Risk Standards

Supervision, enforcement, accountability, and a focus on risk mitigation drive a return to ‘heightened standards’, now applied across risk & compliance programs

Heightened standards

Reinforcing the importance of risk management, issues management, and governance, regulators have signaled expectations for heightened risk management standards, including an increased focus on “persistent weaknesses” (e.g., multiple enforcement actions executed over successive years, failure to adhere to corrective actions), “repeat offenses” (e.g., violations of terms or conditions in formal court or agency orders, “insufficient” progress toward correcting deficiencies or violations), and the belief that select firms may be “too big to manage” (e.g., where size and complexity give way to persistent weaknesses and repeat offenses).

The expectations for meeting these heightened standards will be driven through regulatory:

  • Intensity: Growing supervisory scrutiny of persistent weaknesses focusing on management’s ability to adequately identify and mitigate risks as well as timely remediate/correct supervisory concerns or identified deficiencies, including MRAs and enforcement actions. This will be reflected in:
    • Exam intensity (e.g., faster communication, issues escalation, expected remediation, new triggers).
    • Potential ratings impact and escalating enforcement activity (e.g., consent orders, MOUs, divestitures) based on severity of violations and compliance efforts (e.g., intent, history of violations, duration/frequency, loss/harm to consumers, actions taken by other regulators, self-identification, proactive disclosure) (e.g., CFTC Enforcement Advisory).
    • Multiagency focus on curbing “repeat offenders”/holding firms (and boards and management) accountable for perceived ongoing risk and compliance weaknesses.
  • Scope: Supervisory and enforcement levels have “shifted up”. Independent of firm size, firms should be able to demonstrate and sustain “heightened standards” in core safety and soundness principles across governance, risk management, internal controls, and compliance, including Treasury, liquidity, interest rate risks, risk assessments, model risk management, enterprise data management, digitalization, technology, and cybersecurity, and across all three lines of defense (e.g., OCC Heightened Standards, FRB Enhanced Prudential Standards).

Financial and nonfinancial stability

Events in early 2023 demonstrated the importance of managing stability in the financial system, including mitigating contagion risk, improving resiliency, and preventing financial disruptions through supervision and regulation. Working together through the FSOC, financial services regulators will finalize an analytic framework designed to identify, assess, and mitigate stability risks (from activities, firms, or otherwise) with the goal of reducing the risk of adverse events, or “shocks”, to the financial system, inclusive of bank and nonbank financial companies (e.g., fintechs, insurers, funds).

  • ‘Mitigating Shocks’: Regulators, acting individually and collectively through the FSOC, will focus on mitigating the risk of shocks to the financial systems by:
    • Identifying risks, both financial and nonfinancial, through broad risk monitoring (including the increasing use of digital technology/automation, new or evolving products or practices, new or novel structures (e.g., partnerships, critical services), and developments that could impact resiliency such as cybersecurity).
    • Assessing vulnerabilities that contribute to risks (e.g., concentrations; interconnectedness; “inadequate” risk management (including appropriate resourcing and “voice” to Risk and Compliance); and operational risk and channels of “transmission” that can spread and amplify the negative effects of a financial stability risk to financial markets or market participants (e.g., exposures, critical function/service)).
    • Evaluating identified areas of risk and compliance weakness and the sustainability of planned or completed tools/actions to address them.
    • Responding to potential stability risks through coordination, policy recommendations, new rulemakings, and ‘determinations’ or ‘designations’ of specific financial entities.


As heightened attention is directed toward risk management standards, regulators will continue to look to demonstrable evidence of credible challenge and dynamic risk assessment and decisioning from both within and across the board and senior management. As part of these expectations (and as part of supervisory focus and evolving regulatory reporting), regulators will expect increased and formalized documentation, mapping, ownership, and ongoing testing and monitoring of controls. Looking toward 2024, regulators are beginning to include expectations/requirements for board and management governance responsibilities into new regulations, guidance, and enforcement actions:

  • New Regulations: Provisions in new regulations and guidance that clarify the roles, responsibilities, and expectations for “ownership” of the board and management, including:
    • Oversight, documentation and reporting processes, escalation procedures, domain skills and experience/expertise (e.g., SEC Cyber Rule, SEC Climate Rule), and ongoing testing and monitoring of controls.
    • Incentive-based compensation arrangements to reward compliance commitment, as well as disincentives, such as “clawbacks”, for employees engaged in misconduct (e.g., DOJ pilot program, Interagency rule).
  • Accountability: Ongoing legislative and regulatory focus on holding board and management accountable.

What to Watch

Supervisory intensity and enforcement around heightened risk standards will center on firms’ responsiveness to, and mitigation of, risk and compliance “shocks”, as well as risk accountability and governance. Key regulatory actions to watch will include:

  • Supervision of “Persistent Weaknesses” at Banks: New OCC policies and procedures outlining supervisory or enforcement actions the agency may take against firms with “continuing, recurring, or increasing deficiencies over a prolonged period” and particularly when the firm has not made “sufficient progress” toward correcting deficiencies. Includes money penalties, remediation plans, and/or growth restrictions, or in certain cases, divestiture, and simplification.
  • Financial Services Supervisory and Regulatory Change: The Administration and regulators continue to issue suggestions for potential changes to supervision and regulation (e.g., enhanced prudential standards (EPS) for banks, deposit insurance reforms, expectations for risk management and governance, and the intensity of supervisory reviews and exams).
  • Financial Stability and Nonbank Supervision: A framework used by the FSOC and its member agencies to identify, assess, and respond to financial and nonfinancial stability risks posed by activities, firms, or otherwise, with the goal of reducing the risk of “shocks”, improving resilience, and mitigating vulnerabilities.


Call to Action…

  • Demonstrate and sustain “Heightened Standards”: Be able to both demonstrate and sustain the elements of “Heightened Standards”, regardless of size and complexity.
  • Strengthen risk assessment methodologies: Strengthen the risk assessment and control methodology to ensure proactive identification of new and emerging risks, processes to capture risks within business lines, documentation of controls effectiveness throughout end-to-end business processes, first line ownership of risk assessment and controls process, the role of independent challenge/review, and remediation measures to address identified controls deficiencies in a sustainable manner.
  • Review control testing coverage: Review supervision and control testing coverage with an eye to increasing coverage as needed. Invest in automation, analytics, and process improvements (including enhanced methodologies) to better identify potential risks.
  • Clarify the role of the board: Clarify that it is the role of the board to ensure compliance with enforcement actions within required timeframes: hold management accountable; direct management to take corrective actions; approve necessary changes to policies, processes, procedures, and controls; establish processes to monitor and validate corrective actions.
  • Position, scale, and reward risk management: Appropriately position, scale, and reward risk management and compliance; hold individuals accountable, incentivize compliance, and penalize misconduct, including through compensation clawbacks and financial sanctions.

Dive into our thinking:

Ten Key Regulatory Challenges of 2024
