UDAAP Risk Assessment: How to Evaluate Products Before the Examiner Does

April 11, 2026 Rebecca Leung
TL;DR

  • UDAAP enforcement isn’t going away — it’s shifting from the CFPB to state AGs and other regulators, and exam findings from bank partners and the OCC haven’t slowed
  • A real UDAAP risk assessment evaluates products across all three prongs (unfair, deceptive, abusive) across the full product lifecycle
  • Navy Federal paid $95M in December 2024 for surprise overdraft fees — a textbook “unfair” violation that a proper product review should catch
  • The abusive prong is the most underestimated UDAAP risk — it doesn’t require consumer harm, only that you exploited a structural advantage
  • Your compliance management system (CMS) review is where UDAAP program gaps get found — if you don’t have documented product reviews, you’ll hear about it

The CFPB dropped its lawsuit against Capital One in February 2025. It terminated consent orders early. It dismissed cases. By any measure, federal UDAAP enforcement intensity has dropped significantly under the current administration.

And yet: state attorneys general filed UDAAP-based consumer protection cases throughout 2025. The OCC updated its own UDAAP examination procedures in December 2024. Bank compliance partners are still asking for your UDAAP program documentation. And Navy Federal Credit Union paid $95 million to the CFPB in December 2024 for surprise overdraft fees.

The risk shifted. It didn’t disappear.

If your UDAAP risk assessment is a checkbox at product launch and a brief reference in your compliance policy, you’re carrying more exposure than you think. Here’s how to build a UDAAP product review that actually protects you.


These aren’t just abstract legal concepts — they’re the criteria an examiner applies to every product you offer. Know them as well as your product team knows your features.

Unfair: Substantial Injury Consumers Can’t Avoid

A practice is unfair if it:

  1. Causes or is likely to cause substantial injury to consumers
  2. The injury is not reasonably avoidable by consumers
  3. The injury is not outweighed by countervailing benefits to consumers or competition

The key word is reasonably avoidable. Navy Federal’s surprise overdraft fees were unfair precisely because consumers couldn’t reasonably avoid them — the fee was triggered by authorized-positive transactions where the consumer had reason to believe sufficient funds were available. From the CFPB’s December 2024 consent order: Navy Federal charged at least $80.2 million in these fees between 2017 and 2022 before the CFPB acted.

What “unfair” looks like in a product review:

  • Fees triggered by circumstances the consumer cannot predict or prevent
  • Terms that change adversely after enrollment without clear notice
  • Product structures where the consumer bears the downside of institutional processes they can’t observe or control
  • Pricing models that penalize behaviors the product implicitly encourages

Deceptive: Material Misleading Representations

A practice is deceptive if:

  1. The representation, omission, or practice is likely to mislead a reasonable consumer
  2. The misleading information is material to the consumer’s decision

Deception doesn’t require intent. It doesn’t require that a consumer was actually misled. It only requires that a reasonable consumer could be misled, and that the misleading element was material.

The Apple/Goldman Sachs case is the clearest recent example. The CFPB’s October 2024 consent order found that Apple and Goldman Sachs misled consumers about interest-free installment financing for Apple devices — consumers were led to believe they would automatically receive interest-free terms when they didn’t. Goldman Sachs paid $19.8 million in consumer redress and a $45 million civil penalty; Apple paid $25 million.

What “deceptive” looks like in a product review:

  • Marketing language that emphasizes benefits while burying material costs
  • “If-then” offer terms with the “if” in fine print
  • Default opt-ins that consumers reasonably don’t realize apply to them
  • Benefit descriptions that apply only in conditions typical customers won’t meet
  • Comparison claims that are technically true but create a misleading overall impression

Abusive: Taking Unreasonable Advantage of a Power Imbalance

A practice is abusive if it:

  1. Materially interferes with a consumer’s ability to understand a product’s terms, conditions, features, or costs; OR
  2. Takes unreasonable advantage of:
    • A consumer’s lack of understanding of material terms
    • A consumer’s inability to protect their own interests
    • A consumer’s reasonable reliance on a covered person

The abusive standard is the most underused and most underestimated UDAAP prong. Unlike unfair and deceptive, abusive doesn’t require that a consumer was harmed — only that you exploited an asymmetry.

This is why the abusive prong has particular salience for:

  • Products sold to financially vulnerable populations
  • Complex financial products where information asymmetry is structural
  • Servicing practices where consumers have no meaningful alternative
  • AI-driven decisioning where consumers don’t understand why decisions were made

Building Your UDAAP Product Review: The Lifecycle Framework

The CFPB’s UDAAP examination procedures (updated September 2023) evaluate products across their entire lifecycle. Your internal review should mirror this structure.

