Understanding MRAs

Matters requiring attention (MRAs) play a critical, if little understood role in bank supervision. While cease and desists, consent orders, and civil money penalties are public documents, MRAs are kept confidential. This confidentiality means that even those who follow the banking industry closely may have only a limited understanding of how MRAs work in practice.  I’ll share my own experience and my understanding of existing policy guidance. We’ll also discuss some of the few MRAs that are publicly available and the extent to which they square with some influential policy narratives.

Examiners use MRAs to highlight a bank’s deficient practices to its management and board. They are usually communicated via supervisory letter (SL) following an examination, a target review, or a focused review. As I noted in an earlier post, drafting of a supervisory letter usually starts with potential MRAs. The terminology varies somewhat across agencies. The Federal Reserve uses both MRAs and MRIAs, matters requiring immediate attention. The FDIC uses MRBA, matters requiring board attention. The basic idea behind an MRA remains the same.

The Five C’s

OCC’s MRAs follow a five C’s format: Concern; Cause; Consequences; Corrective Action; and Commitment. The Federal Reserve uses Issue; Risk; and Required Action, which roughly correspond to Concern; Consequences; and Corrective Action.

Concern describes, usually in one or two sentences, the deficient practice. (This section of the Fed’s MRAs tends to run longer.) One can include multiple concerns under a single MRA, but it can make the MRA more confusing and the bank’s remediation plan more difficult to track. Examiners can further label concerns as “new,” “repeat,” and “self-identified.” A repeat MRA represents a deficient practice that bank management had supposedly fixed. Having the problem pop up again reflects poorly on bank management and could give rise to more aggressive supervisory actions. A self-identified concern reflects more favorably on bank management but how favorably depends on the situation. Was the weakness identified by the first line (proactive) or by, say, internal audit (reactive)? Also, self-identification isn’t a get out of jail free card. It’s one thing to identify a problem and quite another to fix it.

Cause assesses what led to weakness. Root cause analysis sounds great in theory but can be tricky in practice. Examiners identify weaknesses but may lack the inside information to know why the weakness occurred. As a result, examiners sometimes just make the Cause a paraphrase of the Concern or resort to vague truisms: “The second line failed to provide effective challenge because it lacks stature in the organization.”

Consequences link the deficient practice to elevated risk and potential financial harm to the bank. Examiners use this section to explain why the MRA is necessary. That’s especially important if the subject area appears abstract or more form over substance. For example, “inadequate model risk management” sounds abstract. But it may make the bank’s risk measures unreliable. You can’t manage risk if you can’t measure it.

Corrective action describes what management and the board need to do to fix the problem. Examiners often face two contradictory constraints. Don’t be too prescriptive and don’t be too vague. The most effective MRAs are clear about the objectives but leave the details on getting there up to the bank’s management.

Commitment could best be described as the next steps. Supervisors usually give bank management 30 days to respond to the SL and come up with a plan to remediate the MRA. Supervisors then have 45 days to evaluate the bank’s response.

There are usually two main reasons why supervisors may reject the bank’s initial response. The first is that the plan is incomplete. In some cases, management only provided a plan for a plan. The plan itself may also leave key gaps or fail to describe the expected end state – that is, what “satisfactory” should look like. In other cases, the timeline is too long. Supervisors generally expect banks to remediate an MRA within 18 months. If a problem takes longer to fix, formal enforcement actions may be more appropriate.

The Five C’s format followed an international review of OCC’s Supervision. The review found weaknesses in MRA follow up. While some examiners disliked the Five Cs, I found this format made it easier to track and monitor the bank’s progress.

Some believe examiners use MRAs too frequently. That may be the case in some instances but, in my experience, it’s more often the opposite. I’ve heard the phrase “this does not rise to the level of an MRA” countless times. Supervisory concerns must reflect actual weaknesses and not simply falling short of best practices.

A symposium on bank supervision sponsored by the Brookings Institution included (at 2:27:00) the suggestion of a new, less intense category, Matters Requiring Discussion. In some ways, a similar category already exists, supervisory recommendations. OCC makes clear that recommendations should not appear in exam reports or supervisory letters but instead can involve an informal discussion between the examiners and bank management. Recommendations are not pre-MRAs. Failing to implement a recommendation should not provide the basis for an MRA the next time around. I’m not a big fan of recommendations. Imagine how seriously you would take a recommendation if the examiner spent the first ten minutes explaining that you can totally ignore what he or she is going to say. The FDIC includes supervisory recommendations in exam reports and SLs, but I’m less familiar with their process.

Too Many MRAs?

While MRAs are generally non-public information, Material Loss Reviews for failed banks usually provide a listing of MRAs. The Fed’s post-mortem of Silicon Valley Bank (SVB) went a step further by primary source documents, including supervisory letters that communicated MRAs.

