
ESMA’s 2025 Common Supervisory Action for AIFMs

  • May 13

AIFM Compliance Function: What Foreign Managers Should Know Before Entering Lithuania


ESMA’s 2025 Common Supervisory Action reviewed compliance and internal audit functions of AIFMs and UCITS management companies across all 27 EU and 3 EEA national competent authorities. The overall findings were broadly satisfactory, but ESMA also identified recurring weaknesses in how some managers document, resource, monitor and evidence their compliance function.

For foreign managers considering Lithuania, the message can be put as follows: AIFMD compliance is not only about having policies. It is about having a compliance function that works.


A policy library is not sufficient; policies must also be applied in practice


Most supervised entities reviewed by ESMA had written compliance policies and procedures. The issue was often not whether documents existed, but whether they were updated, tailored and followed in practice.

Group-level policies can be useful, but they should also reflect the local entity, the manager’s actual activities and the regulatory environment in which it operates. A generic policy framework often leaves gaps and is not adapted to the business model, fund strategy, distribution approach and governance structure.

A strong AIFM compliance function should therefore be practical, documented and specific to the manager’s operations.


[Image: 6 things the compliance function of an AIFM should do]

What the compliance function should do


ESMA’s findings show that an effective compliance function should be active and embedded in governance. Its role includes monitoring regulatory developments, updating policies and procedures, conducting risk-based ex-ante and ex-post checks, identifying non-compliance, escalating issues to senior management or the board, and overseeing remediation.

Compliance should not only review decisions after they are made, but should be involved early enough to help identify risks linked to new funds, new markets, delegation, investor onboarding, marketing, investment limits and operational changes.


[Image: Accuracy matters both in hiring and in outsourcing]

Independence, authority and resources


ESMA emphasises that the compliance function should have sufficient independence, authority, expertise and resources. Proportionality may apply, but it must be justified by the manager’s size, nature, complexity and risk profile.

This does not mean that every AIFM needs a large internal compliance department. For many foreign or emerging managers, a properly structured compliance outsourcing model can be an effective and proportionate solution.

The key is governance. Outsourced compliance should have clear scope, documented responsibilities, access to relevant information, regular reporting and effective oversight by the manager. Compliance outsourcing can bring specialist expertise, market knowledge and experienced resources, particularly where the manager does not yet require a full in-house team.


[Image: Why outsourcing is good for accountability]

Outsourcing can strengthen the compliance model


ESMA recognises that many managers use third-party providers or group entities for compliance-related tasks. This can be particularly relevant for foreign AIFMs entering a new EU market, where local regulatory knowledge and practical experience are important.

However, outsourcing must be managed properly. Managers remain responsible for compliance with applicable rules, even when tasks are performed by an external provider. ESMA highlights the importance of documented due diligence, written contracts or mandates, clear internal responsibility, regular monitoring and formalised reporting.

A well-designed compliance outsourcing model should include service levels, KPIs where appropriate, evidence of control execution, escalation procedures and board-level reporting. Done properly, outsourcing is not a weakness. It can be a practical way to access specialist compliance capability while maintaining a proportionate operating structure.


Monitoring plans and board reporting


A strong compliance function needs a risk-based monitoring plan. ESMA observed that weaker plans were often too generic, with broad themes that did not assess specific risks or produce actionable recommendations.

A better approach is to map regulatory requirements to the manager’s activities, assess inherent and residual risks, define control priorities and frequencies, track findings, and monitor remediation.

Board reporting should be equally practical. Compliance reports should explain what was reviewed, what was found, what risk it creates, what action is recommended, who owns the action and when it should be completed. Reports should also track previous findings and remediation progress.

For foreign AIFMs, this evidence is important. It shows that compliance is not only designed on paper, but actively monitored and governed.


Good practices to adopt


ESMA identified several good practices that are useful for AIFMs:

  • involving compliance before policies and procedures are approved by senior management or the board; 

  • using dedicated IT tools to support traceable interaction between compliance and operational teams; 

  • establishing a controls committee to embed compliance into day-to-day operations; 

  • submitting compliance reports to the board at least semi-annually or quarterly; 

  • preparing ad-hoc compliance reports in response to regulatory, market or investor protection developments. 

These practices help make compliance visible, documented and connected to real business activity.


Things to avoid according to the new ESMA notice

ESMA also identified weaknesses that managers should avoid. These include compliance reports without progress updates, deficiencies without clear recommendations or deadlines, weak documentation of board discussions, group compliance functions that do not focus on local risks, lack of systematic tracking of non-compliance, insufficient controls over investment limits and undocumented risk assessment methodologies.

For foreign managers, these examples are useful because they show what can undermine an otherwise well-presented compliance framework.


Practical checklist for AIFMs entering Lithuania


Before entering the Lithuanian market, a foreign AIFM should be able to evidence:

  • localised compliance policies and procedures; 

  • a risk-based compliance monitoring plan; 

  • clear compliance responsibilities and reporting lines; 

  • structured board and senior management reporting; 

  • breach, issue and remediation registers; 

  • documented escalation procedures; 

  • oversight of outsourced compliance tasks; 

  • evidence of compliance involvement in key decisions; 

  • regular review and updating of policies. 


ESMA’s findings do not suggest that every manager needs the same compliance structure. They do suggest that every manager needs a compliance function that is real, proportionate and effective.

For foreign AIFMs considering Lithuania, compliance outsourcing can be a practical way to build that function from the start — provided it is properly scoped, documented and overseen.

CAML supports financial market participants with practical compliance frameworks, compliance outsourcing for AIFMs and regulatory readiness. CAML can help assess whether your compliance function, outsourcing arrangements and governance framework are ready for the Lithuanian and EU supervisory environment.

This article is for general information only and should not be treated as legal advice.
