Close the gap. Get ready for the EU AML transformation.

A paradigm shift for AML in Europe

Anti-Money Laundering (AML) across Europe has entered a decisive new phase. Financial crime risks are increasing in scale and sophistication, driven by geopolitical tensions, digitalisation, and complex cross‑border financial flows. At the same time, regulators are responding with greater ambition, stronger supervision, and a clear push towards harmonisation.

The EU AML Package represents a paradigm shift, not an incremental change. It fundamentally transforms how AML regulation is designed, supervised, and enforced across the European Union from nationally fragmented frameworks to a single EU level approach.

The EU's new supervisor for preventing financial crime is the Anti-Money Laundering Authority (AMLA), based in Frankfurt, and is set to reach full operational capacity in 2028. Its mission is to strengthen and harmonise the supervision of AML rules within the EU, which can be viewed as positive for Luxembourg, where the financial sector works cross-border with many other European countries. Having one set of rules will therefore facilitate all cross-border conversations. Secondly, as Luxembourg has always been adapting the content of the EU AML Directives into its national legislative framework and as the good application of those rules were audited annually, the upcoming European rules are quite close to those in place. This is an opportunity to showcase Luxembourg’s skills in this important area. It can be viewed as a return of investment that the Luxembourg financial sector has done in the last ten years.

For financial institutions across banking, asset management, funds, insurance and payments, the message is clear: AML is now more than compliance; it’s an opportunity for true transformation to enhance efficiency and effectiveness across all European entities in a group.

In this article we discuss the EU AML transition, assessing Europe’s state of readiness using insights from the EMEA AML Survey 2026, and highlight what this shift means in practice, with some focus on Luxembourg. It is the first in a planned multi‑industry series following the implementation journey of the EU AML Package.

We encourage institutions (including insurance companies, banks, asset and wealth managers, electronic payments firms, crypto‑asset service providers, and virtual asset firms), to start preparing now if they have not already done so. We want to make sure institutions are aware of potential challenges that lie ahead. Understanding the changes and what they will require and preparing now will help to ensure a smooth transition and mitigate risks. 

From national frameworks to a unified EU model

Today, AML rules are driven by EU Directives which are then translated into national laws and regulations. While EU directives have provided a common baseline, each Member State has developed its own supervisory intensity, enforcement approach, and operational interpretation.

From 10 July 2027, this will change fundamentally.

The EU AML Package introduces:

• A single AML Regulation, directly applicable across all Member States;
• A reinforced AML Directive, strengthening national frameworks; and
• A new EU Anti‑Money Laundering Authority (AMLA), centralising and coordinating supervision.

AMLA will bring harmonised expectations, consistent supervision, and increased data‑driven oversight, including direct supervision of selected high‑risk and complex financial institutions. This unified framework reduces regulatory fragmentation, but it also removes the comfort of national interpretation and localised practices.

Regulatory ambition meets industry readiness

While the regulatory direction is clear, industry readiness remains mixed. In fact, findings from our PwC EMEA AML Survey 2026 highlight a growing execution gap:

• Only one‑third of EU financial institutions expect to be ready by July 2027;
• Over 50% anticipate significant disruption from sustained compliance pressure;
• 10–30% AML cost increases are expected by one‑third of institutions;
• 40% view Customer Due Diligence (CDD) requirements as overly rules based; and
• 61% of banks plan to invest in new transaction monitoring tools ahead of 2027.These figures point to a common challenge: institutions understand what’s coming, but many have not yet planned how to adapt their operating models, data foundations, and governance structures.

"Transform and comply": why incremental change is not enough

A central theme of the EU AML roadmap is "transform and comply."

The EU AML Package is not designed to be implemented through isolated policy updates or tactical system fixes. Instead, it pushes institutions to reassess AML end-to-end, including:

• Group‑wide AML frameworks with the designation of an EU top parent company:
  EU-wide rules will require greater alignment across subsidiaries, branches, and business lines. Specifically for groups with a non-EU top parent company, a single EU-based top parent entity will need to be designated to endorse the supervision role for the whole EU and non-EU underlying group entities. This means at this level, institutions will need to appoint clearly defined roles, including a person responsible for compliance with professional obligations (RR) and a compliance officer in charge of monitoring compliance (RC). The framework will also require the establishment of structured group-wide information-sharing mechanisms to ensure consistent application of AML requirements. 
• Operating models and responsibility allocation:
  Harmonised supervision requires clearer accountability across entities and teams from governance, policies and procedures, data, processes, and systems.
• Data quality:
  AMLA will rely on consistent, extractable, and comparable data, increasing pressure on data governance and architecture.
• KYC scalability and maturity:
  Unified expectations expose weaknesses in manual processes and inconsistent refresh cycles, specifically regarding the periodical review of files and the maintenance of the knowledge of the clients via the triggering event mechanism.

