FINMA and real estate data integrity: what the 2025 Risk Monitor means for fund managers

FINMA's 2025 Risk Monitor put data integrity alongside cyber risk as a primary concern for Swiss institutional managers. For real estate fund managers, the implications are more concrete than most have yet registered.

FINMA publishes its Risk Monitor annually as a signal of supervisory priorities — what the regulator is paying attention to, where examinations will probe more deeply, and what institutional managers should expect to be asked in the coming cycle. The 2025 edition made two things clear that are directly relevant to real estate fund managers: data integrity risks are elevated, and cyber risk in the context of data management is a primary concern.

For real estate fund managers, this is not abstract regulatory language. It has specific operational implications — for how data is collected from property managers, how it is stored and processed, how changes are tracked, and how the entire pipeline from régie data delivery to investor reporting can be documented for examination purposes.

What FINMA means by data integrity

Data integrity in the FINMA context encompasses three related concerns. Accuracy: is the data in reports correct, and can the fund manager demonstrate that it is correct by tracing each figure back to its source? Completeness: does the data cover the full portfolio without gaps or unacknowledged approximations? And auditability: is there a documented trail of how data moved from source to report, who accessed and modified it, and when?

For investment funds regulated under CISA (the Collective Investment Schemes Act), FINMA expects that reported figures — net asset values, income distributions, portfolio valuations — can be substantiated from primary source data. In practice, this means being able to demonstrate that the quarterly income figure in the investor report corresponds to the income data delivered by property managers, that this data was validated before use, and that any adjustments made during consolidation are documented with reasons.

This expectation has always existed. What the 2025 Risk Monitor signals is that FINMA's supervisory intensity on this point is increasing — reflecting both growing awareness of data quality problems in the sector and rising regulatory standards across the European financial services industry.

What examiners look for in practice

Based on the pattern of FINMA examinations in the Swiss asset management sector, there are several specific areas where data governance for real estate funds tends to receive scrutiny.

The first is the data lineage from source to report. Can the fund manager trace the gross rental income figure in the annual report to specific property-level data points delivered by specific régie partners on specific dates? If this traceability requires a senior analyst to reconstruct the chain manually from email archives and spreadsheet version history, the data governance is not examination-ready.

The second is the validation process. What controls exist to ensure that data delivered by property managers is accurate before it enters the reporting model? Manual review by an experienced analyst is a partial answer, but it is not a systematic control — it depends on the analyst's knowledge, attention and time, all of which are variable. Systematic validation rules applied automatically at ingestion are a more defensible answer.

The third is access control and change management. Who has access to the data model and reporting templates? Are changes to model logic documented? Is there a version history that distinguishes between data updates and model changes? For funds that operate on shared Excel workbooks accessed by multiple team members, the honest answer to these questions is often unsatisfactory.

The cyber dimension

FINMA's linkage of data integrity to cyber risk reflects a specific concern: that the data pipelines on which fund reporting depends are vulnerable to both external attack and internal mismanagement. For real estate fund managers whose data consolidation process involves receiving files via email, processing them on local machines, and storing outputs on shared drives, the cyber exposure is real — even if the likelihood of active attack is lower than for a bank or insurance company.

The relevant risk is not primarily ransomware. It is the integrity of reporting data that could be compromised — deliberately or accidentally — without detection. An Excel-based consolidation process with no audit trail and no access controls provides no mechanism for detecting whether data has been altered after delivery from the property manager. FINMA's increasing focus on this risk reflects its experience elsewhere in the financial sector, where data integrity failures have emerged from exactly these kinds of informal, audit-light processes.

What examination readiness requires

A real estate fund manager preparing for FINMA examination should be able to demonstrate: a defined and documented data collection process with specified inputs from each property manager; systematic validation controls applied at data ingestion; a complete and retrievable audit trail showing the provenance of every figure in regulatory reports; access controls that limit modification of reporting data to authorised users; and a documented process for handling and recording adjustments made during consolidation.

This is a meaningful capability gap for funds that currently operate on manual consolidation processes. Closing it requires both process discipline and appropriate infrastructure. The good news is that the infrastructure required to achieve FINMA examination readiness is the same infrastructure that improves the efficiency and reliability of the quarterly reporting cycle — the benefits are concurrent, not sequential.

Timing and the regulatory trajectory

The direction of travel in Swiss financial regulation is consistent: higher expectations for data governance, greater emphasis on auditability, and increasing supervisory intensity on exactly the areas where real estate fund managers are currently most exposed. The 2025 Risk Monitor is a signal, not a sudden requirement. But the timeline between signal and examination is shorter than many fund managers plan for.

The appropriate response is not to wait for a formal regulatory change before addressing data governance. It is to treat the Risk Monitor's signal as the planning input it is intended to be, and to begin building the data infrastructure that will make the next examination straightforward rather than stressful.

STREETS is built for FINMA audit readiness

Every data point in STREETS carries a timestamp, a source record and a validation status. FPRE-compatible reports are produced from the same auditable dataset. Swiss data hosting. In production with FINMA-regulated fund managers since 2017.

Book a demo