Regulatory Intensity

The standards go to new heights

July 2023

Regulators have ‘set out flares’ signaling their expectations for meeting heightened standards and the supervision of risk management. So, what will this mean for banks?  What will their boards and managements need to focus on? How might they be constrained by the heightened standards and intensified supervision and examinations, or might they be able to use them as an advantage for growth?

The regulators’ focus on heightened standards spotlights:

  1. “Persistent weaknesses” – failure to correct deficiencies or meet supervisory expectations in a timely manner will drive exam intensity and possible ratings downgrades
  2. “Repeat offenders” – failure to make “sufficient” progress toward correcting deficiencies is an indicator of “persistent weakness”
  3. “Too big to manage” – when size and complexity give way to persistent/repeated weaknesses, simplification via divestiture is the regulators’ “big stick”

The signals are clear.  Heightened standards from the past are now front and center with a new complexion, expectations are rising, and patience is waning.  How will the industry respond?

1. “Persistent weaknesses” will drive exam intensity and possible ratings downgrades

What Are “Persistent Weaknesses”? The OCC states that “persistent weaknesses” may include:

  • “CAMELS” Composite or Management component ratings of 3 or worse, or three or more risk management assessments of “weak” or “insufficient quality” for more than three years
  • Failure by a bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner
  • Multiple enforcement actions against a bank executed or outstanding during a three-year period.

Further, the OCC states that it may take additional and increasingly severe supervisory or enforcement action(s) when a bank exhibits “persistent weaknesses” or “continuing, recurring, or increasing deficiencies for a prolonged period.”

Source: OCC PPM 5310-3, Appendix C, May 2023 

Growing supervisory scrutiny of “persistent weaknesses” at banks is focusing on management, and in particular, their ability to adequately identify and mitigate risks as well as remediate supervisory concerns or identified deficiencies, MRAs, or enforcements in a timely manner. While guidance around supervisory examinations and ratings is established, mounting intensity around “weaknesses” in risk management and compliance, especially with regard to correcting deficiencies, could lead to more stringent evaluations and potential ratings downgrades.

Why it Matters

Regulators expect banks to correct identified deficiencies in a timely manner. Boards are expected to ensure compliance with enforcement actions within required timeframes by:

  • Holding management accountable for the firm’s deficiencies.
  • Directing management to develop and implement corrective actions.
  • Approving necessary changes to the firm’s policies, processes, procedures, and controls.
  • Establishing processes to monitor progress and verify and validate the effectiveness of management’s corrective actions.

When deficiencies are “continuing, recurring, or increasing for a prolonged period,” regulators may consider additional and increasingly severe action(s), such as assessing civil money penalties (CMPs) or other enforcement actions, including requirements for board oversight of enterprise-wide action plans for resolving the “persistent weaknesses”, restrictions on growth or business activities, or directives for specific actions such as making certain investments or additions to capital or liquidity.

If a firm continues to fail to correct its persistent weaknesses in response to enforcement actions or other measures, regulators will consider further action(s) to remediate the weaknesses, such as requiring the firm to simplify or reduce operations (e.g., reducing asset size, divesting of subsidiaries/business lines, exiting from market(s) of operation).

2. “Repeat offenders” increase ‘weakness risk’

“Repeat offenders” are companies (or their directors, employees, and affiliates) that engage in unsafe and unsound practices or exhibit deficiencies related to, or violations of, the law “over and over”. Examples may include violations of terms or conditions in formal court or agency orders, repeated violations of specific laws or regulations, and violations of law or regulations across different business lines with the same root cause.

Repeated failure to address deficiencies or correct violations heightens examiners’ concerns and may lead to additional scrutiny of management and compliance weaknesses.

While repeat offenses in all forms raise regulatory concerns, regulators evaluate the severity of the violations across a variety of factors, including a company’s intent, continuation of offenses after notification, history of violations and tendency toward violations, the duration and frequency of violations prior to notification (i.e., pattern or practice), and loss or harm to consumers.

Regulators have said that violations of formal court or agency orders are “especially egregious because [the offender] often consented to the terms as part of a settlement and clearly understand the laws and provisions to adhere to but failed to comply due to dysfunction or calculated risk.”1

Regulators further suggest that when a bank is subject to multiple enforcement actions executed or outstanding for an extended period of time, the bank’s repeated failures to address the deficiencies “become, by themselves, presumptive evidence that it is at the limits of its manageability”; failure to make sufficient progress toward correcting the deficiencies is thus an indicator of “persistent weakness”.2

Regulators will consider the evaluations, ratings, and enforcement actions a company receives from other regulators when evaluating and assigning their own ratings. Actions by one regulator deemed to be “repeat offenses” very likely will have implications to examinations by other regulators, including the prudential regulator.

Why it Matters

A number of regulatory and enforcement agencies (e.g., CFPB, OCC, DOJ) have specifically called out a focus on reining in “repeat offenders”, including increased monitoring of those companies deemed to be repeat offenders and actions to hold those companies (and their boards and management) accountable for consistently failing to meet compliance requirements. 

