What to Do in the First 30 Days After a Regulatory Finding

A day-by-day action plan for the first 30 days after receiving a regulatory finding. Covers board notification, gap assessment, corrective action planning, resource allocation, and evidence framework setup.

By Canarie Team

The first 30 days after receiving a regulatory finding determine whether you close it cleanly or spend the next two exam cycles trying to dig out. This isn't a planning period; it's an execution window. By day 30, your board should be informed, root causes should be identified, a corrective action plan should be drafted and approved, and your evidence framework should be operational. Institutions that lose the first month to internal debate, unclear ownership, or the assumption that "we'll get to it" consistently produce the weakest remediation outcomes.

This guide provides a structured, day-by-day framework for the 30-day period following receipt of an examination finding, whether it's an MRA, MRIA, violation, or observation from the FDIC, OCC, Federal Reserve, or state regulator.

Key Takeaways:

  • Board notification should occur within 5 business days of receiving findings, not at the next quarterly meeting
  • Root cause analysis must go beyond symptoms to identify the actual process, system, or governance failure
  • A corrective action plan without defined evidence requirements is an aspiration, not a plan
  • The first 30 days set the tone for the entire remediation; examiners will review your response timeline at the next exam

Days 1-3: Receipt, Classification, and Initial Notification

Secure and Log the Findings

When the Report of Examination (ROE) or examination letter arrives, log the receipt date immediately. This date starts the clock on your response timeline. The transmittal letter typically specifies the response deadline, usually 45 days for FDIC-supervised institutions.

Distribute the findings section of the ROE to the chief compliance officer, the relevant business line heads, and legal counsel. Do not distribute the full ROE broadly: it's a confidential supervisory document protected under 12 CFR Part 309 (FDIC) or 12 CFR Part 4 (OCC).

Classify Each Finding

For each finding, document:

  • Finding type: MRA, MRIA, violation, observation, or recommendation
  • Regulatory citation: The specific regulation, statute, or guidance the finding references (e.g., 12 CFR § 1002.9, 31 CFR § 1020.210, FFIEC BSA/AML Manual)
  • Business area affected: Which department, product line, or process
  • Prior history: Has a similar finding appeared in a previous examination?
  • Customer impact: Is there evidence of consumer harm requiring restitution?

Classification drives urgency. An MRIA with customer harm implications gets a fundamentally different treatment than an observation about documentation practices.

Notify the Board Chair

Within 24-48 hours, notify the board chair (or compliance committee chair) that findings have been received. This isn't the full board briefing; it's an initial notification that findings exist, their severity classification, and when a full briefing will occur.

For MRIAs: notify the full board or designated committee within 24-48 hours. If the next board meeting is more than 7 days away, convene a special session. The FDIC's Risk Management Manual expects the board to be actively engaged in overseeing supervisory concerns, not passively informed after the fact.


Days 3-7: Assignment, Root Cause Analysis, and Gap Assessment

Assign Finding Owners

Each finding needs a named individual owner, not a committee, not a department. The owner is responsible for:

  • Completing the root cause analysis
  • Drafting the corrective action plan
  • Executing corrective actions or directing execution
  • Providing progress reports
  • Delivering evidence of completion

For complex findings that span multiple departments, designate a lead owner with supporting owners for specific corrective actions. Document the assignment formally, via email, memo, or system record.

Begin Root Cause Analysis

Root cause analysis is the most underinvested step in remediation. Most institutions stop at the first answer. The first answer is almost always a symptom.

Use the "five whys" approach:

| Level | Question | Example Answer |
|---|---|---|
| 1 | Why was the finding issued? | SAR filings were not completed within the required timeframe |
| 2 | Why were filings late? | The BSA analyst didn't identify the cases in time |
| 3 | Why didn't the analyst identify them? | Alert review was backlogged by 3 weeks |
| 4 | Why was alert review backlogged? | Alert volume increased 40% after a system upgrade, with no staffing adjustment |
| 5 | Why was there no staffing adjustment? | No process exists to monitor alert volumes against staffing capacity |

The root cause isn't "the analyst was slow." The root cause is "the institution lacks a process for adjusting BSA staffing based on alert volume trends." The corrective action for root cause #1 is retraining. The corrective action for root cause #5 is implementing a volume-capacity monitoring process, which actually prevents recurrence.

