An MRA (Matter Requiring Attention) is the FDIC's formal signal that something in your institution needs to change. It's not a suggestion. Failure to respond with a structured corrective action plan, supported by documented evidence and board oversight, puts your institution on a path toward escalation, potentially to an MRIA or formal enforcement action. The response you deliver in the first 45 days sets the trajectory for the entire remediation.
Most community banks receive MRAs at some point. The question isn't whether you'll get one; it's whether your response demonstrates the management discipline examiners expect. Institutions that treat MRAs as routine project management, with clear owners, hard deadlines, and evidence gates, close findings cleanly. Those that rely on informal efforts generate repeat findings that compound at the next exam.
Key Takeaways:
- An MRA requires a written corrective action plan submitted to the FDIC, typically within 45 days of report receipt
- Every corrective action must produce dated, attributable evidence, not assertions
- Board notification and ongoing oversight reporting are mandatory, not optional
- Failure to remediate an MRA on time frequently triggers escalation to an MRIA or formal enforcement action
What Is an MRA and Where Does It Come From
A Matter Requiring Attention (MRA) is a finding issued during an FDIC safety and soundness or compliance examination. It identifies a practice, condition, or violation that the FDIC considers a deficiency requiring corrective action. MRAs appear in the Report of Examination (ROE) under a dedicated findings section.
The FDIC's Risk Management Manual of Examination Policies (Section 1.1) defines the examination process as evaluating "the soundness of the institution's practices, the adequacy of its risk management systems, and its compliance with applicable laws and regulations." MRAs are the primary mechanism for communicating deficiencies identified during this evaluation.
MRAs can arise from any examination area:
- BSA/AML: Deficiencies in customer due diligence, suspicious activity monitoring, or CTR filing (31 CFR § 1020.210, 31 CFR § 1020.320)
- Consumer compliance: Disclosure timing failures, fair lending concerns, ECOA violations (12 CFR Part 1002)
- Credit risk: Underwriting policy deviations, concentration risk management gaps
- IT/Cybersecurity: Access control weaknesses, incident response deficiencies
- Capital and liquidity: Stress testing gaps, contingency funding plan weaknesses
Each MRA includes a specific description of the deficiency, the regulatory basis, and an expectation for corrective action. Some MRAs reference specific provisions of 12 CFR Part 337 (Unsafe and Unsound Banking Practices) when the issue rises to that level.
The Response Timeline
The clock starts when your institution receives the final ROE. Most FDIC regional offices expect a written response within 45 days of report receipt, though some transmittal letters specify different timelines. Read the transmittal letter carefully: the response deadline is stated explicitly.
Critical timeline milestones:
| Milestone | Timeframe | Action |
|---|---|---|
| ROE receipt | Day 0 | Log receipt date, distribute findings to responsible parties |
| Board notification | Days 1-5 | Present findings to the board or designated committee |
| Finding triage | Days 1-7 | Classify severity, assign owners, assess root cause |
| Corrective action plan draft | Days 7-21 | Develop specific actions, milestones, evidence requirements |
| Board approval of CAP | Days 21-30 | Board reviews and approves the corrective action plan |
| Written response to FDIC | Days 30-45 | Submit response with approved CAP |
Missing the response deadline, or submitting a vague plan that restates the finding without specifics, signals to examiners that management isn't taking the issue seriously. The FDIC's Supervisory Insights publication has repeatedly noted that institutions with delayed or inadequate responses are more likely to receive escalated findings at subsequent examinations.
How to Structure a Corrective Action Plan
The corrective action plan (CAP) is the core of your MRA response. A strong CAP contains five elements, and examiners know immediately when any are missing.
1. Root Cause Statement
State why the deficiency exists, not what the deficiency is. The FDIC already told you what's wrong. They want to know you understand why.
Insufficient: "Staff did not complete BSA reviews on time."
Sufficient: "The BSA review workflow relies on a manual tracking spreadsheet with no automated deadline alerts. When the BSA analyst was on medical leave for three weeks, no backup was assigned because the process has a single point of failure."
Root cause analysis should go at least two layers deep. If your first answer is "staff error," ask why the error occurred. The system, process, or oversight gap that allowed the error is the actual root cause.
2. Specific Corrective Actions
Each action must be discrete, measurable, and directly tied to the root cause. Vague commitments like "improve our monitoring process" are insufficient.
Example corrective actions for a BSA monitoring MRA:
- Implement automated 7-day advance alerts for upcoming BSA review deadlines by April 15, 2026
- Designate and train a backup BSA reviewer by April 30, 2026
- Conduct a 90-day lookback of BSA reviews completed during the gap period by May 15, 2026
- Revise the BSA review procedure to include backup assignment protocol by April 30, 2026
3. Responsible Owners
Name individuals, not departments. "The compliance department" doesn't own a corrective action; Sarah Chen, BSA Officer, owns it. When examiners see named owners, they see accountability. When they see department names, they see diffusion.
4. Target Completion Dates with Milestones
Set realistic dates. Proposing a 30-day timeline for a corrective action that requires vendor system changes and board approval guarantees a missed deadline. Missed deadlines generate more examiner scrutiny than longer-but-realistic timelines.
For multi-step remediations, set milestones. Each milestone has its own completion date and evidence requirement. This gives both your board and the FDIC visibility into progress before the final deadline.
