KPMG flags fragmented 2026 regulation, warns of tougher compliance work
KPMG says 2026 rules are splintering across jurisdictions, forcing client teams to add controls, retrain on AI, and track more compliance work.

KPMG’s midyear regulatory update treats the rest of 2026 less like a single-policy story and more like a workload problem. The firm’s message is that divergence across federal, state, and global jurisdictions is making compliance harder to standardize, which means more judgment, more evidence, and more coordination for the people who turn rules into client-ready advice.
Fragmentation is now the main regulatory risk
KPMG’s “Ten Key Regulatory Challenges of 2026: Midyear” does not read like a checklist of disconnected policy topics. It frames the year as one of “sharper focus and wider fragmentation,” with federal regulators narrowing in on core priorities and material risk even as state and global regimes move in different directions. The firm’s earlier full-year outlook, published on December 4, 2025, called 2026 a “regulatory stack,” a useful shorthand for the overlapping demands now hitting firms at once.
That stack includes ten pressure points: executing mandates, adopting disruptive tech and AI, maintaining cyber and data security, mitigating financial crimes, averting fraud and scams, protecting fairness, ensuring resiliency, driving capital formation and growth, expanding digital assets, and enhancing parties and workforce issues. KPMG’s point is not that every issue will hit every client equally. It is that all of them are now feeding the same underlying problem, which is that compliance teams are being asked to track more moving parts across more jurisdictions with no single universal playbook.
The firm also says the pace of regulatory change remains “unrelenting,” while supervision and enforcement are sharpening focus. That combination matters because a lighter-touch approach in one area does not mean less work overall. It usually means more work deciding where the real enforcement risk sits, what evidence will satisfy which regulator, and which controls need to be upgraded first.
The first functions to feel the pressure
Inside KPMG and at its clients, the biggest burden is likely to land first on teams that already sit at the intersection of rules, systems, and reporting. Consultants, auditors, and tax professionals will have to do more cross-border analysis because the same business activity may face different expectations in the United States, individual states, and Europe. That is especially true when clients are trying to sequence control changes instead of trying to fix everything at once.
Audit teams will need to be more precise about how they document material risk and where they draw the line between core statutory priorities and broader governance expectations. In practice, that means more evidence gathering, more review of control design, and more back-and-forth with management about whether a process is defensible in more than one regulatory regime. The shift is subtle but important: the job becomes less about checking whether a policy exists and more about whether the policy can survive scrutiny in several places at once.
Tax and advisory teams face a similar squeeze. Clients will want help translating fragmented rules into reporting calendars, documentation requirements, and operational workflows, especially when they operate across borders. That pushes KPMG people toward more evidence-based compliance advice and more conversations about sequencing, because not every control can be changed at the same speed. The result is a heavier workload for senior managers and directors who have to decide which risks deserve the first round of remediation.
AI, cyber, fraud, and fairness are becoming one control problem
KPMG’s challenge list makes clear that AI is not a separate conversation from compliance. “Adopting disruptive tech and AI” sits alongside cyber and data security, financial crime, fraud and scams, fairness, and resiliency for a reason: these issues now travel together. A client rolling out AI tools has to think about model governance, data security, bias and fairness, incident response, and the possibility that new workflows create fresh fraud exposure.
That is why the second half of 2026 looks less like a policy debate and more like a retraining cycle. Client-service teams will need to understand where AI tools touch regulated processes, where controls should be added, and how to explain those controls to internal stakeholders who may still see AI as an efficiency project rather than a risk-management issue. For KPMG professionals, that likely means more time on documentation, more time on test design, and more time on client education.
The same logic applies to financial crimes and fraud. KPMG’s update puts “mitigating financial crimes” and “averting fraud and scams” in separate buckets, but the operational response often overlaps: red-flag monitoring, escalation protocols, case management, and evidence trails. Once those workflows are in place, firms can support both compliance and operational resilience with the same underlying control architecture.
The regulators setting the tempo
The U.S. Securities and Exchange Commission is a major reason firms cannot rely on one static plan. The SEC says it updates its rulemaking agenda twice a year under the Regulatory Flexibility Act, and its current priorities include rulemaking tied to investor protection, market efficiency, and innovation. It also created a Crypto Task Force, which is working with Commission staff and the public to help chart a new approach to crypto regulation. For firms advising capital markets clients, that means digital assets remain a moving target, not a settled category.
The Consumer Financial Protection Bureau is sending a similar signal on fraud. The CFPB says scams are constantly changing and maintains a dedicated fraud-and-scams resource page to help people prevent, recognize, and report them. That reinforces KPMG’s view that fraud is not a niche issue tucked inside a broader compliance file. It is a live operational risk that changes as quickly as the products and payment channels clients use.
In banking, Federal Deposit Insurance Corporation Chairman Travis Hill testified in February 2026 and again on June 4, 2026 about rightsizing supervision while preserving the agency’s core mission of deposit insurance, safety and soundness, and failed-bank resolution. That is a useful clue for advisory teams: supervision may become more targeted, but the mission is not changing. Banks and their advisers still need to prepare for oversight that is more selective without assuming it will be softer.
Europe makes KPMG’s fragmentation argument even clearer. The EU AI Act entered into force in 2024, general-purpose AI model obligations began applying on August 2, 2025, and most of the law becomes applicable on August 2, 2026. The European Banking Authority also says the EU’s Digital Operational Resilience Act creates an EU-wide oversight framework for critical ICT third-party providers. For cross-border firms, those dates do more than fill a calendar. They force separate compliance tracks to run at the same time.
What has to change in the workflow now
The practical response for KPMG teams is not to build a single giant compliance binder. It is to separate work by jurisdiction, risk type, and control owner, then sequence the changes that matter most.
- Audit teams need tighter evidence packs and clearer escalation paths for material risk.
- Tax and advisory teams need jurisdiction-by-jurisdiction rule maps, not generic policy summaries.
- AI and digital assets specialists need to pair innovation advice with governance, documentation, and control testing.
- Cyber, fraud, and financial crime teams need workflows that can absorb faster-changing threats without creating duplicate reviews.
That is the real workplace consequence of the midyear update. The hardest part of 2026 is not that regulation is everywhere. It is that it is arriving on different clocks, under different supervisors, with different thresholds for what counts as enough control. For KPMG’s client-service teams, the winners will be the groups that can turn that fragmentation into repeatable work before the second half of the year raises the bar again.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.

