The EMEA AML Survey 2026 analyses how financial institutions are preparing for the EU AML Package and highlights a growing gap between confidence and concrete action ahead of July 2027.

Key highlights:

   •    59% of respondents have not yet fully analysed the impact of the EU AML Package

   •    42% have no plans to update their AML operating model in Luxembourg

   •    40% of Luxembourg firms still rely on fully manual risk assessments

   •    59% use no digital tools to detect forged or fraudulent documents

The European Union AML Package marks the most far-reaching reform of Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) regulation in the EU’s history. With a single EU rulebook, reinforced supervisory powers through AMLA and strict implementation deadlines, the regulatory transition has now entered an operational phase.

Luxembourg starts this transition from a position of strength. Its financial sector benefits from mature AML frameworks, long-standing cross-border supervision experience, and a well-established compliance culture. Yet the findings of the EMEA AML Survey 2026 Luxembourg reveal growing tension between this confidence and the level of concrete actions taken to prepare for the new framework.

Based on responses from a highly representative sample of Luxembourg financial institutions and benchmarked against EU and international peers, this report highlights where Luxembourg is well positioned, and where inaction, underinvestment and overreliance on manual processes may expose firms to regulatory, operational and strategic risk as the July 2027 deadline approaches.

Confidence vs. preparedness

Luxembourg institutions widely acknowledge that the EU AML Package will have a material impact on their operations. Three quarters of respondents expect at least a medium impact, implying a reallocation of AML resources of 5% or more. Despite this, many firms have yet to translate awareness into concrete preparation.

Only a minority of Luxembourg respondents have conducted a full impact assessment, and Luxembourg ranks as the most inactive EU country in terms of updating AML operating models. This gap between perceived impact and action suggests a risk of overconfidence, compounded by reliance on group-level instructions and wait-and-see strategies.

With regulatory scrutiny increasing and hard deadlines approaching, delayed decision-making may significantly constrain firms’ ability to adapt smoothly and cost-efficiently.

Operational pressure points

Operationally, the EU AML Package does not represent a complete overhaul for Luxembourg, but rather a series of targeted yet impactful changes. The survey identifies Customer Due Diligence (CDD) onboarding and periodic reviews as the controls most affected by the new framework.

Despite this awareness, alignment with the CDD regulatory technical standards remains limited, and remediation efforts are predominantly planned in-house, even as many firms report no intention to increase headcount or outsource activities. In parallel, risk assessment and fraud prevention processes remain highly manual compared with EU peers.

These factors create a cumulative operational risk: incremental regulatory changes may trigger significant strain on already stretched AML functions if left unaddressed.

Technology and data: the missing link

Technology and data readiness emerge as critical weaknesses in the Luxembourg market. Firms report strong concerns around data collection and reporting requirements, yet continued underinvestment in digital tools. On average, Luxembourg firms allocate less of their AML budget to technology than EU peers, and investment in AI for AML has declined further since 2024.

While some institutions are exploring the use of AI, adoption remains cautious and focused on relatively basic solutions. Advanced use cases, particularly for transaction monitoring and fraud detection, remain limited. At the same time, many firms express confidence in systems that still rely heavily on manual processes.

The survey findings suggest that without accelerated and more strategic investment in digital infrastructure, data quality and automation, Luxembourg risks falling behind both regulatory expectations and competing financial centres.

Claude Marx, Directeur général, Commission de Surveillance du Secteur Financier said: 

“It is urgent for Luxembourg entities to get educated about the possibilities that technology offers to make AML/CFT future-fit and live up to expectations of recent regulatory requirements. Besides fulfilling regulatory expectations and safeguarding the entities’ reputation, the increased use of modern technology in compliance also allows entities to operate at scale without slowing legitimate customer activity, which is increasingly becoming a concern for bona fide customers.”

Michael Weis, Advisory Partner, Forensics & Anti-Financial Crime Leader, PwC Luxembourg said:

“The question for Luxembourg firms is no longer whether change is required, but how decisively and how early they choose to act.”

The full report can be found here.