Compliance Risk Key Risk Indicators Examples are essential tools for monitoring regulatory exposure and preventing costly violations. On October 10, 2024, the US Department of Justice, FinCEN, the OCC, and the Federal Reserve assessed a combined $3.09 billion penalty on TD Bank for Bank Secrecy Act violations, the largest ever imposed on a bank for AML failures. About 92% of the bank’s transactions ($18.3 trillion) ran unmonitored from 2018 through 2024.
Six months later, the CFPB withdrew 67 guidance documents and rescinded its 2023 UDAAP policy statement. DOJ paused and then resumed FCPA enforcement under new guidelines focused on cartels and transnational criminal organizations. State attorneys-general filled lanes the federal agencies stepped back from.
| Key Takeaways |
| A 2026 Compliance Risk Key Risk Indicators program tracks at least six categories: regulatory and supervisory, AML / BSA / sanctions, consumer protection, anti-bribery and FCPA, privacy and data protection, and conduct, culture, and training. |
| TD Bank’s $3.09 billion AML penalty in October 2024 was the largest ever imposed on a bank for BSA violations. About 92% of the bank’s transactions ($18.3 trillion) ran unmonitored from 2018 through 2024, with a four-year independent monitor and an asset cap added on top. |
| The CFPB withdrew 67 guidance documents in May 2025 and rescinded its UDAAP policy statement, but consumer-protection exposure has shifted rather than disappeared. State attorneys-general are picking up enforcement lanes. |
| DOJ paused FCPA enforcement in February 2025 and resumed in June 2025 with new guidelines tied to cartel and transnational criminal organization links. The 2024 baseline was 38 FCPA enforcement actions and $1.5 billion in corporate penalties. |
| SOX material weakness data shows 60% of adverse ICFR reports come from repeat filers, and 40% of PCAOB-inspected ICFR audits in 2022 lacked sufficient evidence to support the opinion. Material weakness counts are board-level KRIs. |
| Standards: BSA, OFAC, GLBA, CCPA, CPRA, GDPR, HIPAA, FCPA, SOX 404, OCC Heightened Standards, FFIEC examiners’ manual, CFPB exam manual, and ISO 37301 frame the program. |
| A working catalog runs 35 to 60 KRIs total, with 10 to 15 elevated to the executive risk and audit committees each quarter. Tracking fewer than 25 leaves blind spots; tracking more than 70 invites monitoring fatigue. |
This is a working catalog of Compliance Risk Key Risk Indicators Examples, written so US banks, broker-dealers, fintechs, healthcare systems, and public companies can pull the metrics straight into a 2026 board pack and an audit-committee paper.
Six categories cover the field: regulatory and supervisory, AML / BSA / sanctions, consumer protection, anti-bribery and FCPA, privacy and data protection, and conduct, culture, and training. Indicators align to OCC Heightened Standards, ISO 31000:2018, and ISO 37301:2021 compliance management systems.
Figure 1. Compliance Risk Key Risk Indicators Examples distributed across six US-relevant risk categories.
What Are Compliance Risk Key Risk Indicators Examples?
A Key Risk Indicator is a leading metric that flags a compliance failure before the regulator does. Compliance risk includes the loss exposure from violating laws, regulations, and supervisory expectations. Legal risk and conduct risk both fall in scope.
KPIs measure performance against a goal. KRIs measure exposure against a tolerance. The same metric can play either role depending on whether it is reported against a compliance program target or a risk appetite threshold.
Useful Key Risk Indicators examples on a compliance dashboard share four traits. They are measurable, owned by one person, calibrated to a documented threshold, and they move ahead of the loss event.
How Compliance Risk Key Risk Indicators Examples Differ from KPIs
| Attribute | Key Performance Indicator (KPI) | Key Risk Indicator (KRI) |
| Direction | Measures progress against a goal (alerts cleared, training completed, audits closed) | Measures exposure against a tolerance (open MRAs, SAR lateness, complaint volume, FCPA DD gaps, material weaknesses) |
| Time view | Lagging or current performance | Leading early-warning signal of regulatory or supervisory action |
| Trigger | Compliance committee review, business scorecard | Escalation memo, audit-and-risk committee paper, board appetite review |
| Owner | Chief compliance officer, BSA officer, line compliance | First-line compliance owner plus second-line risk function |
| Reference | Annual compliance plan, OKRs, exam tracker | BSA, OFAC, FCPA, CFPB exam manual, OCC Heightened Standards, ISO 37301 |
Regulatory and Supervisory Compliance Risk Key Risk Indicators Examples
TD Bank’s $3.09 billion AML settlement included an asset cap and a four-year independent monitor on top of the cash penalty.
