

August 27, 2021

While most compliance professionals know “UDAAP” stands for Unfair, Deceptive, or Abusive Acts or Practices, few truly understand this standard due to the lack of statutory language and regulatory guidance on the subject.

UDAAP became a familiar acronym for the credit union industry after passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, but its origins long predate Dodd-Frank. The first version, originally referred to as Section 5 of the FTC Act, was introduced in 1938.


  • An act or practice is unfair when it causes substantial injury to consumers and can’t be reasonably avoided.
  • A new CFPB policy statement is a direct pushback on the lighter enforcement that occurred during the previous administration.
  • Board focus: A significant uptick in UDAAP enforcement actions may be on the horizon.

In 2004, the Federal Trade Commission (FTC) expanded the section to include Unfair and Deceptive Acts and Practices, and “UDAP” was born.

Under the FTC Policy Statement on Unfairness, an act or practice is unfair when it causes or is likely to cause substantial injury (usually monetary) to consumers, can’t be reasonably avoided by consumers, and isn’t outweighed by countervailing benefits to consumers or to competition.

An act or practice is deceptive when it involves a material representation, omission, or practice that is likely to mislead a consumer acting reasonably in the circumstances. We use the same language today to define unfair and deceptive practices.

Adding a second ‘A’

In 2010, the FTC’s UDAP underwent a drastic transformation when the Dodd-Frank Act added the second “A” for “abusive,” transforming UDAP into UDAAP. This change led to a huge wave of UDAAP enforcement actions without a clear standard to determine what, exactly, constitutes a UDAAP violation. All we had to go on was the definition of “abusive acts or practices” that Congress defined in section 1031(d) of the Dodd-Frank Act. This section prohibits companies from:

  • Materially interfering with someone’s ability to understand a product or service.
  • Taking unreasonable advantage of someone’s lack of understanding. 
  • Taking unreasonable advantage of those who can’t protect themselves.
  • Taking unreasonable advantage of someone who reasonably relies on a company to act in their interests.

The limited definitions and lack of clearly defined products and services that are at-risk for UDAAP violations created a scary environment for covered institutions as the regulators applied a “know it when you see it” standard of enforcement in the years following Dodd-Frank.

Credit unions were expected to stay on top of all new enforcement actions the Consumer Financial Protection Bureau (CFPB) issued to try to determine what constituted an abusive practice and, more important, how to avoid a similar fate at their own institutions.

NEXT: Enforcement slows

Enforcement slows

Fast forward to 2016 when UDAAP enforcement slowed significantly during President Donald Trump’s administration. In January 2020, the CFPB released the Statement of Policy regarding Prohibition on Abusive Acts or Practices, which served as a framework for the bureau’s authority to exercise supervisory and enforcement power over acts or practices deemed “abusive.”

This statement outlines three guiding principles the bureau intended to apply to its supervision and enforcement:

  1. Cite conduct as abusive if the bureau concludes the harm to consumers from the conduct outweighs any benefits of the conduct.
  2. Avoid “dual pleading” of abusiveness and unfairness or deception violations arising from all or nearly all of the same facts, and instead alleging “stand-alone” abusiveness violations.
  3. Seek monetary relief for abusive acts or practices only when there’s a lack of a good-faith effort to comply with the law.

The purpose of this 2020 statement was to provide much-needed clarity the Director Richard Cordray-era CFPB lacked by implying a meaning of “abusive” through an onslaught of enforcement actions rather than defining it with a rulemaking or guidance.

This left us reading the tea leaves, trying to discern the meaning of the standard. It also implied a shift toward less UDAAP enforcement in general, although that may not be the case for much longer.

Credit union implications

In March 2021, the CFPB issued a new policy statement rescinding the 2020 Trump-era policy statement that sought to define an “abusive” act or practice.

That’s because the bureau believes the statement is inconsistent with the definition of abusive acts or practices in the Dodd-Frank Act, and it would limit the bureau’s ability to issue enforcement actions based on the abusive prong.

Where does that leave us now? And what does this mean for credit unions? Only time will tell.

It seems that the bureau’s decision to rescind the 2020 statement issued under former CFPB Director Kathy Kraninger is a direct pushback on the lighter enforcement that occurred under her leadership.

Additionally, rescinding the statement seems to indicate we could be moving back toward reading the tea leaves to define the abusive standard, and it seems unlikely we will receive a clear definition anytime soon.

This also could be a sign that a significant uptick in enforcement actions is on the horizon.

The best thing credit unions can do is continue to comply with what we know about UDAAP while watching the bureau’s enforcement actions and supervisory statements for tidbits of insight.

WHITNEY NICHOLAS is senior federal compliance counsel for Credit Union National Association. Contact the CUNA compliance team at



  1. Compliance resources
  2. Training and education

This article originally appeared in the Fall 2021 issue of Credit Union Magazine.