The prudential audit is a mandatory rite of passage for all wealth management firms. Given the sheer number of issues to be addressed across every domain covered — Organisation, Suitability, AML and Sanctions — the exercise is burdensome for EAMs and their auditors alike. It becomes particularly tedious when, as in our case, one serves a large number of financial institutions on a delegated basis (Compliance Outsourcing). That said, the process is required by law, and the recommendations it produces help protect the firm and its clients.
Audits, yes — but how often?
The Financial Institutions Act (FinIA) and its implementing ordinance (FinIO) require that the supervisory organisations (SOs) determine the frequency and intensity of audits based on the risks associated with the EAM’s activities and organisation. The assessment is guided by FINMA’s own directives, which the regulator set out at an April 2021 seminar — a document still available on its website. As a reminder, the following circumstances are considered high-risk for an asset manager:
- De minimis management of funds or pension fund assets;
- Use of foreign custodian banks;
- Heterogeneous foreign client base, or a client base concentrated in a specific foreign region;
- Use of investment instruments presenting potential conflicts of interest or specific risks (in-house products, private debt or private equity);
- Third-party remuneration (retrocessions, etc.);
- Unlimited power of attorney;
- High assets under management: AuM > CHF 1 billion.
FINMA has remained silent on how it applies these criteria, using a confidential rating system for each EAM that it prohibits supervisory bodies from publishing or communicating individually. All that is known — or can be inferred from regulatory texts — is that during the first two years following FINMA authorisation, an audit must be carried out for each year of supervision. The SOs may then reduce audit frequency to once every four years at most, depending on the firm’s activities and risk exposure (the so-called multi-year audit).
Towards a biennial audit?
The first signs of relief are now emerging, and EAMs benefiting from them most commonly move to a biennial audit — once every two years instead of annually. During the year without an audit, supervision naturally continues, but takes the form of a self-declaration modelled on the audit report.
For us, this “pause” in formal controls is welcome: it allows us to carry out in-depth reviews — IT penetration testing, for instance, or a review of product classifications as reported in the CRM/PMS by custodian banks — and to implement our automated risk framework (Assign by Uldry RC) with clients. Audit or no audit, the goal is to anticipate and prevent risks as far as possible. And 2025, let us be clear, brought its share of incidents across Switzerland, including within the EAM community: cyberattacks, unilateral termination of collaboration agreements by custodian banks, dishonest employees, sanctions exposure, fraud in non-bank AMCs, and private debt or other illiquid products now valued at zero.
FINMA’s wariness
In theory, an EAM that is financially sound, well-organised, and either faces limited risks or manages them effectively should already be eligible for a reduced audit frequency — in keeping with the legislator’s intention to ease the administrative burden on firms that demonstrate a sufficient level of control; typically those with two clean audit cycles in the years following authorisation (no irregularities, no high-priority recommendations).
In practice, however, we are unable to answer the simple question our clients ask us: am I eligible for a biennial audit?
If the two most recent audit cycles were clean, the answer should be yes. Yet in practice, supervisory bodies frequently oppose this — without explanation — since the rating and the resulting assessment must remain confidential. The reality is that it is no longer acceptable for EAMs, who are entrepreneurs, to be left in the dark about how they will be audited. This opacity in FINMA’s practice extends to other areas as well, such as sanctions and embargo monitoring, or collective management below de minimis thresholds — areas where the rules evolve unilaterally or remain unclear.
In short, the culture of secrecy surrounding EAM risk criteria is no longer understood by the market. It is increasingly perceived as a signal of distrust — one that pushes regulated entities away from those who supervise them: first auditors, then supervisory bodies, and ultimately FINMA itself (which is itself a source of new risks). Of course, the regulator must retain its room for manoeuvre — what legal parlance calls its discretionary power, explicitly conferred by law. Given that the independent wealth management market represents some CHF 850 billion in client assets, comprises over 1,300 authorised EAMs, and is highly fragmented (see the WealthSummit study “Independent Asset Managers in Switzerland,” 19 March 2026), that discretionary power must be all the more meaningful and respected. But in an industry where risk management is built on anticipation, these genuine blind spots in FINMA’s practice undermine the prevention and monitoring of threats that the entire framework is designed to address. In fact, it would be enough to explain the issues clearly to EAMs — in other words, to extend them a degree of trust — to resolve the problem.
While we wait for greater transparency, we will continue to request biennial audits from supervisory bodies on behalf of those clients who, in our view, qualify and wish to pursue one.
Sergio Uldry, Uldry RC

