UDAAP — unfair, deceptive, or abusive acts or practices — is one of the broadest and most flexible consumer protection standards in financial regulation. Here are real examples of UDAAP violations in fintech and what to watch for in your own product.
UDAAP Examples: What Counts as Unfair or Deceptive in Fintech
UDAAP — the prohibition on unfair, deceptive, or abusive acts or practices — is one of the most important and most broadly applied consumer protection standards in U.S. financial regulation. The Consumer Financial Protection Bureau's authority to prohibit UDAAP applies to virtually all consumer financial products and services, including fintech products, even where no specific regulatory rule has been violated.
What makes UDAAP especially important for fintechs is its flexibility. The CFPB does not need a specific rule to bring a UDAAP action — it needs to show that a practice is unfair, deceptive, or abusive under the standards established by the Dodd-Frank Act. This means practices that technically comply with every specific rule can still violate UDAAP.
The Three Standards
Unfair
A practice is unfair if it causes or is likely to cause substantial injury to consumers, that injury is not reasonably avoidable, and the injury is not outweighed by benefits to consumers or competition. The injury does not have to be physical — financial harm, excessive charges, or being locked into harmful terms can all constitute substantial injury.
Deceptive
A practice is deceptive if it involves a material representation, omission, or practice that is likely to mislead a consumer acting reasonably under the circumstances. The CFPB focuses on whether a consumer was misled — whether the company intended to deceive is less relevant than whether consumers were actually or likely to be misled by the representation or omission.
Abusive
A practice is abusive if it materially interferes with a consumer's ability to understand a term or condition of a product or service, or takes unreasonable advantage of a consumer's lack of understanding, inability to protect their interests, or reasonable reliance on the institution to act in their interest.
Real UDAAP Examples From Fintech
Junk Fees and Hidden Charges
The CFPB has brought multiple enforcement actions against financial companies — including fintechs — for charging fees that consumers did not reasonably understand they would be charged. Examples include charging a monthly maintenance fee that was not disclosed clearly in marketing materials, charging fees for services that were implied to be free, or adding account fees after account opening without adequate notice. These practices can be unfair (consumers cannot avoid charges they do not know about) and deceptive (the fee terms were misrepresented).
Misleading Advertising About Interest Rates
Advertising a high annual percentage yield without adequate disclosure of the conditions required to earn that rate — minimum balances, limited-time promotional periods, or account type restrictions — is a common deceptive practice in fintech deposit product marketing. UDAAP requires that material conditions attached to advertised rates be disclosed clearly and prominently.
Misleading Overdraft Practices
The CFPB has repeatedly targeted overdraft practices it considers unfair or deceptive — including charging overdraft fees on transactions that the consumer's account balance appeared sufficient to cover at the time of authorization, or presenting account balance information in ways that cause consumers to reasonably believe they have more funds available than they actually do.
Dark Patterns in Subscription or Fee Authorization
Designing app interfaces or checkout flows that make it easy to sign up for services with recurring fees and difficult to cancel — using confusing language, buried cancellation options, or pre-selected opt-ins — is a UDAAP concern. The CFPB has signaled significant interest in digital dark patterns that exploit consumers' interface familiarity biases.
Inadequate Dispute Resolution
Failing to provide meaningful error resolution or dispute processes — or making those processes so burdensome that consumers cannot practically use them — can be an unfair practice. If consumers cannot practically recover unauthorized charges, the inability to protect themselves constitutes substantial injury that they cannot reasonably avoid.
Misrepresentations About FDIC Insurance
Implying or stating that consumer funds are FDIC-insured when they are not — or failing to clarify the specific conditions under which FDIC insurance pass-through coverage applies — is a material deceptive practice with significant consequences for consumers.
UDAAP in the Fintech Context
Fintechs are not exempt from UDAAP. The CFPB has taken enforcement actions against nonbank fintech companies for UDAAP violations, and its authority to do so has been upheld by courts. The CFPB's larger participant rule for digital payment companies — and its ongoing supervisory expansion — means that more fintechs are subject to direct CFPB examination, increasing the probability that UDAAP issues in their products will be identified and acted upon.
For fintechs operating in BaaS or sponsor bank structures, UDAAP risk is also a sponsor bank concern — banks are responsible for ensuring that their fintech program managers are not engaging in UDAAP violations in products offered through the bank's charter. Sponsor banks increasingly include UDAAP compliance representations in their program agreements and conduct compliance assessments that include UDAAP review.
Frequently Asked Questions
How do I know if my marketing materials are UDAAP compliant?
Evaluate each material claim from the perspective of a reasonable consumer — is the representation accurate and complete? Are material conditions and limitations disclosed clearly and prominently? Would a reasonable consumer reading this marketing material form an accurate understanding of what the product offers and what it costs? If not, UDAAP risk is present.
Is UDAAP a federal or state standard?
The UDAAP prohibition as enforced by the CFPB is a federal standard under the Dodd-Frank Act. Most states also have analogous state UDAP (Unfair or Deceptive Acts or Practices) laws that apply to consumer financial products. State attorneys general can enforce both state UDAP laws and some aspects of federal UDAAP. For fintechs, both the federal and applicable state consumer protection standards must be considered.
Does UDAAP apply even if no one has complained?
Yes. UDAAP enforcement does not require consumer complaints. The CFPB can identify UDAAP violations through its own supervisory examination process, market monitoring, or referrals from other regulators. The standard is whether the practice is likely to mislead or cause injury to consumers — not whether consumers have yet complained about it.
How ComplyOne Helps
ComplyOne helps fintechs identify and remediate UDAAP risks in their products and practices — from marketing review and fee disclosure analysis to product design assessment and sponsor bank compliance preparation — through advisory services, compliance technology, or both.
Talk to the ComplyOne team to get started.
The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult qualified legal counsel for guidance on UDAAP compliance specific to your product and practices.