Both elements stay long after the headline fades. Open Matters Requiring Attention (MRAs) and Matters Requiring Immediate Attention (MRIAs) are the leading indicators of supervisory escalation that precedes events like this one.
Top 9 Regulatory and Supervisory Compliance Risk Key Risk Indicators Examples
| Regulatory / Supervisory KRI | Green threshold | Amber threshold | Red threshold |
| Open MRAs / MRIAs from supervisors | 0 | 1-2 | >2 |
| MRA / MRIA aging >180 days | 0 | 1 | >1 |
| Open consent orders / formal agreements | 0 | 1 | >1 |
| Regulator data requests open >30d | <3 | 3-7 | >7 |
| Regulator-finding repeats YoY | 0 | 1 | >1 |
| Regulatory-change items past go-live date | 0 | 1-3 | >3 |
| Compliance program independence findings | 0 | 1 | >1 |
| External legal-bill spend variance vs. plan | <10% | 10-25% | >25% |
| Asset-cap or growth-restriction status | None | Discussion stage | Imposed |
MRA aging past 180 days reads loudest in the next exam. A bank with an MRA still open at the next safety-and-soundness review has either a remediation problem or a documentation problem, and the supervisor will treat both the same.
AML, BSA and Sanctions Compliance Risk Key Risk Indicators Examples
$18.3 trillion in transactions ran unmonitored through TD Bank between 2018 and 2024, about 92% of the bank’s total flow. SAR filing timeliness, KYC backlog, and sanctions hit volume would have caught the trend years before the criminal plea. The 2024 settlement turned every one of those metrics into a board-level KRI.
OFAC enforces sanctions on a strict-liability basis, so list-update latency belongs on the same paper as transaction monitoring coverage. The Anti-Money Laundering Key Risk Indicators catalog walks through 30+ AML KRIs in the same taxonomy.
Top 11 AML, BSA and Sanctions Compliance Risk Key Risk Indicators Examples
| AML / BSA / Sanctions KRI | Green threshold | Amber threshold | Red threshold |
| SAR filings within 30-day deadline | 100% | 95-99% | <95% |
| CTR filings within 15-day deadline | 100% | 98-99% | <98% |
| KYC / CIP backlog (open files) | <25 | 25-100 | >100 |
| Enhanced DD (EDD) refresh aging | <90d | 90-180d | >180d |
| Transaction monitoring coverage (% products) | 100% | 90-99% | <90% |
| Sanctions screening false-positive rate | <10% | 10-20% | >20% |
| OFAC list-update latency (hours) | <24 | 24-72 | >72 |
| High-risk customer review aging | <90d | 90-180d | >180d |
| Suspicious-activity escalations / mo | Stable | +25% MoM | >+50% MoM |
| Beneficial-ownership data completeness | >98% | 90-98% | <90% |
| AML model validation findings open | 0 | 1-2 | >2 |
Figure 2. Compliance enforcement and audit data points 2024-2025 driving the Compliance Risk Key Risk Indicators Examples that belong on a 2026 board dashboard.
Consumer Protection Compliance Risk Key Risk Indicators Examples
The CFPB withdrew 67 guidance documents in May 2025 and rescinded its 2023 UDAAP policy statement. Consumer-protection exposure did not go away.
State attorneys-general filled several enforcement lanes, the FTC retained UDAP authority, and pending CFPB litigation against Zelle and three large banks for fraud-control failures continued through 2025.
Top 9 Consumer Protection Compliance Risk Key Risk Indicators Examples
| Consumer Protection KRI | Green threshold | Amber threshold | Red threshold |
| CFPB complaints / 1,000 customers | <1.0 | 1.0-3.0 | >3.0 |
| Complaint response within 15 days | 100% | 95-99% | <95% |
| Reg E error-resolution timeliness | 100% | 95-99% | <95% |
| Reg Z disclosure accuracy (audit %) | >98% | 95-98% | <95% |
| Fair lending HMDA fallout rate | <5% | 5-10% | >10% |
| State AG inquiries open | 0 | 1-2 | >2 |
| Complaint root-cause closure (days) | <30 | 30-60 | >60 |
| UDAAP-flagged products in pipeline | 0 | 1-2 | >2 |
| Repeat-complaint pattern (top issue) | <5% of total | 5-10% | >10% |
Repeat-complaint patterns deserve a dedicated KRI. A single product line generating more than 10% of total complaints has a control-environment problem the next state-AG inquiry will price in.
