"The compliance department owns it" is the answer most community banks give when asked who's responsible for remediating examination findings. It's also the answer that generates repeat findings. Remediation isn't a compliance function; it's an institutional response that spans operations, technology, compliance, risk management, and the board. When a BSA monitoring finding requires a system reconfiguration, the compliance officer doesn't reconfigure systems. When a lending finding requires underwriting policy changes, the CCO doesn't rewrite underwriting criteria. Compliance officers coordinate, monitor, and report; they don't single-handedly fix deficiencies in business processes they don't control.
Examiners understand the three-lines-of-defense model. They expect to see remediation ownership assigned to the right line, with the board exercising its fiduciary duty of oversight. Institutions that dump every finding on compliance, regardless of the root cause, tell examiners that management either doesn't understand the deficiency or doesn't want to assign accountability where it actually belongs.
Key Takeaways:
- First-line (operations/business) owns executing corrective actions for process and system deficiencies
- Second-line (compliance/risk) owns monitoring, advising, and validating, not executing operational fixes
- The board owns oversight, resource allocation, and ensuring management is held accountable
- A documented RACI matrix for each finding eliminates the ambiguity that produces stalled remediation
The Three Lines of Defense in Remediation
The three-lines-of-defense model, endorsed by the FFIEC and referenced in the OCC's Comptroller's Handbook, defines distinct roles for remediation. Confusing these roles is one of the most common root causes of repeat findings.
First Line: Business and Operations
The first line owns and operates the processes, systems, and controls where deficiencies occur. In a remediation context, the first line is responsible for:
- Executing corrective actions: If the finding involves a process failure in loan origination, the lending operations team executes the fix. If BSA monitoring systems need reconfiguration, the BSA operations team (or IT) executes.
- Implementing new controls: Embedding new procedures, system configurations, or workflow changes into daily operations
- Capturing operational evidence: Documenting that corrective actions were completed, with timestamps, approvals, and artifacts generated through normal business operations
- Sustaining the fix: Operating the corrected process on an ongoing basis and flagging exceptions
The first line does not wait for compliance to tell them exactly what to do. They own the process, they understand the operational details, and they should be driving the solution, with compliance providing regulatory context and oversight.
Second Line: Compliance and Risk Management
The second line provides the regulatory expertise, monitoring framework, and independent assessment that ensures corrective actions actually address the finding. In remediation:
- Interpreting the finding: Translating the regulatory citation into specific operational requirements. The compliance officer knows what 12 CFR § 1002.9 requires; the lending team knows how to implement it in their workflow.
- Advising on corrective actions: Reviewing the proposed fix to confirm it addresses the regulatory requirement, not just the symptom
- Monitoring implementation: Tracking milestones, verifying evidence quality, and reporting progress to the board
- Validation testing: Independently testing whether the corrective action works after implementation
- Escalation: Flagging stalled remediations to the board or senior management
The second line does not execute corrective actions in business processes it doesn't own. When compliance "owns" the fix for a lending process deficiency, the actual lending operations team has no accountability, and the fix is designed by someone who doesn't do the work daily.
Third Line: Internal Audit
Internal audit provides independent assurance that the remediation process is effective:
- Validating corrective actions: Testing independently that fixes were implemented and are working. Under the FFIEC Internal Audit Handbook, internal audit should "verify that corrective actions have been implemented and are effective."
- Assessing root cause adequacy: Evaluating whether the root cause analysis went deep enough
- Reporting to the audit committee: Providing an independent opinion on remediation status separate from management's self-assessment
- Identifying patterns: Flagging findings that share common root causes across different business areas
Internal audit does not execute corrective actions or direct the remediation. Doing so would compromise their independence and violate the IIA Standards (Standard 1130, Impairment to Independence or Objectivity).
Board Responsibilities: Oversight, Not Execution
The board's role in remediation is fiduciary oversight, not project management. But the distinction between "oversight" and "passive notification" is where many institutions fail.
What Active Board Oversight Looks Like
Approving the corrective action plan. The board formally approves the CAP, documented in minutes with specific motions and votes. This isn't a rubber stamp; the board should ask questions:
- Is the root cause analysis adequate, or does it address symptoms?
- Are timelines realistic given available resources?
- Are interim controls in place for extended remediations?