5. Evidence Requirements
Define upfront what evidence each corrective action will produce. This prevents the scramble-to-document problem that plagues institutions during follow-up exams.
| Corrective Action | Required Evidence |
|---|---|
| Policy revision | Approved policy document with version date, approver signature, board resolution |
| System configuration change | Change management ticket, before/after screenshots, test results |
| Staff training | Training materials, attendance records, comprehension assessment results |
| Lookback review | Sample selection methodology, review results, exception summary |
Board Reporting Requirements
The FDIC expects the board of directors to exercise active oversight of examination findings. This isn't discretionary. The FDIC's Risk Management Manual (Section 4.1) states that the board is responsible for ensuring that "management takes prompt corrective action to address supervisory concerns."
Board responsibilities include:
- Initial notification: The board must be informed of MRA findings at the first board meeting after ROE receipt. Document this in board minutes.
- CAP approval: The board should formally approve the corrective action plan. Record the approval in minutes with the specific motions and votes.
- Progress reporting: Provide quarterly updates (monthly for high-severity MRAs) on remediation status, including milestones completed, evidence collected, and any timeline modifications.
- Escalation review: If deadlines are missed or corrective actions fail validation, the board must be informed and must approve revised plans.
Examiners review board minutes specifically for evidence of MRA oversight. Minutes that show the board was informed but asked no questions, requested no updates, and took no action suggest inadequate oversight, which can itself become a finding.
Evidence Requirements for MRA Closure
An MRA isn't closed when you complete the corrective action. It's closed when examiners at the next examination verify, through their own testing, that the deficiency was corrected and hasn't recurred.
To prepare for that verification, assemble a remediation package for each MRA:
- Original finding: Verbatim text from the ROE
- Root cause analysis: Documented analysis with supporting evidence
- Approved corrective action plan: Board-approved, with milestones and owners
- Implementation evidence: Dated, attributable evidence for each corrective action
- Validation testing: Post-implementation testing results showing the fix works
- Monitoring plan: How you'll detect recurrence, who reviews, and how often
- Board reporting records: Minutes showing oversight throughout the remediation
Provide this package to examiners proactively on day one of the next examination. Institutions that hand over organized remediation packages set a positive tone for the entire exam. Those that make examiners request documents piecemeal create friction that colors the rest of the review. Building this discipline into your exam preparation process pays dividends every cycle.
What Happens If You Don't Respond Adequately
An inadequate MRA response, whether late, vague, or lacking evidence, triggers a predictable escalation path:
MRA → Repeat MRA → MRIA → Formal Enforcement Action
The FDIC's Statement of Policy on Enforcement Actions outlines factors that influence the decision to pursue formal actions. These include:
- Whether prior supervisory actions were effective
- Whether the institution demonstrated good faith in corrective efforts
- Whether the deficiency poses risk to depositors or the Deposit Insurance Fund
A single MRA, promptly addressed, rarely escalates. A repeat MRA, one that appears in consecutive examinations, is a different matter. The FDIC views repeat findings as evidence of management weakness and a compliance management system failure. Under 12 U.S.C. § 1818(b), the FDIC has authority to issue cease-and-desist orders when institutions fail to correct unsafe or unsound practices.
For a detailed comparison of MRA escalation paths, see our guide on MRIA vs MRA differences.
How Compliance Teams Manage MRA Responses
The institutions that close MRAs cleanly share a common approach: they treat findings like project management, not crisis management. Each MRA becomes a tracked workflow with phases, owners, evidence gates, and automatic escalation on missed deadlines.
Canarie turns each MRA into a structured workflow (root cause, corrective actions, milestones, evidence collection, validation testing, and board reporting), all tracked in one place. When the next exam arrives, the remediation package is already assembled because evidence was captured as the work happened, not reconstructed weeks later.
Frequently Asked Questions
How long does an institution have to respond to an FDIC MRA?
Most FDIC regional offices expect a written response within 45 days of receiving the final Report of Examination. The exact deadline is stated in the transmittal letter accompanying the ROE. Some MRAs, particularly those involving consumer harm or BSA deficiencies, may have shorter response windows specified by the examiner. Always check the transmittal letter rather than assuming a standard timeline.
What's the difference between an MRA and a violation?
An MRA identifies a deficiency in practice, policy, or risk management that requires corrective action. A violation means a specific law or regulation was breached, such as a Regulation B disclosure failure (12 CFR § 1002.9) or a BSA reporting violation (31 CFR § 1020.320). Both require remediation, but violations carry greater legal exposure and may trigger consumer restitution requirements. An MRA can exist without a violation, and a violation may or may not be accompanied by an MRA.
Does the board need to approve the corrective action plan?
Yes. The FDIC expects board-level oversight of MRA remediation. The board should formally approve the corrective action plan, and that approval should be documented in board minutes. Ongoing progress reports should also appear in board minutes at least quarterly. Examiners specifically review minutes for evidence of active board engagement: not just notification, but questions, discussion, and directed action.
Can an MRA lead to a consent order?
Not directly from a single MRA, but the escalation path is clear. An unresolved or repeat MRA can escalate to an MRIA. Persistent unresolved MRIAs, combined with other supervisory concerns, can lead to formal enforcement actions including consent orders. The FDIC considers the institution's responsiveness to prior supervisory actions when determining whether to pursue formal enforcement under 12 U.S.C. § 1818(b).