Anti-Bribery and FCPA Compliance Risk Key Risk Indicators Examples
DOJ paused FCPA enforcement in February 2025 and resumed in June 2025 under new guidelines tied to cartel and transnational-criminal-organization links.
The 2024 baseline was 38 FCPA enforcement actions and over $1.5 billion in corporate penalties. The new prioritization narrows the lens but does not remove the requirement to monitor third-party bribery exposure.
Top 8 FCPA Compliance Risk Key Risk Indicators Examples
| FCPA / Anti-Bribery KRI | Green threshold | Amber threshold | Red threshold |
| Third-party DD coverage (high-risk) | 100% | 85-99% | <85% |
| Third-party DD refresh aging | <24mo | 24-36mo | >36mo |
| Gifts and hospitality policy exceptions | <5% | 5-10% | >10% |
| FCPA training completion (high-risk) | 100% | 95-99% | <95% |
| Public-official touchpoint logging | 100% | 85-99% | <85% |
| Open internal FCPA investigations | 0 | 1-2 | >2 |
| Charity / political-contribution review rate | 100% | 90-99% | <90% |
| High-risk-jurisdiction revenue share | <15% | 15-30% | >30% |
Third-party DD refresh aging is the FCPA KRI most boards under-watch. A vendor onboarded with clean diligence in 2022 and not refreshed since may have changed ownership, taken on PEP relationships, or moved into sanctioned jurisdictions. The DOJ resource guide treats stale DD as the same risk as no DD.
Figure 3. Illustrative threshold dashboard showing Compliance Risk Key Risk Indicators Examples across categories with green / amber / red bands.
Privacy and Data Protection Compliance Risk Key Risk Indicators Examples
US privacy law fragments by state. California (CCPA / CPRA), Texas, Virginia, Colorado, Connecticut, Utah, and a growing list of others each set their own private right of action, breach notification window, and data-subject-access-request requirements. EU operations add GDPR; healthcare adds HIPAA; financial services adds GLBA.
Top 9 Privacy and Data Protection Compliance Risk Key Risk Indicators Examples
| Privacy / Data Protection KRI | Green threshold | Amber threshold | Red threshold |
| DSAR response within statutory deadline | 100% | 95-99% | <95% |
| Privacy incidents reportable to regulators | 0 | 1-2 | >2 |
| Records-of-processing completeness | >95% | 85-95% | <85% |
| Vendor DPA coverage on regulated data | 100% | 90-99% | <90% |
| Cross-border transfer-mechanism coverage | 100% | 85-99% | <85% |
| Privacy training completion | 100% | 95-99% | <95% |
| Cookie / consent banner pass rate | >95% | 80-95% | <80% |
| DPIA completion on high-risk processing | 100% | 85-99% | <85% |
| Open privacy-regulator inquiries | 0 | 1-2 | >2 |
DSAR response timeliness is the privacy KRI regulators cite most often in audit findings. A program running below 95% on-time response across a 30-day or 45-day statutory window is one customer complaint from a state-AG investigation. Track per-state and per-regulation cadence on the same dashboard.
Conduct, Culture and Training Compliance Risk Key Risk Indicators Examples
Whistleblower tips remain the most effective fraud-detection control, accounting for 43% of cases per the ACFE 2024 Report to the Nations. Conduct KRIs put a number on the culture signals supervisors and the audit committee both watch.
Top 8 Conduct and Culture Compliance Risk Key Risk Indicators Examples
| Conduct / Culture KRI | Green threshold | Amber threshold | Red threshold |
| Hotline / whistleblower tips logged (qtr) | >2 | 1 | 0 |
| Conflict-of-interest disclosures complete | 100% | 95-99% | <95% |
| Mandatory compliance-training completion | 100% | 95-99% | <95% |
| Code-of-conduct attestations on file | 100% | 95-99% | <95% |
| Repeat conduct findings / employee | 0 | 1 | >1 |
| Sales-practice complaints / 1,000 customers | <0.5 | 0.5-1.5 | >1.5 |
| Senior-leader compensation clawback events | 0 | 1 | >1 |
| Voluntary turnover in compliance roles | <10% | 10-20% | >20% |
Voluntary turnover in second-line compliance roles is the conduct KRI that quietly precedes program drift. A compliance department running 20%+ annual turnover loses institutional knowledge faster than the next examiner can write the MRA.
How to Implement Compliance Risk Key Risk Indicators Examples
Standing up a Compliance Risk KRI program is a six-step exercise inside the wider enterprise risk management framework. The reference texts are ISO 31000:2018 clause 6.6, ISO 37301:2021, and the OCC Heightened Standards.