As a general rule, when initially identified concerns or deficiencies go unaddressed and lead to repeat offenses, regulators may consider escalation to more formal enforcement actions. If repeat offenses continue, regulators will often terminate an existing enforcement action and replace it with a more comprehensive or severe action (e.g., from an MOU to a formal agreement, or from a formal agreement to a consent order).  Supervisory evaluations, enforcement actions, court or agency orders, settlements, and remediation timeframes imposed by other regulators and across applicable laws and regulations may also be factored into the regulator’s response.

For some companies, repeated offenses, repeated delays in meeting established remediation milestones, or new violations related to similar laws or regulations (so-called “recidivist” outcomes), can ultimately paint a picture of a company that is stretched to the limits of its manageability.

Companies, however, may proactively influence, and potentially minimize, the severity of regulatory actions by:

  • Improving self-identification of deficiencies and violations.
  • Providing proactive disclosure to supervisory authorities.
  • Establishing timely and complete remediation processes that address root causes of problems.
  • Providing customer restitution, where applicable.
  • Holding responsible individuals accountable.

Enforcement Guidance

Regulators evaluate progressive levels of severity and culpability when determining an enforcement response to examination deficiencies or violations of laws or regulations. Factors that may weigh heavily against a company include:

  • Intent
  • Continuation after notification
  • Concealment
  • Loss or harm to consumers or the public
  • Previous concern or administrative action for similar violations

Mitigating factors that regulators may also consider include levels of self-identification and remediation/corrective action. 

3. “Too big to manage” holds the stick

“Enterprises can become so big and complex that control failures, risk management breakdowns, and negative surprises occur too frequently – not because of weak management, but because of the sheer size and complexity of the organization. In short, effective management is not infinitely scalable. This axiom underpins the TBTM problem, as well as its solution.” – Acting Comptroller of the Currency (Jan. 17, 2023)

Several dynamics are driving regulatory scrutiny of firms that are deemed “too big to manage” (TBTM), including inadequate oversight of controls (observed in recent enforcement actions), banking industry volatility leading to enhanced risk assessments, and intensified capital, liquidity, and recovery planning reviews.

Deficiencies identified in MRAs and/or enforcement actions, coupled with repeat offenses or failures to remediate them, are driving regulators to closely examine the size and complexity of companies, and the adequacy and limits of their manageability.

Why it Matters

Regulators employ escalation frameworks to ensure that deficiencies are clearly identified, banks are given opportunities to address them, and that failures to do so are met with proportionate, fair, and effective consequences. Escalation frameworks effectively use the threat of restrictions and divestitures “to force banks to prove that they are manageable and to then let the effectiveness or ineffectiveness of their actions speak for themselves.”

Regulators may consider and prescribe any combination of several options to promote remediation of “persistent weakness” or “repeat offenses”, including:

  • Changing senior management.
  • Increasing remediation budgets.
  • Developing better action plans.
  • Hiring more risk and control function personnel.
  • Imposing fines.
  • Capping growth.
  • Divesting certain activities or business lines.

The regulators suggest, however, that as companies become larger and more complex, the most effective and efficient way to fix issues is to simplify them – divest businesses, curtail operations, reduce complexity. These are “bright line structural remedies” that “meaningfully change business incentives”.

Heightened Standards

The Heightened Standards establish standards for the design and implementation of a bank’s risk governance framework to manage and control the bank’s risk-taking activities, as well as standards for the bank’s board of directors to provide oversight of that design and implementation. The expectations, which are extensive, matter today more than ever.

Standards for a Risk Governance Framework, including such areas as:

  • Roles and Responsibilities for Front Line Units, Risk Management, and Internal Audit
  • Risk Data Aggregation and Reporting
  • Relationship of Risk Appetite Statement, Concentration Risk Limits, and Front Line Unit Risk Limits to Other Processes
  • Talent Management Processes
  • Compensation and Performance Management Programs

Standards for the Board of Directors, including such areas as:

  • Require an Effective Risk Governance Framework
  • Provide Active Oversight of Management
  • Exercise Independent Judgment
  • Self-Assessments

Source: 12 CFR 30, Appendix D

The Bottom Line...

Take the regulatory signals—show that your organization “gets it” by establishing, sustaining, challenging, and continuously improving risk management and risk governance.

No board or executive management team wants to be deemed ‘persistently weak’, a ‘repeat offender’ and/or ‘too big to manage’.  And it’s very clear that the regulatory supervisory and enforcement “levels” have ‘shifted up’. 

Being able to both demonstrate and sustain the elements of "Heightened Standards"—regardless of your size and complexity—will be imperative to allow your organization to be in a position in the future to more easily expand and grow.



1 “Reining in Repeat Offenders”: 2022 Distinguished Lecture on Regulation, University of Pennsylvania Law School | Consumer Financial Protection Bureau (

2 Acting Comptroller of the Currency Michael J. Hsu remarks at Brookings, “Detecting, Preventing, and Addressing Too Big To Manage”, January 17, 2023 (



Meet our team

Amy S. Matsuo
Principal, U.S. Regulatory Insights & Compliance Transformation Lead, KPMG LLP
Anand Desai
Principal, Advisory - Financial Services Line of Business Leader, Risk Services, KPMG US
