I was recently asked what an MRA is and what it really means. Well, if you’re a compliance officer at a financial institution, that acronym is enough to send a shiver down your spine.
An MRA is a “matter requiring attention”, sometimes also phrased as a matter requiring board attention. That means you need to pay serious attention and act quickly.
What It Looks Like
An MRA can look like a fairly detailed memo or a portion of a larger report listing the vendor management deficiency, depending on the complexity and scope of the issue.
The timelines and expectations are usually fairly specific. They outline any immediate deadlines, such as “within 90 days of the receipt of this, the board must formally approve a third party risk management program”, as well as future expectations for the next examination, but again, this can also depend on the nature of the deficiency.
MRAs are also highly confidential, so don't go sharing yours around.
What It Means
An MRA is a warning shot across the bow: if you don’t address the concern, it’s going to cause real damage the next time. In vendor management, it probably means you have serious deficiencies in your program, and you can be absolutely certain that the next time you’re examined – or perhaps even sooner – there’s going to be further discussion of specifically what you have done to address these concerns. Whatever you do – make sure it’s documented and recorded in board-level minutes.
Although MRAs are usually very prescriptive, you should definitely ask if you have any uncertainty as to what needs to be done. Additionally, it’s helpful to review the regulatory guidance as to what an MRA really means; in this case, the best reference point is from the Office of the Comptroller of the Currency (the OCC) – here’s the key section from OCC: Bulletin 52-2014.
As detailed in the updated guidance, MRAs:
- Focus on deficient bank practices that are referred to as supervisory “concerns.”
- Are the means by which supervisory concerns are communicated in writing to bank boards and management teams.
- Communicate one or more concerns using the “Five C's” format: Concern, Cause, Consequence, Corrective Action, Commitment.
- Must receive timely and effective corrective action by bank management and follow-up by examiners.
Top 5 MRA Categories for Small Financial Institutions
To give an idea of MRA examples, here's a list of the top 5 categories, with share percentages, where small financial institutions receive MRAs:
1. Credit administration (32 percent)
2. Compliance (12 percent)
3. Management (11 percent)
4. Information technology (9 percent)
5. Audit (6 percent)
Top 5 MRA Categories for Large Financial Institutions
And here's a list of the top 5 categories, with share percentages, where large financial institutions receive their MRAs:
1. Credit-risk-related issues (36 percent)
2. Operational risk (16 percent)
3. Bank Secrecy Act/Anti-Money Laundering (BSA/AML) (14 percent)
4. Consumer compliance (10 percent)
5. Internal controls (8 percent)
You’ve been warned – now it’s time to act.