Provide the EIC with conclusion of findings, focusing on:

• The bank’s policies, management information systems, controls, and their impact on the bank’s capacity to operate in a safe and sound manner.

• Compliance with established laws, rules, and regulations.

• The quality and effectiveness of the bank’s insider policies and procedures and the bank’s vulnerability to insider abuse.

• The adequacy of audit coverage of insider activities.

• Any corrective action needed for deficient policies, practices, procedures, internal controls, or violations of law. In determining appropriate corrective action, consider whether deficiencies:

  • Reflect a lax attitude or lack of understanding of insider issues by management.

  • Resulted from bank personnel’s lack of familiarity with the laws, rulings, and regulations, or bank-established policy.

  • Reflect a failure by bank management to implement corrective action for deficiencies cited at previous bank or regulatory reviews.

  • Resulted from specific weaknesses in the bank’s systems.

  • Are technical and not expected to recur because adequate systems exist.

Determine the impact on aggregate risk and the direction of risk assessments for any risks identified when performing the above procedures. Examiners should refer to guidance provided under the OCC’s large and community bank risk assessment programs.

• Risk Categories: Compliance, Credit, Reputation, Strategic

• Risk Conclusions: High, Moderate, or Low

• Risk Direction: Increasing, Stable, or Declining

Determine, in consultation with the EIC, whether the risks identified are significant enough to merit bringing them to the board’s attention in the report of examination. If so, prepare items for inclusion under the heading Matters Requiring Attention (MRA). Use the following guidelines when preparing these items:

• An MRA is a bank practice that:

  • Deviates from sound fundamental governance, internal control, and risk management principles, which may adversely impact the bank’s earnings or capital, risk profile, or reputation if not addressed.

  • Results in substantive noncompliance with laws or internal policies or processes.

• While there is no specific format for MRAs, when composing an MRA you should provide the following details:

  • Description of MRA;

  • Factors contributing to the problem, including its root cause;

  • Consequences of inaction;

  • Management’s commitment to corrective action; and

  • The time frame for corrective action and the person(s) responsible for taking such action.

Determine in consultation with appropriate OCC personnel whether any enforcement action should be recommended (e.g., formal agreement, cease and desist order, civil money penalty) or a Suspicious Activity Report should be filed.

Discuss findings with management, including:

• Overall conclusions, specifically regarding applicable risks.

• Violations of law or regulation and non-conformance with bank policy.

• Deficiencies.

• Recommendations.

• If applicable, commitment from management to correct violations of law and/or Matters Requiring Attention.

As appropriate, prepare an insider activities comment for inclusion in the Report of Examination.

Advise appropriate OCC offices of any insider borrowings in this institution that may affect insiders in another national bank (12 USC 1972(2)). Also advise the district office of similar situations that may affect state banks.

Update the OCC supervisory database and any applicable Report of Examination schedules or tables. When appropriate, add information regarding insider borrowings at other banks.

Organize and reference working papers in accordance with OCC guidance. Prepare a memorandum or update the work program with any information that will facilitate future examinations.