In 2025, the European Securities and Markets Authority (ESMA) performed a Common Supervisory Action (CSA) exercise on the establishment of effective compliance and internal audit functions in the investment management sector. On 11 May 2026, ESMA published its Final Report on “2025 CSA on compliance and internal audit functions of fund managers” summarising its key findings and including a list of good and poor practices identified by regulators during the exercise.
While overall compliance levels are assessed to be satisfactory, a number of areas for improvement have been identified. Noting that the assessment guidelines prioritised UCITS and alternative investment funds (AIFs) with a retail investor base, ESMA’s views and conclusions focus on:
- ensuring that recordkeeping is appropriate and up to date;
- the importance of ensuring that compliance and internal audit are properly resourced and backed by the right organisational arrangements—ESMA highlights the fact that responsibility for ensuring that these functions operate compliantly lies with management, even when they are performed by third parties;
- giving the compliance function the necessary authority within the organisation, including a clearly defined escalation process in case of disagreement with operational units;
- verifying the independence of these functions;
- the importance of the compliance function receiving full and timely information in order to be able to monitor operational units;
- the risk that methodologies and tools provided by parent companies can potentially lead to an underestimation of local risk—i.e., risk must be looked at in context.
Thus, while the assessment represents an overall clean bill of health, it is also an indication of an ongoing need to revisit documentation, the granularity of the approach, independence, information flow and local ownership.