The honest answer: longer than most institutions plan for. A process-related MRA might close in 90 days. A system-dependent MRA with vendor involvement can stretch to 180 days or more. Consent order remediation runs 12-24 months. But those are execution timelines, the real question is how long until the FDIC considers the matter closed, which only happens after the next examination validates that the fix works and the issue hasn't recurred.
Institutions that underestimate remediation timelines create two problems: missed deadlines (which examiners treat as a management weakness) and rushed implementations that fail validation (which generate repeat findings). Both outcomes extend the actual remediation period far beyond the original estimate.
Key Takeaways:
- MRA remediation typically takes 90-180 days for execution, but formal closure requires examiner verification at the next exam
- MRIA remediation has a 30-60 day execution window, with potential interim follow-up before the next full exam
- Consent order remediation runs 12-24 months from effective date to termination
- The single biggest factor that extends timelines: vendor and system dependencies
Remediation Timelines by Finding Severity
Every finding has two timelines: the execution timeline (how long it takes to implement corrective actions) and the closure timeline (when the FDIC formally considers it resolved). These are different, and conflating them is a common planning error.
MRA Timelines
| Phase | Typical Duration | Notes |
|---|---|---|
| Triage and root cause | 7-14 days | Assign owner, classify severity, identify root cause |
| Corrective action plan | 14-21 days | Develop, review, and obtain board approval |
| FDIC response submission | 30-45 days from ROE receipt | Written response with approved CAP |
| Implementation (process/policy) | 60-90 days | Policy revisions, procedure updates, training |
| Implementation (system/technology) | 90-180 days | Vendor engagement, configuration, testing, deployment |
| Validation testing | 14-30 days post-implementation | Independent testing of corrective actions |
| Monitoring period | Ongoing until next exam | Demonstrate sustained compliance |
| Examiner verification | At next scheduled exam | FDIC verifies closure through own testing |
Total execution timeline: 90-180 days for most MRAs.
Total closure timeline: Execution period + time until next exam + examiner verification. For a community bank on an 18-month exam cycle, an MRA issued in January 2026 might not be formally closed until the next examination in mid-2027, even if corrective actions were completed by June 2026.
This is why continuous monitoring matters, the gap between completing corrective actions and examiner verification is when repeat findings are born. Institutions that stop paying attention after implementation often discover at the next exam that the fix didn't hold.
MRIA Timelines
| Phase | Typical Duration | Notes |
|---|---|---|
| Immediate triage and interim control | 1-3 days | Deploy interim control; notify board |
| Root cause and CAP | 3-10 days | Compressed timeline; senior owner required |
| Implementation | 30-60 days | Aggressive timeline; may require dedicated resources |
| Validation testing | 7-14 days post-implementation | Faster testing cycle |
| Interim FDIC follow-up | 60-120 days from finding | Targeted review before next full exam |
| Full examiner verification | At next scheduled exam | Final closure determination |
Total execution timeline: 30-60 days.
Total closure timeline: Shorter than MRAs because the FDIC may conduct an interim follow-up review specifically to verify MRIA remediation. This targeted review can occur 60-120 days after the finding, before the next full-scope examination.
For more on MRA vs. MRIA differences, see our detailed comparison of MRIA and MRA response requirements.
Consent Order Timelines
| Phase | Typical Duration | Notes |
|---|---|---|
| Order negotiation and execution | 30-90 days | From FDIC proposal to signed order |
| Initial corrective actions | 60-120 days from effective date | Policy, staffing, and governance requirements |
| System and process implementations | 120-180 days from effective date | Technology changes, third-party reviews |
| Independent review completion | 90-180 days from effective date | Required for many consent orders |
| Lookback review | 120-240 days from effective date | Retrospective review of affected period |
| Targeted compliance examination | 6-12 months from effective date | FDIC verifies compliance with order provisions |
| Termination request and review | 12-18 months from effective date | After all provisions satisfied |
| Formal termination | 12-24 months from effective date | FDIC issues termination order |
Total timeline: 12-24 months for community banks. Complex consent orders involving BSA/AML deficiencies or significant system overhauls can extend beyond 24 months.
For a full overview of consent order mechanics, see our guide on what an FDIC consent order means.
Factors That Extend Remediation Timelines
Some timeline extensions are foreseeable and manageable. Others are self-inflicted wounds that signal management weakness to examiners.
Legitimate Timeline Extensions
Vendor dependencies. System changes that require vendor development, configuration, and testing routinely exceed internal timeline estimates. A core banking system change might require 6-9 months of vendor queue time alone. Examiners understand vendor dependencies, but they expect interim controls during the wait and documented evidence that you're managing the vendor timeline.
Regulatory complexity. Findings that span multiple regulations or business lines require coordinated remediation across departments. A fair lending finding that affects underwriting, pricing, and marketing requires changes to three different systems and processes. Each has its own timeline.
Third-party review requirements. Consent orders frequently require independent third-party reviews. Engaging a qualified firm, defining scope, completing the review, and implementing recommendations adds 90-180 days to the timeline.
