CryptaCount
EN
EnglishENDeutschDEEspañolESFrançaisFRItalianoIT日本語JA한국어KONederlandsNLPolskiPLPortuguêsPT
Log in Start Free

ESMA Targets Risk Management Functions in New EU-Wide Supervisory Action

CryptaCount Editorial · · 5 min read
NEWS ESMA Targets Risk Management Functionsin New EU-Wide Supervisory Action

ESMA has launched a Common Supervisory Action (CSA) focused on how UCITS management companies and Alternative Investment Fund Managers handle their risk management obligations. Running across 2026 and 2027, the exercise puts the independence, effectiveness, and technical competence of risk functions under direct scrutiny, coordinated through National Competent Authorities across the EU. For accounting firms, auditors, and CFOs serving fund clients, this signals a period of heightened regulatory attention on the evidence trail supporting risk oversight.

ESMA Targets Risk Management Functions in New EU-Wide Supervisory Action

What the CSA Covers

Scope and regulatory basis

The action spans both the UCITS framework and the Alternative Investment Fund Managers Directive (AIFMD). ESMA developed a common assessment framework that sets out the scope, methodology, supervisory expectations, and timeline, so that NCAs across member states apply a consistent standard rather than each conducting an isolated review.

The specific risk categories under examination include market risk, credit risk, liquidity risk, counterparty risk, and operational risk. Regulators will assess whether these risks are being properly identified, measured, monitored, and managed, not just documented in policy papers but evidenced through actual practice.

The independence requirement

One emphasis worth flagging immediately: the independence of the risk management function. ESMA's press release singles this out alongside effectiveness and expertise. In practical terms, supervisors will want to see that risk teams operate with genuine separation from portfolio management, have direct reporting lines to senior governance bodies, and are not structurally subordinated to the commercial side of the business. Audit and compliance teams advising fund managers should verify that organisational charts, mandate documents, and escalation procedures reflect this separation in substance, not just in name.

How the CSA Will Be Conducted

NCA coordination and knowledge sharing

ESMA designed this CSA specifically to drive supervisory convergence. NCAs will share findings and supervisory experiences through ESMA as the exercise progresses, which means observations from one jurisdiction can quickly inform examination priorities in another. Firms operating across multiple EU member states should not assume that a clean interaction with one NCA provides any read-through to others.

Timeline

The CSA runs throughout 2026 and 2027. ESMA has not published specific milestones for individual phases in the press release, but a two-year window is consistent with prior ESMA CSAs, which typically involve an initial data-gathering phase, supervisory assessments by NCAs, and a convergence report once findings are aggregated centrally.

What Compliance and Accounting Teams Should Do Now

Documentation and recordkeeping

The evidentiary expectations of a CSA are high. NCAs will expect to see risk management frameworks that are current, coherent, and demonstrably applied. For accounting and compliance teams, that means checking whether risk registers, limit monitoring records, stress-testing outputs, and board reporting packs are consistent with the written policy. Gaps between documented procedure and operational reality are exactly what supervisors are trained to find.

Firms that maintain fund accounting on platforms where risk data and financial data are siloed may find this particularly challenging. The ability to pull cross-referenced records quickly, especially liquidity metrics tied to specific portfolio positions at specific dates, will matter when NCA information requests arrive. Accurate, well-structured digital asset accounting software and broader fund accounting infrastructure need to support that retrieval without manual reconstruction.

Governance and reporting lines

Check that the organisational structure documented in the risk management policy matches what is in place today. Management changes, restructurings, or outsourcing arrangements entered into since the policy was last reviewed may have created mismatches. Where risk management functions are partially outsourced or delegated, the delegation chain and accountability framework should be clearly mapped and demonstrably supervised by the management company or AIFM itself.

Expertise and resourcing

ESMA's explicit reference to expertise suggests that supervisors will look at the qualifications, experience, and capacity of risk personnel, not just the existence of a risk function on paper. For smaller managers in particular, this could surface questions about whether the risk function is adequately staffed relative to the complexity and size of the portfolios managed.

ESMA Targets Risk Management Functions in New EU-Wide Supervisory Action

Broader Context: ESMA's Supervisory Convergence Programme

This CSA sits within ESMA's ongoing effort to ensure that supervisory standards do not diverge materially across member states. Previous ESMA CSAs have covered areas such as liquidity risk management, costs and fees, and sustainability disclosures. The risk management CSA extends that pattern into a foundational operational area, reflecting ESMA's view that consistent risk oversight is central to both investor protection and financial stability across EU capital markets.

For firms already managing compliance across the EU's evolving digital asset regulatory landscape, the pattern is familiar. ESMA has also been active in clarifying obligations under MiCA, including ESMA's MiCA white paper exemption guidance for non-ART/EMT offerings, and the implications are similar: coordinated supervisory actions amplify the consequence of gaps that might have passed unnoticed under purely national oversight. The MiCA transitional period expiry and mandatory CASP authorisation deadline earlier this year underlines how quickly ESMA-coordinated timelines can sharpen.

For firms serving both traditional fund managers and digital asset businesses, the operational lesson is the same: compliance infrastructure needs to generate evidence that holds up to a structured supervisory examination, not just satisfy internal review cycles.

What is a Common Supervisory Action?

A CSA is a coordinated examination in which ESMA works with national regulators across EU member states to assess compliance with specific regulatory requirements using a shared methodology. Findings from NCAs are aggregated and used to promote consistent supervisory standards across the EU.

Which firms are in scope?

UCITS management companies and Alternative Investment Fund Managers authorised in the EU fall within the scope of this CSA. ESMA has not published a list of specific entities; NCAs select firms for examination within their own jurisdictions.

Does this CSA apply to crypto-asset fund managers?

The CSA is framed under the UCITS Directive and AIFMD frameworks. Crypto-asset service providers authorised under MiCA are not referenced in this action, though AIFMs managing crypto or digital asset funds authorised under AIFMD would fall within scope in the same way as any other AIFM.

What should audit teams check first?

Start with the consistency between the written risk management policy and current operational practice. Verify the independence of the risk function from portfolio management, confirm that escalation and reporting lines are current, and check that risk monitoring records are retrievable and auditable.

Where can I find the full details of the CSA?

ESMA published the announcement on its official website. National Competent Authorities will communicate directly with firms selected for examination in their jurisdictions.

Source: European Securities and Markets Authority (ESMA)