UDAAP: Unfair, Deceptive, or Abusive Acts or Practices

The short version

UDAAP stands for unfair, deceptive, or abusive acts or practices, prohibited under Sections 1031 and 1036 of the Dodd-Frank Act and enforced by the CFPB. It is three separate standards, not one. An act is unfair if it causes or is likely to cause substantial injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits. It is deceptive if a representation, omission, or practice is likely to mislead a reasonable consumer and the misleading information is material. It is abusive if it materially interferes with the ability to understand a term, or takes unreasonable advantage of a consumer's lack of understanding, inability to protect their interests, or reasonable reliance on the company. A practice can violate one prong without the others.

UDAAP is the broadest tool in consumer-financial regulation, because it does not depend on a specific product rule. A practice can comply with every line of the Truth in Lending Act and still be unfair, deceptive, or abusive. That breadth is what makes it the most-cited standard in CFPB enforcement and the hardest to bound. This guide covers the three standards, how they differ, how UDAAP relates to the older FTC Act, where it shows up, and how to control the risk.

Three standards, not one

The letters describe three independent prohibitions, each with its own legal test. A single practice can be unfair, deceptive, abusive, more than one, or only one. Conflating them is the most common analytical error, because each has different elements and different defenses.

Unfair

An act or practice is unfair if it causes or is likely to cause substantial injury to consumers, the injury is not reasonably avoidable by consumers, and it is not outweighed by countervailing benefits to consumers or to competition. All three elements must be present. Substantial injury is usually monetary, though it need not be; an injury that is small per consumer but spread across many can be substantial in the aggregate. Not reasonably avoidable means consumers could not have made a free and informed choice to avoid it.

Deceptive

An act or practice is deceptive if there is a representation, omission, or practice that is likely to mislead the consumer, the consumer is interpreting it reasonably under the circumstances, and the representation, omission, or practice is material. Materiality means it is likely to affect the consumer's conduct or decision about the product. Deception looks at the net impression, not just the literal words, so a technically true statement can still deceive if the overall impression misleads.

Abusive

The abusive standard is the one unique to Dodd-Frank. An act or practice is abusive if it materially interferes with the ability of a consumer to understand a term or condition, or takes unreasonable advantage of one of three things: a consumer's lack of understanding of the material risks, costs, or conditions; a consumer's inability to protect their interests in selecting or using a product; or a consumer's reasonable reliance on the company to act in their interests. Abusiveness can exist even where a disclosure is technically accurate, because it focuses on the company taking advantage of an imbalance.

How it differs from the FTC Act

Section 5 of the FTC Act has long prohibited unfair or deceptive acts or practices, often shortened to UDAP. Dodd-Frank carried the unfair and deceptive standards into the consumer-financial context and added the abusive prong, which the FTC Act does not have. So UDAAP is UDAP plus abusive, applied to consumer financial products and services and enforced by the CFPB and, for unfair and deceptive conduct, other regulators.

Where it shows up

UDAAP risk follows the consumer across the lifecycle: marketing that creates a misleading net impression, disclosures that bury a material term, servicing practices that make fees hard to avoid, fine print that contradicts the headline, and collection conduct that takes advantage of a consumer's situation. Because it is not tied to one rule, the analysis is the same everywhere: would this cause substantial unavoidable injury, mislead a reasonable consumer, or take unreasonable advantage.

How to control the risk

UDAAP is the standard that applies even where no specific rule does, which is why it sits at the center of a consumer-compliance program. For the structure that manages it, see the Compliance Management System guide; for the related fair-lending standards, see the fair lending guide.

Common questions

What does UDAAP stand for?
Unfair, Deceptive, or Abusive Acts or Practices. It is prohibited under Sections 1031 and 1036 of the Dodd-Frank Act and enforced by the CFPB. The three standards are independent: a practice can be unfair, deceptive, abusive, more than one, or only one.

What is the difference between unfair, deceptive, and abusive?
Unfair means causing substantial injury consumers cannot reasonably avoid and that is not outweighed by benefits. Deceptive means a material representation or omission likely to mislead a reasonable consumer. Abusive means materially interfering with a consumer's understanding, or taking unreasonable advantage of their lack of understanding, inability to protect their interests, or reasonable reliance on the company.

How is UDAAP different from the FTC Act?
Section 5 of the FTC Act prohibits unfair or deceptive acts or practices (UDAP). Dodd-Frank carried those two standards into the consumer-financial context and added the abusive prong, which the FTC Act does not have. UDAAP is UDAP plus abusive, enforced by the CFPB.

Can a practice be UDAAP if it complies with other regulations?
Yes. UDAAP does not depend on a specific product rule, so a practice can comply with every line of a regulation like the Truth in Lending Act and still be unfair, deceptive, or abusive. The analysis turns on injury, the net impression, and whether the company takes unreasonable advantage, not on a checklist.