A UDAAP product risk assessment isn’t a one-time launch review — it’s a lifecycle evaluation covering six stages:

Stage 1: Product Design and Pricing

Questions for your review:

  • Is pricing transparent and predictable? Can consumers calculate their total cost before committing?
  • Are there fee structures that only trigger under conditions the consumer can’t observe (e.g., payment processing timing, batch cutoff effects)?
  • Does the product structure create conditions where the consumer bears disproportionate downside?
  • For add-on products: is enrollment clearly opt-in, or could a consumer reasonably believe they enrolled without intending to?

Red flags at this stage:

  • Fees tied to bank processing cycles the consumer can’t monitor
  • “Free” features with automatic paid conversion after a trial
  • Penalty pricing that applies when consumers make reasonable decisions based on available information

Stage 2: Marketing and Advertising

This is where most “deceptive” findings originate. Evaluate every consumer-facing marketing communication:

| Element to Review | Deceptive Risk | What to Check |
|---|---|---|
| Benefit claims | Overstating or universalizing conditional benefits | Are claims accurate for the typical customer? |
| Rate/APR disclosures | Featuring teaser rates without adequate prominence for the go-to rate | Does the typical consumer leave with an accurate cost impression? |
| Comparison claims | “Lowest fee” or “best rate” claims | Are they substantiated? Current? |
| Testimonials | Atypical results presented as typical | Does the testimonial reflect an average or outlier experience? |
| Fine print | Material terms buried below the fold or in a separate document | Would a reasonable consumer know to look for this? |

For digital products: your mobile app UX, push notification language, and onboarding flow all constitute “marketing” for UDAAP purposes. The argument that “we disclosed it in the terms and conditions” rarely succeeds as a defense if the typical consumer wouldn’t read or understand it there.

Stage 3: Sales and Enrollment

Key questions:

  • Does your sales process create pressure to enroll quickly without adequate time to review terms?
  • Are add-on products presented in ways that make them seem mandatory when they’re optional?
  • For direct sales: what are frontline staff incentivized to do, and does that incentive structure create pressure to mislead?
  • For digital enrollment: does the enrollment UX use dark patterns (pre-selected checkboxes, confusing opt-out language, hidden default terms)?

Complaints about enrollment are a leading indicator of UDAAP risk at this stage. Pull your complaint data specifically for patterns around “I didn’t know I was signing up for X” — that’s the signal you’re looking for.

Stage 4: Servicing

Key questions:

  • When consumers have questions about their account, do they receive accurate and complete information?
  • When consumers try to exercise rights (cancel, opt out, dispute charges), is the process clear and not designed to discourage them?
  • Is account statement information sufficient for a consumer to verify charges and understand their account status?
  • For dispute processes: are investigation timelines and consumer notification requirements being met? (The Apple Card case was, in part, a dispute processing failure.)

Unfair prong risk areas in servicing:

  • Prolonged hold times or complicated procedures for cancellation
  • Dispute processes that effectively deny consumers their rights through complexity
  • Adverse account actions with inadequate notice

Stage 5: Complaint Handling

Your complaints database is a real-time UDAAP signal generator. Most compliance teams process complaints for resolution — fewer use them for proactive risk identification. That’s the gap.

For UDAAP purposes, your complaint handling process should:

  1. Categorize complaints by product and issue type — not just status (resolved/unresolved)
  2. Track complaint volume trends — a rising complaint volume for a specific product feature is a UDAAP signal
  3. Analyze complaint language for patterns suggesting confusion about terms, unexpected fees, or inability to exercise rights
  4. Escalate patterns to product or compliance teams for evaluation against UDAAP standards
  5. Feed complaint trends into your UDAAP product risk assessment annually

The CFPB’s exam manual explicitly evaluates your complaint management process. Examiners will ask for your complaint data, your categorization methodology, and evidence that complaint trends trigger compliance review.

Stage 6: Collections and Account Closure

Often overlooked in UDAAP reviews, collections and closure processes carry meaningful risk:

  • Abusive prong: Consumers in collections are often in financial distress — precisely the population with diminished ability to protect their interests. This is where the abusive standard is most acute.
  • Deceptive prong: Settlement offer language that obscures material terms; representations about credit reporting impact; misstatements about legal status
  • Unfair prong: Fees that accrue after the consumer has lost the ability to manage them; account closure procedures that create traps

Compliance Management System: What Examiners Actually Review

When the CFPB — or a bank compliance partner or the OCC — reviews your UDAAP compliance, they’re evaluating your compliance management system (CMS), not just your product terms. Your CMS should demonstrate four things:

1. Board and Management Oversight

Is UDAAP risk identified at the board level? Does your risk appetite statement address consumer harm? Is UDAAP part of your regular compliance reporting to senior management and the board?

If the answer to any of these is no, that’s an exam finding before an examiner ever looks at a product.

2. UDAAP-Specific Policies and Procedures

Documented, updated, and accessible to the people who need them:

  • A UDAAP risk assessment policy covering when assessments are required
  • New product review procedures that include UDAAP evaluation
  • Marketing review procedures with explicit UDAAP checklist
  • Escalation procedures for identified UDAAP concerns

The absence of documented UDAAP procedures is itself a CMS finding.

