Parties & Providers

  1. Risk Coverage
  2. Risk-Based Approach
  3. Monitoring & Metrics
  4. Actions

Given the increasing reliance on, and complexity of, third-party/provider relationships, as well as growing interdependencies and interconnectedness between and among companies and industries, regulators will continue to assess risks for supervised companies across such areas as compliance, fraud/waste, data management, cybersecurity, financial crimes, and fairness. Supervision and enforcement in 2025 are likely to focus on risk management oversight practices (throughout the relationship lifecycle, and particularly for “critical” providers/relationships) and may also focus directly on service and technology providers as well as government provisions and reporting.

1. Risk Coverage

The scope of third parties, providers and related business arrangements is broad, encompassing direct, indirect, and “nth” party relationships. Such complexity elevates risks to companies and their customers and may draw heightened attention from regulators (and sometimes the public).

Regulatory Pressure

Driven by increasing dependencies and interconnections between companies, as well as the complex ecosystems underlying the delivery mechanisms to customers, regulators will continue to assess third-party risk management expectations/pressures with a focus on:

  • Risk-based management (i.e., based on the size, complexity, and risk profile of the company and the nature of the relationship with the third party), with more rigorous oversight of third parties supporting “higher risk” or “critical activities.”
  • Contingency plans for replacing third parties as needed.
  • Risks associated with the non-delivery of goods and services by third parties (e.g., reputation, compliance, and strategic risk related to a third party’s failure to perform as agreed).
  • Data practices, including use and security of customer information (e.g., data collection, ownership, access, use, maintenance, protection and security, and deletion).
  • New or novel arrangements and features (e.g., bank-nonbank/fintech arrangements with long chains of providers).
  • Comprehensiveness and clarity of contracts, tailored to the nature and scope of the arrangement and including delineation of responsibilities, performance measures, data obligations (e.g., access, ownership), adaptive clauses for changing regulatory requirements and/or market conditions, and terms related to default and termination.

Supervisory & Stakeholder Focus

Stakeholders and regulators are particularly focused on:

  • Arrangements supporting “critical activities.”
  • Elements supporting operational resiliency (e.g., tolerance for provider / supply chain disruptions; incident response/business continuity plans; scenario testing/validation of interconnections/interdependencies).
  • Financial and compliance risks.
  • Reputational risks (e.g., ethical, sustainable supply chain).

Key features of “critical activities” might include activities that: i) pose significant risk to the company if it fails to meet expected agreements, ii) have significant customer impacts, or iii) have significant impact on the company’s financial condition or operations.

2. Risk-Based Approach

Under a risk-based approach, companies will be expected to establish strategic plans for managing third-party and provider risks, focusing on due diligence, oversight, and governance throughout the relationship lifecycle.

Regulators will assess:

Strategic Plan

A strategic plan to direct the third-party risk management (TPRM) program for all party and provider relationships, including the allocation of resources, establishment of infrastructure, implementation of technology controls, and enhancement of organizational capabilities. Third-party relationships/arrangements are reevaluated through ongoing monitoring to discern whether they continue to align with the company’s strategic plan and goals.

Relationship Lifecycle

Consistent management of risk across the company and throughout the relationship lifecycle, irrespective of the type of relationship or activities involved. Key features include:

  • An assessment of risk for each third-party relationship (during planning, due diligence, selection, contract negotiation, and monitoring), tailored to the specific size, complexity, and risk profile of the company and the nature of the relationship with the third party.
  • Ranking of each third-party and provider arrangement based on the risk posed to the company, with parties and providers involved in “higher risk” and “critical activities” (as defined by the company) subject to more rigorous oversight.
  • Alignment with procurement and vendor management activities for risk management consistency.

Governance

Clear oversight and accountability mechanisms, regardless of how TPRM and governance processes are structured (e.g., dispersed across business lines or centralized under specific function(s)). Regulators will look for key governance practices (commensurate with size, risk, and complexity), including:

  • Delineation of roles, responsibilities, performance metrics, and standards for the Board and management.
  • Board approval of the TPRM program, risk appetite, disruption tolerances, and, in some cases, the selection of third parties supporting “higher risk” and “critical activities.”
  • Board participation in the strategic plan.
  • Periodic independent audits of the TPRM program.
  • Documentation/reporting channels both within the company and to/from third parties.

