Regulatory Divergence
- Regulatory Shift
- Legal Impacts
- Regulations
- Actions
Regulatory divergence and legal challenge will continue, drive high operational, risk and compliance challenges/ impacts and potential compliance and reputational risks. Companies will need to remain vigilant and adaptable, balancing the diverse regulations and stakeholder interests to mitigate potential risks and align with emerging and evolving regulatory expectations. Regulatory focus and actions will be impacted by agency leadership mission changes amid the Administration's "day one" priorities. Expect varying associated intensity/lessening of intensity to supervision and enforcement and growing global regulatory.
1. Regulatory Shift
Although the regulatory landscape is expected to evolve in 2025, reflecting changes related to increasing digitalization, technology innovation, and pressure from legislative/ regulatory activity at the federal/state/global levels and associated legal challenge, regulators will continue their focus on resiliency and risk management across industries.
Key areas will include:
Resiliency
Regulators are emphasizing the importance of resiliency in both financial risk (e.g., capital, liquidity, credit) and non-financial risk (e.g., cybersecurity, third party, operational) and companies’ abilities to anticipate and manage change, growth, and disruption to processes, systems, platforms, and markets, through effective and sound risk management controls
Technology Risk
With the increasing adoption of innovative technologies such as AI/GenAI and predictive analytics, there are increasing expectations for risk and compliance in areas of technology risk including:
- Cybersecurity /information protection (e.g., incident reporting, skilled resources, business continuity planning).
- AI/GenAI (e.g., governance, testing and validation, transparency).
- Third/"nth" party providers and arrangements for “higher risk” and “critical activities” (e.g., cloud services, payments processing)
- Data and models (e.g., inputs, outcomes, bias, privacy).
Financial Crime
To keep pace with increasingly sophisticated financial crime threats (including risks to critical systems, services and infrastructure), expect attention in regulatory areas such as cybercrime, ransomware, sanctions, know-your-customer, AML/CFT, and beneficial ownership.
Fraud
Risks related to fraud, scams, and misrepresentations are increasing alongside advancements in technology, with increasing and significant cost to consumers and companies. Closely tied to cybersecurity and data privacy risks, regulators will focus on areas of expanding threat and vulnerability in 2025, including:
- Consumer/investor protections against fraud, identity theft, and imposter and other scams (e.g., payments, deepfakes).
- Complaints management (e.g., fair treatment, resolution/remediation).
- Analysis of loss exposures associated with existing and new products and services and associated model risk management.
- Data quality, lineage, sharing, and access (within and across the company and its parties/providers).
Rulemaking
Regulators will continue to utilize and apply existing rules, regulations, and guidance (e.g., heightened standards/ERM, financial stability, AML/BSA, UDAAP/UDAP, fair marketing, conflicts of interest, recordkeeping) to the supervision and enforcement of new and emerging areas (e.g., “automated systems,” predictive analytics, crypto and digital assets, digital devices), as appropriate.
2. Legal Impacts
Legal challenges and impacts from prior legal cases will continue to stymie rulemaking resulting in:
Increased Guidance vs. New Regulations
A noticeable rise in legal challenges to federal and state level regulations will prompt a shift towards more guidance and frameworks rather than the introduction of new regulations.
Extended Rulemaking Processes
Agencies will take measures to fortify their case for regulatory requirements and jurisdictional authority by:
- Seeking consumer voice and industry comments via RFIs, extended comment periods, etc.
- Providing indicators of potential regulations prior to releasing rulemakings through analytic/assessment analysis, reports, blogs, and speeches.
- Continuing to assert jurisdictional authority in enforcement and rulemaking procedures.
Agency Legal Actions
The uptick in legal actions both against and by agencies, particularly in areas such as anti-trust and labor practices, will continue to highlight the contentious and complex nature of regulatory enforcement.
3. Diverging Regulations Across Other Jurisdictions
State & Global Regulatory Activity
As federal rulemaking is slowed due to bipartisan divergence, state regulatory activity is expected to continue to increase, especially in areas such as AI, cybercrime, privacy, and “fair access” consumer/ investor protections. In addition, differences in global regulations and supervisory frameworks create varying requirements by geography or jurisdiction.
Operational and Compliance Risk
Divergences across states and between state, federal, and international regulations will increase regulatory complexities. These differences could potentially heighten reputational, compliance, and operational risks (and costs).
4. Actions
- Assess governance structure for Risk and Compliance. Expanded roles in terms of both direct and indirect areas of Compliance coverage (e.g., AI, data and privacy, human rights, responsible business practices) and buy-in from the Board to drive initiatives.
- Build/update process and control inventories dynamically linked to changes (e.g., regulatory, product, channels, etc.). Use of evolving advanced predictive analytics to help with scenario analysis and resiliency process and control enhancements.
- Enhance automation to enable increased risk coverage and ongoing monitoring to supplement business unit activities. Deploy/enhance real-time reporting that is integrated across the business and risk and compliance. Expand compliance data analytics, threshold metrics/”near-misses”, etc. in order to drive dynamic assessments of compliance effectiveness.
- Conduct dynamic and ongoing skills, resourcing levels, asset allocation and technology investment assessments to identify the most important departmental needs to appropriately mitigate emerging risks. Expand analytical and technological skill sets to risk and compliance teams. Use alternative workforce models and investments in assets and technology (in relation to business functions) to effectively expand coverage and utilize valued skills to highest/best use.
- Establish appropriate responsible and trusted technology and data processes, practices and controls ‘by design’ and through regular testing and assurance. Ensure the adoption and deployment of technology to further automate routines and expand the prevention/mitigation of risks. Incorporate the appropriate access to data and use of AI and other technology/ automation and analytics to both drive efficiencies in operations and better anticipate, measure and mitigate risk and compliance.
Dive into our thinking:
Get the latest from KPMG Regulatory Insights
KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.
Explore more
Insight
Points of View
Insights and analyses of emerging regulatory issues and their impact.
Insight
Regulatory Alerts
Quick hitting summaries of specific regulatory developments and their impact.
Insight
Regulatory Insights View
Series covering regulatory trends and emerging topics
Meet our team
