UDAAP Compliance Checklist: A 12-Step Playbook for Fintech Compliance Officers

Sedric Team
Communications

UDAAP Compliance Checklist: 12 Items Every Compliance Officer Needs

TL;DR — Use this 12-item UDAAP compliance checklist as a working document, not a wall poster. It maps the Consumer Financial Protection Bureau's UDAAP doctrine to the specific control points in your product, marketing, servicing, and collections workflows. Walk through it once before your next exam, then again every quarter.


Intro

You already know the Consumer Financial Protection Bureau (CFPB) does not publish a tidy UDAAP rulebook. There is no Reg X with neatly enumerated paragraphs you can hand to your QA team. Instead, you have the Dodd-Frank Act's three prongs — unfair, deceptive, abusive — plus a decade of consent orders, supervisory highlights, and circular guidance that you have to triangulate into actual controls.

That gap between principles and operations is where compliance officers lose sleep. A CCO at a mid-stage neobank told us recently that her last CFPB exam produced 14 separate "matters requiring attention" — and all but two of them traced back to ambiguous control ownership between marketing, product, and servicing.

This checklist is built to close that gap. Twelve items, every one of them mappable to a specific artifact, owner, and cadence. If you can confidently say "yes, we do that, here is the evidence" to all twelve, you are in much better shape than 90% of the fintechs the CFPB examines.

What "UDAAP" actually means

UDAAP stands for Unfair, Deceptive, or Abusive Acts or Practices. It comes from sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, codified at 12 U.S.C. § 5531 and § 5536.

The three prongs in plain English:

  • Unfair: A practice is unfair if it causes or is likely to cause substantial injury to consumers, the injury is not reasonably avoidable, and it is not outweighed by countervailing benefits.
  • Deceptive: A representation, omission, or practice that is likely to mislead a reasonable consumer acting reasonably under the circumstances, where the representation is material.
  • Abusive: A practice that materially interferes with a consumer's ability to understand a product or service, or takes unreasonable advantage of a consumer's lack of understanding, inability to protect their interests, or reasonable reliance on the covered person.

The "abusive" prong was clarified in the CFPB's April 2023 Policy Statement on Abusive Acts or Practices, which is still the operative guidance.

Why this checklist matters in 2026

The CFPB's exam priorities for 2026 continue to emphasize fee transparency, dark patterns, servicing failures, and AI-driven consumer interactions. Recent supervisory highlights have flagged BNPL providers, neobanks, and lenders for the same recurring patterns: late-fee framing that buries the trigger, autopay enrollment that is harder to leave than to enter, and customer service representations that contradict the formal disclosures.

The penalties matter, but the operational disruption matters more. A consent order typically requires a third-party audit, expanded reporting cadences, board-level attestations, and product-level remediation that can freeze your roadmap for two to four quarters. That cost dwarfs the headline fine.

The 12-item UDAAP compliance checklist

Each item below has three components: the control, the artifact that proves it, and the owner.

1. Maintain a current UDAAP risk inventory

Every customer-facing process — origination, servicing, collections, marketing — has UDAAP exposure. Maintain an inventory that maps each process to inherent risk, residual risk, and the specific UDAAP prong (unfair, deceptive, or abusive) most relevant to it. Refresh quarterly. Artifact: risk register. Owner: CCO. For a full methodology, see our UDAAP risk assessment guide for fintechs.

2. Document the "reasonable consumer" standard for your audience

The deception test asks whether a reasonable consumer would be misled. Your firm should have a written articulation of who your "reasonable consumer" is — age, sophistication, language preferences, channels of interaction — so your QA team can apply the standard consistently. Artifact: documented reasonable-consumer profile. Owner: Head of Marketing Compliance.

3. Pre-publication review of all marketing communications

Every advertisement, push notification, email, in-app prompt, landing page, and partner-promoted asset must go through a documented review with sign-off before it goes live. The review must check claims against product reality, required disclosures for proximity and prominence, and the absence of dark-pattern design choices. Artifact: pre-publication review log. Owner: Marketing Compliance.