Lookback reviews. Retrospective reviews of transactions, accounts, or decisions during the deficiency period are time-intensive. A BSA lookback of 18 months of account activity can require thousands of hours of analyst time. Under 31 CFR § 1020.320, if the lookback identifies suspicious activity that should have been reported, SAR filings must follow, adding another workstream.
Self-Inflicted Timeline Extensions
Vague root cause analysis. If the root cause is wrong, the corrective action won't fix the problem. The finding recurs, adding an entire exam cycle to the remediation timeline.
Unrealistic initial timelines. Proposing a 60-day timeline for a corrective action that requires board approval, vendor engagement, and system testing guarantees a missed deadline. The extension request and revised timeline add 30-60 days to the process.
Evidence gaps. Completing corrective actions without capturing evidence means reconstructing the evidence later, if it can be reconstructed at all. Evidence that can't be produced is treated as work that wasn't done.
Staffing turnover. When the finding owner leaves and there's no documented handoff, the replacement starts from scratch. Knowledge transfer gaps can add 30-60 days to the timeline.
Inadequate interim controls. For remediations exceeding 60 days, the FDIC expects interim controls. Not deploying them doesn't make the finding go away faster, it makes the finding worse at the next review, because the risk was unmitigated during the entire remediation period.
Documentation Requirements for Finding Closure
The FDIC doesn't close findings based on assertions. Closure requires evidence that satisfies examiner testing at the next review.
Minimum documentation for closure:
- Root cause analysis: Documented analysis showing you identified the actual cause, not a symptom
- Corrective action plan: Board-approved plan with specific actions, owners, milestones, and deadlines
- Implementation evidence: Dated, attributable evidence for each completed action
- Validation testing results: Post-implementation testing by someone other than the implementer
- Monitoring results: Evidence from ongoing monitoring showing the issue hasn't recurred since implementation
- Board reporting records: Minutes showing board oversight throughout the remediation process
Assemble this into a single remediation package per finding. At the next examination, provide it proactively. Institutions that make examiners hunt for documentation extend the examination timeline and create friction that can color examiner assessments. A disciplined exam preparation process makes this routine.
Follow-Up Exam Scheduling and What It Means for Timelines
The FDIC doesn't wait for the next scheduled full-scope examination to follow up on severe findings. Several factors can trigger earlier follow-up:
- MRIAs may trigger a targeted follow-up review within 60-120 days
- Consent orders include specific compliance examination milestones
- CAMELS downgrades (composite 3 or worse) shorten the examination cycle from 18 months to 12 months
- Material events, such as a BSA-related MRIA or a significant growth in risk profile, can trigger off-cycle examinations
For community banks rated CAMELS 1 or 2, the standard examination cycle is 18 months under FDIC examination frequency guidelines. A CAMELS downgrade to 3 shortens this to 12 months. A rating of 4 or 5 may result in continuous examination presence.
This means that for a well-rated bank receiving its first MRA, the closure timeline extends to the next scheduled exam (up to 18 months). For an institution with CAMELS concerns, the timeline compresses because examinations occur more frequently. See our guide on what triggers a follow-up examination for a complete breakdown.
How Teams Track Remediation Timelines
The institutions that close findings on schedule share one trait: remediation milestones are tracked with the same discipline as any other project deadline, with automatic escalation when milestones are approaching, owner accountability, and evidence captured at every step.
Canarie assigns each finding a remediation workflow with severity-appropriate timelines, milestone deadlines, evidence gates, and automatic escalation when deadlines approach. Board reporting is generated from the same data, and the remediation package assembles itself as evidence is captured through the workflow.
See how compliance teams close findings on schedule with tracked milestones →
Frequently Asked Questions
How long does it take the FDIC to formally close an MRA?
The FDIC formally closes an MRA at the next examination, when examiners verify through their own testing that the corrective action was implemented and effective. For community banks on an 18-month exam cycle, this means an MRA could remain technically "open" for up to 18 months after you completed all corrective actions. The key is maintaining monitoring evidence during this gap period, examiners will test for recurrence, not just implementation.
Can you request a timeline extension from the FDIC for an MRA?
Yes. If you've proposed a corrective action timeline in your response and realize you can't meet it, notify your examiner-in-charge before the deadline passes. Provide justification for the extension, a revised timeline, and documentation of interim controls that mitigate the risk during the extended period. Proactive communication is treated differently than a missed deadline discovered at the next exam. Examiners generally accept reasonable extensions, they don't accept surprises.
What's the fastest an FDIC consent order has been terminated?
There's no published minimum, but termination in under 12 months is rare for community banks. The FDIC needs to complete a targeted compliance examination to verify all order provisions are satisfied, and scheduling that examination takes time. Additionally, examiners want to see evidence of sustained compliance, not just point-in-time fixes. Most consent orders for community banks are terminated in the 12-24 month range, assuming all provisions are satisfied and the compliance examination confirms full compliance.
Does remediation progress affect the institution's CAMELS rating?
Yes. Demonstrated progress on MRA and MRIA remediation is a positive factor in the management (M) component assessment. Conversely, unresolved or repeat findings negatively affect the management rating and can contribute to a composite downgrade. Active consent orders typically prevent a management rating above 3. A strong audit remediation process directly supports a favorable management assessment.