The EU anti-money laundering package applies on 10 July 2027. Here is what changes for compliance teams at Luxembourg’s fund administrators, management companies and depositary banks, and how to use the year that remains.

Most AML due diligence in Luxembourg still runs on workarounds: a periodic review tracked in a spreadsheet, beneficial ownership checked once at onboarding, the evidence behind a decision spread across emails. It holds up until someone asks to see it. From 10 July 2027 the standard for how due diligence is done, evidenced and supervised rises for everyone, and the year to prepare for it has already started.

The KPMG Luxembourg and Finologee partnership combines KPMG’s regulatory and advisory expertise with Finologee’s RegTech platform, KYC Manager, to close the gap between strategy and execution. This article looks at the AML package from both angles, the regulatory and the operational.

What is changing

For the regulatory reading, we asked Giovanna Giardina, Partner and Forensic & Financial Crime Leader at KPMG Luxembourg. Her assessment: the regime becomes more uniform across the EU, aligning with Luxembourg’s stricter standard and considerably more demanding on data governance and reporting. In practice, that means:

  • One rulebook, applied directly across the EU, with far less room for local interpretation.
  • New data points to be collected and stored.
  • More frequent and comprehensive reporting to the authorities.

“The Luxembourg regulatory framework was already more stringent than those of other European countries, thus, although new obligations arise, the greater impact for the Luxembourg-based entities will be around data storage and reporting.”

Giovanna Giardina, Partner, Forensic & Financial Crime Leader at KPMG Luxembourg

A new supervisor, a single standard

Supervision changes too. From 2028, the EU’s new authority, AMLA, takes direct supervision of around 40 of the largest cross-border groups to be named in 2027. AMLA will also oversee national competent authorities, harmonising supervisory practices and interpretation of the regulation.

The countdown

The implementation timeline is fixed, with the key dates as follows:

  • 1 July 2027: AMLA names the entities it will supervise directly.
  • 10 July 2027: the new AML package applies to all obliged entities.
  • 1 January 2028: AMLA’s direct supervision begins.

In one year, all obliged entities must be compliant with the new regulation and able to collect and store all necessary data points for new business relationships and provide the authorities with the required reporting.

Gap and impact assessment should be performed soon to ensure that any necessary remediation is finalised before July 2027.

From rules to workflows

The regulation sets the standard. Proving the standard is met, consistently and on demand, is the harder part and it is where operational readiness is decided.

This is the work KYC Manager is built for. It covers the full client lifecycle in one place, from onboarding through ongoing monitoring and periodic review, so each relationship keeps a single record and a single history. Reviews run on a risk-based schedule and capture the trigger, the checks and the decision as they happen, so the audit trail builds itself instead of being reconstructed later. Screening against sanctions, PEP and adverse media lists runs continuously, with every match routed to a person rather than left in a queue.

When a supervisor asks how a decision was reached, the answer is a record, not an email hunt.

“Most teams already know what good due diligence looks like. The new standard is about proving it, every time and at scale, and that is an infrastructure question, not a legal one.”

Jonathan Prince, co-founder and CSO at Finologee

Where readiness breaks down

In Giovanna Giardina’s experience, one gap accounts for most of the exposure:

“It will be relatively easy to adapt the AML framework of each obliged entity to the new standards. What might be more complex and time- and resource-consuming is to ensure that the required level and quality of data is available, and the capacity to generate relevant reporting.”

Giovanna Giardina, Partner, Forensic & Financial Crime Leader, KPMG Luxembourg

The year ahead

Twelve months is enough time to prepare, provided the work starts now. The coming months should go to a clear-eyed gap assessment, the rest of the year to redesigning and rebuilding what it exposes, and the final stretch to confirming it all holds. The teams that treat this as an operational programme, not a reading exercise, are the ones that will not be working against the clock in 2027.

To see how KYC Manager supports lifecycle management, periodic review and screening under the new framework, book a demo.