The Bank Policy Institute, the lobbying research arm for the country’s largest banks, made much of the 31 outstanding MRAs at SVB at the time of its failure. BPI suggests that both the bank’s management and its regulators were too darn busy trying to address these MRAs to give adequate attention to the bank’s more material financial risks. This view has proved influential as key regulators like Michelle Bowman of the Fed and Travis Hill of the FDIC have also stressed the need to focus on material financial risks rather than process-related issues. But does this view stand up to scrutiny?

SVB had 13 MRAs dealing with information systems and security and another two dealing with BSA/AML. We have little further detail on what led up to these MRAs. While weaknesses in these areas were unrelated to SVB’s ultimate failure they have led to real financial damage at other firms. Ask Yahoo. Ask TD Bank. Moreover, who is being distracted? At a $200 billion bank, the people responsible for cybersecurity and AML efforts aren’t the ones deciding funding strategy or loading up on fixed rate MBS. And it didn’t appear that SVB made that much of an effort to close these MRAs since some were outstanding since 2019.

BPI has also dismissed some of the liquidity MRAs from a 2021 liquidity review as “process related.” But let’s take a closer look. Three of the MRAs that BPI cited related to internal liquidity stress testing (ILST), contingency funding plans (CFP), and liquidity limits. The ILST MRA notes that “Key assumptions rely on incomparable peer benchmarks. SVBFG’s historical analysis was based off other banks largely with a retail deposit base subject to FDIC insurance coverage, while SVBFG’s deposit base is largely commercial deposits without FDIC insurance coverage.” These deficiencies run the risk that “without sufficiently designed assumptions and scenarios, the firm’s liquidity buffer under stress may be insufficient.”

The CFP MRA identifies several deficiencies. The plan didn’t include “a quantitative evaluation of expected funding needs and funding capacity during a stress event. It lacks a realistic assessment of how funds providers would behave under stress.” The MRA further noted that “the firm identifies the types of contingent funding by source but does not identify available amount based on active contracts or internal firm limits … Additionally, several listed funding sources such as brokered CDs and discount window access have not been tested.” Under Risk, the examiners note “An ineffective CFP negatively affects management’s ability to assess whether the firm is under liquidity stress, what funding is available in varying levels of stress, and its ability to respond quickly to a real stress event.”

Another MRA required SVB to revise its liquidity limits framework to “reflect the company’s risk profile, size, complexity, and activities. The limit structure should also consider liquidity stress testing outcomes, funding concentrations, and off-balance sheet exposures.” The examiners found the current limits framework “inadequate for the purpose of measuring, monitoring, and controlling risks.”

These examiners’ critiques of SVB’s liquidity risk management and their potential effects were spot on. The supervisors missed the boat on follow up. Although the corrective action due date for each MRA was June 2022, the MRAs remained open when the bank failed in March of 2023.

First Republic offers an interesting contrast. As of March 2023, First Republic had no open MRBAs related to liquidity or interest rate risk and only two open MRBAs overall. Management was still rated “1.” Bank management and supervisors didn’t have a lot of pesky MRBAs to distract them. Yet they still allowed dangerously high concentrations of uninsured deposits and of fixed rate mortgages.

Focusing on Risks Rather than Processes

A reasonable case can be made that supervisors focus too much on processes and not enough on the risks themselves. OCC’s guidance on MRAs (page 51) indicates that they are designed to communicate concerns about a bank’s deficient practices, not specifically deteriorating condition or excessive risks. Processes are still important. In some cases, inadequate processes mean that the bank and its regulators lack a reliable way to even measure the risk, much less control it.

Supervisors may have hoped that more accurate ILSTs and CFPs and a more meaningful limit framework would shock SVB’s management and the board into bringing down the bank’s liquidity risk. That didn’t work out. But a more direct approach has its problems as well. It’s easy to say that a 94% concentration in uninsured deposits is excessive. But what is the right number? 70%? 50%? (I have had MRAs kicked back for that very reason.) Also, MRAs are supposed to be actionable. Banks can take steps to diversify their funding sources, but these actions usually take time, and the alternative sources introduce problems of their own.

Given their confidentiality, we don’t have public databases that show the full range of MRAs applied by supervisors. Public enforcement actions can at least give us some idea. Regulators still favor an indirect approach. The OCC database lists 811 enforcement actions since 2000 that mention “concentrations.” I reviewed the 36 issued from 2020 on. None established a specific target for acceptable concentration levels. Rather, the EAs required bank management to establish concentration and other risk limits.

A more direct approach is certainly faster but may have less staying power. Violation of the bank’s own limits may mean more than one set externally by regulators, especially if the limit reflects supervisory judgment rather than a regulatory bright line. For all the talk about the need to focus more on material financial risks, neither the legal nor the regulatory environment make that very likely. Recent court decisions make legal challenges more likely and more likely to succeed. And regulators have shown little appetite thus far to even identify; much less establish bright lines for material financial risk.