MRA Remediation Playbook: How to Respond When You Get a Matter Requiring Attention

May 9, 2026 Rebecca Leung

TL;DR

  • An MRA from your regulator isn’t optional — it’s the OCC, FDIC, or Federal Reserve telling your board to fix a deficient practice in writing, with a deadline.
  • Every MRA follows the OCC’s “Five Cs” format: Concern, Cause, Consequence, Corrective Action, Commitment. Your response must track all five — line for line.
  • You have 30 days to deliver a board-approved action plan. The actual fix is usually 90–180 days for an MRA, 30–60 days for an MRIA, with interim controls expected within days.
  • The October 2025 OCC/FDIC proposed rule (Bulletin 2025-29) raises the bar for issuing MRAs and ties them more tightly to CAMELS downgrades. Fewer MRAs — but the ones you get will hit harder.

You walked out of the exit conference, and your principal examiner handed you a letter. Three pages, single-spaced, with bullet points titled “Concern,” “Cause,” “Consequence,” “Corrective Action,” and “Commitment.” Your CRO is already in the parking lot calling outside counsel.

Welcome to your MRA. Now you have 30 days to make your board look like adults.

This is the playbook nobody hands you when you take the compliance officer job — what to do in the first 48 hours, how to write a remediation plan that doesn’t get rejected, and how to avoid the slow slide from MRA to MRIA to consent order. The cost of getting this wrong isn’t theoretical. The OCC’s December 2025 enforcement actions list reads like a parade of banks that fumbled MRAs and ended up in formal agreements 18 months later.

What an MRA Actually Is

A Matter Requiring Attention is a written supervisory finding. The OCC, FDIC, and Federal Reserve all issue them. It’s not an enforcement action — it doesn’t carry a civil money penalty, doesn’t go in the Federal Register, and doesn’t require a public consent order. But it is binding on your board, it shows up in your next exam, and it is the primary tool examiners use to drive remediation between exam cycles.

The OCC standardized MRA format in Q4 2014 (News Release NR-OCC-2014-150, “OCC Revises Process for Managing Matters Requiring Attention”). That’s where the “Five Cs” structure comes from. The Federal Reserve and FDIC use slightly different conventions but the substance is the same: identified deficient practice, root cause, why it matters, what you must do, and your committed timeline.

| Level | Issuer | Trigger | Response Window | Public? |
|---|---|---|---|---|
| MRA | OCC, FDIC, FRB | Deficient practice deviating from sound risk management | 90–180 days typical | No |
| MRIA | Federal Reserve | Heightened-urgency matter, often safety-and-soundness or compliance concern | 30–60 days; interim controls in days | No |
| Memorandum of Understanding (MOU) | OCC, FDIC, FRB | Multiple unresolved MRAs or single significant concern | 6–12 months typical | No (informal) |
| Formal Agreement / Cease & Desist | OCC, FDIC, FRB | Persistent unsafe practices, MRA non-remediation | 6–24 months | Yes |
| Consent Order with CMP | All federal banking agencies | Severe or pattern violations | Multi-year | Yes |

The escalation isn’t automatic, but it is predictable. Banks that miss MRA deadlines or submit “checked the box” responses get MRIAs. Banks that miss MRIA deadlines get MOUs. The pattern is well-documented in the OCC’s PPM 5310-3 enforcement framework.

The October 2025 OCC/FDIC Proposed Rule — What’s Changing

In October 2025, the OCC and FDIC jointly proposed (OCC Bulletin 2025-29) a framework that would:

  • Define “unsafe or unsound practice” in regulation for the first time, requiring a practice to be “likely to directly, clearly and predictably impact an institution’s capital, asset quality, earnings, liquidity, or sensitivity to market risk.”
  • Require MRAs to meet minimum criteria — material financial harm or risk of loss — before being issued.
  • Limit composite CAMELS downgrades to circumstances where a qualifying MRA or formal enforcement action has been issued.

The comment period closed December 29, 2025. If finalized as proposed, the rule will reduce MRA volume substantially. But the ones you do get will be harder to dismiss as “minor process matters” — they’ll be backed by a regulatory definition of material harm, and they’ll be more directly tied to your composite rating.

For practitioners: do not assume the proposed rule means your existing MRAs are softening. They aren’t.

The First 48 Hours After Receipt

What you do in the first two days sets the trajectory of the whole remediation cycle.

