Regulator Communication Drafting

• Communication purpose: Type of communication, triggering event, regulatory agency, intended recipient
• Regulatory context: Applicable regulations, prior examination findings, supervisory history, consent orders
• Factual basis: Underlying facts, data, analysis supporting the communication
• Institutional position: Management's assessment, remediation actions taken or planned, timeline commitments
• Governance requirements: Required approvals, legal review requirements, board or committee involvement
• Precedent communications: Prior correspondence on the same topic, established communication patterns

Methodology

Step 1: Communication Type Classification and Requirements

Identify the communication type and apply corresponding requirements:

Step 2: Audience Analysis and Tone Calibration

Calibrate communication style for the regulatory audience:

Tone principles:

• Professional and respectful: Acknowledge the regulator's authority and role without being obsequious
• Factual and precise: Every statement must be supportable by evidence; avoid subjective characterizations
• Transparent and forthcoming: Proactively disclose material information; do not require regulators to ask follow-up questions for information the institution should volunteer
• Confident but not dismissive: Demonstrate competence without minimizing regulatory concerns
• Forward-looking: Emphasize corrective actions and commitments, not just past explanations

Language standards:

• Use precise regulatory terminology (MRA, MRIA, significant deficiency, material weakness) correctly
• Avoid jargon, acronyms, or internal terminology without definition
• Do not use hedging language that implies uncertainty about facts within the institution's knowledge
• Do not use absolute statements ("we have never" or "this could never") that are difficult to substantiate
• Avoid adversarial or defensive language, even when the institution disagrees with a finding

Step 3: Factual Foundation and Evidence Assembly

Build the factual basis for the communication:

• Compile all relevant facts with source documentation references
• Verify accuracy of all dates, figures, names, and regulatory citations
• Identify any facts that are uncertain or in dispute and address them transparently
• Ensure consistency with prior communications to the same regulator on the same topic
• Cross-reference with legal and compliance to identify any privileged information considerations
• Confirm all referenced commitments (dates, actions, milestones) are realistic and approved by accountable executives

Step 4: Structure and Content Development

Apply the appropriate structure for the communication type:

Examination Response Letter Structure:

1. Opening — Acknowledge receipt of the examination report; express appreciation for the examination team's efforts
2. General response — Provide the institution's overall perspective on examination findings
3. Finding-by-finding response — Address each finding individually:
   a. Restate the finding (demonstrate understanding)
   b. State whether the institution agrees, partially agrees, or respectfully disagrees
   c. Provide factual context or additional information
   d. Describe corrective actions taken or planned
   e. Identify accountable executive and target completion date
4. Closing — Reaffirm commitment to safety and soundness; offer to provide additional information

MRA/MRIA Remediation Update Structure:

1. Opening — Reference the specific MRA/MRIA, original finding date, and prior communications
2. Remediation status — Current status (completed, in progress, on track, delayed)
3. Actions completed — Specific actions taken with evidence of completion
4. Actions in progress — Current activities with milestones and expected completion dates
5. Challenges or delays — Transparent disclosure of obstacles with revised timelines if applicable
6. Validation — Evidence of remediation effectiveness (testing results, metrics)
7. Closing — Commit to next update schedule; offer to discuss

Regulatory Notification Structure:

1. Notification statement — Clear identification of the event being reported
2. Factual summary — What happened, when, how detected
3. Impact assessment — Scope, customers affected, financial impact
4. Immediate actions taken — Containment, mitigation, customer notification
5. Root cause (if known) — Preliminary root cause or statement that investigation is ongoing
6. Remediation plan — Corrective actions underway or planned
7. Ongoing communication — Commitment to provide updates at defined intervals

Step 5: Regulatory Citation and Framework Alignment

Ensure the communication demonstrates regulatory awareness:

• Reference specific regulations, guidance bulletins, or supervisory letters applicable to the subject matter
• Demonstrate alignment between the institution's actions and regulatory expectations
• When disagreeing with a finding, cite specific regulatory language or guidance supporting the institution's position
• Avoid over-citing regulations in a way that appears argumentative
• Reference the institution's own policies and risk frameworks as evidence of governance maturity

Step 6: Review, Approval, and Quality Assurance

Apply rigorous quality assurance before finalization:

Review chain: (1) Subject matter expert — factual accuracy, (2) Legal — privilege, regulatory risk, commitment implications, (3) Compliance — citation accuracy, required disclosures, (4) Executive — tone, strategic alignment, commitment authorization, (5) Board (when required) — board-level communications, consent orders, examination responses.

