Nine Dangerous Words: "Show Me Where It Says We Can't Do That"


Here is a common scenario. A bank executive develops a new product, maybe a fee-generation concept. Properly following procedure, he consults the compliance officer, who performs a check-the-box review and signs off — but raises a "fairness" concern because the product is controversial with regulators and consumer groups.

The executive says, "Show me where it says we can't do that."

The compliance officer shrugs. Nothing explicitly bars the practice.

The business manager ponders it. He is committed to ethics and great customer service. However, his team has planned this rollout for months and needs the revenue. Competitors already offer the product. If the regulators objected to it, wouldn't they ban it? And the practice is defensible. Some customers will want it, and the bank will disclose everything as required. Ultimately the manager chalks up another encounter with the "business prevention department" and moves ahead.

Historically, that logic usually worked for banks. The examiners, like the compliance officer, would eventually come and check off the boxes too. Revenue would rise. Any customer complaints would go onto the "resolved" stack since no rules were broken. If customers felt mistreated, the institution's compliance and business metrics would likely never even register it.

Using this traditional compliance process, most banks easily weathered controversies in recent years in areas like subprime lending, credit cards, and overdraft protection. Unless fair lending problems arose, activities that were technically compliant were legal. Litigation was unlikely. End of story.

Now though, suddenly, a new story is unfolding so fast most banks have not yet heard it. A rising regulatory focus on UDAAP (unfair, deceptive and abusive acts and practices) has made "show me where it says we can't do that" a very dangerous sentence.

Why the change? After all, the FTC Act's ban on unfair and deceptive practices is over 70 years old, long enforced by bank regulators through routine Regulation AA reviews and by challenging activities at the industry's margins. Today's new element is a deep rethinking of the past regulatory approach that permitted subprime lending practices that are now widely deemed unfair despite usually meeting technical requirements. Congress has responded by creating the new Consumer Financial Protection Bureau and ordering it to write regulations on UDAAP — broadened by Dodd-Frank to add the second "A," for "Abusive." The other banking agencies, meanwhile, have escalated enforcement using the extensive powers they retain. Examiners (like bankers) often feel that the technical regulations don't always produce actual consumer protection. Many are picking up UDAAP as another tool.

It's a hard tool to wield, however, since the issues are subjective, complex, and often novel. In effect, the regulators are adapting the old but flexible UDAP law to a challenging new risk landscape.

So far, the impact is mostly invisible. There is nonpublic remediation with customer refunds, while enforcement cases are just beginning to emerge from the confidential agency pipeline. In July, the Federal Reserve imposed its largest-ever consumer regulatory civil penalty — $85 million — over a UDAP-related issue. One $3 billion bank has paid $30 million in fines and restitution. Escalating state enforcement and private litigation have produced awards reaching hundreds of millions of dollars. Both large and small institutions have faced effects like downgraded Camel and CRA ratings, blocked mergers, related fair lending enforcement, attention from class action litigators, and damaged brands. And all this is occurring before the CFPB begins to act.

UDAAP involves more than egregious or outlier behavior. Many cases challenge common industry practices or long-standing issues examiners never questioned before. One enforcement action affected only four customers. Cases have arisen over commercial accounts, operations protocols, foreclosed properties, third-party actions, routine fees — activities most banks do not view as compliance topics at all.

The traditional compliance program is built to meet technical regulations covering specific bank functions. It is not designed to produce "fairness." Most compliance programs do not even look at key areas now generating enforcement cases. In effect, UDAAP is becoming a mandate to make every practice fair, transparent, and appropriate for customers, including those considered "vulnerable" due to factors like income, age, and financial sophistication or distress. While all banks strive for fairness, few have built institution-wide processes and cultures to meet this standard. The compliance management model will need updating.

And so will the business executive's question to compliance, which will become, "How can we design this to meet both profit goals and fairness standards?"

Fortunately, consumers and banks both benefit when people make good financial choices. The CFPB will soon regulate non-banks that have historically been more lightly supervised than depository institutions. Banks that proactively move now to assure strong UDAAP performance along with technical compliance can potentially win and retain more customers while also sharply reducing regulatory risks.

Jo Ann S. Barefoot, former deputy comptroller of the currency, is co-chair of Treliant Risk Advisors.
