
ESMA identifies areas for further supervisory convergence on compliance and internal audit in the funds sector

Most fund managers are complying with the key requirements under AIFMD and UCITS, according to the results of ESMA’s 2025 Common Supervisory Action (CSA) exercise on the establishment of effective compliance and internal audit functions across the EU funds sector. However, ESMA also identified governance weaknesses, particularly in the independence of control functions, the quality and implementation of internal policies, and the way senior management and boards exercise oversight. 

What the review covered

ESMA performed the review in 2025, focusing on the compliance and internal audit functions of fund managers under the AIFMD and UCITS frameworks, with the aim of further enhancing supervisory convergence in this area. There was a high participation rate, with all 27 EU and 3 EEA national competent authorities (NCAs) co-operating. NCAs used a common assessment framework, which helped align how firms were judged across jurisdictions. Throughout the review, supervisors relied on desk-based reviews and, where appropriate, on-site inspections.

Findings

Whilst the results from the review were broadly positive, it also found significant variations in policy quality and implementation, linked to the size, nature and complexity of the firms involved. The most serious concerns were linked to governance. The CSA identified weaknesses in the independence of control functions, in internal policies, and in how senior management and boards exercise oversight, which was, in some cases, too reactive.

Good and poor practice

The report also sets out examples of good and poor practices identified across the compliance and internal audit functions, highlighting where controls were effective and where further strengthening is needed. Examples of good practice include:

  • Compliance functions consulting and providing an opinion before policy documents and procedures are submitted to senior management.

  • The use of dedicated IT tools enabling efficient and traceable interaction between the compliance and operational functions, facilitating ex-post controls.

  • The establishment of an internal ‘Controls Committee’ to ensure effective cooperation between the compliance and operational functions so that compliance requirements are properly embedded in day-to-day operations.

  • Internal reports from the compliance function that are submitted on at least a semi-annual or quarterly basis to the board of directors.

  • Ad-hoc compliance reports on specific topics triggered by events, news or regulatory and market developments, with a particular focus on investor protection measures, and which subsequently request procedural updates and enhanced monitoring of critical activities.

  • Internal audit as a standing agenda item on the board agenda to ensure that the board remains consistently and actively involved in internal audit matters.

Next steps

ESMA encourages NCAs to follow up on the breaches and vulnerabilities identified, understand their root causes, and make sure effective remedial actions are implemented quickly. More specifically, ESMA encourages NCAs to:

  • verify that comprehensive internal control mechanisms are in place, including clear reporting lines, compulsory training programs, regularly updated risk assessments, comprehensive compliance monitoring plans, regular compliance controls and monitoring of remedial actions. NCAs should be satisfied that such mechanisms detect any risks of failure to comply with the obligations under the AIFMD and UCITS Directive.

  • verify that the appropriate written documentation and recordkeeping arrangements are put in place to enable them to review their compliance with the applicable rules, such as records and logs for monitoring breaches, conflicts of interest and related party transactions.

  • ensure that the compliance function has the necessary authority within the organisation, and that the method of determining the remuneration of the relevant persons involved in the compliance function does not compromise or affect their objectivity. Organisational policies and procedures should also ensure that there is a clearly defined escalation procedure in the case of disagreements between the control functions and operational units.

  • verify that the compliance and internal audit functions operate independently from operational functions. In case proportionality arguments are invoked to justify a lower level of independence, ESMA encourages NCAs to assess such cases in light of the size, type, nature, range and complexity of the compliance and internal audit functions.

  • be satisfied that the organisational structures of the supervised entities ensure that all key risks are assessed for compliance by individuals that have sufficient knowledge and experience in the relevant matters and are independent from operational functions.

  • ensure that the compliance function monitors the quality and application of the internal processes of operational units in order to minimise the risks of non-compliance with applicable requirements. Therefore, the compliance function should receive all necessary information (e.g. all periodic reports of risk management and internal audit).

ESMA also stresses that managers that are subsidiaries of banking groups should be aware that the risk assessment methodologies and tools provided by the parent company can potentially lead to underestimating local risks. Managers should therefore not just rely on the group risk assessment but develop their own risk assessment if the group risk assessment does not properly capture the risks applicable to the business of the manager. The assessment of compliance risks should at least take into consideration the business areas, types of products, types of services, distribution channels and the categories of investors.

ESMA’s final report published on 11 May 2026 is available here.

ESMA’s press release is here.
