An MRA — Matter Requiring Attention — is an examiner finding that a bank's practice in a specific area is deficient and requires corrective action. Vendor management MRAs have become more common in community bank examinations as regulators have elevated their expectations for third-party risk monitoring. Understanding the specific deficiencies that generate MRAs is the most direct guide to building a program that avoids them.
The Most Common Vendor Management MRA Findings
The most frequently cited deficiency in vendor management MRAs is failure to perform ongoing monitoring between annual reviews. The examiner finds a risk event — a data breach, a regulatory enforcement action, a material change in the vendor's financial condition — that occurred 4 to 8 months before the examination, and the bank was unaware of it because monitoring only occurred at the last annual review. This is a textbook ongoing monitoring failure under the interagency guidance.
The second most common finding is OFAC screening applied inconsistently — screening vendors at onboarding but not on an ongoing basis, or screening major vendors but not the full portfolio. The third most common finding is inadequate documentation: a verbal assertion that monitoring occurs without the supporting log to demonstrate it. The fourth most common finding is failure to apply risk-based monitoring intensity — treating all vendors the same regardless of their criticality tier.
The Persona Scenario the Guidance Is Written Around
The OCC guidance describes a scenario that many community bank compliance officers recognize: a vendor suffers a data breach, the bank's customers are affected, and the examiner asks when the bank first learned about it. If the answer is "from the news, after the examiner brought it up," that is the MRA. If the answer is "our monitoring system flagged it 3 days before the vendor disclosed it — here is the timestamped alert, here is our documented response," that is a passing answer.
The Banking Vendor Risk AI Agent is designed specifically to produce the second answer. The system detects adverse events before vendor disclosure in many cases, generates a timestamped alert, routes it to the appropriate staff, and logs the disposition — creating the exact documentation that converts an MRA scenario into a passing examination response.