Every year, thousands of community and regional banks receive Matters Requiring Attention (MRAs) from the OCC, Federal Reserve, or FDIC following safety and soundness examinations. Many banks treat the response as a formality — a letter to be filed and forgotten. That's a costly mistake.
An MRA that fails to fully address the examiner's concern doesn't just linger on your record. It escalates. It becomes a Matters Requiring Immediate Attention (MRIA). It invites follow-up examination. In extreme cases, it leads to formal enforcement actions, consent orders, or civil money penalties.
This guide walks through what examiners actually want to see in an MRA response, how to structure it, the most common errors banks make, and how modern AI-powered compliance tools are cutting response time from months to days.
What Is an MRA and Why Do Examiners Issue Them?
An MRA is a written finding from a federal banking regulator — most commonly the OCC, Federal Reserve, or FDIC — identifying a deficiency in your bank's operations, policies, procedures, or controls that requires corrective action. MRAs are not violations of law; they're supervisory concerns. But they carry significant weight.
Under OCC guidelines, MRAs are issued when examiners find practices that:
- Deviate from sound governance or risk management principles
- Could result in financial loss or consumer harm if left uncorrected
- Represent weaknesses relative to peer institutions or regulatory guidance
- Indicate gaps between the bank's stated policies and actual practice
The most common MRA categories include BSA/AML deficiencies, consumer compliance gaps (UDAAP, TISA, Reg E), credit risk management weaknesses, and operational risk or vendor management issues.
The Anatomy of an Effective MRA Response
An MRA response is not a legal brief and not an apology. It's a structured commitment to corrective action, backed by evidence. Examiners review hundreds of responses. They know immediately whether a bank is serious about remediation or just going through the motions.
A strong response has four components:
1. Acknowledgment Without Argument
Start by acknowledging the finding precisely as framed by the examiner. Do not argue with the finding, minimize it, or offer explanations that read as excuses. Even if you believe the examiner's characterization is partly incorrect, save that conversation for the exit meeting — not the written response.
Example opening: "Management acknowledges the OCC's finding that [Bank Name]'s deposit account agreement does not adequately disclose the provisional credit timeline required under 12 CFR § 1005.7(b)(2) for error resolution claims exceeding $50. We take this finding seriously and have initiated the following corrective actions."
2. Root Cause Analysis
Examiners want to know that you understand why the deficiency occurred — not just that you've patched the symptom. A shallow root cause ("we overlooked this provision") is less convincing than a structural one ("our policy review process did not include a systematic comparison against current Reg E guidance, leaving a gap in our annual update cycle").
Common root causes worth investigating:
- Policy documents that haven't been updated to reflect recent regulatory guidance
- Training gaps — staff not familiar with updated requirements
- Third-party vendor agreements that don't include required disclosures
- Oversight breakdowns between compliance and operations teams
3. Specific Corrective Actions With Owners and Deadlines
This is the core of your response. Every corrective action must have: a description of what will be done, who is responsible (name and title, not just department), and a specific completion date. Vague commitments like "we will strengthen our compliance procedures" are red flags to examiners.
Common mistake: Banks often list corrective actions that address the surface issue but not the underlying control gap. If your deposit agreement had a disclosure deficiency, the action isn't just "update the agreement" — it's also "implement a quarterly regulatory comparison review so this doesn't recur."
4. Validation and Monitoring
Describe how you will verify that the corrective actions were effective and how the bank will monitor compliance on an ongoing basis. This typically includes internal audit sign-off, board-level reporting, and a defined review schedule. Examiners look for this because it demonstrates the fix is sustainable, not a one-time patch.
The MRA Response Timeline
Most examiners expect a written response within 30 to 60 days of the examination report. However, the corrective action itself may be assigned a longer implementation timeline — typically 90 to 180 days for policy changes, and up to 12 months for significant operational overhauls.
A common mistake is submitting a polished response letter but missing the first interim milestone. Examiners track these commitments. If your response says "revised policy will be Board-approved by June 30" and you miss that date without proactive communication, you've compounded the original finding.
What Examiners Actually Check
When reviewing your MRA response, OCC examiners are specifically looking for:
- Specificity: Does the response address the exact regulatory citation in the finding, not just the general topic?
- Accountability: Is a named individual (not a department) responsible for each action?
- Sustainability: Will the fix hold, or will the same gap reappear at next examination?
- Board engagement: For material findings, has Board or Audit Committee been briefed?
- Self-identification: Did the bank identify any related issues during its own internal review?
That last point is underrated. Banks that use MRA responses as an opportunity to demonstrate proactive self-assessment — identifying adjacent gaps the examiner didn't catch — consistently receive more favorable treatment. It signals a strong compliance culture.
How AI is Changing MRA Response Preparation
Traditionally, preparing an MRA response involved weeks of manual work: pulling the relevant regulatory text, comparing it against current policy language, interviewing operational staff, and drafting remediation language. For a single MRA with multiple sub-findings, the process routinely took 6 to 8 weeks and required outside counsel or compliance consultants at $300–$500/hour.
AI-powered compliance platforms are compressing this dramatically. Systems like RegentForge analyze your existing policy documents against a database of 18,000+ regulatory guidance documents — identifying specific gaps, citing the exact CFR sections at issue, and generating draft remediation language — in hours rather than weeks.
The practical impact: compliance teams spend less time on research and more time on the substantive work of designing effective controls. A response that used to take 8 weeks now takes 5 to 10 business days from first draft to final submission.
A Note on Repeat MRAs
Nothing damages your supervisory relationship faster than a repeat finding — the same MRA category appearing in consecutive examinations. OCC examiners track this explicitly, and repeat findings are a primary trigger for escalation to formal enforcement.
The most reliable way to avoid repeat findings is a systematic, technology-assisted policy review cycle that compares your current documentation against updated regulatory guidance at least annually — not just in the months before an examination.
See Your Compliance Gaps Before the Examiner Does
RegentForge analyzes your bank's policy documents against 18,000+ OCC, Fed, FDIC, and CFPB documents — surfacing MRA-risk findings with exact CFR citations in 48 hours.
Request a Free Policy ScanKey Takeaways
- Acknowledge the finding precisely — don't argue, minimize, or deflect
- Conduct a real root cause analysis, not a surface-level explanation
- Assign every corrective action to a named individual with a specific date
- Include a validation and monitoring plan that shows the fix is sustainable
- Use examinations as an opportunity to proactively identify related gaps
- Implement a regular policy review cycle to prevent repeat findings