1. Acknowledge in Writing — Same Day

Send a brief written acknowledgment to your principal examiner. Confirm receipt, confirm the listed concerns, and state that the bank will deliver a board-approved action plan within the 30-day window. Don’t argue, don’t negotiate, don’t try to clarify scope. That comes later.

2. Get the Right People in a Room — Day Two

Pull your CEO, CRO, General Counsel, and the line-of-business owner of the cited concern into a single working session. The output of this session should be:

  • A draft owner for each MRA item (named individual, not “the BSA team”)
  • A preliminary root cause hypothesis for each item
  • A list of any interim controls the bank can implement immediately (within 5 business days)
  • A decision on whether to engage outside counsel or a consulting firm

3. Stand Up Interim Controls Before You Finalize the Plan

This is the single most underappreciated lever in MRA response. If your MRA cites inadequate suspicious activity reporting reviews, you don’t wait 90 days to fix it. You implement a daily senior-reviewer queue starting Monday. Document every interim control with the date implemented, the responsible owner, and the metric you’re tracking. Show this in your 30-day plan.

Banks that show interim controls in week one almost always get more leeway on the formal remediation timeline. Banks that wait for the formal plan get marked as not taking the matter seriously.

4. Notify the Board — At the Next Regular Meeting at the Latest

Some MRAs require board notification before the next regular meeting. Read yours carefully. If it doesn’t, brief the board chair within five business days and put a formal MRA briefing on the next board agenda. The board’s role isn’t optional — under the OCC’s framework, the board is the responsible party for the remediation commitment.

Decoding the Five Cs in Your MRA

Every line of your remediation plan should map to one of these. If your response doesn’t address all five for each cited concern, examiners will send it back.

1. Concern — What the Examiner Identified

The concern is the deficient practice. Read this literally. If the MRA says “the bank’s BSA risk assessment does not adequately consider correspondent banking risk,” your response must address correspondent banking specifically — not “we will improve our BSA risk assessment generally.”

The most common mistake here is scope creep. Banks try to bundle the MRA fix into a broader BSA program overhaul. Examiners hate this. Address what was cited. Do the broader work separately.

2. Cause — Why It Happened

The cause is the root cause of the concern. If the OCC didn’t include one in the MRA, the corrective action must include identifying it. This is where most MRA responses fall apart.

Bad: “The cause was an oversight in the BSA program.”

Good: “Root cause analysis identified three contributing factors: (1) the BSA Officer position was vacant for 4 months in 2024; (2) the risk assessment template last updated in 2021 did not include correspondent banking as a separate risk category; (3) board reporting did not include correspondent activity volume metrics that would have surfaced the gap.”

The “Bad” version gets your response sent back. The “Good” version gets accepted because it’s specific, plausible, and points to identifiable controls you can fix.

3. Consequence — Why It Matters

The consequence is what happens if the concern isn’t fixed. The examiner wrote this in the MRA. Your response should explicitly acknowledge it — and explain what controls you’re putting in place to prevent that consequence from materializing.

Don’t argue with the consequence. Even if you disagree, fighting the consequence in your response is how banks turn an MRA into a formal agreement.

4. Corrective Action — What You’re Going to Do

This is the meat of your plan. For each concern, structure corrective actions as a numbered list with:

  • Action description (specific, observable)
  • Owner (named individual + title)
  • Target completion date
  • Evidence of completion (what artifact will the examiner review at validation?)
  • Validation method (internal audit testing, independent review, board attestation)

Examiners want to see corrective actions that fix the cause, not just the symptom. If your cause analysis identified a vacant BSA Officer position, your corrective actions should include succession planning and back-up coverage, not just “hired a new BSA Officer.”

5. Commitment — Your Board’s Promise

The commitment is the formal action plan, signed off by the board, with milestones and accountable staff. The OCC’s Five Cs framework requires this to be a board-level commitment, not a management memo.

Practical advice: don’t promise dates you can’t hit. Examiners understand that complex remediation takes time. Asking for a 180-day timeline and delivering on it beats promising 90 days and slipping to 120.

The 30-Day Action Plan — What Examiners Look For

Your 30-day board-approved plan is the document that determines how the rest of the remediation cycle goes. Get it right.

