BSA oversight and regulation have increased sharply over the past couple of years. BSA and compliance officers share stories of the aggressiveness of regulators and the granular scrutiny that examiners are putting both large and small institutions through. The good news from this increased oversight is that the number of formal regulatory actions (written agreements and Cease & Desist Orders) has not increased. The bad news is that the number of informal actions (MOUs and board resolutions) has increased – and it’s likely to increase more.
Most banks receive some sort of finding or “Matter Requiring Attention” (MRA) or “Matter Requiring Immediate Attention” (MRIA) regarding their BSA Program during a BSA exam. MRAs and MRIAs addressing issues at large institutions, before they become enforcement actions, can also trickle down to smaller institutions. The OCC updated its policy and procedures regarding MRAs in the fourth quarter of 2014, so expectations for institutions to respond to these exam findings accordingly are now in full swing.
MRAs focus on the deficient practices at a bank that are referred to as supervisory concerns, and are a means of communicating these concerns in writing to boards and management teams. These concerns are now detailed using the “Five Cs” format: Concern, Cause, Consequence, Corrective Action, and Commitment.
To better understand how to successfully address and respond to an MRA, carefully consider how the OCC focuses on each “C” within an MRA.
- Concern – describes the deficient practice in question and how it deviates from sound governance, internal control, or risk management principles. Further, the concern may identify a practice that is not in compliance with BSA laws and regulations, supervisory guidance, or an existing order or agreement. In other words, the concern is why you are receiving the MRA, and it is essential to understand what that concern is before attempting to address it.
- Cause – notes the root cause of the concern when it is evident. If not evident, the board or management team may be tasked with identifying the root cause of the concern, as part of the corrective action.
- Consequence – explains how continuing the deficient practice could negatively affect your institution’s condition, including its financial performance or risk profile. If the concern is not sufficiently addressed, matters could escalate to become violations of the law, followed by additional supervisory actions, including enforcement actions or civil monetary penalties for your bank, the board of directors, or management team members.
- Corrective Action – includes what the board and management must do to address the concern and eliminate the cause of the concern. The board and management must ensure that the corrective action is timely, measurable, and sustainable.
- Commitment – relates your institution’s action plan to ensure that the concern is resolved and does not reemerge, including specific information and milestones, completion date, and staff who are accountable for the implementation of the plan. Note: If management is unable to provide an action plan during an examination, it must submit to the OCC, within 30 days of receipt of the MRA, a board-approved plan addressing the concern.
The OCC will expect your institution’s board to ensure timely and effective correction of the practices that caused the concern and were cited in the MRA. These corrections include assigning responsibility, establishing processes to monitor progress and validate the effectiveness of the corrective actions, and holding people accountable.
Just as the OCC communicates concerns to your bank using the “Five C” formulation in an MRA, your response should be directed at each “C,” demonstrating an understanding of each action item. Those responsible for BSA compliance should make sure board members and senior management also understand the “Five Cs” well for each MRA they receive.