How to Write a Corrective Action Plan for a Bank Examiner

How to structure a corrective action plan that meets examiner expectations: required elements, milestone setting, evidence requirements, and progress reporting standards for community banks.

By Canarie Team

A corrective action plan is the single most important document in the remediation process. It's the contract between your institution and your regulator, a written commitment to fix what's broken, by when, and how you'll prove it. Examiners at the FDIC, OCC, Federal Reserve, and state banking departments evaluate CAPs against a consistent set of expectations. Plans that meet those expectations close findings. Plans that don't generate repeat findings, examiner frustration, and escalation.

The difference between a CAP that works and one that fails isn't length or formality; it's specificity. "We will improve our BSA monitoring process" is not a corrective action plan. It's a vague intention. Examiners are looking for a plan that specifies exactly what changes, who makes the change, when each step completes, what evidence it produces, and how you'll verify it worked.

Key Takeaways:

  • A CAP must address root cause, not symptoms; examiners test for this
  • Every corrective action needs a named individual owner, a deadline, and a defined evidence requirement
  • Milestone-based plans with phase gates outperform monolithic "fix everything by date X" approaches
  • Examiners evaluate the CAP before evaluating the implementation; a weak plan undermines good execution

What Examiners Evaluate in a Corrective Action Plan

Before reviewing your remediation evidence, examiners evaluate the plan itself. A CAP that's vague, incomplete, or doesn't address root cause tells the examiner that the institution doesn't fully understand the problem, even if the actual corrective work was solid.

Examiners assess five elements:

1. Does It Address Root Cause?

This is the first and most critical test. Examiners compare your root cause statement against the finding and their own analysis. If your root cause is "staff error" for a systemic process failure, the examiner knows the corrective action won't prevent recurrence.

The FFIEC Compliance Management System framework expects institutions to identify "the root cause of any issue identified, not just the symptoms." Root cause analysis should go at least two layers deeper than the initial explanation.

2. Are Corrective Actions Specific and Measurable?

Each action should describe a discrete, verifiable change. Examiners apply a simple test: can you determine whether this action was completed by reviewing a single piece of evidence?

Too vague: "Enhance our transaction monitoring capabilities."

Specific and measurable: "Reconfigure the AML transaction monitoring system to reduce the alert aging threshold from 45 days to 15 days, add automated escalation for alerts exceeding 10 business days without disposition, and validate the configuration through a 30-day parallel run comparing alert generation under old and new parameters."

3. Are Owners Named and Accountable?

Examiners want to see named individuals, not departments or committees. "The compliance department will implement..." is diffused accountability. "Maria Gonzalez, BSA Officer, will implement..." is personal accountability.

For corrective actions that require cross-departmental coordination, designate a lead owner who is accountable for the overall action and supporting owners for specific components. Document who owns what.

4. Are Timelines Realistic and Milestoned?

A single deadline for a multi-step corrective action is a planning failure. Examiners expect milestones:

| Phase | Milestone | Deadline | Evidence |
|---|---|---|---|
| Phase 1 | Policy revision drafted | Day 30 | Draft policy document |
| Phase 2 | Policy approved by board | Day 45 | Board resolution, approved policy |
| Phase 3 | Staff training completed | Day 60 | Training materials, attendance records, assessment results |
| Phase 4 | System reconfigured | Day 90 | Change management ticket, configuration screenshots |
| Phase 5 | Validation testing completed | Day 105 | Test methodology, results, conclusion |
| Phase 6 | Monitoring plan activated | Day 110 | Monitoring procedure, first report |

Each milestone has its own deadline and evidence requirement. This gives examiners visibility into progress and gives your institution a structured execution plan.

Timelines must be achievable. OCC Bulletin 2014-52 establishes that the OCC expects corrective actions to be completed "in a timely manner" and that "proposed timeframes for corrective action should be reasonable." Proposing aggressive timelines you can't meet is worse than proposing longer timelines you can.

