CISOs who work in the financial industry within the United States are familiar with matters requiring attention (MRA). An MRA is a notice that is communicated verbally and in writing to a financial institution’s board and management team and is included in the organization’s examination report from regulators. Security- and privacy-related issues can often trigger an MRA.
An MRA is often indicative of inadequate controls, leading financial institutions to spend significant time and money on remediation. Yet many MRAs could be prevented by addressing common points of vulnerability and control weaknesses through a strong risk management program. Financial institutions, including banks, capital markets, fintech firms, and asset management groups, can reduce these costs by taking a more proactive approach to eliminating some of the most frequently cited matters requiring remediation.
What are MRAs and how do they work?
MRA notices denote a matter that the US Federal Reserve expects a financial institution to address to operate in a safe and compliant manner. Most MRAs are aligned with laws, rules, or regulations that require financial institutions to maintain proper controls for compliance. While not publicly issued, MRAs are communicated to management and boards both verbally and in writing and are included in consumer affairs examination reports from regulators. MRAs can also come in several different forms that are typically reserved for escalation, such as matters requiring immediate attention (MRIAs), matters requiring board attention (MRBAs), and matters requiring documentation (MRDs).
All forms of MRAs are expected to include standardized information regarding the cause and significance of the matter, the issue that needs to be addressed, and the timeframe within which corrective action must be taken. Once a report has been sent, the financial institution’s board of directors is required to provide its plan, process, and completion of the MRA in written documentation to the Reserve Bank. During and following the resolution of an MRA, the Reserve Bank is required to perform check-ins and follow-ups to ensure that progress and results are timely and satisfactory.
Due to a dynamic regulatory environment and increased emphasis on compliance, the rate of MRAs issued has grown significantly over the years. What are the root causes of this issue?
Addressing common causes of MRAs
Common causes of MRAs include poor process design, significant control weaknesses, inappropriate and unsuitable risk-taking, and breakdowns in risk management. They can result in business-impacting events, reduced customer satisfaction, fraud, and, in the worst case, leaked consumer data and theft. A lack of appropriate governance and oversight is also a leading cause of enforcement actions. The warning signs are often there before critical failures negatively impact a financial institution’s customers.
Financial institutions must attempt to identify and address potential risks to their business and customers, investors, and partners. Some common areas where risk is overlooked include:
Mergers and acquisitions: Most financial institutions have processes in place that manage the financial, regulatory, and cybersecurity risks associated with M&As. However, due diligence assessments often overlook critical data about the acquired financial institution. For example, does a financial institution gain a complete understanding of a potential acquisition’s cloud infrastructure and its security configurations? Or test application code for vulnerabilities that can be exploited to steal sensitive data or take down applications and services?
Third-party risks: All companies have third-party trust relationships and dependencies. These include other financial institutions, cloud services providers, SaaS vendors, application developers, and the creators of code libraries used by their applications. These relationships introduce significant risks as cybercriminals can exploit them to bypass defenses. However, many companies lack full visibility into their supply chains and have not performed in-depth risk assessments.
Software development life cycle and change management: There are significant risks in the software development life cycle (SDLC) and change management processes, due to the critical nature of these processes in ensuring the quality and stability of software applications. SDLC is a structured approach to software development that includes planning, design, coding, testing, integration, and maintenance. Any weaknesses in these phases can lead to significant issues, including security breaches and system failures.
Change management ensures changes to software are planned, approved, and implemented in a controlled manner to prevent unexpected outcomes. Any deviation from the established change management process can result in risks such as software instability, data loss, or regulatory non-compliance.
Identity and access management (IAM): IAM is critical for ensuring the security of an organization’s systems and data. However, some areas of IAM risk can result in MRAs. One area is the failure to regularly review and update access controls, which can lead to unauthorized access to sensitive data. Another is the lack of segregation of duties, which can result in conflicts of interest and potential fraud. Additionally, weak password policies, insufficient authentication mechanisms, privilege management, the use of multi-factor authentication (MFA), and inadequate monitoring and logging are significant risk areas that can lead to regulatory MRAs. IAM systems should be designed with a strong focus on risk management, compliance, and governance to avoid these potential MRA-related issues.
Antiquated technologies and end-of-life systems: As more financial institution services and products become digitized, organizations that use outdated technologies and systems risk losing their competitive edge. To avoid cost implications and hindered business growth, financial institutions should operationally align strategic business projects with supporting technology and ensure that key supporting systems are not older than one prior release (i.e., the N-1 concept). Financial institutions following DevOps practices can often outcompete legacy models due to the focus on continuous delivery of products and the associated upgrades of software. For many larger financial institutions, this is a significant challenge.