- Are the right people assigned as owners?
Directing resource allocation. If remediation requires additional staff, technology investment, or consulting engagement, the board authorizes the expenditure. A corrective action plan without budget authority is an unfunded mandate.
Requiring progress reports. The board directs management to report on remediation progress at defined intervals: monthly for MRIAs, quarterly for MRAs. The directive should be documented in minutes.
Holding management accountable. When milestones are missed, the board asks why, directs corrective measures, and documents its oversight in minutes. A board that receives overdue-finding reports without asking questions or taking action demonstrates inadequate governance.
Engaging with examiners. For consent orders and significant findings, the board may need to engage directly with the examiner-in-charge. Individual directors may be asked to attest to their understanding of findings and oversight responsibilities. Under 12 U.S.C. § 1818(i)(2), individual directors can face civil money penalties for failure to comply with certain enforcement orders.
What Inadequate Board Oversight Looks Like
- Minutes that state "the board was informed" without recording questions, discussion, or action
- Quarterly reports received but never discussed on the record
- No board resolution approving the corrective action plan
- Resource requests for remediation deferred "until next quarter"
- Finding status reports that don't track milestones, just a summary status
Examiners at the FDIC and OCC review board minutes specifically for evidence of active governance. The FDIC's Risk Management Manual (Section 4.1) identifies board oversight as a component of a sound compliance management system. A board that isn't actively overseeing remediation contributes to the management weakness that examiners cite as a factor in enforcement decisions.
Building a RACI Matrix for Examination Findings
A RACI matrix assigns four roles for each remediation activity: Responsible (does the work), Accountable (approves and owns the outcome), Consulted (provides input), and Informed (receives status updates). Documenting this for each finding eliminates the ambiguity that stalls remediation.
Example RACI for a BSA Monitoring Finding
| Activity | Operations/BSA Team | Compliance Officer | Internal Audit | Board/Committee |
|---|---|---|---|---|
| Root cause analysis | Consulted | Responsible | Consulted | Informed |
| Corrective action plan | Consulted | Responsible | Consulted | Accountable |
| System reconfiguration | Responsible | Consulted | | Informed |
| Policy revision | Consulted | Responsible | Consulted | Accountable |
| Staff retraining | Responsible | Consulted | | Informed |
| Interim control deployment | Responsible | Accountable | | Informed |
| Validation testing | | Consulted | Responsible | Informed |
| Ongoing monitoring | Consulted | Responsible | Consulted | Informed |
| Board progress reporting | Consulted | Responsible | Consulted | Accountable |
| Examiner remediation package | Consulted | Responsible | Consulted | Informed |

(A blank cell means that line has no assigned role for the activity.)
Example RACI for a Consumer Lending Finding
| Activity | Lending Operations | Compliance Officer | Internal Audit | Board/Committee |
|---|---|---|---|---|
| Root cause analysis | Consulted | Responsible | Consulted | Informed |
| Corrective action plan | Consulted | Responsible | Consulted | Accountable |
| Underwriting procedure revision | Responsible | Consulted | | Informed |
| LOS system configuration | Responsible (with IT) | Consulted | | Informed |
| Staff retraining | Responsible | Consulted | | Informed |
| Consumer restitution | Responsible | Accountable | | Informed |
| Validation testing | | Consulted | Responsible | Informed |
| Ongoing exception monitoring | Consulted | Responsible | Consulted | Informed |

(A blank cell means that line has no assigned role for the activity.)
Notice the pattern: the first line (operations) is Responsible for executing changes to their own processes and systems. Compliance is Responsible for the regulatory coordination: root cause analysis, corrective action plan development, monitoring, and examiner reporting. The board is Accountable for approving the plan and ensuring it's resourced and executed. Internal audit is Responsible for independent validation.
When Accountability Breaks Down
Accountability gaps are the primary root cause of stalled remediation. These patterns appear repeatedly in institutions with repeat findings:
"Compliance Owns Everything"
When every finding is assigned to the compliance officer regardless of root cause, two failures follow. First, the compliance officer becomes a bottleneck: they can't execute fixes to systems and processes they don't control. Second, the first-line business owner has no remediation accountability, so the operational fix either doesn't happen or happens without compliance context.
