Risk 'complacency': Regulatory challenges

Deliberately guard against overconfidence by raising risk and compliance investment and voice.

Amy S. Matsuo

Regulatory and ESG Insights Leader, KPMG US

+1 919-664-7100

Julie Gerlach

Partner, Internal Audit & Enterprise Risk, KPMG US

+1 704-371-8120

Regulators view “risk complacency” by financial service companies as a potential threat to both stakeholder trust and safety and soundness. Companies must deliberately ensure that they are guarding against overconfidence—particularly during times of business, M&A, and innovative growth—by raising risk and compliance investment and voice.

Over-confidence leading to complacency is a risk—when prudent risk management is set aside in pursuit of profit.
Michael Hsu, Acting Comptroller of the Currency, August 2021

Explore here insights from the KPMG report Ten key regulatory challenges of 2022.



Mitigating risk: Risk "complacency"

Give risk management appropriate stature, recognition, and sizing.

Prudent risk and compliance management (commensurate with size, complexity, and risk profile) must accompany business change and growth, as well as anticipate and address expanded regulatory risk expectations.

In the areas of human capital, risk culture, and commitment, heightened regulatory attention will include:

  • Demonstrable and credible challenge, including the adequacy of risk assessments and the monitoring and adjustment, as needed, of internal controls. 
  • Appropriate stature of Risk, Compliance, Information Security, and Audit that is comparable to other strategic functions, including the quality of autonomy, empowerment, and visibility. 
  • Sufficient and skilled staffing and funding resources.
  • Dynamic, metric-driven risk capacity models to determine technology, operational, and risk resources needed to keep pace with the growth or changes in the business.


Invest in data-driven risk automation, analytics and process efficiency. 

Financial service companies must continuously determine how best to utilize data and technology to meet consumer and client demands – both from a business and a risk perspective.  Regulators expect companies to take a data-driven approach to risk and compliance monitoring and assessment. Likewise, regulators increasingly utilize data-driven supervision and enforcement. 

Areas of regulatory attention will include:  

  • Sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.
  • Robust data quality and auditability standards and practices.
  • Use of data to perform more dynamic and robust risk assessment, diligence, and surveillance (and to update risk and compliance programs accordingly).
  • Ongoing data analytics to challenge business processes and controls and to flag potential issues (systemic and isolated) in a timely manner and drive them to resolution.
  • Consistency and auditability driven by workflow and automation tools in such areas as risk, examination management, and compliance management processes.


Anticipate and incorporate emerging risks, but don’t lag in remediating known (or should have known) issues.

Financial service companies must incorporate emerging risks and regulatory expectations, but also continue to demonstrate timely identification and remediation of issues. 

Regulatory attention will expand in areas such as:

  • Establishing effective front-line units, independent risk management, and internal audit and control functions. 
  • Continuously accessing operational data and information across functions to update and revise risk assessments based on changing compliance risk. 
  • Ensuring that deficiencies (including data quality, timely and accurate reporting, and reporting to the Board) are quickly identified and appropriately remediated.
  • Robustly analyzing complaints, disputes, and claims information for systemic issues, and demonstrating that actions have been taken (e.g., modifying products or services, enhancing process controls, and improving product or disclosure clarity).
  • Analyzing employee/insider threat data and behavioral patterns and key insights from investigations and interviews to identify, acknowledge and resolve cultural/conduct risk or control issues.


Champion risk-embedded business, operational and technology change.

Regulators will expect that risk and control functions are part of continued business, operational and technology change.  The sense that “it cannot happen here”, “the third party owns that risk”, or “that’s the way we have always done it” is unlikely to be a strong or sufficient risk stance and will be increasingly pressured by regulatory supervision and enforcement. 

Key areas of focus for robust risk governance and controls will include:

  • Continued large scale technology change-related initiatives, such as focus on data management, digital assets, digital adoption, cloud adoption and migration, and core platform modernization.
  • Support for, or investment to facilitate, access to operational data and information across functions and/or from disparate sources.
  • Industry or corporate practices that have not undergone recent changes but may result in disproportionate impacts across consumer/client groups (e.g., complaints handling, use of appraisal or other valuation models, application of product fees).
  • Appropriateness of risk and control testing of AI and other technology (e.g., for potential bias, inappropriate access, or security vulnerabilities).
  • Consistency of public issuances and of regulatory responses (e.g., in such areas as ESG commitments and reporting, and responses to regulatory inquiries and examinations).


Ten Key Regulatory Challenges of 2022

The year 2022 brings high levels of risk and regulatory supervision and enforcement. Regulatory “perimeters” continue to expand, and regulatory expectations are rapidly increasing. All financial services companies should expect high levels of supervision and enforcement activity across ten key challenge areas. Read the full report to learn more.