4. Fee disclosure proximity and prominence test

For every fee — late, NSF, returned payment, expedited, account maintenance, paper statement — verify the disclosure appears on the same screen or page as the action that triggers it, in a font size and contrast that is not buried. The CFPB has repeatedly cited "back-end" fee disclosures as deceptive even when technically present. Artifact: fee disclosure inventory with screenshots. Owner: Product + Marketing Compliance.

5. Autopay and recurring-charge enrollment review

Verify that any autopay, subscription, or recurring-charge enrollment meets a symmetry test: it should be no harder to cancel than it was to enroll. Document the cancellation flow with screenshots. The CFPB Circular 2023-01 on negative-option marketing is the operative guidance. Artifact: enrollment vs. cancellation flow comparison. Owner: Product Compliance.

6. Customer service script and call recording controls

Your customer service representatives are making material representations under the deceptive prong every time they speak. Maintain approved scripts, a quality-monitoring program with documented sampling rates, and a corrective-action workflow when reps go off-script. For phone channels, ensure your call-recording disclosure complies with state two-party consent laws — see our TCPA call recording disclosure script guide. Artifact: QA sampling report. Owner: Servicing Compliance.

7. Complaint analysis with UDAAP categorization

Every complaint — from CFPB portal, BBB, state AG, internal channels, social media — gets categorized against the three UDAAP prongs and tracked for root cause. Trend analysis runs monthly, with material trends escalated to the compliance committee. The CFPB explicitly uses complaint trends to prioritize exams. Artifact: complaint categorization log + trend report. Owner: Complaints Manager.

8. Third-party and partner-merchant oversight

If you have lead generators, marketing affiliates, partner merchants, or service providers making representations about your product, you own the UDAAP risk. Maintain a vendor inventory, contractual UDAAP representations, periodic communications sampling, and remediation rights. Artifact: vendor UDAAP attestation file. Owner: Vendor Management + Compliance.

9. Dark-pattern design audit

UI choices that obscure, mislead, or pressure the consumer — confirmshaming, false urgency, hidden costs, friction asymmetry — are increasingly treated as UDAAP violations. Run a quarterly dark-pattern audit across all consumer-facing surfaces. See our dark patterns CFPB enforcement catalog for the typology to test against. Artifact: dark-pattern audit log. Owner: Product Compliance + Design.

10. Servicing communication consistency

The most common UDAAP finding is a customer-facing representation that contradicts the formal disclosure. Run a quarterly reconciliation: pull a sample of customer service transcripts, servicing emails, and collection notices, and check that material claims are consistent with your terms and conditions. Artifact: reconciliation report. Owner: Servicing Compliance.

11. Override and exception logging

When a compliance reviewer flags a communication and the business overrides — or when an automated rule is bypassed — the override and the reasoning must be logged. Examiners will ask. "I don't remember" is a finding. Artifact: override log with reasoning. Owner: CCO.

12. Annual UDAAP training with completion tracking

Every employee whose role touches consumer-facing decisions — marketing, product, servicing, sales, customer success — completes annual UDAAP training with assessment. Track completion at 100%, not 95%. Artifact: training completion report. Owner: HR + Compliance.

How to operationalize the checklist

A checklist is a planning artifact, not a control. To turn this into a working program:

  1. Assign each item to a single named owner. Joint ownership is no ownership.
  2. Define the cadence. Items 1, 9, and 10 are quarterly. Items 4 and 5 trigger on product change. Items 7 and 11 are continuous. Items 3 and 6 are event-driven.
  3. Set the evidence standard. "We do this" is not evidence. The artifact name in each item is the minimum.
  4. Wire it to the board calendar. The Compliance Committee should review items 1, 7, and 11 quarterly. The full Board should see the consolidated UDAAP report annually.
  5. Make it inspectable. When a CFPB examiner asks for the checklist, you should be able to produce the most recent attestation in under 24 hours.

