ESMA Peer Review On The Supervision Of Depositary Obligations

On 17 November 2025, ESMA published the findings of a peer review on the supervision of depositaries, focusing on their oversight and safekeeping duties under the UCITS and AIFMD frameworks (the Peer Review). The Peer Review assessed how national competent authorities (NCAs) supervise and enforce these obligations across key areas of depositary activity. ESMA assessed five jurisdictions: Czechia (Czech National Bank), Ireland (Central Bank of Ireland (the Central Bank), Italy (Bank of Italy), Luxembourg (CSSF), and Sweden (Finansinspektionen). The aim of peer reviews is to promote consistent, effective supervision across the EU with high-quality outcomes, and to maintain a level playing field among NCAs.

Scope of the Peer Review

The Peer Review, conducted by ESMA's Peer Review Committee (PRC) under its 2024 Work Programme, assessed how NCAs supervise and enforce depositary obligations.

It focused on three key areas:

• Oversight obligations, pertaining to:
  • Valuation oversight
  • UCITS or AIFs' compliance with investment restrictions and leverage limits under applicable laws and offering documents
• Safekeeping obligations, particularly:
  • Due diligence when delegating safekeeping to third parties
  • Compliance with asset segregation rules throughout the entire custody chain
• Delegation restrictions, ensuring functions other than safekeeping are not delegated, without prejudice to entrusting third parties with the performance of supporting tasks.

The PRC assessed two supervisory expectations - oversight and safekeeping – each comprised of two underlying sub-expectations:

• Oversight: (i) valuation, (ii) investment restrictions & leverage limits
• Safekeeping: (i) due diligence & asset segregation, (ii) delegation arrangements

Detailed findings are provided for each expectation and sub-expectation.

Peer Review findings

The PRC concluded that the core frameworks for supervising depositaries are in place. It identified several good practices, including:

• Effective supervisory checks to assess whether depositaries meet oversight and safekeeping obligations
• Reviews of compliance and internal audit reports
• Use of IT tools to record and share supervisory information
• Cross checking breach reports received by fund managers and depositaries

However, the Peer Review also highlighted notable differences in the depth and maturity of supervisory approaches across jurisdictions. Some NCAs demonstrated highly developed and granular practices, while others showed room for improvement.

• Central Bank, CSSF, and Bank of Italy: Strong supervisory practices in several areas, but improvements needed in others
• Czech National Bank: A broadly robust approach
• Finansinspektionen: Would benefit from more intrusive and intensive supervisory assessments

Concentration risk and convergence

The PRC observed a high concentration of custodied assets among a small number of depositaries in the markets assessed. In each jurisdiction, the top five depositaries hold between 67% and 100% of assets under custody, creating potential systemic risk if any face operational or financial issues. To address this, the PRC stresses the need for more frequent, risk-proportionate supervisory engagement and a convergent approach across NCAs, given depositaries' pivotal role in investor protection and market stability.

Supervisory activities

Most NCAs have risk-based supervisory cycles for on-site inspections. However, the PRC noted significant differences in:

• The length of supervisory cycles
• The frequency and intensity of such inspections for high-impact depositaries (determined by relevant factors like assets under custody, complexity of assets serviced, and organisational structure)

ESMA recommends NCAs increase the frequency and intrusiveness of risk-based supervision for the most impactful entities.

The PRC also noted limited enforcement actions - only three NCAs initiated or concluded actions during the review period (excluding the Central Bank and Finansinspektionen). The PRC urges NCAs to use enforcement tools more effectively when issues are identified to deter non-compliance and reinforce supervisory expectations.

Delegation of safekeeping functions

Concerns were raised about the depth of supervisory assessments regarding delegation of significant safekeeping tasks to third parties. Except for Czechia, all NCAs reported significant use of third-party cross-border delegation (EU and/or third countries). The PRC found that contracts, service level agreements (SLAs) and sample reports were not sufficiently reviewed and challenged to ensure compliance with ESMA Q&As. This raises risks of breaching UCITS and AIFMD rules prohibiting delegation of oversight responsibilities.

Recommendations

The PRC issued targeted recommendations under each assessed supervisory expectation, which may be subject to follow-up within two years. Key recommendations to relevant NCAs on their approaches to depositary supervision include:

• Enhancing risk-based supervision: More formalised, frequent and intrusive engagement with high-impact depositaries thereby moving closer to a true risk-based supervisory approach
• Strengthening delegation function: thoroughly assessing that depositary oversight functions are not delegated and whether any envisaged arrangements with third party service providers are in line with the criteria outlined in the ESMA Q&As on the matter¹, through the review of sample reports, KPIs, contracts/SLAs and conduct of on-site inspections at large service providers
• Safekeeping and asset segregation: The PRC observed that the Central Bank does not require depositaries to maintain first-level accounts when safekeeping is delegated - a practice that diverges from other NCAs and markets covered. The Peer Review did not find evidence for in-depth supervisory assessments by the Central Bank concerning the compatibility of their unique custody model with applicable EU rules following the 2020 legislative amendments² and therefore has encouraged the Central Bank to review its assessment.

Next steps

Although the Peer Review covered five NCAs, all EU NCAs should consider these findings and good practices in the context of their supervisory frameworks. ESMA will continue discussions on depositary supervision and may follow up on specific open recommendations in due course.

Footnotes

1 ESMA Q&As on the application of the AIFMD, Section VI, Q&A no. 10 and ESMA Q&As on the application of the UCITS Directive, Section X, Q&A no. 2.

1 Commission Delegated Regulation (EU) 2018/1618 and Commission Delegated Regulation (EU) 2018/1619

2 Commission Delegated Regulation (EU) 2018/1618 and Commission Delegated Regulation (EU) 2018/1619

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.