MRAs are expensive
Regardless of the cause, remediating an MRA is far more costly than strengthening a risk management process at the outset. Some of the risks and costs that a company accepts when it allows an issue to grow into an MRA include:
Incident remediation costs: The average cost of a data breach or security incident in the financial industry is much higher than the cost of identifying and remediating vulnerabilities earlier. The financial institution will also need to allocate remediation resources, which could include hiring additional staff, investing in new technology, or engaging third-party consultants to provide expertise and support.
Regulatory fines, penalties, and increased scrutiny: If the financial institution fails to address the MRA appropriately, it could face fines and penalties. These fines can range from a few thousand to millions of dollars. Once an MRA is issued, the financial institution may also face increased regulatory scrutiny and oversight. This can result in lost sales, stricter contractual terms, or additional or more intensive audits and assessments.
Reputational damage: An MRA is a message from examiners that a financial institution has not done its job. A publicized MRA can damage the financial institution’s reputation and erode customer trust. This could result in lost business, decreased customer satisfaction, and brand rebuilding expenses for marketing and PR.
Opportunity cost: An MRA often hinders normal operations and requires rapid remediation, which pulls skilled personnel away from other important projects or initiatives. This could delay the delivery of critical business priorities, resulting in lost revenue or missed opportunities.
Legal costs: In some cases, an MRA may lead to legal action against the financial institution. This could involve hiring outside counsel, paying settlement fees or damages, or engaging in protracted litigation. The cost of legal action can be significant and unpredictable.
The cost of an MRA can be substantial and can impact the financial institution’s financial performance, reputation, and long-term viability. In light of recent regulatory developments and the banking crisis, the probability of getting an MRA will only increase as regulators investigate the cause and actions that led to the crisis. As such, financial institutions need to take a proactive risk management approach and implement measures across their organization, business operations and technology processes to curb issues that can lead to MRAs.
8 steps to reduce MRA risk
We recommend focusing on these eight risk management steps to help prevent getting an MRA:
- Maintain laws, rules, regulations (LRR) compliance: Financial institutions must ensure that they are compliant with all applicable laws and regulations. They should have a compliance process in place that includes regular monitoring, risk assessments, and internal audits to ensure they are compliant.
- Regularly review policies and procedures: Organizations should regularly review their policies and procedures to ensure ongoing compliance with the latest regulations. This includes making updates in response to changes in laws or regulations, such as the forthcoming EU Digital Operational Resilience Act (DORA). This new regulation is focused on improving operational resilience and preventing disruptions of critical business services in the financial sector. It will impact all financial services organizations that serve customers in the EU by Q1 2025. This recent Forbes article shares more about the regulation and importance of preparing for the deadline now.
- Engage with regulatory agencies: Organizations should also engage with regulatory agencies regularly to discuss any issues or concerns they may have. This can help to establish a good working relationship and provide organizations with valuable feedback on their compliance efforts before an issue arises that leads to an MRA.
- Strengthen overall risk management processes: As part of their overall risk management processes, financial institutions should conduct regular risk assessments to identify potential areas of risk and take appropriate measures to mitigate those risks. This can include implementing security measures as part of a holistic risk treatment (remediation/mitigation, transference, etc.) program, improving operational processes, enhancing internal controls, risk reporting and governance.
- Implement robust security measures: Security is one of the top risks, so financial institutions should implement robust security measures to protect against cyber threats such as malware, phishing attacks, and ransomware. This can include implementing firewalls, intrusion detection systems, and multi-factor authentication.
- Improve operational efficiencies: Financial institutions should focus on improving their operational efficiencies to reduce the risk of errors and omissions. This can include implementing process improvements, automating manual tasks, and providing regular training to staff.
- Foster a culture of compliance: Financial institutions should foster a culture of compliance where employees are trained and educated on the importance of compliance and risk management. They should be encouraged to report any issues or concerns that they may have.
- Establish robust key risk indicators (KRIs): Banks should establish KRIs that provide visibility into, and early warning of, weaknesses in the process and control environment. The KRIs should be linked to aggressive triggers, limits, and escalation procedures when breaches occur.
It is critical for financial institutions to take steps to reduce the likelihood of receiving an MRA by implementing robust internal controls, effective risk management practices, and a strong operational risk and compliance culture. By implementing these measures, organizations can minimize the risk of receiving an MRA and demonstrate to regulatory agencies that they are committed to compliance and risk management.