5. Are Evidence Requirements Predefined?

Define what evidence each corrective action will produce before implementation begins. This prevents the common failure mode where corrective actions are completed but evidence is incomplete or unavailable.


CAP Structure: A Working Template

The following structure covers what examiners expect. Adapt it to your institution's format, but ensure every element is present.

Section 1: Finding Summary

Restate the finding verbatim from the Report of Examination. Include the finding number, examination date, and regulatory citation. This creates an unambiguous link between the CAP and the specific finding.

Section 2: Root Cause Analysis

Present the root cause: the actual cause, not the surface explanation. Include the analytical method used (five whys, fishbone diagram, or similar). If the root cause analysis involved interviews, document review, or data analysis, note the methodology.

Structure:

  • Initial observation: What the examiner found
  • Contributing factors: Process, system, and governance factors that allowed the deficiency
  • Root cause: The fundamental gap that, if corrected, prevents recurrence
  • Supporting evidence: Data or documentation that confirms the root cause analysis

Section 3: Corrective Actions

For each corrective action:

| Element | Description |
|---|---|
| Action ID | Unique identifier linked to the finding |
| Description | Specific, measurable action to be taken |
| Root cause linkage | Which root cause this action addresses |
| Owner | Named individual responsible for completion |
| Start date | When work begins |
| Target completion | When the action must be completed |
| Milestones | Intermediate steps with their own deadlines |
| Evidence | What documentation this action will produce |
| Dependencies | Vendor timelines, system access, board approvals |
| Interim control | If completion exceeds 60 days, what mitigates the risk during implementation |

Section 4: Interim Controls

For any corrective action exceeding 60 days, describe the interim control:

  • What the interim control is
  • When it was or will be deployed
  • Who is responsible for executing it
  • How it mitigates the identified risk
  • When it will be retired (upon completion of the permanent fix)

Examiners at both the FDIC and OCC expect interim controls for extended remediations. A 120-day corrective action with no interim control means the risk is unmitigated for four months, and examiners will note that.

Section 5: Validation Testing Plan

Describe how you'll test whether each corrective action actually works:

  • Who tests: Someone other than the person who implemented the action
  • What they test: The specific condition the original finding identified
  • How they test: Sample selection methodology, test criteria, pass/fail standards
  • When they test: After implementation is complete, with sufficient time for post-implementation data to accumulate

Section 6: Monitoring Plan

Define ongoing monitoring that will detect recurrence after the corrective action is validated:

  • Metrics or reports that will be monitored
  • Frequency of monitoring (monthly, quarterly)
  • Responsible reviewer
  • Escalation criteria: what triggers a reopening of the finding

Section 7: Board Reporting Schedule

Specify when and how remediation progress will be reported to the board:

  • Reporting frequency (monthly for MRIAs, quarterly for MRAs)
  • Report content (milestone status, evidence summary, timeline adherence, exceptions)
  • Escalation protocol for overdue milestones

Common CAP Failures and How to Avoid Them

Symptom-Level Corrective Actions

The pattern: The finding cites a disclosure timing failure. The corrective action is "retrain staff on disclosure requirements." Retraining doesn't fix a systemic timing issue caused by a system configuration problem.

The fix: Ensure every corrective action traces back to a root cause, not a symptom. If the root cause is a system configuration issue, the corrective action should be reconfiguring the system, validating the configuration, and monitoring for exceptions, with retraining as a supplementary action, not the primary one.

Missing Interim Controls

The pattern: A corrective action has a 120-day timeline with no interim control described. The examiner asks: "What was preventing the same issue from recurring during those four months?"

The fix: For any corrective action exceeding 60 days, include an explicit interim control. Even a manual check or enhanced monitoring protocol demonstrates risk awareness during the remediation gap.

Vague Evidence Requirements

The pattern: The corrective action says "update policy." The evidence requirement says "updated policy." When the examiner asks for the evidence, the institution provides a policy document with no approval date, no approver signature, and no evidence of distribution or training.

