KPMG Report Warns of Increased Regulatory Scrutiny and Focus on Cybersecurity and Data Management

According to a recently released report by KPMG, financial institutions should brace themselves for heightened scrutiny and increased regulatory demands in the second half of 2023.

The report attributes this anticipated regulatory intensity to the failures of several mid-sized banks earlier this year. It advises financial institutions to be prepared for intensified reviews of their risk management, controls, data quality and processes, as well as enhanced management and board accountability.

Amy Matsuo, Principal and National Leader of Compliance Transformation and Regulatory Insights at KPMG, emphasizes that firms should expect regulators to intensify their supervisory activities, encompassing the scope, examination findings, and resolution times for financial services entities of all sizes and complexities. She highlights the need for organizations to respond effectively to this heightened regulatory intensity, demonstrating their commitment, milestones, and outcomes in preventing, mitigating, and resolving identified weaknesses.

The KPMG report outlines specific areas of regulatory focus, including financial risks and broader risk management practices such as leverage ratios, liquidity risk and maturity, operational risks, interconnections, concentrations, and certain activities. These areas will likely be subject to increased scrutiny by regulators.

Furthermore, the report identifies cybersecurity as a critical concern for regulators, with a growing emphasis on public companies' ability to protect data. The Securities and Exchange Commission and the New York State Department of Financial Services have proposed enhanced cybersecurity rules, which are expected to be finalized later this year. Matt Miller, KPMG Principal for Cybersecurity Services, stresses the importance for firms to continuously improve their cybersecurity measures to keep pace with evolving tactics used by perpetrators and fraudsters. Firms will be required to demonstrate to regulators their robust risk management practices, including measures for mitigation, surveillance, containment, and governance of cybersecurity.

Data management is also highlighted in the report, with new data-driven rules and expectations leading to increased scrutiny of data quality, testing, models, analysis, and technology. Regulators will seek a deeper understanding of how data is analyzed, the technologies and models employed, as well as details on operations, training, and compliance related to data usage. Additionally, regulators will examine how firms manage data breach risks posed by third-party providers.

Anand Desai, Risk and Financial Services Line of Business Leader at KPMG, underscores the convergence of data risk, technology, and cyber risks with third-party risk. He explains that institutions are now compelled to implement data-driven capabilities across their entire operations to comprehend interdependencies, upstream and downstream implications of data, and effectively articulate residual risks.

The KPMG report emphasizes that boards bear the ultimate responsibility for sound management practices and will be held accountable by regulators. Boards are expected to demonstrate their proactive approach in addressing issues raised during examinations or investigations, outlining their commitment to resolving identified weaknesses, and, when necessary, self-disclosing any wrongdoing.

By fLEXI tEAM