Financial Crime
- Heightened Risk
- Data Lineage & Quality
- Thresholds & Monitoring
- Actions
Focus on financial crime regulation (inclusive of sanctions, anti-corruption, know-your-customer, anti-money laundering, beneficial ownership, etc.) is unlikely to abate in 2025. Anticipate expansion of regulatory coverage as well as challenges to legal jurisdictional authorities at the federal and state level to continue. Expect ongoing heightened supervision/enforcement against financial crime risks, including illicit and terrorist finance and sanctions compliance amidst rapidly evolving technology innovations and increasingly sophisticated financial crime patterns.
1. Heightened Risk
Regulators will continue to focus heightened supervisory and enforcement attention on financial crimes in 2025 due to the risks associated with rapidly evolving technologies, growing sophistication of threat actors, increasing numbers and complexity of threat attempts, and layers of interconnections and interdependencies within the financial system.
Regulators will be reviewing:
Inherent Risks
Including efforts to identify, manage, and mitigate risks derived from geopolitical divergences affecting the business and potential misuse/abuse of new or evolving technologies by malicious individuals or groups.
Priority Areas
Including efforts to factor FinCEN’s national priorities into the AML/CFT risk management and governance frameworks, inclusive of KYB/KYC and CDD. Among these priorities are: i) corruption, ii) cybercrime (e.g., cybersecurity, virtual currency, malware/ransomware), iii) terrorist financing (foreign and domestic), iv) fraud (e.g., identity theft), v) transnational criminal organization activity, vi) drug trafficking, vii) human trafficking, and viii) proliferation financing.
Companies are expected to attract and retain skilled talent, enhance their AML Programs in response to the AML priorities, develop additional tooling and automation, strengthen third-party risk management, and make strategic investments to effectively manage these expanding areas of risk.
Potential/Anticipated Regulatory Changes
The regulatory landscape is poised for change with potential new and anticipated requirements and/or expectations to include:
- Modernization and enhancement of the AML/CFT program requirements across financial institutions (FinCEN proposal), to promote clarity and consistency across financial institutions and explicitly require implementation of a risk-based AML/CFT program with certain minimum components including a mandatory risk assessment process.
- Updates to the National AML/CFT Priorities (expected in 2025) and requirements (as proposed) that the priorities be included as a component in the risk-based AML/CFT program.
- Beneficial ownership reporting and related changes to CDD requirements.
- Multi-agency focus on sanctions activity and efforts to protect national security across industries, products, and services.
- Expanded regulatory coverage to “close the gap”, including FinCEN’s recent release of Final Rules that will require:
i) most investment advisers to implement an AML Program under the Bank Secrecy Act, akin to the existing requirements for banks, broker-dealers and others; and
ii) real estate professionals to report information on non-financed residential real estate transactions.
2. Data Lineage & Quality
Regulators continue to look broadly at the strength of companies’ data risk management and governance in key risk areas such as financial crimes. Throughout 2024 they have applied heightened expectations to both data and AML/CFT management, including policies, procedures, and accountability; data outputs (e.g., reporting, models, metrics); staffing/talent management (e.g., core skills/backgrounds); and third-party risks. Attention is also focused on companies’ understanding and identification of risks around how data is collected, used, stored and shared, as well as how it is protected from misuse.
Anticipate regulatory interest in these areas in 2025:
Data Lineage
Level of process automation and coverage of the entire data flow (e.g., to consolidate data from different business units / subsidiaries) as well as the accuracy and granularity of the data.
Data Traceability
Demonstrable ability to trace and report on the relationship between data outputs and business processes, systems of record, and systems of origin at the customer and transaction level.
Data Quality
Understanding of available internal and external data sources as well as processes to manage and report on data quality issues.
Third-Party Data
Understanding data sourced from, or shared with, third parties, as well as data risk management and governance requirements embedded into third-party service agreements.
Data Risk Governance
Sustainable and robust processes and controls to identify, measure, monitor, manage, and report on risks around:
- Access.
- Authorization.
- Integrity/Quality.
- Collection, use, storage.
- Privacy and security.
- Retention and deletion.
3. Thresholds & Monitoring
Financial crime risks, exposures, and complexities are increasing alongside technological developments, geopolitical events, and evolving interconnections and interdependencies in financial networks, increasing the importance of continuous improvement in identifying, monitoring, and mitigating potential risks and suspicious activity.
Key areas where regulators will focus in 2025 include:
Risk Tolerance
Established periodic and documented risk assessment processes as well as board approval for risk tolerance levels consistent with the company’s risk appetite.
Emerging Threats
The adequacy and continual improvement of threat detection, monitoring, and response capabilities, including the reliability of processes (e.g., due diligence, access, safeguards) and coverage of novel and emerging threats and vulnerabilities (e.g., digital assets, sanctions evasion, malware/ransomware, human rights/forced labor, organized crime). and the adequacy of investment in staffing, training, and resources.
Transaction Monitoring/ Surveillance
The quality of transaction monitoring and surveillance systems, processes, and controls, with expectations for:
- Increased accuracy and consistency, as well as better and more efficient outcomes via automation and potential innovative technologies such as AI.
- Adequacy of investment in staffing, training, and resources.
- Regulatory attention in evolving areas such as BSA/ AML/CFT, trading activity, and KYC/CDD and beneficial ownership.
- Preparation for implementing risk-based compliance programs in priority areas.
4. Actions
- Strengthen client onboarding: Implement analytics and automation in client onboarding processes and strengthen processes to gather, store, report, and monitor KYC information, including beneficial ownership, as appropriate.
- Develop a mature insider risk program: Promote a culture of compliance through ongoing communication, consistent enforcement of consequences for violations, and clear behavioral expectations. Implement tailored training and awareness programs for all personnel. Leverage technical tools and advanced analytics to monitor behavior and human input to identify anomalous insider behavior.
- Strengthen security: Establish robust authentication and access protocols for real-time and faster payments to minimize account takeover and social engineering risks. Enhance controls around regulatory focus areas, such as malware, phishing, and identify theft in addition to areas of national AML/CFT priority such as corruption, cybercrime, terrorist financing, trafficking (drug, human), transnational criminal organizations, and proliferation financing.
Dive into our thinking:
Get the latest from KPMG Regulatory Insights
KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.
Explore more
Insight
Regulatory Alerts
Quick hitting summaries of specific regulatory developments and their impact.
Meet our team