Structure

1. Executive Summary (1 page)
   - List of MRAs being addressed
   - Summary of root causes
   - Summary of remediation approach
   - Board sign-off statement and date

2. For each MRA item:
   2.1 Concern (verbatim from the MRA)
   2.2 Cause (your root cause analysis)
   2.3 Consequence (verbatim from the MRA + interim mitigation)
   2.4 Corrective Action (numbered list with owners, dates, evidence)
   2.5 Commitment (target completion date + validation method)

3. Governance and Reporting
   - Who owns the overall remediation program
   - Reporting cadence to the board
   - Reporting cadence to the regulator
   - Independent validation approach

4. Appendices
   - Interim controls implemented
   - Project plan / Gantt chart
   - Resource commitments (FTEs, budget)

What Gets Plans Sent Back

  • Vague action items (“strengthen the BSA program”)
  • No named owners (everything assigned to “the BSA team” or “Compliance”)
  • No evidence-of-completion definition (how will the examiner know it’s done?)
  • Missing interim controls
  • No independent validation step
  • Timelines longer than 180 days without a phased deliverable schedule

What Gets Plans Accepted

  • Specific, observable corrective actions tied to specific causes
  • Named individual owners with title and seniority appropriate to the action
  • Evidence artifacts identified (e.g., “updated BSA risk assessment, dated and approved by board”)
  • Interim controls already in place with metrics
  • Phased deliverables every 30 days
  • Independent validation by internal audit or external party

Building the Tracker

You need a single source of truth that maps every MRA item to its status, owner, deadline, and evidence. This is not a spreadsheet you build the night before the next exam.

The components of a defensible issues management tracker:

| Field | Why It Matters |
|---|---|
| MRA ID + cited concern (verbatim) | Examiners search on the exact language they used |
| Source exam + date | Tracks whether this is recurring or new |
| Severity + risk rating | Aligns with your enterprise risk framework |
| Root cause | Required for the “Cause” prong |
| Action items (multiple per MRA) | Each with owner + due date |
| Status (open / in-progress / closed-pending-validation / closed-validated) | Distinguishes management’s view from examiner’s view |
| Evidence link | URL to the artifact in your document repository |
| Validation method + tester | Internal audit, external, board attestation |
| Closure date | When the regulator confirmed closure |

Banks that walk into the next exam with a clean tracker, evidence ready, and validation already complete close out MRAs faster — and avoid having “stale” findings escalate. For a deeper walkthrough of how to structure the tracker and what examiners look for at validation, see our post on building a compliance management system that survives a CFPB exam.

Validation — How an MRA Actually Closes

An MRA is not closed when management says it’s closed. It’s closed when the regulator validates closure. There are three validation paths, and they’re not interchangeable.

Path 1: Examiner Validation at Next Targeted Exam

The most common path. Examiner returns at the next targeted or full-scope exam, reviews evidence, tests effectiveness, and either closes the MRA or carries it forward. If carried forward, the MRA may be reissued — and reissuance is a strong signal of escalation.

Path 2: Independent Validation Submitted to Regulator

For complex or material MRAs, banks often engage internal audit or an external firm to validate closure. The validation report is submitted to the regulator with a request for closure. Examiners review the validation report and either accept it, request additional testing, or schedule their own follow-up.

Path 3: Self-Attestation with Documentation

For lower-severity matters, the bank submits closure documentation (typically including evidence artifacts and management attestation) and the regulator either confirms closure or requests follow-up. This is more common in FDIC and FRB practice than OCC practice.

The validation step is where many MRAs that look “closed” actually fail. The most common failure mode: management implements the corrective action but doesn’t generate evidence that the action is effective and sustainable. Examiners are explicit that an MRA is past-due not just if the action wasn’t implemented, but if it wasn’t effective. A new policy that nobody follows is a failed MRA.

What Happens If You Miss the Deadline

Missed MRA deadlines escalate. The path varies by agency but the pattern is consistent:

  1. First missed deadline + reasonable explanation: Examiner extends or reissues with a tighter scope.
  2. Second missed deadline OR no reasonable explanation: MRA escalates to MRIA (FRB), repeated MRA (OCC/FDIC), or MOU.
  3. MOU non-compliance: Formal Agreement or Cease and Desist Order — public and reportable.
  4. Continued non-compliance: Civil money penalties, individual orders against officers and directors, prompt corrective action requirements, or in extreme cases, charter revocation.

The OCC’s December 2025 enforcement actions release included Formal Agreements with First National Bank of Pasco and The National Iron Bank that cited unsafe or unsound practices around BSA/AML, board oversight, and capital planning — all areas that almost certainly started as MRAs in earlier exams. The escalation pattern is documented and predictable.

