ESMA Review Finds Oversight Weaknesses in Parts of Europe’s Funds Industry
Key Takeaways
- ESMA Review Finds Governance Gaps: The European Securities and Markets Authority (ESMA) identified weaknesses in the independence of compliance and internal audit functions, along with shortcomings in board and senior management oversight at some fund managers.
- Implementation Quality Varied Across Firms: While most entities had policies and procedures in place, regulators found major differences in how effectively those controls were implemented in practice.
- Some Potential Breaches Identified: A limited number of national regulators flagged possible breaches tied to incomplete reporting and insufficient independence of control functions.
- Supervisory Follow-Up Expected: National competent authorities are expected to pursue remediation efforts and additional supervisory actions where vulnerabilities or breaches were uncovered.
Deep Dive
The European Securities and Markets Authority (ESMA) has identified governance and oversight shortcomings in parts of Europe’s investment management sector following a sweeping EU-wide review into the compliance and internal audit functions of fund managers.
The exercise was carried out with the participation of all EU and EEA national competent authorities and focused on whether firms had established effective compliance and internal audit functions capable of operating independently and providing meaningful oversight.
The review painted a relatively stable picture. Most national regulators assessed the overall level of compliance among supervised entities as satisfactory, and ESMA noted that the majority of firms had the relevant policies and procedures in place. But beneath that broader finding, supervisors identified a range of governance vulnerabilities that reflect what regulators appear increasingly focused on across the financial sector: not simply whether controls exist, but whether they function effectively in practice.
In particular, the review highlighted weaknesses surrounding the independence of compliance and internal audit functions, the quality of internal policies, and the effectiveness of oversight exercised by boards and senior management. National regulators also observed significant differences in how firms implemented their control frameworks, with the quality and practical application of those measures often varying depending on the size, complexity, and nature of the organizations involved.
The report suggests that, in some cases, governance structures may formally satisfy regulatory expectations while still falling short operationally.
Although only a limited number of national competent authorities reported formal regulatory breaches, some supervisors identified potential failures tied to incomplete reporting to senior management and insufficient independence within compliance and internal audit functions. In those instances, regulators said follow-up supervisory action would be pursued.
Authorities also identified broader operational vulnerabilities that stopped short of formal breaches but nevertheless raised supervisory concerns. Those included missing or incomplete internal audit documentation, weak compliance risk assessments, and a lack of sufficiently structured risk-based approaches for identifying and addressing compliance risks.
The Common Supervisory Action (CSA) itself was conducted under a common assessment framework developed by ESMA during 2024 and formally agreed later that year. All 27 EU national regulators, along with supervisors from three EEA jurisdictions, participated in the exercise. Supervisory activity throughout 2025 included desk-based reviews as well as targeted on-site inspections where appropriate.
ESMA said national authorities generally relied on desk-based supervisory reviews, though several regulators also used online reporting systems and secure exchange platforms to support data sharing and analysis during the exercise. The authority additionally noted that cooperation between regulators on cross-border cases remained relatively limited, with only a small number of NCAs engaging in direct cross-border exchanges during the review.
ESMA published examples of both good and poor practices observed across firms’ compliance and internal audit arrangements, part of a broader effort to strengthen supervisory convergence throughout the EU funds sector.
The regulator said it expects national authorities to continue investigating the root causes behind identified vulnerabilities and to ensure firms implement effective remedial measures in a timely manner. ESMA added that it will continue promoting supervisory coordination and follow-up actions among regulators as it pushes for greater consistency in oversight standards across Europe’s investment management industry.