The fix: Assign first-line ownership for execution and second-line ownership for oversight and validation. The compliance officer coordinates; they don't single-handedly remediate.
"The Committee Will Handle It"
Committees don't remediate findings. Named individuals do. When a finding is assigned to "the BSA Committee" or "the Risk Committee," no single person is accountable for execution. Tasks fall between members, deadlines drift, and evidence isn't captured.
The fix: Every corrective action has one named individual owner. Committees provide oversight and reporting; they don't execute. For findings that cross departmental boundaries, designate a lead owner with supporting owners for specific actions.
"The Board Was Informed"
Being informed is not oversight. A board that receives findings, approves a vague corrective action plan, and doesn't follow up until the next examination has failed its governance responsibility. Examiners distinguish between boards that actively direct remediation and those that passively receive reports.
The fix: Structure board engagement around decisions and directives, not information receipt. Board minutes should reflect: what was approved, what questions were asked, what resources were directed, and what deadlines were set. This is what examiners verify in exam preparation reviews.
Handoff Failures
When finding owners change roles, leave the institution, or transfer departments, the remediation often stalls. Knowledge about the root cause, corrective action rationale, and evidence collected is lost.
The fix: Document everything in the remediation file, not in the owner's memory. When an owner transition occurs, conduct a formal handoff: review the finding, corrective action status, evidence collected, and upcoming milestones. Document the handoff in the remediation record.
Documenting Accountability for Examiners
Examiners don't just verify that corrective actions were completed. They verify that the right people were involved and that accountability was clearly assigned.
What examiners look for:
- Named owners in the corrective action plan, not department names
- Board minutes showing approval, questions, directives, and follow-up
- Evidence attribution: who completed each action, with dates
- Escalation records: documentation of missed deadlines and corrective measures
- Separation of duties: first-line execution, second-line oversight, third-line validation
Institutions that can show a clear RACI for each finding, with evidence at each stage, demonstrate the management strength that examiners evaluate in the management (M) component of the CAMELS assessment.
How Teams Assign and Track Remediation Accountability
The institutions that close findings without repeats assign clear ownership from day one and track it with the same rigor as any operational responsibility: deadlines, evidence requirements, escalation on overdue items, and board reporting.
Canarie assigns every corrective action to a named owner with milestone deadlines, evidence gates, and automatic escalation. Board reporting pulls from the same workflow data, showing who owns what, what's on track, and what's at risk. When examiners ask who was responsible for a corrective action and how it was overseen, the answer is documented, not reconstructed.
Frequently Asked Questions
Should the compliance officer be the finding owner for every examination finding?
No. The compliance officer should own the regulatory coordination, root cause analysis, corrective action plan development, examiner communication, and monitoring. But the execution of corrective actions in business processes should be owned by the first-line team that operates those processes. A BSA monitoring system reconfiguration should be owned by the BSA operations team or IT, not the compliance officer. The compliance officer ensures the reconfiguration meets regulatory requirements and validates the outcome.
What happens if a finding owner leaves the institution during remediation?
Immediately reassign the finding to a new owner and conduct a documented handoff. The handoff should cover: the finding and its root cause, the corrective action plan, progress to date, evidence collected, upcoming milestones, and any dependencies or open issues. Document the handoff in the remediation file. The new owner should acknowledge acceptance of the assignment, including awareness of all deadlines. Ownership transitions that aren't documented create evidence gaps that examiners will identify.
How does the RACI framework apply to consent order remediation?
The same principles apply, but the stakes are higher. Under a consent order, the board's Accountable role includes specific legal obligations, certification of compliance, resource commitment, and personal liability under 12 U.S.C. § 1818(i)(2). The first line remains Responsible for execution, but the FDIC may require that certain actions be validated by an independent third party rather than internal audit. The RACI matrix should reflect these consent-order-specific requirements.
Can the board delegate remediation oversight to a committee?
Yes, delegation to a compliance committee, risk committee, or audit committee is standard practice and acceptable to examiners. But delegation doesn't eliminate the full board's fiduciary responsibility. The committee should report to the full board on remediation progress at least quarterly, and the full board should document its review and any directives in minutes. For MRIAs and consent orders, more frequent full-board engagement is expected. The board should also periodically verify (through internal audit or direct review) that the committee is exercising adequate oversight.