
Risk 'complacency': Regulatory challenges

Deliberately guard against overconfidence by raising risk and compliance investment and voice.


Regulators view “risk complacency” by financial service companies as a potential threat to both stakeholder trust and safety and soundness. Companies must deliberately ensure that they are guarding against overconfidence—particularly during times of business, M&A, and innovative growth—by raising risk and compliance investment and voice.

Over-confidence leading to complacency is a risk—when prudent risk management is set aside in pursuit of profit.

Michael Hsu

Acting Comptroller of the Currency, August 2021

Explore here insights from the KPMG report Ten key regulatory challenges of 2022.

Mitigating risk: Risk "complacency"

Give risk management appropriate stature, recognition and size.

Prudent risk and compliance management (commensurate with size, complexity, and risk profile) must accompany business change and growth, as well as anticipate and address expanded regulatory risk expectations.

In the areas of human capital and risk culture and commitment, heightened regulatory attention will include:

  • Demonstrable and credible challenge, including the adequacy of risk assessments and the monitoring and adjustment, as needed, of internal controls. 
  • Appropriate stature of Risk, Compliance, Information Security, and Audit that is comparable to other strategic functions, including the quality of autonomy, empowerment, and visibility. 
  • Sufficient and skilled staffing and funding resources.
  • Dynamic, metric-driven risk capacity models to determine technology, operational, and risk resources needed to keep pace with the growth or changes in the business.

Invest in data-driven risk automation, analytics and process efficiency. 

Financial service companies must continuously determine how best to utilize data and technology to meet consumer and client demands, both from a business and a risk perspective. Regulators expect companies to take a data-driven approach to risk and compliance monitoring and assessment. Likewise, regulators increasingly utilize data-driven supervision and enforcement.

Areas of regulatory attention will include:  

  • Sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.
  • Robust data quality auditability standards and practices.
  • Use of data to perform a more dynamic and robust risk assessment, diligence and surveillance (and update risk and compliance programs accordingly).
  • Ongoing data analytics to challenge business processes and controls and to flag potential issues (systemic and isolated) in a timely manner, with resolution tracked.
  • Consistency and auditability driven by the use of workflow and automation tools in such areas as risk, examination management, and compliance management processes.

Anticipate and incorporate emerging risks, but don’t lag in remediating known (or should have known) issues.

Financial service companies must incorporate emerging risks and regulatory expectations, but also continue to demonstrate timely identification and remediation of issues. 

Regulatory attention will expand in areas such as:

  • Establishing effective front-line units, independent risk management, and internal audit and control functions. 
  • Continuously accessing operational data and information across functions to update and revise risk assessments based on changing compliance risk. 
  • Ensuring that deficiencies (including data quality, timely and accurate reporting, and reporting to the Board) are quickly identified and appropriately remediated.
  • Robustly analyzing complaints, disputes, and claims information for systemic issues, and demonstrating that actions have been taken (e.g., to modify products or services, enhance process controls, and improve product or disclosure clarity).
  • Analyzing employee/insider threat data and behavioral patterns and key insights from investigations and interviews to identify, acknowledge and resolve cultural/conduct risk or control issues.

Champion risk-embedded business, operational and technology change.

Regulators will expect that risk and control functions are part of continued business, operational and technology change. The sense that “it cannot happen here”, “the third party owns that risk”, or “that’s the way we have always done it” is unlikely to be a strong or sufficient risk stance and will be increasingly pressured by regulatory supervision and enforcement.

Key areas of focus for robust risk governance and controls will include:

  • Continued large scale technology change-related initiatives, such as focus on data management, digital assets, digital adoption, cloud adoption and migration, and core platform modernization.
  • Support for, or investment to facilitate, access to operational data and information across functions and/or from disparate sources.
  • Industry or corporate practices that have not undergone recent changes but may result in disproportionate impacts across consumer/client groups (e.g., complaints handling, use of appraisal or other valuation models, application of product fees).
  • Appropriateness of risk and control testing of AI and other technology (e.g., for potential bias, inappropriate access, or vulnerabilities in access controls and security).
  • Consistency of public issuances and of regulatory responses (e.g., in such areas as ESG commitments and reporting, and regulatory inquiries and examination responses).


Meet our team

Amy S. Matsuo
Principal and National Leader, Regulatory Insights, KPMG US
Julie Gerlach
Partner, Internal Audit & Enterprise Risk, KPMG US