Conduct a Gap Assessment

Evaluate whether the finding is isolated or symptomatic of a broader issue. A disclosure timing finding in your mortgage origination process may indicate a systemic disclosure management gap across all products. A BSA monitoring finding may reflect inadequate technology investment across the entire compliance function.

The gap assessment should determine:

  • Does the same control weakness exist in other business lines or products?
  • Are there related findings from internal audit that weren't fully remediated?
  • Does the root cause suggest a governance, technology, or staffing gap that affects multiple areas?

If the gap assessment reveals systemic issues, expand the corrective action plan to address them proactively. Examiners notice when institutions fix the specific finding but ignore the broader weakness, and they'll cite that broader weakness at the next exam.


Days 7-14: Corrective Action Plan Development

Draft the Corrective Action Plan

The corrective action plan (CAP) is the deliverable that examiners evaluate first at the next examination. A strong CAP contains:

For each finding:

  1. Finding reference: The finding number and verbatim text from the ROE
  2. Root cause statement: The actual cause identified through root cause analysis
  3. Corrective actions: Specific, measurable actions that address the root cause
  4. Interim controls: For remediations exceeding 60 days, what controls mitigate the risk during implementation
  5. Responsible owner: Named individual for each action
  6. Milestones and deadlines: Discrete phases with completion dates
  7. Evidence requirements: What documentation each action will produce
  8. Success criteria: How you'll determine the fix worked
  9. Board reporting schedule: When and how progress will be reported

For detailed CAP structure guidance, see our guide on how to write a corrective action plan for a bank examiner.

Set Realistic Timelines

Timelines must be achievable. Common timeline benchmarks:

  • Policy/procedure revisions: 30-60 days
  • Training design and delivery: 30-45 days
  • System configuration changes: 60-120 days (include vendor lead time)
  • New system implementation: 90-180 days
  • Third-party review engagement: 60-90 days for engagement, plus review timeline
  • Lookback reviews: 90-180 days depending on scope

If a corrective action will take longer than the FDIC's typical 90-day expectation for MRAs, document why and include interim controls for the gap period. Examiners accept longer timelines when they're justified and mitigated. They don't accept missed deadlines for timelines the institution proposed itself. For context on realistic timelines by finding type, see our breakdown of FDIC remediation timelines.


Days 14-21: Board Review, Resource Allocation, and Evidence Framework

Present to the Board

Prepare a board presentation that includes:

  • Finding summary with severity classifications
  • Root cause analysis for each finding
  • Proposed corrective action plan with timelines and owners
  • Resource requirements: staff time, vendor costs, technology investments
  • Risk of inaction: what happens if the finding isn't remediated (escalation path)
  • Approval request for the corrective action plan and associated resources

The board should formally approve the CAP and allocate resources. Document the approval in board minutes, including the specific motions, votes, and any board directives. Minutes that say "the board was informed" are insufficient; examiners want to see "the board approved the corrective action plan and directed management to report progress monthly."

Allocate Resources

Resource allocation is where remediation efforts frequently stall. Common resource requirements:

  • Staff time: Remediation competes with day-to-day operations. Dedicate specific staff capacity to corrective actions, and document the allocation.
  • Budget: System changes, vendor engagements, third-party reviews, and lookback analyses all cost money. Board-approved budget allocation is a remediation milestone.
  • External support: For complex findings (BSA program deficiencies, fair lending concerns), external consultants or legal counsel may be necessary. Engage early; consultant availability is not always immediate.

Establish the Evidence Framework

Before corrective actions begin, define how evidence will be captured, stored, and organized. Every remediation action should produce evidence at the time of completion, not after the fact.

The evidence framework should specify:

  • Where evidence is stored: A centralized repository, not individual email inboxes
  • Naming conventions: Consistent naming that links evidence to specific corrective actions
  • Metadata requirements: Date, author, approver, version, finding reference
  • Access controls: Who can view, edit, and approve evidence
  • Review process: Who validates that evidence is complete and adequate before the file is closed

Days 21-30: Execution Begins, FDIC Response Submitted, Monitoring Established

Begin Executing Corrective Actions

By day 21, execution should be underway for at least the initial corrective actions. Quick wins (policy revisions, procedure updates, staffing assignments) should be targeted for completion within the first 30 days. More complex actions (system changes, third-party engagements) should have milestones set and vendor engagement initiated.

