
Data quality, governance, and lifecycle management are the potential "soft underbelly" for heightened risk and compliance standards

Data governance

Regulators are continuing to look broadly at the strength of firms’ data risk management and governance, including policies, procedures, and accountability, data outputs (e.g., reporting, models, metrics), and third-party risks. Scrutiny will focus on firms’ understanding and identification of risks around the ways data is collected, used, shared, and/or monetized, as well as how it is protected from misuse. Anticipate data governance supervisory themes to include:

  • Scope: An expanded scope of regulatory scrutiny will include reporting and other key data outputs (e.g., models, risk metrics, and compliance reports pertaining to fair lending, consumer protection, and financial crimes).
  • Traceability: Demonstrable ability to trace and report on the relationship between data outputs and business processes, systems of record, and systems of origin.
  • Heightened Standards: Increasing scrutiny of effective data risk management and compliance program standards across business lines and key functions, with clear roles, responsibilities, and accountabilities for the board, management, and the 1st, 2nd, and 3rd lines.
  • Classification: Data classifications, tiering, and risk ratings based on the level of sensitivity, integrity, and availability, as well as the value and criticality of the data to the firm.
  • Third-Party Data: Understanding of data sourced from, or shared with, third parties, as well as data risk management and governance requirements embedded in third-party service agreements.

Data risk and controls

Regulators will assess firms’ processes to define, identify, measure, monitor, manage, and report on data risks, including those posed by third parties, at all levels of the enterprise.

In 2024, firms should expect continuing regulatory focus on the following capabilities:

  • Data Risk: Data risk defined through the risk taxonomy (e.g., data protection, data integrity, and data resiliency), with metrics and processes to identify, measure, manage, and monitor risk established at both the line-of-business and enterprise levels.
  • Data Controls: Standardized data controls established around access and authorization, use, privacy and security, and sharing with third parties or other data aggregators. These controls should align to the data risk taxonomy and demonstrate sustainability through a regular and robust control testing function.
  • Reporting: Holistic reporting on data risk and controls at the line-of-business, regional/country, and enterprise levels.

Data lifecycle management

Through guidance, policy statements, supervision, and enforcement actions, regulators have expressed the expectation that firms demonstrate cohesive and comprehensive strategies for managing and overseeing systems, data, and controls at every step of the data lifecycle: from collection or acquisition, processing, and safeguarding, through retention and any migration, to end-of-life processes and disposal.

Expect regulatory examinations to consider:

  • Data Collection: Prioritization of effective risk management and oversight of information systems, data, controls, and procedures, including when data is:
    • Initially captured and processed, especially if the data is sensitive consumer information (e.g., biometric, genetic or health, demographic) or is manipulated or altered (e.g., conversion between structured and unstructured forms).
    • Acquired from, shared with, or sold to new data sources, including external third parties or data aggregators.
    • Migrated from old systems (e.g., legacy or decommissioned) to new internal systems, or to external (third-party) systems (e.g., cloud, or as part of an M&A transaction).
  • Data Retention and Disposal: Scrutiny of data retention and recordkeeping, including collection, storage, retention, and disposal practices under existing data retention, privacy, and risk management regulations and guidance (e.g., SEC Regulation S-P). Supervision and enforcement will continue to focus on data associated with decommissioned systems and IT assets (i.e., end-of-life practices) and on recordkeeping for communications over unauthorized channels or devices.

What to Watch

Across all things ‘data’, key regulatory actions to watch include:

  • Data Safeguarding, Retention, & Disposal: Examination and enforcement around practices for safeguarding and securing data, as well as retaining and disposing of it, under existing regulations (e.g., SEC Regulation S-P).
  • Data Risk Management: Intensifying scrutiny of data risk management processes across business lines and functions, including data classification and traceability, internal governance processes, and oversight of external third parties (e.g., Interagency TPRM Guidance).
  • Data Reporting Requirements: Increasing expectations around data reporting capabilities, particularly under newly proposed or finalized rules (e.g., SEC cybersecurity and incident disclosures, Basel III capital requirements, CFPB 1071 small business lending data).

Call to Action…

  • Clearly define data scope expectations: Define the scope covered by data governance and ensure it extends beyond the traditional scope of prudential regulatory reports.
  • Adjust the risk taxonomy to consolidate data risks: Ensure the data risk taxonomy addresses data protection, data integrity, and data resiliency, and that data owners understand they are expected to own and mitigate those risks.
  • Be explicit on standardized data controls: Ensure there are standardized data controls aligned to the data risks, with clear guidance for the lines of business and functions on which minimum control requirements apply to which scope and how to operationalize the controls.
  • Continuous monitoring and improvement: Drive ongoing monitoring and assessment of your organization’s holistic data risk to confirm the effectiveness of the controls and to address emerging risks.

Dive into our thinking:

Ten Key Regulatory Challenges of 2024
