This past October, the Consumer Financial Protection Bureau (“CFPB”) took action against Navy Federal Credit Union, the largest credit union in the country. In doing so, the CFPB relied upon one of its favorite enforcement tools, “UDAAPs,” or, more specifically, the CFPB’s authority under the Dodd-Frank Act to prosecute Unfair, Deceptive, or Abusive Acts and Practices.

For some brief background basics:

The Dodd-Frank Act, which created the CFPB, gave the CFPB authority to enforce federal consumer financial laws. Additionally, Dodd-Frank transferred consumer protection jurisdiction for credit unions and banks to the CFPB (previously, consumer protection jurisdiction for banks and credit unions was in the hands of their regulators). Actually, Dodd-Frank gave the CFPB very broad consumer protection jurisdiction, giving it jurisdiction over any type of company in the financial sector that’s in the business of providing consumer financial products or services. For example, it used to be up to HUD to enforce RESPA violations by the various types of businesses associated with the buying and selling of residential real estate (such as mortgage lenders and title insurance companies). That job—enforcing RESPA—has now shifted from HUD to the CFPB.

But Dodd-Frank did more than give the CFPB broad jurisdiction to enforce federal consumer financial laws. Put another way, Dodd-Frank was not going to limit the CFPB to enforcing very specific, black letter consumer protection legislation already on the books. Rather, Dodd-Frank also provided the CFPB with a new, very flexible weapon: the authority noted above to prosecute Unfair, Deceptive, or Abusive Acts and Practices—UDAAPs—committed by anyone in the business of providing consumer financial products or services.

The relevant sections of the two particular statutes used by the CFPB to prosecute UDAAPs, 12 USC § 5531 and 12 USC § 5536, are remarkably short and simple. 12 USC § 5536 provides the overall prohibition against anyone engaging in UDAAPs, stating that it is unlawful for any “covered person” to “engage in any unfair, deceptive, or abusive act or practice.” 12 USC § 5531 sets forth the CFPB’s authority (and limits on that authority) to pursue UDAAPs violations, providing, in part, that the CFPB

“…may take any action…to prevent a covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice under Federal law in connection with any transaction with a consumer for a consumer financial product or service...”

As for the limits on the CFPB’s authority to pursue UDAAPs violations on the basis of “unfairness,” 12 USC § 5531 provides, in part, that the CFPB

“shall have no authority…to declare an act or practice in connection with a transaction with a consumer for a consumer financial product or service…unlawful on the grounds that such act or practice is unfair, unless…the (CFPB) has a reasonable basis to conclude that (A) the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers; and (B) such substantial injury is not outweighed by countervailing benefits to consumers or to competition.”

As for the limits on the CFPB’s authority to pursue UDAAPs violations on the basis that certain acts are “abusive,” 12 USC § 5531 provides, in part, that the CFPB

“shall have no authority…to declare an act or practice abusive in connection with the provision of a consumer financial product or service, unless the act or practice--(1) materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) takes unreasonable advantage of-- (A) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; (B) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or (C) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.”

So there you have it: legislation that is simple, broad, and some would say vague, to empower the CFPB to pursue UDAAPs violations when the CFPB sees acts or products that it has determined are unfair, deceptive or abusive. As you might imagine, UDAAPs comes in especially handy when there isn’t more specific federal legislation at issue that the CFPB can rely upon. And even if there is specific federal legislation at issue, UDAAPs allows the CFPB to broaden the impact of its case when there’s evidence of unfairness, deception, and abusive acts.

Now let’s take a look at how the CFPB used UDAAPs in the CFPB’s enforcement action against Navy Federal Credit Union.

The Consent Order was filed 10-11-16, providing for a civil money penalty of $5.5 million and $23 million for the purpose of providing redress to eligible consumers.

Relevant Findings from the Consent Order are as follows:

NFCU generally handles its debt collection activities internally, using NFCU employees, “…up to the point of litigation. Its primary collection activities are telephone calls and letters to delinquent and overdrawn members.”

Letter templates “…contained material representations that were likely to mislead reasonable consumers, including the following:”

“Some letters stated that legal action had ‘been recommended.’”

“Many of the letters threatened garnishment of wages—a remedy generally unavailable to Respondent [NFCU] without a court judgment against the consumer.”

“Respondent sent letters…creating the net impression that Respondent intended to sue the consumers if they failed to remit payment as instructed in the letter… The reality, however, was that Respondent seldom recommended or took legal action against its members.”

One letter template used by NFCU “threatened to contact consumers’ military commanding officers about their delinquencies if consumers did not promptly make a payment.”

“Respondent had a practice of freezing consumers’ electronic account access and disabling certain electronic services after consumers became delinquent on a NFCU credit account.”

“The account restrictions were applied at the member level, meaning that a delinquency or overdraft on one account would trigger a freeze of the consumer’s electronic account access and certain electronic services for all of the consumer’s NFCU accounts.”

Now, setting aside for the moment NFCU’s acts in restricting its members’ accounts, the above acts by NFCU pertaining to its written communications would constitute violations of the Federal Fair Debt Collection Practices Act (“FDCPA”) had these communications come from a third party debt collector working on behalf of NFCU instead of from NFCU directly. However, the FDCPA does not cover a creditor collecting its own debts. “The term ‘debt collector’…does not include…any officer or employee of a creditor while, in the name of the creditor, collecting debts for such creditor.” 15 U.S.C.A. § 1692a. Nevertheless, the CFPB, with its authority under Dodd-Frank to prosecute UDAAPs, was able to bring an enforcement action directly against NFCU for these written and oral communications from NFCU to its members.

So let’s pause and think about this for a moment: The FDCPA does not apply to a creditor collecting its own consumer debts. But the types of communications that would get a third party debt collector into hot water under the FDCPA (which a creditor is exempt from) can bring a creditor into the CFPB’s crosshairs for UDAAPs violations if those communications are deemed deceptive and/or abusive. And one only needs to compare the limited statutory damages allowed under the FDCPA for violations by third party debt collectors (15 U.S.C.A. § 1692l) with the $5.5 million civil penalty levied against NFCU in the CFPB’s enforcement action to understand which set of violations carries a higher price tag.

Credit unions collecting their own debts need to ensure they have collection policies and procedures in place to avoid the types of communications (written and oral) that were at issue in the NFCU case. With the NFCU enforcement case as its paradigm for these types of UDAAPs violations, the CFPB will be looking for more, and smaller, targets.