Date: 2023-08-29

CISOs who work in the financial industry within the United States are familiar with matters requiring attention (MRA). An MRA is a notice that is communicated verbally and in writing to a financial institution's board and management team and is included in the organization's examination report from regulators. Security- and privacy-related issues can often trigger an MRA.

An MRA is often indicative of inadequate controls, leading financial institutions to spend significant time and money on remediation. Yet many could be prevented by addressing common points of vulnerability and control weaknesses through a strong risk management program. Financial institutions, including banks, capital markets, fintech firms, and asset management groups, can reduce these costs by taking a more proactive approach to eliminating some of the most frequently cited matters requiring remediation.

What are MRAs and how do they work?

MRA notices denote a matter that the US Federal Reserve expects a financial institution to address to operate in a safe and compliant manner. Most MRAs are aligned with laws, rules, or regulations that require financial institutions to maintain proper controls for compliance. While not publicly issued, MRAs are communicated to management and boards both verbally and in writing and are included in consumer affairs examination reports from regulators. MRAs can also come in several different forms that are typically reserved for escalation, such as matters requiring immediate attention (MRIAs), matters requiring board attention (MRBAs), and matters requiring documentation (MRDs).

All forms of MRAs are expected to include standardized information regarding the cause and significance of the matter, the issue that needs to be addressed, and the timeframe within which corrective action must be taken. Once a report has been sent, the financial institution's board of directors is required to provide its plan, process, and completion of the MRA in written documentation to the Reserve Bank. During and following the resolution of an MRA, the Reserve Bank is required to perform check-ins and follow-ups to ensure that progress and results are timely and satisfactory.

Due to a dynamic regulatory environment and increased emphasis on compliance, the rate of MRAs issued has grown significantly over the years. What are the root causes of this issue?

Addressing common causes of MRAs

Common causes of MRAs include poor process design, significant control weaknesses, inappropriate and unsuitable risk-taking, and breakdowns in risk management. They can result in business-impacting events, reduced customer satisfaction, fraud, and, in the worst case, leaked consumer data and theft. A lack of appropriate governance and oversight also acts as a leading cause of enforcement actions. The warning signs are often there before critical failures negatively impact a financial institution's customers.