EU AML Package: Eight Critical Implementation Pitfalls To Avoid
What Financial Institutions Cannot Afford To Ignore
June 01, 2026
The European Union’s Anti-Money Laundering Package (‘AMLP’) represents the most significant overhaul of financial crime compliance frameworks in decades. With a go-live date of July 10, 2027, financial institutions have approximately 18 months to implement comprehensive changes across their AML and countering the financing of terrorism (‘CFT’) infrastructure.
While 18 months may seem like a long time, anyone with experience of delivering complex regulatory change knows it is not — and with a regulation as comprehensive as the AMLP, the stakes are high. The EU’s new package introduces more than 50 specifications, including regulatory technical standards (‘RTS’), implementing technical standards, guidelines and delegated and implementing acts. Because these requirements are so numerous and detailed, from additional customer information collection to new beneficial ownership definitions, they require large-scale transformation and must be accomplished over time.
Firms that begin strategic planning today will implement sustainable controls whereas those that delay are at risk of rushed implementations that will be plagued by predictable pitfalls. This matters because unlike the previous EU AMLD directives, the core AMLR regulation will apply uniformly across all EU member states from day one, leaving no room for delayed compliance.
For a selected group of approximately 40 in-scope firms, the pressure is doubly on because their new regulator, the Frankfurt-based EU-wide Anti-Money Laundering Authority (‘AMLA’), will start directly supervising them from January 2028. This move underlines a broader regulatory pivot toward more intrusive, data-driven supervision. But even firms outside of AMLA’s direct remit should prepare for heightened scrutiny and elevated expectations from both European and national regulators.
What Is Changing With the AMLP?
The AMLP introduces material changes with significant implications for business processes, systems, data architecture, and customer-related activities.
- Expanded customer information requirements: Ultra high net worth individuals and high net worth individuals are now explicitly high-risk categories, requiring updates to policies, procedures, data fields and information management systems, potentially necessitating large-scale customer outreach.
- Redefined risk categories: The expanded definition of Politically Exposed Persons will likely increase high-risk customer populations, resulting in higher workloads due to enhanced due diligence requirements and shorter know your customer (‘KYC’) review cycles.
- Harmonised KYC timelines: Maximum review intervals of every five years for low-risk customers and every 12 months for high-risk customers.
- New beneficial ownership standards: The prescribed calculation method and ownership threshold may increase the number of natural persons requiring documentation — in some cases all senior managing officials — and mandate additional data points such as identity document numbers alongside specific verification requirements.
Eight Implementation Pitfalls To Avoid
As firms are poised to start implementing the AMLP internally, our experience of helping clients navigate regulatory change of a similar magnitude tells us that firms will grapple with eight critical pitfalls.
- Compressed timelines: With around 18 months to implement the AMLP’s core changes, firms must mobilise quickly and move at pace. This can lead to a flawed delivery approach, where firms attempt to deliver too much too quickly, rather than sequencing a realistic implementation roadmap. This results in risk misidentification and misaligned controls. One way to avoid falling into this implementation trap is clustering obligations to create a transparent link between legal expectations and operational implications, enabling focused planning and effective prioritisation of the required framework enhancements. Firms should conduct structured assessments of their current capabilities against AMLP requirements now to produce a quantified inventory of gaps and realistic resource estimates.
- Insufficient governance and oversight: This is another trap firms can fall into when delivering regulatory change at pace. Gaps and duplication of effort often occur when oversight mechanisms are insufficient or unclear, or where roles and responsibilities have been poorly defined or misallocated. Although it may seem counterintuitive, firms should not rush through mobilisation. Instead, they should ensure clear programme governance through defined decision-making authority, escalation paths and accountability frameworks before moving into enhancement design.
- Underestimating the scale of change: The AMLP’s detailed requirements demand large-scale transformation, which necessitates governance and organisational evolution, not least due to the introduction of the new Compliance Manager role. By establishing balanced governance structures including both the first (‘1LOD’) and second lines of defence (‘2LOD’) and investing in comprehensive stakeholder alignment from the outset, firms can ensure that framework enhancements are proportionate and operationally realistic. Success can then be measured through formal cross-functional governance committees, stakeholder visioning workshops, and documented sign-off on design principles.
- Weak programme design: Given the package’s magnitude, firms must ensure that the changes they implement do not result in an operating model that is overly complex or disconnected from operations, reflecting a theoretical ‘paper design’ rather than business reality. Firms should aim for a single, enterprise-wide framework that is road-tested before full-scale implementation to ensure it balances regulatory requirements with operational feasibility.
- Missing benchmark standards: The challenge of delivering a complex transformation at pace is further compounded by the fact that only a handful of draft RTS have been published so far with final versions not expected until, at the earliest, end of Q2 2026. The lack of confirmed standards has held some firms back from finalising enhancements for fear of regulatory goalposts moving at the last minute. While no one can precipitate the finalised standards, firms can anticipate them, but this requires balanced representation from both 1LOD and 2LOD in regulatory interpretation and design decisions. Work should begin on conclusively defined regulations while monitoring developments in uncertain areas.
- Persisting national variations: While a desire to harmonise and bring clarity to the financial services industry is a core driver behind the AMLP, some scope for bloc-level divergence remains through national derogations and imprecise wording. Firms with a global footprint will have to reconcile AMLP requirements with anti-financial crime regulatory regimes elsewhere. This is another reason why fostering cross-functional collaboration is critical for a successful regulatory transformation.
- Resource pressure: Competition for skilled AML, data and compliance talent is already fierce and, given the scale of upcoming regulatory change, is likely to intensify as firms move into transformation mode. Having dedicated, ringfenced and capable resources in place prior to transformation work kicking off will ensure firms are well positioned to deliver in full and on time.
- Data and insight limitations: With a move to a data-driven supervision model, firms can ill afford not to put data at the centre of their regulatory change programmes, and data remediation should be prioritised as foundational work. Conducting comprehensive data assessments early is key to identifying gaps in customer information, beneficial ownership data, risk scoring inputs and management information capabilities, as well as quality issues and integration challenges, ensuring data-centric transformation. Firms can then track improvements through measurable KPIs such as percentage of customer records with complete required information and data accuracy rates.
Achieving AMLP Readiness
The AMLP’s harmonisation agenda, AMLA’s supervisory model and the shift toward data-driven oversight signal the direction of travel for financial crime compliance across the EU for the next decade. Each institution’s starting point will shape the specific changes required to achieve AMLP readiness. There will be huge variance in the level of transformation needed for each firm depending on their organisational maturity and geographical location. The firms that will emerge strongest from the AMLP transition are those that resist the temptation to treat this as a compliance exercise and instead use it to build something durable.
The fundamental challenge is universal: implementing comprehensive changes within a compressed timeline while avoiding predictable pitfalls. Firms that act now with structured planning, balanced design and robust stakeholder engagement will meet the end of Q2 2027 deadline with sustainable, supervisory-ready controls. Those that delay risk regulatory sanctions, operational disruption and competitive disadvantage.