Three recent enforcement patterns to learn from

Rather than name specific firms, here are three patterns that have driven CFPB consent orders in the last 18 months. For specifics, see our CFPB consent order list for 2026.

Pattern 1: Deceptive savings claims. Neobanks marketing "high-yield" savings products whose rates applied only to a portion of the balance, or only after specific qualifying actions. The "deceptive" prong was triggered because the headline rate was material and the qualifying conditions were not reasonably prominent.

Pattern 2: Junk-fee framing. Lenders and BNPL providers framing late fees as a "courtesy" or "grace" feature while structuring the underlying contract so the fee was effectively the business model. The "abusive" prong was triggered because the framing materially interfered with the consumer's understanding.

Pattern 3: Autopay cancellation friction. Subscription-style fintech products requiring phone calls, multi-step navigation, or retention-team transfers to cancel autopay, where enrollment was a one-click action. Typically resolved as unfair under Circular 2023-01.

How leading fintechs automate UDAAP review with Sedric

Most compliance teams hit a wall around item 3 of this checklist. Pre-publication review of every marketing asset, in-app prompt, and partner communication is straightforward to describe and brutal to execute. A typical mid-stage fintech ships 200+ marketing variants per quarter across email, paid social, in-app, and partner channels. Human review at that volume produces either bottlenecks or rubber-stamping.

Sedric runs your marketing communications through a compliance-dedicated large language model that scores each asset against UDAAP risk in real time, links every flag to the specific underlying regulation or supervisory highlight, and produces an audit trail your examiner can read. Real-time guardrails, not retrospective archives. Every override is logged with the reviewer's reasoning, which closes the gap that produces "matters requiring attention" in exams.

Try the Marketing Comms Audit — upload up to 10 recent marketing assets and get a scored UDAAP risk report back. It is the fastest way to find out where this checklist is breaking down in your firm today.

FAQ

Is there an official CFPB UDAAP checklist? No. The CFPB publishes the Supervision and Examination Manual, which includes UDAAP modules, but it is not formatted as a control checklist. Practitioners build their own from the manual, consent orders, and supervisory highlights.

How often should we run a UDAAP audit? A full UDAAP audit annually, with quarterly updates to the risk inventory and continuous monitoring of marketing communications and complaints. Material product changes trigger an event-driven review.

Who owns UDAAP at a fintech? The CCO owns the program. Operational ownership is distributed across marketing compliance, product compliance, servicing compliance, and vendor management. The board owns oversight.

Does UDAAP apply to business-to-business products? Generally no — UDAAP under Dodd-Frank covers consumer financial products and services. However, products that are nominally B2B but used by individuals (sole-proprietor lending, certain BNPL configurations) can fall in scope. Treat the question as fact-specific.

What is the difference between UDAP (FTC) and UDAAP (CFPB)? UDAP is the older FTC standard under Section 5 of the FTC Act, covering "unfair or deceptive" acts or practices. UDAAP adds the "abusive" prong and is enforced by the CFPB for consumer financial products. The standards overlap significantly but the abusive prong is unique to CFPB jurisdiction.

How do dark patterns fit into UDAAP? The CFPB has increasingly treated UI dark patterns as deceptive or abusive depending on the specific design. Confirmshaming and false urgency tend to be analyzed as deceptive; friction asymmetry on cancellation tends to be analyzed as abusive or unfair.

Can AI-generated marketing copy create UDAAP risk? Yes, and the firm is on the hook regardless of the source. The CFPB has been explicit that automation does not shift responsibility. AI-generated copy must go through the same pre-publication review as human-drafted copy.

Closing CTA

If you adopt this checklist, item 3 — pre-publication review of every marketing communication — is where the wheels usually come off. Upload your 10 most recent marketing assets to Sedric's free Marketing Comms Audit and get a scored UDAAP risk report back within 24 hours. You will know, before your next exam does, where the checklist is breaking down.