3. Monitoring & Metrics

Due diligence, risk assessments, continuous monitoring, and informative performance indicators and metrics are essential to managing third-party relationships, and in facilitating strategic alignment throughout the relationship lifecycle.

Due Diligence

Relationships with parties and providers should align with the strategic goals, business objectives, and risk appetite of a company. Companies will be expected to assess and document their capability to identify, monitor, and control the risks posed by a party/provider, commensurate with the level of risk and complexity of the relationship, taking into account the party’s/provider’s:

  • Business strategies, goals, relevant experience, and legal/regulatory compliance.
  • Ownership structure and financial condition.
  • Human resources (e.g., staffing, experience, culture).
  • Governance and risk management, including cyber/information security.
  • Reliance on other parties (e.g., subcontractors).

Monitoring

On an ongoing basis, companies will be expected to evaluate a third party’s/provider’s practices and adherence to company policies, standards, and thresholds; a key area of focus will be the controls related to sensitive systems or data. Regulators will likely expect companies to be able to demonstrate:

  • Confirmation of the quality and sustainability of a third party’s practices and controls, escalation of significant issues or concerns, and appropriate response when such issues are identified.
  • Evaluation of the effectiveness of the third-party relationship, including whether it continues to align with the company’s strategic goals, business objectives, and risk appetite.
  • Periodic (or more frequent, where appropriate) monitoring for third-party relationships that support “higher risk” activities, including “critical activities.”

Performance Measurement

Regulators are emphasizing the need to assess the effectiveness of both individual third-party relationships and the entire TPRM program through metrics such as dynamic risk thresholds, key performance indicators, and scorecards that align with and measure compliance against service-level agreements, contractual provisions, regulatory expectations, and legal requirements. These measures should be consistent with company policies and procedures and serve as a framework for evaluating and maintaining the integrity of third-party relationships.

4. Actions

  • Centralize Oversight and Governance: Firms should take a multidisciplinary approach to the risk management of parties/providers (TPRM) by adopting a “hub and spoke” model that facilitates comprehensive identification and mitigation of risks and enables independent oversight of the TPRM function. The TPRM function would act as the hub, with a central leadership team responsible for setting policies, standards, reporting, and the risk appetite of its operation, supported by subject matter experts from relevant risk domains (e.g., privacy, cyber, business continuity, disaster recovery) who provide insight and execution while coordinating across the business-line “spokes.” Alignment and integration with procurement and vendor management practices, to drive consistency in execution, is key.
  • Employ a Risk-Based Approach: Adopting a risk-based approach is paramount to drive efficiency across the relationship lifecycle. This approach involves focusing efforts on the third parties/providers that pose the highest risk to the company, based on factors such as data access, service criticality, operational resiliency, and regulatory impact.
  • Enrich Data Associated with the Service: To adopt a risk-based approach, it is important to gather the right data about the service up front, in terms of how the service will be delivered and controlled (e.g., What process steps will the service support? What products depend on the party/provider for delivery? What controls at the third party will manage risk and compliance requirements? Are subcontractors involved in delivery? Will artificial intelligence be used in delivery of the service?).
  • Develop Strong Ongoing Monitoring: To ensure that party/provider risk is accurately measured and mitigated, firms need to perform ongoing monitoring of party/provider risk profiles and contract performance. Risk assessments should incorporate a comprehensive inventory of risks based on direct experience, market developments, and/or strategic business changes, and should be conducted during the contracting phase and refreshed on a regular basis. (For example: develop cloud governance programs aligned with cybersecurity strategies; tailor security measures to address the unique risks of multi-cloud environments; and enhance monitoring of cloud-based incidents.)
  • Ensure TPRM Meets or Exceeds Global and Jurisdictional Regulatory Expectations: The location of a party/provider (and of its supply chain providers) does not relieve the company of its responsibility for compliance with all applicable laws and regulations, including ensuring that the party/provider also meets those obligations.

Dive into our thinking:

Ten Key Regulatory Challenges of 2025

Rolling through the Shift
