Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more

Focus on Tech: Cloud, AI, Personal Data

Heightened regulatory expectations for technology risk management, operational resiliency, risk governance, data collection and privacy


February 2023

KPMG Regulatory Insights. 

  • Regulators will increasingly scrutinize technology innovations (e.g., cloud, AI) against a company’s sound risk management policies.
  • The principle of “protecting the consumer/customer” will be expected of all industries—with a continued focus on the technology sector (e.g., children’s protections, advertising) and financial services (e.g., data governance, AI bias).
  • Companies should expect heightened expectations (and so quickly look to enhance) such areas as:

While recognizing the many benefits to be derived from new technologies, the Administration is looking to address the challenges across sectors and the potential harms to consumers that may be realized from rapid technology development and innovation. Key issues include transparency, accountability, and privacy—as recently featured in the:

  • Calls for bi-partisan legislation outlined in the State of the Union Address
  • Treasury report on the Financial Services Sector’s Adoption of Cloud Services
  • White House Blueprint for an AI Bill of Rights

State of the Union Address

In remarks prepared for the State of the Union Address, President Biden called for Congress to pass bipartisan legislation to “stop Big Tech from collecting personal data on kids and teenagers online, ban targeted advertising to children, and impose stricter limits on the personal data these companies collect on all of us.” He also called for legislation to strengthen antitrust enforcement and regulate competition among big online platforms.

Treasury Cloud Report

The Department of the Treasury’s report on the adoption of cloud services in the financial services sector acknowledges an increasing trend toward cloud adoption by all types and sizes of financial institutions (FIs). Treasury suggests this trend has accelerated most recently by “customer demand for innovative offerings through digital channels and financial institution demand to accommodate remote work.” It adds that models of adoption vary across the sector and that there is a wide range of service uses (e.g., IT and cybersecurity management, data storage, and computing facilities needed for artificial intelligence/machine learning applications (AI/ML)).

The report identifies several challenges associated with this broad cloud adoption, noting that the challenges cut across multiple use cases, Cloud Service Providers (CSPs), and FIs. As outlined by Treasury, the six challenges include:

  • Gaps in available talent and tools to securely deploy cloud services, where Treasury finds the current talent pool is “well below demand,” presenting potential barriers to entry for some FIs and increased risk of “misconfiguration”.
  • Exposure to potential operational incidents, such as cyber incidents, that may impact multiple regions, CSPs, or FIs as well as technical vulnerabilities (e.g., uneven maturity of organizations or technologies) and physical events (e.g., power outages).  
  • Insufficient transparency from CSPs to support due diligence and monitoring by FIs, including information on risks related to incidents and outages needed to build technology architecture with appropriate consumer protections.
  • Potential impact of market concentration in cloud service offerings on the sector’s resilience, noting growth primarily in the adoption of services provided by three major (“Big Tech”) companies as well as a lack of data needed to assess how an incident at one CSP could affect the sector.
  • Dynamics in contract negotiation given market concentration, potentially providing CSPs with negotiating advantages especially with regard to smaller FIs and FIs with smaller scale service contracts.
  • International landscape and regulatory fragmentation, making it difficult for U.S. FIs to adopt cloud consistently at a global scale, increasing operational and data privacy risks. 

Anticipating continued and accelerated adoption of cloud services across the sector, Treasury lays out plans to engage with U.S. financial regulators, the private sector, and international partners to address the identified challenges, including:

  • Establishing an interagency Cloud Services Steering Group
  • Conducting follow-on work to the April 2022 “tabletop exercise” involving CSPs and the financial sector
  • Progressing collaboration on the challenge areas and developing options or approaches with respect to: common definitions and terms across the sector (e.g., “critical” services); sector-wide measurement of the concentration of critical uses of cloud services and similar third-party services; incident response and communications updates among financial regulators, CSPs, and FIs; and enhancements to regulatory guidance on risk management practices for cloud services.

Blueprint for an AI Bill of Rights

The Administration released its Blueprint for an AI Bill of Rights in the fall of 2022, stating that “the use of technology, data, and automated systems in ways that threaten the rights of the American public” is “among the great challenges posed to democracy today.” The Blueprint identifies five principles that the Administration suggests should guide the design, use, and deployment of automated systems to protect the public “in the age of artificial intelligence.” These principles include:

  • Safe and effective systems, that meet their intended use and contain protections from unintended use, including inappropriate or irrelevant data use.
  • Algorithmic discrimination protections, built into systems as continuous measures to mitigate disparate treatment or impacts to people, with ongoing testing and oversight.
  • Data privacy, where data collection conforms to “reasonable expectations” and only data necessary for the specific context is collected; consumers’ permission should be sought for collection, use, access, transfer, and deletion of their data to the greatest extent possible.
  • Notice and explanation, in plain language regarding how an automated system is being used and it how it contributed to determining an outcome impacting the consumer.
  • Human alternatives, consideration, and fallback, providing opportunity to opt-out from an automated system, where appropriate, as well as providing a remedy to errors or to contest an impact. 

The Blueprint states “automated systems should be developed with consultation from diverse communities, stakeholders, and domain experts to identify concerns, risks, and potential impacts of the system”. Furthermore, to demonstrate that these systems are safe and effective, they should undergo pre-deployment testing, risk identification and mitigation, and ongoing monitoring.

The Administration highlights specific examples of regulatory actions across multiple sectors supportive of the Blueprint, including the Federal Trade Commission’s ANPR on commercial surveillance, and the Consumer Financial Protection Bureau’s Circular 2022-03 (Adverse action notification requirements in connection with credit decisions based on complex algorithms).

Relevant KPMG Thought Leadership:

KPMG Regulatory Insights POV| Regulatory Scrutiny of Technology and Data

KPMG Regulatory Alert| Data Retention and Deletion: Increasing Regulatory Expectations

KPMG Regulatory Alert| Regulatory Focus on Cloud Computing

Dive into our thinking:

Focus on Tech: Cloud, AI, Personal Data

Download PDF

Explore more

Get the latest thinking from KPMG

KPMG’s Financial Services Regulatory Insight Center comprises key industry practitioners and regulatory advisors from across KPMG’s global network.

Thank you

Thank you for subscribing to Regulatory Insights thought leadership content. You will receive our next issue when we publish.

Get the latest thinking from KPMG

KPMG’s Financial Services Regulatory Insight Center comprises key industry practitioners and regulatory advisors from across KPMG’s global network.

The Regulatory Insight Center regularly provides insights into the implications of regulatory changes, distilling the impact of regulatory developments and advising financial services firms on how to adapt their business models to not only comply but to better thrive in this dynamic environment.
Our publications include:

  • Regulatory Alerts: Quick hitting summaries of specific regulatory developments and their impact on financial services firms.
  • Points of view: Insights and analyses of emerging regulatory issues impacting financial services firms. 

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.