Six Steps to Deploy Compliance Risk Key Risk Indicators Examples
- Step 1. Anchor in the compliance risk taxonomy: Tie each KRI to a specific regulation, supervisory expectation, or compliance program domain so dashboard movement maps to a treatable exposure.
- Step 2. Calibrate thresholds: Set green / amber / red bands using internal data, peer benchmarks, exam findings history, and the board-approved risk appetite statement.
- Step 3. Assign owners: Every KRI gets a named first-line owner and a second-line risk partner. AML KRIs go to the BSA officer; FCPA KRIs to the chief ethics officer; privacy KRIs to the DPO; CFPB KRIs to the head of consumer compliance.
- Step 4. Define escalation: Document what happens at each band: who is notified, the response window, the executive risk committee trigger, and the board-paper threshold.
- Step 5. Automate collection: Pull data from the case-management system, GRC tool, AML/KYC platform, complaint system, hotline, and HRIS into a single Compliance Risk KRI workbench.
- Step 6. Review quarterly: Recalibrate thresholds, retire indicators that never breach, replace those that always breach, and add KRIs for newly identified risks (AI use, climate disclosure, ESG reporting, crypto / stablecoin AML).
Common Pitfalls in Compliance Risk Key Risk Indicators Examples
Implementation failures around Compliance Risk Key Risk Indicators Examples tend to fail the same way at every institution size. Global systemically important banks and 50-person fintechs alike, the traps below keep coming up in supervisory examinations and CFPB exam manuals.
| Pitfall | Root cause | Remedy |
| KPI / KRI confusion | Same metric reported as both with one threshold | Document the threshold (KRI) separately from the target (KPI); report side by side |
| Activity counts mistaken for KRIs | Tickets-closed and alerts-cleared reported as risk metrics | Reframe as exposure: SAR lateness, MRA aging, complaint root-cause closure |
| Static thresholds | Bands set at framework launch and never recalibrated | Quarterly review tied to internal trend, peer data, and risk appetite |
| Compliance silo | AML, FCPA, privacy KRIs each reported only to their own committee | Surface all six categories on a single Compliance Risk KRI dashboard for the audit-and-risk committee |
| State-AG blind spot | Federal CFPB activity tracked, state inquiries missed | Add state-AG inquiry count and state-AG investigation aging as Consumer Protection KRIs |
| Vanity dashboards | Beautiful charts no committee acts on | Tie each amber / red band to a triggered action; track action closure as a meta-KRI |
| Annual-only cadence | KRIs reviewed once per year for the audit committee | Quarterly delta review of high-severity KRIs; weekly automated alerts on AML, sanctions, and complaints |
Frequently Asked Questions About Compliance Risk Key Risk Indicators Examples
What are the most important Compliance Risk Key Risk Indicators Examples?
The seven most important Compliance Risk Key Risk Indicators Examples are open MRAs / MRIAs, SAR filing timeliness, KYC backlog, CFPB complaints per 1,000 customers, FCPA third-party DD coverage, DSAR response timeliness, and material weakness count.
Together they cover the dominant 2026 risk drivers across regulatory, AML, consumer protection, anti-bribery, privacy, and financial reporting. Add 30 to 50 more across the six categories for a complete program.
How many Compliance Risk Key Risk Indicators Examples should an organization track?
US banks, broker-dealers, insurers, and large fintechs typically run 35 to 60 Compliance Risk Key Risk Indicators Examples in total, with 10 to 15 elevated to the executive risk committee each quarter. Tracking fewer than 25 leaves blind spots.
Tracking more than 70 invites monitoring fatigue. The right number scales with regulatory tier, business mix, and geographic footprint, not with the size of the GRC tool’s catalog.
How do Compliance Risk Key Risk Indicators Examples differ from KPIs?
Compliance Risk Key Risk Indicators Examples measure exposure against a tolerance, while KPIs measure performance against a goal. A KPI tells the compliance team whether training was delivered. A KRI tells the board whether the risk of training-driven misconduct is rising.
The same raw metric (training completion, alerts cleared, complaints handled) can serve both purposes if its threshold (KRI) and target (KPI) are documented separately and reported side by side.
Which standards govern Compliance Risk Key Risk Indicators Examples?
The dominant references are the Bank Secrecy Act, OFAC sanctions program, GLBA, CCPA / CPRA, GDPR (where applicable), HIPAA, the FCPA, SOX 404, OCC Heightened Standards, the FFIEC examiners’ manual, the CFPB exam manual, and ISO 37301:2021 compliance management systems.