3. Training

UDAAP training should be:

  • Role-specific (product teams, marketing, frontline staff, and compliance each need different content)
  • Updated when regulations or enforcement priorities change
  • Documented (completion records, content versions, test scores if applicable)
  • Supplemented with real enforcement examples — not just definitions

4. Consumer Complaint Analysis

As described above: complaint data must feed back into your UDAAP risk assessment. A CMS that tracks and resolves complaints but doesn’t analyze them for program-level UDAAP implications is incomplete.


The State AG Risk You May Be Underestimating

Under Dodd-Frank Section 1042, state attorneys general can bring civil actions to enforce federal UDAAP standards. As the CFPB has scaled back enforcement, state AGs have stepped forward.

In 2025:

  • New York AG brought enforcement against EWA (earned wage access) providers under state usury laws, characterizing the fee structures as potentially deceptive
  • Morgan Lewis noted in May 2025 that state AG enforcement of consumer financial protection laws was accelerating
  • State-level UDAP (Unfair or Deceptive Acts or Practices) statutes — analogs to federal UDAAP — remain fully active in every state

If your compliance program was calibrated to CFPB enforcement risk and you haven’t assessed your state-level exposure, you have a gap. The AGs of New York, California, Illinois, and Massachusetts have the authority, the resources, and the political incentive to act where the CFPB has retreated.


So What: Before Your Next Product Launch or Exam

A UDAAP risk assessment is not a one-time event. It’s a lifecycle process. Before your next product launch, answer these questions in writing:

Design/Pricing: Can consumers predict their total cost before enrolling? Are there fees triggered by conditions they can’t observe?

Marketing: Does every consumer-facing communication create an accurate impression? Would a reasonable person who sees only the marketing — not the fine print — understand what they’re signing up for?

Sales/Enrollment: Are add-ons clearly optional? Does enrollment UX use dark patterns?

Servicing: Can consumers easily exercise their rights? Are dispute procedures clear and followed?

Complaints: Are complaint patterns reviewed for UDAAP signals quarterly?

If you can’t answer these in writing, you’re not ready for an exam.

For teams conducting formal UDAAP assessments as part of new product approval, the New Product Risk Assessment includes a product lifecycle review framework with UDAAP-specific evaluation criteria across all three prongs.


Frequently Asked Questions

What are the legal standards for each of the three UDAAP prongs?
Unfair: a practice is unfair if (1) it causes or is likely to cause substantial injury to consumers, (2) the injury is not reasonably avoidable, and (3) the injury is not outweighed by countervailing benefits. Deceptive: a practice is deceptive if (1) it is likely to mislead a reasonable consumer and (2) the misleading representation is material. Abusive: a practice is abusive if it materially interferes with a consumer's ability to understand a product, or takes unreasonable advantage of the consumer's lack of understanding, inability to protect their interests, or reasonable reliance on a covered person.
Does UDAAP still matter if the CFPB is pulling back enforcement under the current administration?
Yes. State attorneys general can enforce federal UDAAP standards under Dodd-Frank Section 1042 — and they're actively doing so as the CFPB scales back. Additionally, bank partners and OCC examiners still evaluate UDAAP compliance. The risk hasn't disappeared; the enforcer has partially shifted.
What does a UDAAP product review actually cover?
A UDAAP product review evaluates the full product lifecycle — from product design and pricing through marketing, sales, servicing, and complaint handling — against all three prongs of UDAAP. It identifies where consumers could be misled, where material terms are obscured, where fees could be surprising, and whether vulnerable populations face disproportionate risk. It maps findings to specific policy controls and escalation procedures.
What triggers a UDAAP exam finding in a compliance management system review?
Common UDAAP CMS findings include: no documented UDAAP risk assessment for products, inadequate UDAAP training for frontline staff, complaint data not analyzed for UDAAP patterns, marketing materials not reviewed by compliance before deployment, product changes launched without UDAAP review, and no clear escalation path for identified UDAAP concerns.
How does the 'abusive' standard differ from 'unfair' and 'deceptive'?
Abusive is the newest and least litigated UDAAP prong. Unlike unfair (which focuses on consumer injury) and deceptive (which focuses on misleading representations), abusive focuses on power imbalances — specifically, taking unreasonable advantage of consumers who lack understanding, can't protect themselves, or who reasonably rely on your institution. Abusive practices don't require that a consumer was actually harmed — only that you exploited a structural advantage.
What UDAAP enforcement should I study as a case study for my product review?
The Navy Federal Credit Union case (December 2024, $95M) is the best recent case study for the unfair prong — surprise overdraft fees that consumers couldn't reasonably avoid. The Apple/Goldman Sachs case (October 2024, $89.8M) illustrates both deception (misleading marketing of interest-free payments) and inadequate dispute handling. Study both before your next product review.
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
