A repeat finding is the worst kind of exam result. The first time an examiner cites a weakness, it's a problem. The second time, it's a credibility problem, because it tells the examiner your remediation didn't work and your management oversight missed it. Repeat findings escalate the supervisory response: a Matter Requiring Attention (MRA) becomes a Matter Requiring Immediate Attention (MRIA), and an MRIA can become a consent order. Examiners treat recurrence as evidence that the root cause was never addressed.
Key Takeaways:
- Repeat findings almost always trace to a remediation that fixed the symptom (a specific error) instead of the root cause (the control that allowed it)
- Examiners specifically test whether prior findings were corrected and whether the correction held over time
- "Closed" in your internal tracker is not the same as "sustained" under examination; verification is a separate step
- Weak management oversight and unclear ownership are cited as causes more often than the technical compliance gap itself
- Breaking the cycle requires root-cause analysis, evidence of sustained correction, and a control that prevents recurrence, not just a one-time fix
What Examiners Mean by a "Repeat" Finding
A repeat finding is any deficiency that was cited in a prior examination, supposedly corrected, and then identified again in a later exam. The FFIEC and the prudential agencies all instruct examiners to review the status of prior findings as a standard step. The FDIC's Risk Management Manual of Examination Policies directs examiners to evaluate whether management corrected previously identified problems and whether corrective action was effective and sustained.
That last word matters. Examiners do not just check whether you wrote a corrective action plan. They test whether the correction is still working at the time of the current exam. A control you implemented eighteen months ago that quietly stopped functioning is a repeat finding waiting to happen.
The reason recurrence draws a harsher response is governance. When the same issue surfaces twice, examiners conclude that either the board and management did not provide effective oversight, or the institution lacks the capability to fix its own problems. Both conclusions move you down the supervisory ladder.
Why the Same Findings Keep Coming Back
Across community banks and credit unions, repeat findings cluster around a small number of root causes. The compliance gap is rarely the real story.
You fixed the instance, not the process
The most common cause. An examiner cites three loan files with missing flood determinations. The bank corrects those three files, marks the finding closed, and moves on. The next exam pulls a different sample and finds four more. Nothing in the loan workflow changed, so the defect rate stayed the same. The remediation addressed the examples the examiner happened to find, not the process that produces them.
Remediation was never verified
Many institutions close findings when the action owner says the work is done. No one independently confirms that the control now operates as intended. Without verification, "closed" is an assertion, not a fact. When the examiner returns and tests, the gap reopens.
Ownership was unclear
When a finding is assigned to "compliance" rather than a named person with authority over the underlying process, accountability diffuses. The action lingers, gets a cosmetic fix, or is closed by someone who lacks visibility into whether it actually worked.
The correction decayed
A control implemented after the last exam depended on a specific employee, a manual checklist, or a one-time training. The employee left, the checklist stopped being used, the training was never repeated. The correction was real but not durable. For more on this pattern, see our guide on tracking and proving closure of exam findings.
Management oversight didn't change
Examiners frequently cite the absence of monitoring as the systemic cause. If nothing in your ongoing monitoring would have caught the issue recurring, you were always going to rediscover it during the next exam rather than before it.
How Examiners Test Whether You Actually Fixed It
When an examiner reviews a prior finding, the procedure is consistent across the OCC, FDIC, Federal Reserve, and NCUA:
- Read the corrective action plan you committed to and the board minutes documenting approval and oversight
- Confirm the action was completed by date, not just promised
- Independently test the control with a fresh sample to see whether the defect still appears
- Evaluate whether monitoring exists that would detect recurrence going forward
- Assess root-cause depth to judge whether the fix addressed the underlying process
If the fresh sample turns up the same defect, the finding is repeated and the supervisory tone hardens. The first 30 days after a regulatory finding set the trajectory, because a rushed, instance-level fix in that window is precisely what produces a repeat citation later.
Breaking the Cycle: Root Cause Over Symptom
Stopping repeat findings requires a different remediation discipline than closing the original finding.
Do a genuine root-cause analysis. Ask why the defect was possible, not just how to fix the cited examples. If flood determinations were missing, the question is why the loan workflow allowed a file to close without one, not how to add the three missing determinations. A corrective action plan that does not change the process will reproduce the defect. Our template for a bank corrective action plan walks through framing the systemic fix.
Implement a preventive control, not a cleanup. The durable fix is a control that makes the defect hard or impossible to repeat: a system block, a required field, an automated check, a second-line review with teeth. Manual reminders decay; controls embedded in the workflow persist.
Verify independently before closing. Someone other than the action owner should test the control and confirm it works on a fresh sample. Document that verification. This single step prevents a large share of repeats.
Monitor for recurrence. Build the defect into ongoing monitoring so that if it comes back, you catch it internally and remediate before the next exam, not during it. Recurrence found and fixed by your own monitoring is a very different conversation than recurrence found by an examiner.
Keep the evidence. When the examiner returns, you want to show the root-cause analysis, the control change, the verification test, and the monitoring results, all tied to the original finding. That package is what proves the correction was real and sustained.
Repeat findings are a tracking and verification problem as much as a compliance problem. See how Canarie ties each finding to its root cause, corrective action, and verification evidence →
The Governance Layer Examiners Are Really Judging
Underneath every repeat finding is a question about management and board oversight. Examiners want to see that leadership knows which findings are open, who owns them, what the remediation status is, and whether corrections held. When that information lives in scattered spreadsheets and email threads, oversight is weak by construction, because no one can see the whole picture.
A defensible record shows the lifecycle of every finding: identified, root-caused, assigned, remediated, verified, and monitored. When you can produce that record on demand, you demonstrate the exact oversight capability examiners use repeat findings to test. Institutions that present compliance status clearly to their boards, as covered in how to present compliance risk to your board, are the ones that catch recurrence early.
Frequently Asked Questions
What is the difference between a finding and a repeat finding?
A finding is any deficiency an examiner identifies. A repeat finding is one that was cited in a prior examination, reported as corrected, and then identified again. Examiners treat repeats more seriously because recurrence suggests the root cause was never addressed and that management oversight failed to catch it.
Can a repeat finding turn an MRA into an MRIA?
Yes. Recurrence is a common reason a Matter Requiring Attention escalates to a Matter Requiring Immediate Attention, and unresolved MRIAs can lead to formal enforcement such as a consent order. The escalation reflects the examiner's judgment that the institution cannot reliably correct its own problems.
How do examiners know a finding wasn't really fixed?
They test it. Examiners pull a fresh sample and independently verify whether the control now operates as intended, rather than relying on your assertion that the finding is closed. If the same defect appears in the new sample, the finding is repeated.
How long should we keep evidence that a finding was corrected?
Retain the full remediation record, including root-cause analysis, the corrective action, verification testing, and ongoing monitoring results, at least through the next two examination cycles. Examiners review the status of prior findings as a standard procedure, and you want to produce sustained evidence on demand.
Stop Closing Findings Before They're Actually Fixed
The institutions that escape the repeat-finding cycle are not the ones with the fewest findings. They are the ones whose remediation changes the underlying process, verifies the fix, and monitors for recurrence, with evidence to prove all three.
Canarie maps each finding to its root cause, assigns a named owner, tracks the corrective action to completion, and captures the verification evidence that proves the correction held. When the examiner returns to review prior findings, the record is already assembled.