The fix: Define evidence requirements with specificity: "Board-approved policy document (signed by board chair with approval date), board resolution reflecting approval, staff distribution record with read-receipt confirmation, and training completion records for all affected staff."

Monolithic Timelines

The pattern: One deadline for a multi-component corrective action. Everything is "due by June 30." When June 30 arrives, some components are done, some aren't, and there's no clear record of progress.

The fix: Break every multi-step corrective action into milestones with individual deadlines. Each milestone produces its own evidence. Progress is visible throughout the remediation, not just at the end.

No Link to Prior Findings

The pattern: The institution receives a finding similar to one from a prior exam. The CAP doesn't acknowledge the prior finding or explain why prior corrective actions didn't prevent recurrence.

The fix: If a finding is related to a prior finding, explicitly address this in the CAP. Explain what was done previously, why it was insufficient, and what's different about the current corrective action. Examiners will make this comparison whether you address it or not; it's better to be proactive. Maintaining a structured finding tracking system makes this comparison straightforward.


Progress Reporting: What Examiners Expect

The CAP isn't a set-and-forget document. Examiners expect evidence of active management throughout the remediation period.

Board-level progress reports should include:

  • Finding summary table: All open findings with current status, owner, target date, and percentage complete
  • Milestone status: For each finding, which milestones are complete, in progress, or overdue
  • Evidence summary: What evidence has been collected and what remains outstanding
  • Timeline adherence: Any milestones that were delayed, with explanation and revised dates
  • Exceptions and escalations: Any issues that required deviation from the original plan

These reports should appear in board minutes. Examiners read minutes specifically to assess the board's oversight of remediation. Minutes that show the board received reports and asked no questions, directed no actions, and required no follow-up suggest inadequate governance, which can itself become a finding. Strong exam preparation includes rehearsing what the examiner will look for in board documentation.


How Teams Build and Execute Corrective Action Plans

The institutions that produce effective CAPs treat them as structured workflows, not as Word documents that live on a shared drive. Each corrective action has an owner, a deadline, an evidence gate, and automatic escalation when deadlines approach.

Canarie turns every corrective action into a tracked workflow with milestones, evidence collection at each gate, and board reporting generated from the same data. When the CAP is done, the remediation package is already assembled, because the evidence was captured as the work happened.



Frequently Asked Questions

Does the corrective action plan need to be submitted to the regulator?

Yes, for most regulatory findings. The FDIC and OCC both expect a written response that includes the corrective action plan, typically within 45 days of ROE receipt. For OCC-supervised institutions, OCC Bulletin 2014-52 specifically requires written corrective action commitments for MRAs and MRIAs. The plan becomes part of the supervisory record and the benchmark examiners use at the next examination.

How detailed should the CAP be for an observation vs. an MRA?

Proportional to severity, but the structure should be consistent. For an observation, a 1-page corrective action description with an owner, deadline, and evidence requirement is appropriate. For an MRA, the full structure (root cause, milestones, interim controls, validation testing, monitoring) is expected. For an MRIA, add interim control documentation and compressed timelines. The framework is the same; the depth scales with severity.

What if the corrective action requires a vendor that has a 6-month lead time?

Document the vendor dependency explicitly in the CAP. Include evidence of vendor engagement (executed SOW or contract, project timeline from vendor), describe interim controls that mitigate the risk during the waiting period, and set milestones that track vendor progress. Examiners accept vendor-driven timelines; they don't accept vendor timelines used as an excuse for inaction on everything else. The policy revision, training, and interim controls should proceed independently of the vendor timeline.

Should we share the corrective action plan with internal audit?

Yes. Internal audit should be aware of the CAP for two reasons: (1) they may need to adjust their audit plan to include validation testing of corrective actions, and (2) they should evaluate whether the root cause analysis and corrective actions are adequate as part of their independent assessment. The FFIEC Internal Audit Handbook expects internal audit to verify that corrective actions for examination findings are implemented and effective.