Institutions that rely on incremental change risk higher costs, duplicated effort, and increased supervisory friction.

Cross-industry impact

Although banks will be among the most visible stakeholders, the EU AML Package is deliberately cross‑industry. Obliged entities include:

• Banks and credit institutions;
• Asset managers, management companies, and the funds that they manage;
• Professionals of the Financial Sector/Asset Service Providers
• Insurance and reinsurance undertakings; and
• Payment institutions and e‑money providers.

Each sector faces different pressure points, but all must align with the same regulatory logic and supervisory expectations. This makes cross‑industry coordination and group‑level design choices more important than ever.

Luxembourg benefits from a high level of AML maturity built over years of rigorous implementation. This can, however, create a false sense of comfort, as the EU AML Package does not always translate into stricter rules at first glance, just different ones. In reality, many requirements are quite different in how they must be implemented. Different literally means different and will require dedicated adaptation efforts. These changes will still demand significant transformation efforts across operating models, data, and governance.

Harmonisation offers both opportunity and tension

Harmonisation is one of the EU AML Package’s core objectives. A single rulebook and consistent supervision offer clear benefits, including reduced regulatory arbitrage, greater clarity for cross‑border groups, and potential efficiency gains through standardisation.

It is true however that at the same time, institutions are mindful of competitiveness versus the US and Asia, operational differences, such as KYC refresh frequencies, reduced flexibility to tailor AML frameworks locally.

Successfully navigating this tension will require strategic design choices, not just compliance responses, so there is much to think about. Planning ahead now will help reduce surprises or compliance challenges in the future.

Luxembourg in focus: a financial hub under pressure

Luxembourg’s role as a major European financial centre renders it particularly exposed to the EU AML transition.

Survey data shows clear readiness challenges:

• 59% of respondents have not fully analysed the impact of the EU AML Package;
• 42% have no plans to update their AML operating model;
• 40% still rely on fully manual risk assessments; and
• 59% use no digital tools to detect forged or fraudulent documents.

These findings highlight a structural risk: manual, fragmented AML frameworks are increasingly misaligned with EU level supervisory expectations.

But a clear point of differentiation exists. Luxembourg has a genuine opportunity to position itself as a best practice jurisdiction by accelerating its transformation at an early stage.

Data and technology: from enabler to supervisory expectation

One of the most significant shifts under the EU AML Package is the central role of data.

AMLA’s supervision model will rely heavily on standardised data requests, consistent reporting across entities and reusable, high-quality AML, and KYC data.

This elevates data governance, lineage, extractability, and quality to strategic priorities, rather than technical considerations. Institutions that take an early, proactive approach to data and technology will be better positioned to respond efficiently to evolving supervisory expectations.

So why act now?

The roadmap is clear: the window for preparation is narrowing. Between now and July 2027, actors in scope must assess entity level applicability and exposure. A European AML Headquarter must be selected, which will be the entity controlling AML Compliance for all entities in the EU. Then entities must review roles, and responsibilities, data architecture and AML/CTF policy, procedure, and control structures. Finally, entities need to evaluate KYC maturity and scalability. As the roadmap highlights, this regulatory change is not only a compliance exercise. It affects governance, operating model choices, and the future data model of financial institutions.

Closing the gap and looking ahead

The EU AML Package marks an undeniable turning point for AML in Europe. Institutions that act early can turn regulatory change into an opportunity to streamline frameworks, improve risk management, and strengthen trust.

The time to start this journey is now. This article is the first in a planned series over the next upcoming year in various media and on our website. We will explore industry‑specific impacts (banking, funds, insurance), and dive deeper into operating model and data considerations, as we will follow the EU AML Package’s implementation as July 2027 approaches.

Our message is simple: the gap is real, but it can still be closed. The time to act is now.

Want to know more? Our experts are ready to accompany you on this journey.