Quality checks: Every assertion is evidence-backed, all commitments are achievable and authorized, consistency with prior correspondence is verified, tone is professional and non-defensive, concerns are addressed directly, and no inadvertent admissions or privilege disclosures exist.

Step 7: Record Retention and Follow-Through

Maintain the communication and supporting evidence in the regulatory correspondence file. Calendar all commitments with accountable owners and track in the MRA/MRIA system. Prepare ready-reference packages for follow-up inquiries and brief stakeholders on commitments and next steps.

Output Specification

# [Communication Type]: [Subject]

**Date**: [date]
**To**: [Regulator name, title, agency]
**From**: [Institution executive name, title]
**Re**: [Subject line with reference numbers]

---

[Body of communication following the appropriate structure from Step 4]

---

**Attachments**:
[List of supporting documents]

**cc**:
[Distribution list]

Analysis Framework

Communication effectiveness assessment criteria:

Examples

Example 1 — MRA Remediation Update: "Dear [Examiner-in-Charge], This letter provides the quarterly remediation update for MRA 2025-03 (Third-Party Risk Management — Concentration Risk), originally identified in the [Date] Report of Examination. Status: In Progress, On Track. Since our prior update dated [Date], the institution has completed the following actions: (1) Implemented the fourth-party concentration risk assessment methodology approved by the Enterprise Risk Committee on [Date], incorporating identification of shared infrastructure dependencies across all critical vendors; (2) Completed fourth-party mapping for 8 of 12 critical vendor relationships, with the remaining 4 scheduled for completion by [Date]; (3) Presented initial concentration risk findings to the Board Risk Committee on [Date], including identification of AWS dependency across 7 critical vendors. Remaining action: Development of concentration risk limits and thresholds is underway with target presentation to the Risk Committee on [Date] and Board approval by [Date]. We remain on track for full remediation by the committed date of [Date]. We are available to discuss this update at your convenience."

Example 2 — Examination Response (Disagreement): "Regarding Finding 7 (Access Recertification Frequency), the institution respectfully provides additional context for your consideration. The Report characterizes the institution's semi-annual access recertification cycle for non-critical applications as insufficient. The institution's access recertification program applies a risk-based frequency: critical and SOX-relevant applications undergo quarterly recertification, while non-critical applications undergo semi-annual recertification with continuous automated monitoring for terminated-employee access and SoD conflicts. This risk-based approach is consistent with FFIEC Information Security Handbook guidance, which states that 'the frequency of reviews should be commensurate with the risk of the access granted.' The institution will, however, enhance its documentation of the risk-based rationale for recertification frequency decisions and present the updated framework to the Technology Risk Committee by [Date]."

Guidelines

• Never send regulatory correspondence without legal review; routine communications can create binding commitments
• Ensure all commitments are realistic; failing to meet a commitment is worse than requesting more time
• Be transparent about challenges; regulators value honesty over optimistic reporting
• Maintain consistent institutional voice; track all communications centrally
• Regulatory correspondence becomes part of the supervisory record referenced in future examinations
• When disagreeing, present facts and regulatory citations, not opinions or defensive arguments
• Engage the board appropriately; certain communications require board awareness or approval

Validation Checklist

• Communication type classified with appropriate structure applied
• Tone is professional, factual, transparent, and non-defensive
• All factual assertions verified with source documentation
• All commitments are specific, achievable, authorized, and calendared
• Regulatory citations are accurate and appropriately used
• Communication consistent with prior correspondence on the same topic
• Legal review completed; executive and board approvals obtained as required
• Communication filed and follow-up commitments tracked in MRA/MRIA system