Common MRA Categories — What Examiners Are Citing in 2025–2026

Based on recent OCC and FDIC enforcement actions and supervisory letters, the most common MRA categories right now:

| Category | Typical Citations |
|---|---|
| BSA/AML | Inadequate risk assessment, late SAR filings, weak transaction monitoring tuning, deficient correspondent banking due diligence |
| Board oversight & corporate governance | Inadequate board reporting, missing risk appetite statement, weak escalation protocols |
| Capital & strategic planning | Stress testing gaps, weak capital planning, concentration risk management |
| Third-party risk management | Inadequate vendor risk assessments, missing concentration analysis (esp. cloud/AI), weak ongoing monitoring |
| Information security & operational resilience | Inadequate incident response, weak access controls, missing operational resilience framework |
| Consumer compliance | UDAAP risk assessment gaps, fair lending analysis weakness, complaint program deficiencies |

If you got hit on board oversight or governance, see our post on annual compliance risk assessment methodology for what regulators expect to see in a defensible risk assessment.

So What? — The Practitioner’s Calculus

Three things are true at the same time in 2026 supervision:

  1. The OCC and FDIC are publicly committed to refocusing on material risks and reducing low-value MRAs.
  2. Existing MRAs in your supervisory file are not going away — they’re being validated under the same framework that issued them.
  3. The MRAs you receive going forward will be harder to dismiss because they’ll meet the proposed “material harm” standard.

The practitioner play: treat every MRA like it’s going to escalate, because the cost of overpreparing is small and the cost of underpreparing is a public consent order. Build the tracker. Run the root cause analysis. Stand up interim controls. Get the board on the record.

If you’ve just been handed an MRA and you’re trying to build the tracking infrastructure from scratch in 30 days, our Issues Management Tracker & Template gives you the schema, fields, and severity scoring that examiners look for — pre-built so your team can spend the time on the remediation, not on the spreadsheet.

Quick Reference: MRA Response Timeline

| Day | Action |
|---|---|
| 0 | Receive MRA at exit conference or via supervisory letter |
| 0 | Acknowledge receipt in writing |
| 1–5 | Assemble response team, identify interim controls, brief CEO + board chair |
| 5 | Implement interim controls (document everything) |
| 5–25 | Root cause analysis, draft corrective action plan |
| 25 | Board review and approval |
| 30 | Submit board-approved action plan to regulator |
| 30–180 | Execute corrective actions per phased deliverable schedule |
| Ongoing | Monthly status reporting to regulator (cadence varies by examiner) |
| ~180 | Independent validation |
| Varies | Examiner validation at next targeted exam |
| Varies | MRA closure confirmation from regulator |

Your board signature and the 30-day deadline are not negotiable. The interim controls and the validation discipline are what determine whether the MRA closes cleanly — or escalates.

Frequently Asked Questions

What is a Matter Requiring Attention (MRA)?
An MRA is a written supervisory finding from the OCC, FDIC, or Federal Reserve that identifies a deficient banking practice the board and management are expected to correct. It’s the most common form of formal supervisory communication short of an enforcement action.

What’s the difference between an MRA and an MRIA?
An MRIA — Matter Requiring Immediate Attention — is the Federal Reserve’s higher-urgency variant. MRIA response timelines are 30–60 days with interim controls deployed within days of the exit conference. Standard MRAs are typically 90–180 days depending on complexity.

How long do I have to respond to an MRA?
Under OCC policy, if management cannot provide an action plan during the examination, the bank must submit a board-approved plan within 30 days of receipt of the MRA. The actual remediation deadline is set by the examiner based on complexity, usually 90–180 days.

What is the OCC’s “Five Cs” format?
Concern, Cause, Consequence, Corrective Action, Commitment. The OCC standardized this format in 2014 (News Release NR-OCC-2014-150). Every MRA you receive should be structured around these five elements — and your response should track them line for line.

Are MRAs going away?
Not entirely. In October 2025 the OCC and FDIC jointly proposed (via OCC Bulletin 2025-29 and Federal Register doc 2025-19711) to define “unsafe or unsound practice” and require MRAs to meet that standard. The proposal would reduce MRA volume and tie composite CAMELS downgrades more tightly to formal MRAs — but MRAs are still the core mechanism of bank supervision.

What happens if I miss the MRA remediation deadline?
An MRA becomes “past due” if corrective action wasn’t implemented in the expected timeframe or if examiners determine during validation that the action wasn’t effective. Past-due MRAs escalate to MRIAs, formal agreements, consent orders, civil money penalties, and CAMELS downgrades. Don’t miss the deadline.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
