2025 is expected to be the Year of Regulatory Shift—across areas of technology and data risks, consumer/investor protections, and risk management and governance, according to the new KPMG US Ten Key Regulatory Challenges of 2025 report. The report outlines how Regulatory Shift will be altered and how companies will need to ‘roll-forward’ their actions to mitigate and respond to these emerging risks.
“2025 will be the Year of Regulatory Shift fueled by a new Administration, agency leadership changes, and expanded regulatory divergence,” said Amy Matsuo, Regulatory Insights Leader, KPMG LLP. “Companies will look to ‘roll through the shift’ but must remain vigilant to potential new, emerging, and downstream risks—even amidst an agenda to reduce regulatory burden.”
Using the KPMG Regulatory Insights Barometer, which assesses areas of upcoming regulatory pressure and direction of change, the report identifies 10 key regulatory challenges organizations will face in 2025:
- Regulatory Divergence: Regulatory divergence and legal challenge will continue to drive high operational, risk and compliance challenges/impacts and potential compliance and reputational risks. Companies will need to remain vigilant and adaptable, balancing the diverse regulations and stakeholder interests to mitigate potential risks and align with emerging and evolving regulatory expectations. Regulatory focus and actions will be impacted by agency leadership mission changes amid the Administration's "day one" priorities. We expect varying associated intensity/lessening of intensity to supervision and enforcement and growing global regulatory divergence.
- Trusted AI & Systems: In 2025, we anticipate repeal of the current AI Executive Order and the establishment of a new AI Executive Order focused on prioritizing AI innovation and growth across all agencies. We expect continued application of existing regulations and frameworks to AI and systems alongside a push toward “non-regulatory approaches” such as industry/sector-specific policy guidance and the use of voluntary frameworks and standards (such as the NIST AI Risk Management Framework), and test/pilot programs. The Administration and regulators will continue to focus on the interplay between trusted systems and potential cybersecurity, privacy and national security risks as well as increase their focus on the nexus between AI policy and energy policy and lessen the focus on potential “AI harms”. We expect ongoing expansion of state bills/laws and legal challenges to serve as precedent for new policies and/or rulemakings; the significant volume of AI-related state activity will likely pressure Congress and the Administration to establish a federal AI policy framework.
- Cybersecurity & Information Protection: As cybersecurity risks remain a key concern across industries, and particularly relative to critical infrastructure and security, regulatory scrutiny of data security, data risk management, operational resilience, and incident response/reporting will continue in 2025. We anticipate that federal regulatory activity will remain elevated, driven by the complexities and interconnectedness of transactions, including the use of third-party AI/technology products and services and data protection/privacy concerns. Similarly, we anticipate a continuation of state adoption of cybersecurity laws and regulations.
- Financial Crime: Focus on financial crime regulation (inclusive of sanctions, anti-corruption, know-your-customer, anti-money laundering, beneficial ownership, etc.) is unlikely to abate in 2025. We anticipate expansion of regulatory coverage as well as challenges to legal jurisdictional authorities at the federal and state level to continue. We expect ongoing heightened supervision/enforcement against financial crime risks, including illicit and terrorist finance and sanctions compliance amidst rapidly evolving technology innovations and increasingly sophisticated financial crime patterns.
- Fraud & Scams: Nationwide consumer-reported fraud losses well exceed $10B annually, with regulatory alerts directly to consumers and companies being issued nearly every week. This, coupled with a new Administration focus on fraud, waste and abuse (particularly in/related to government spend), will help drive the focus in regulatory supervision of fraud model management, customer and party authentication, and investigation processes. We anticipate expanding attention in monitoring and reporting practices as well as regulatory policy and alerts in areas of both fraud management and consumer data, particularly in areas such as online privacy, cybersecurity, identity theft, and AI-generated deepfakes. Likewise, state requirements will continue to increase in such areas of AI, privacy and access, causing potentially divergent requirements.
- Fairness & Protection: Agency leadership mission changes as well as the successful legal challenges to jurisdictional authorities have delayed and/or limited the effect of certain consumer/investor protection regulations. Existing regulations will still necessitate effective risk and compliance involvement and controls inclusive of product development, marketing, sales, servicing, complaints/claims management, and pricing/fees. The new Administration may decrease “net new” federal regulatory activity in this area. Companies should anticipate an increase in state activity relative to individual consumer protections to fill perceived “gaps” as well as regulatory actions that seek to raise awareness and education.
- Financial & Operational Resiliency: The probability and potential impact of disruptions have increased, driven by evolving technologies and a growing interconnectedness between financial and nonfinancial companies. Cross-agency regulatory focus on demonstrable financial and operational risk management capabilities will likely continue in 2025, inclusive of the ability to prepare for and withstand or recover from "shocks" as well as adapt to longer-term change. Efforts to impose more stringent capital and liquidity requirements, however, may abate. Companies are, and will continue to be, required to take a risk-based approach to managing critical operations, third parties and disruptions/incident response while also establishing separate credible plans to maintain business continuity and to consider potential resolution in the event of severe distress.
- Parties & Providers: Given increasing reliance on and complexities in third-party/provider relationships as well as growing interdependencies and interconnectedness between and among companies and industries, regulators will continue to assess risks for supervised companies across such areas as compliance, fraud/waste, data management, cybersecurity, financial crimes, and fairness. Supervision and enforcement in 2025 is likely to focus on risk management oversight practices (throughout the relationship lifecycle and particularly to “critical” providers/relationships) and may also focus directly on service and technology providers as well as government provisions and reporting.
- Governance & Controls: Companies will need to continue to act on prior regulatory findings in the area of heightened risk management and governance amidst changing levels of regulatory intensity. Companies will continue to be held to high expectations to enhance risk controls in areas such as cybersecurity, information protection, AI, and financial crime. However, investigations and enforcement actions related to corporate compliance, voluntary self-disclosures of misconduct, risk management programs, and individual accountability, though important, are anticipated to likely decrease in 2025.
- Markets & Competition: A rise in legal challenges disputing regulators’ jurisdictional authorities, coupled with the Loper Bright decision, has limited these efforts; this, in combination with the priorities of the new Administration, may alter the focus on, and pursuit of, antitrust/anti-competitive supervision and enforcement in some industries in 2025. State activity/scrutiny, however, will likely continue; expect states to focus on managing risks associated with rapid innovation, consumer protection, transparency, and fairness.
Regulatory Barometer Methodology
The KPMG Regulatory Insights Barometer assesses areas of upcoming regulatory pressure and direction of change. The Barometer:
- Is based on a 10-point scale of regulatory intensity that ranges from “minimally increasing” (1.0) to “significantly increasing” (10.0).
- Assesses three attributes for each challenge area:
  - Volume (V) – based on a combination of anticipated rulemakings (proposed/final/guidance), coverage in communications (reports/speeches/hearings), and oversight activities (supervision, enforcement)
  - Complexity (C) – based on factors such as the intricacies of future requirements versus existing ones, consistency of expectations across jurisdictions, and interactions with other regulations or standards
  - Impact (I) – based on factors such as the urgency of action required, potential implementation costs, resourcing challenges, and business risk
- Overall – Combines the individual factors for each attribute (V, C, I) to arrive at a single weighted average indicator of regulatory intensity for each challenge area.
- Shift – Difference of overall Barometer score from projected “current state” 2025 to new Administration impacts.