Document everything as it happens. A policy approved on day 25 should have the approved version, the board resolution, and the distribution record captured on day 25, not reconstructed on day 60 when someone asks for the evidence.

Submit Written Response to the FDIC

By day 45 (for FDIC-supervised institutions), submit your written response. The response includes:

  • Acknowledgment of each finding
  • Root cause analysis for each finding
  • Board-approved corrective action plan
  • Interim controls already in place
  • Proposed timeline with milestones
  • Evidence of actions already completed (if any)

The written response is the institution's formal commitment. Everything in it becomes a benchmark that examiners will verify at the next examination.

Establish Ongoing Monitoring

Set up the ongoing monitoring and reporting cadence that will run through the remediation period:

  • Monthly progress reports to the compliance officer or remediation project lead
  • Quarterly board reports (monthly for MRIAs) with milestone status, evidence collected, and timeline adherence
  • Automated deadline alerts: 14-day and 7-day warnings before milestone deadlines
  • Escalation triggers: Automatic notification to the CCO and board committee if a milestone is at risk of being missed

Building a disciplined tracking and remediation process at this stage prevents the chaos that arises when follow-up exams approach and evidence is scattered.


The 30-Day Checkpoint: What Should Be Done

By day 30, verify that these elements are in place:

  • All findings classified by type and severity
  • Finding owners assigned (named individuals, not departments)
  • Root cause analysis completed for each finding
  • Board notified, briefed, and has approved the corrective action plan
  • Resources allocated (staff, budget, external support)
  • FDIC response in progress or submitted (within 45-day deadline)
  • Evidence framework operational
  • Interim controls deployed for high-severity findings
  • Monitoring and reporting cadence established
  • Quick-win corrective actions completed or in progress

If any of these items are incomplete at day 30, the remediation is already behind. Course-correct immediately: reassign resources, escalate to the board, or seek external support. The next 60 days will only get harder if the foundation isn't set.


How Teams Execute the First 30 Days

The institutions that execute the first 30 days well don't rely on ad hoc coordination. They treat findings intake as a structured workflow: classify, assign, analyze, plan, approve, execute, evidence, report. Each step has an owner and a deadline.

Canarie maps every finding to a remediation workflow from day one: triage, root cause, corrective action, milestones, evidence gates, and board reporting. The 30-day ramp is built into the workflow template, not invented each time a new ROE arrives.



Frequently Asked Questions

What if the board can't meet within the first 5 days to be notified?

For standard MRAs, notifying the board chair immediately and scheduling a full board briefing within 14 days is acceptable, though sooner is always better. For MRIAs, the urgency is higher. If the next regular board meeting is more than 7 days away, best practice is to convene a special session or conduct a telephonic board meeting. Document whatever notification method is used, including the date, attendees, and information conveyed.

Should we start corrective actions before the board approves the plan?

For MRIAs and findings involving active consumer harm, yes: deploy interim controls immediately and begin corrective actions that don't require board approval (such as assigning resources and initiating root cause analysis). For standard MRAs, obtaining board approval before committing to specific corrective actions and timelines is appropriate. The key is not losing time on the administrative process when there is immediate risk.

How detailed should the root cause analysis be for a minor observation?

Even observations deserve a brief root cause analysis: 1-2 paragraphs identifying why the gap exists and what you'll do about it. Observations that are ignored can become MRAs at the next examination if the underlying issue persists. The depth should be proportionate to severity, but the discipline of documenting a root cause applies to all findings.

What if we disagree with a finding: do we still start remediation during the first 30 days?

Yes. Start the remediation process in parallel with any formal response or dispute. Filing a response or appeal does not suspend the expectation that you'll address the concern. If the finding is ultimately modified or withdrawn, you can adjust or terminate the corrective action. But if you wait 60 days to start remediation while disputing the finding, and the dispute isn't resolved in your favor, you've lost two months. See our guide on whether you can negotiate FDIC exam findings for the full dispute process.