Public-bond issuers add SEC disclosure-rule artifacts. Healthcare adds HIPAA Security Rule. Defense contractors add CMMC 2.0. ESG-reporting firms add SEC climate disclosure (where finalized) and CSRD requirements for EU operations.
How often should Compliance Risk Key Risk Indicators Examples be reviewed?
Compliance Risk KRIs should be measured continuously where the AML, KYC, complaint, hotline, and HRIS systems permit. Review weekly at the compliance operating level, monthly at the compliance committee, and quarterly at the executive risk committee or board.
AML, sanctions, and complaint KRIs warrant real-time alerts. FCPA and privacy KRIs typically run on a monthly cadence. Conduct and culture KRIs anchor on quarterly reviews aligned with HR cycles.
Can community banks use the same Compliance Risk Key Risk Indicators Examples as global banks?
Yes, with calibration. Community banks and credit unions can use the same Compliance Risk Key Risk Indicators Examples catalog but should narrow the scope to 20 to 30 indicators that match their actual regulatory footprint.
Thresholds change with asset size, business mix, and regulatory tier, but the metric definitions do not. Discipline and ownership are the binding constraints, not headcount or GRC-tool spend.
How do Compliance Risk Key Risk Indicators Examples feed board reporting?
Compliance Risk KRIs feed the quarterly board risk report through a tiered rollup. Function-level dashboards aggregate to enterprise heat maps, with the top 10 to 15 indicators reaching the audit-and-risk committee or the full board.
The board paper should show trend, threshold breach history, owner, and remediation status, all anchored to the institutional risk appetite. Without that structure, the board sees decoration rather than decision support.
How does the 2025 CFPB pivot change Compliance Risk Key Risk Indicators Examples?
The CFPB withdrew 67 guidance documents and rescinded its UDAAP policy statement in May 2025. State attorneys-general picked up several enforcement lanes, the FTC retained UDAP authority, and pending CFPB litigation continued. Consumer-protection exposure shifted; it did not disappear.
Add state-AG inquiry count, state-AG investigation aging, and FTC enforcement-tracker items to the Consumer Protection KRI set. Continue tracking CFPB complaints per 1,000 customers as a leading indicator regardless of the federal enforcement posture.
Looking Ahead: Compliance Risk Key Risk Indicators Examples in 2026 and 2027
AML and sanctions enforcement will keep its post-TD Bank intensity through 2026. Asset caps, monitor mandates, and personal-accountability orders show up in the supervisory toolkit more often. SAR timeliness, KYC backlog, OFAC list-update latency, and beneficial-ownership data completeness sit on every board paper.
Consumer-protection enforcement migrates from federal to state. The CFPB’s 2025 guidance withdrawal does not remove UDAAP exposure, and state attorneys-general are filling lanes the federal agency stepped back from. Track state-AG activity at the same cadence as CFPB activity.
FCPA enforcement narrows but does not stop. DOJ’s June 2025 guidelines focus on cartel and TCO connections, US economic and national-security interests, and individual criminal misconduct. Companies operating in defense, energy, infrastructure, and critical-minerals sectors face the same DD bar as before.
A live KRI dashboard with quarterly recalibration is what holds up under OCC, FinCEN, CFPB, DOJ, and state-AG scrutiny. Without it, boards rotate through the same concerns until the next consent order or asset cap forces one of them to the top of the agenda.
Ready to Operationalize Compliance Risk Key Risk Indicators Examples?
At riskpublishing.com we help US banks, broker-dealers, fintechs, healthcare systems, and public companies build Compliance Risk Key Risk Indicators Examples that hold up under board questions, supervisory examinations, CFPB exams, DOJ investigations, and rating-agency surveillance.
The work usually includes the KRI catalog, a threshold-calibration workshop tied to peer benchmarks, a function-to-enterprise rollup model, and a quarterly board-paper template anchored to BSA, OFAC, FCPA, OCC Heightened Standards, ISO 37301, and the CFPB exam manual.
Explore our risk advisory services, or contact us to scope a compliance KRI maturity review tailored to your business mix, regulatory tier, and 2026-2027 enforcement priorities.
Related reading on riskpublishing.com: Key Risk Indicators examples, how to use Key Risk Indicators, compliance Key Risk Indicators examples, Key Risk Indicators for Anti-Money Laundering (AML), how to conduct a compliance risk assessment, operational risk management framework, and the integrated risk management approach.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.