KPMG's 'Ten Key Regulatory Challenges of 2025': Navigating the Shift in Governance, Risk, & Compliance

As 2025 looms on the horizon, the regulatory landscape is bracing for seismic changes. Dubbed the "Year of Regulatory Shift," the upcoming year is expected to reshape the rules governing technology, data risks, consumer protections, and corporate governance. This prediction, highlighted in KPMG US's latest Ten Key Regulatory Challenges of 2025 report, signals a turning point for organizations aiming to navigate a web of emerging risks.

For organizations, the challenge isn't just adapting to new rules but navigating the unpredictable ripple effects of a changing compliance environment.

“Companies will look to ‘roll through the shift,’” said Amy Matsuo, Regulatory Insights Leader at KPMG LLP, “but must remain vigilant to potential new, emerging, and downstream risks—even amidst an agenda to reduce regulatory burden.”

This underscores a paradox many companies will face: balancing the opportunities created by deregulation while safeguarding against unforeseen risks. The shift isn’t merely a change in pace, though; it reflects the increasing complexity of balancing federal oversight, state-led innovation, and global regulatory divergence. Whether it’s shifting agency priorities or the potential for divergent international regulations, vigilance and agility will define success in the coming year. The report identifies 10 critical areas where these dynamics will play out, each with unique challenges and operational implications:

1. Regulatory Divergence and the Balancing Act: As agency leadership recalibrates under new administration priorities, companies will face intensified pressures from diverging regulatory frameworks. Legal challenges to jurisdictional authority, combined with global discrepancies in standards, will amplify compliance risks. Companies will need to adopt agile risk management practices that harmonize conflicting stakeholder expectations, especially as some regulators push for heightened enforcement while others scale back.

2. Trusted AI and Evolving Oversight: Artificial intelligence remains a critical focus, with 2025 expected to usher in a revised AI Executive Order prioritizing innovation over regulatory intervention. Existing frameworks like the NIST AI Risk Management Framework will guide non-regulatory approaches, such as industry-specific standards and voluntary compliance programs. Meanwhile, expanding state laws and precedent-setting legal challenges are likely to pressure federal agencies to articulate a cohesive national AI strategy. Companies must anticipate heightened scrutiny of AI’s intersection with cybersecurity, privacy, and even energy policy, as regulators seek to balance technological growth with national security considerations.

3. Cybersecurity and Data Protection in a Complex Ecosystem: The interconnectedness of global systems and reliance on third-party technologies make cybersecurity a top-tier risk in 2025. Regulatory scrutiny will focus on operational resilience, incident reporting, and third-party vendor oversight. New rules and state-level laws are expected to proliferate, driven by concerns over data security breaches, ransomware attacks, and vulnerabilities in critical infrastructure. Companies will need to demonstrate robust defenses and scalable incident response protocols to withstand increasing pressure from regulators and stakeholders alike.

4. Financial Crime: Expanding Scope, Higher Stakes: The fight against financial crime will intensify as agencies expand their reach into anti-money laundering (AML), sanctions compliance, and anti-corruption measures. This expansion comes against the backdrop of rapidly evolving financial technology and increasingly sophisticated criminal networks. Businesses should prepare for heightened enforcement activity, particularly in areas where federal and state jurisdictions overlap, and anticipate stricter demands for transparency in beneficial ownership reporting.

5. Fraud and Scams in the Digital Age: With consumer fraud losses surpassing $10 billion annually, regulatory bodies are stepping up efforts to combat scams and protect consumers. A new administration focus on fraud, waste, and abuse—particularly tied to government expenditures—will drive the development of new rules around fraud model management, authentication, and investigation processes. Emerging threats such as AI-generated deepfakes and identity theft will further complicate the regulatory landscape. Companies must strengthen their fraud detection systems and ensure compliance with a growing patchwork of state-level data privacy laws.

6. Financial and Operational Resilience Under Pressure: As financial systems grow more interconnected, the risk of systemic disruptions increases. Regulators will continue emphasizing the need for robust financial and operational risk management frameworks that can withstand external shocks and adapt to long-term changes. Businesses may see some reprieve from stringent capital and liquidity requirements, but the overall expectation for resilience remains high. This includes managing third-party dependencies and ensuring business continuity plans are not only theoretical but actionable during crises.

7. The Third-Party Risk Nexus: The growing reliance on third-party service providers has elevated the risk landscape for many companies. Regulators are expected to focus on the entire lifecycle of third-party relationships, from initial due diligence to ongoing oversight. Particularly critical providers—those integral to operations or possessing significant data access—will face heightened scrutiny. In parallel, regulators may target technology vendors directly, signaling a broader push for accountability across the supply chain.

8. Governance and Compliance Controls: Heightened Expectations: Corporate governance standards will remain under the microscope as companies address prior regulatory findings and enhance their risk management capabilities. While the volume of enforcement actions may decrease, regulators will expect proactive measures to address vulnerabilities in cybersecurity, AI oversight, and financial crime. Boards of directors and compliance leaders must ensure governance structures can withstand regulator scrutiny and align with emerging best practices.

9. Consumer Protection in an Era of Diverging Priorities: Shifts in agency leadership and successful legal challenges have delayed certain federal consumer protection initiatives. However, state regulators are poised to fill the gap, creating a patchwork of rules aimed at transparency, fairness, and equity. Companies must adapt their compliance programs to navigate these diverging priorities, with a focus on aligning product development, marketing, and claims processes to evolving standards.

10. Markets and Competition in a Post-Loper Bright World: The Supreme Court’s Loper Bright decision has reshaped the boundaries of regulatory authority, potentially dampening antitrust enforcement at the federal level. However, states are likely to step in, emphasizing risks tied to rapid innovation and market concentration. Companies operating in highly innovative sectors should anticipate increased scrutiny of competitive practices, transparency, and consumer protections.

At the heart of these challenges lies KPMG's Regulatory Insights Barometer, a tool designed to quantify regulatory intensity across key dimensions—volume, complexity, and impact. By measuring the projected shifts under the new administration, the Barometer offers companies a roadmap to anticipate and adapt to the year's regulatory upheaval.

For organizations, it is clear that 2025 will demand proactive engagement, strategic foresight, and robust governance. While the temptation to “roll through the shift” may be strong, Matsuo’s warning resonates as a call for vigilance. Companies that prepare for these multifaceted challenges will be better positioned to thrive amid uncertainty, setting the stage for resilience in an increasingly complex regulatory world.
