Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Data

Data quality, governance, and lifecycle management are the potential "soft underbelly" for heightened risk and compliance standards

Data governance

Regulators are continuing to look broadly at the strength of firms’ data risk management and  governance, including policies, procedures, and accountability, data outputs (e.g., reporting, models,  metrics), and third-party risks. Scrutiny will focus on firms’ understanding and identification of risks  around the ways data is collected, used, shared, and/or monetized, as well as how it is protected from  misuse. Anticipate data governance supervisory themes to include:

  • Scope: An expanded scope of regulatory scrutiny will include reporting and other key data outputs  (e.g., models, risk metrics, and compliance reports pertaining to fair lending, consumer protection,  and financial crimes).
  • Traceability: Demonstrable ability to trace and report on the relationship between data outputs and  business processes, systems of record, and systems of origin.
  • Heightened Standards: Increasing scrutiny of effective data risk management and compliance  program standards across business lines and key functions, and with clear roles, responsibilities, and  accountabilities for board, management and across 1st, 2nd, and 3rd lines.
  • Classification: Data classifications, tiering, and risk ratings based on the level of sensitivity, integrity,  and availability, as well as the value and criticality of the data to the firm.
  • Third-Party Data: Understanding of data sourced from, or shared with, third parties, as well as data  risk management and governance requirements embedded into third-party service agreements.

Data risk and controls

Regulators will assess firms’ processes to define, identify, measure, monitor, manage and  report on data risks, including those posed by third parties, at all levels of the enterprise.

In 2024 firms should look for continuing regulatory focus on the following capabilities:

  • Data Risk: Data risk defined through the risk taxonomy (e.g., data protection, data integrity,  and data resiliency) and metrics and processes to identify, measure, manage, and monitor  risk established at both the line-of-business and enterprise levels.
  • Data Controls: Standardized data controls established around access and authorization, use,  privacy and security, and sharing with third-parties or other data aggregators. These controls  should align to the data risk taxonomy and show sustainability through a regular and robust  control testing function.
  • Reporting: Holistic reporting on data risk and controls at the line-of-business, regional/  country, and enterprise levels.

Data lifecycle management

Through guidance, policy statements, supervision, and enforcement actions, regulators have  expressed expectations for firms to demonstrate cohesive and comprehensive strategies for  managing and overseeing systems, data, and controls throughout the data lifecycle, including  procedures for every step of the data lifecycle—from collection or acquisition, processing, and  safeguarding to retention, possible migration, and end-of-life processes or disposal.

Expect regulatory examinations to consider:

  • Data collection: Prioritization of effective risk management and oversight of information  systems, data, controls, and procedures, including when data is:
    • Initially captured and processed, especially if the data is sensitive consumer information (e.g.,  biometric, genetics or health, demographic) or manipulated or altered (e.g., conversion from  structured to unstructured forms).
    • Acquired from, shared with, or sold to new data sources, including external third-parties or  data aggregators.
    • Migrated to new internal systems from old systems (e.g., legacy or decommissioned) or to  external (third-party) systems (e.g., cloud, part of an M&A transaction).
  • Data Retention and Disposal: Scrutiny of data retention and recordkeeping, including  collection, storage, retention, and disposal practices under existing data retention, privacy, and  risk management regulations and guidance. Continuing supervision and enforcement focus on data associated with decommissioned systems/IT assets (e.g., end-of-life practices) and  recordkeeping associated with unauthorized channels or devices (e.g., SEC Regulation S-P)  will continue.

What to Watch

Amongst all things ‘data’, key regulatory actions to watch will include:

  • Data Safeguarding, Retention, & Disposal: Examination and enforcement around practices  for safeguarding and securing data, as well as retaining and disposing of it under existing  regulations (e.g., SEC Regulation S-P).
  • Data Risk Management: Intensifying scrutiny of data risk management processes across  business lines and functions, including data classification and traceability, internal governance  processes, and external, third-party oversight (e.g., Interagency TPRM Guidance)
  • Data Reporting Requirements: Increasing expectations around data reporting capabilities,  particularly around newly proposed/finalized rules (e.g., SEC cybersecurity and incident  disclosures, Basel III capital requirements, CFPB 1071 small business lending data).

Call to Action…

  • Clearly define data scope expectations: Clearly define the scope covered by data  governance and ensure that it is expanding beyond the traditional scope of prudential  regulatory reports.
  • Adjust risk taxonomy to consolidate data risks: Ensure the data risk taxonomy addresses  data protection, data integrity, and data resiliency and that data owners understand the  expectation to own and mitigate those risks.
  • Be explicit on standardized data controls: Ensure that there are standardized data  controls aligned to the data risks and there is clear guidance for the lines of businesses  and functions on what minimum control requirements apply to what scope and how to  operationalize the controls.
  • Continuous monitoring and improvement: Drive ongoing monitoring and assessment of  your organization’s holistic data risk to ensure effectiveness of the controls and to address  potential risks.

Explore more

Regulatory Insights

A source for updates and perspectives on regulatory activity and issues

Read more

Meet our team

Image of Amy S. Matsuo
Amy S. Matsuo
Principal, Growth & Strategy, Regulatory Insights, KPMG LLP
Read bio
Image of Robert S. Westbrook
Robert S. Westbrook
Principal, Financial Services Solutions, KPMG US
Read bio
Image of Brian Radakovich
Brian Radakovich
Partner, Advisory - Financial Services, KPMG LLP
Read bio
Image of Amy S. Matsuo
Amy S. Matsuo
Principal, Growth & Strategy, Regulatory Insights, KPMG LLP
Read bio
Image of Robert S. Westbrook
Robert S. Westbrook
Principal, Financial Services Solutions, KPMG US
Read bio
Image of Brian Radakovich
Brian Radakovich
Partner, Advisory - Financial Services, KPMG LLP
Read bio

Explore other services tailored to your business

Industry
Financial Services
Read more
Service
Financial Services Risk, Regulatory and Compliance
Read more

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2025 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline