
AMLA Luxembourg: in March 2026, the Authority for Anti-Money Laundering and Countering the Financing of Terrorism launched its first data collection exercise targeting the financial sector, placing Luxembourg at the front line of a structural shift in European AML supervision. The institutions that received a notification from the CSSF scrambled to prepare their submissions. Those that did not breathed easier. Both reactions, in different ways, missed the point.
The exercise is officially described as a testing and calibration phase: AMLA is building the risk assessment models that will determine, in 2027, which institutions come under its direct supervision from 2028. Forty entities across the EU will eventually be selected, all of them cross-border, all of them assessed as carrying a high residual money laundering and terrorist financing risk. For the vast majority of Luxembourg’s financial sector, that sounds like someone else’s problem. It is not.
Forty entities, but one methodology for everyone
The selection threshold for direct AMLA supervision is specific: institutions must be active in at least six Member States, with meaningful activity defined as more than 20,000 resident customers in a given jurisdiction or more than EUR 50 million in transaction flows. By that measure, a large portion of Luxembourg-domiciled funds, banks and payment institutions will not qualify for the first cohort of forty.
But the methodology being tested in March 2026 is not built for forty institutions. It is being built for the entire EU financial sector.
AMLA’s mandate explicitly includes supervisory convergence: national supervisors across all 27 Member States will be expected to apply the same risk assessment framework that AMLA uses to select its directly supervised entities. The CSSF, like every other national supervisor, will work within that common methodology. When AMLA Chair Bruna Szego described the harmonised risk standards announced in late 2025 as “a significant step toward supervisory convergence”, she was not speaking only to the institutions likely to end up on the list of forty. She was describing a structural change to how AML supervision works across the board.
The data collection exercise running from March to April 2026 therefore serves two distinct purposes, and the second is the one that matters most for Luxembourg. The first purpose is obvious: calibrating the selection model. The second, stated just as clearly in AMLA’s own documentation, is to ensure that money laundering risks of credit and financial institutions are assessed consistently by supervisors across the EU. That consistency project is universal. Being outside the scope of direct supervision does not place an institution outside the scope of convergence.
What the CSSF response reveals about AMLA Luxembourg’s reach
The CSSF’s handling of the March exercise is itself instructive. The European-level calibration exercise formally selected a sample of institutions, notified them directly, and made their participation mandatory. So far, standard procedure.
What the CSSF then did is more telling: it extended the AMLA-developed data collection templates to all credit and financial institutions under its supervision, not just those selected for the calibration exercise. Institutions that received no notification from AMLA are nonetheless submitting to the CSSF, using the same data architecture, by the same April deadline.
The CSSF’s circular is explicit that this approach is designed to “ensure consistency and a level playing field, against the background of preparing for the new common EU AML/CFT methodology.” That phrase contains a significant operational implication. The CSSF is treating the AMLA methodology not as a future consideration for the largest institutions, but as the baseline against which the entire supervised population should begin measuring itself.
Luxembourg sits in a structurally exposed position in this transition. The Grand Duchy hosts more than EUR 6.2 trillion in fund assets under management, a banking sector that generated EUR 7.4 billion in profit before provisions in the first three quarters of 2025, and a population of financial intermediaries that are, by design, cross-border. The very features that make Luxembourg attractive as a financial centre (international clientele, complex delegation structures, multi-jurisdictional fund flows) are precisely the features that AMLA’s risk methodology is designed to assess. The 2023 FATF mutual evaluation of Luxembourg identified the banking and investment sectors as among the most vulnerable to money laundering and terrorist financing. That assessment was made under the old national methodology. Under AMLA’s harmonised framework, the same vulnerabilities will be measured with a common ruler, comparable to what every other EU supervisor applies.
A data quality reckoning
Behind the supervisory architecture lies a more immediate operational challenge: data.
AMLA’s risk models are built around structured, quantitative data points, among them the number of customers by jurisdiction, total transaction values, the volume of high-net-worth client relationships, and the proportion of customers classified as politically exposed persons. These are not new categories for compliance functions. But the expectation that they can be extracted, validated and submitted in a standardised format by April 2026, consistently and comparably across institutions, is a higher bar than many organisations have previously cleared.
The March exercise is explicitly a test of that capacity. AMLA’s documentation for the reporting package acknowledges that the data collection is partly designed to allow participating financial institutions to test and prepare their systems for future data collections. The calibration is mutual: AMLA is calibrating its models, and the sector is calibrating its ability to feed them.
For compliance officers and MLROs, this is where the practical stakes of the exercise become concrete. An institution that discovers in March 2026 that its customer data is fragmented across legacy systems, that its transaction monitoring output cannot be mapped to AMLA’s templates without manual reconciliation, or that its jurisdictional activity tracking falls short of the required granularity, is not facing a 2026 problem. It is facing a 2027 problem, when the real selection exercise runs, and a 2028 problem, when direct supervision begins for those selected.
The institutions that treat the current exercise as a dry run will be better positioned. Those that treat non-participation as an exemption from preparation will find that the CSSF’s own data expectations have quietly shifted in the interim.
The C-suite question: AMLA Luxembourg and governance readiness
The compliance function cannot absorb this transition alone, and that is the aspect of AMLA’s rollout that boardrooms in Luxembourg have been slowest to internalise.
The shift from fragmented national supervision to a harmonised EU-level model is not, at its core, a technical update to existing processes. It represents a change in the standard against which an institution’s AML framework will be evaluated: not against historical CSSF precedent, or against what peers in Luxembourg typically do, but against a common methodology calibrated across 27 jurisdictions and designed to be operationally robust at the scale of the most complex cross-border institutions in Europe.
Building towards that standard requires decisions at the governance level: whether the compliance function has adequate resources and seniority, whether the technology infrastructure supports the data architecture AMLA requires, whether third-party and delegation relationships are documented with the traceability that a structured supervisory assessment will demand. Those are not questions a compliance officer can resolve unilaterally.
The talent dimension is equally material. Luxembourg’s compliance market has been under sustained pressure for several years, with senior AML and regulatory expertise in short supply relative to demand. The current phase of AMLA implementation, before direct supervision begins, is precisely the window in which institutions should be assessing their capability gaps and addressing them. The window will close faster than the 2028 deadline implies, because the real selection process begins in 2027, and the data that informs it is being collected now. Firms like We Put You in Touch exist precisely because regulatory expertise does not centralise as easily as institutional mandates do.
The architecture of what comes next
The March data collection is the first element of a multi-year construction project. AMLA’s Single Programming Document for 2026 to 2028 identifies 24 of its 40 regulatory mandates as deliverable within 2026 alone, covering everything from regulatory technical standards on customer due diligence to implementing rules on supervisory cooperation. The Anti-Money Laundering Regulation (AMLR) itself becomes directly applicable across all EU Member States on 10 July 2027, without national transposition: one set of rules, identical in Frankfurt, Warsaw and Luxembourg.
For the 40 institutions that will be directly supervised from 2028, the journey will be intensive. Joint supervisory teams combining AMLA staff and national supervisors will conduct on-site inspections, impose administrative measures and, where necessary, apply pecuniary sanctions. AMLA also has the capacity to request a European Commission decision placing any institution under direct supervision, irrespective of the standard eligibility criteria, if systematic AML failures are identified and the national supervisor is deemed to have acted insufficiently.
For the institutions that fall outside those forty, the AMLR framework still applies in full. National gold-plating, the use of local interpretations to soften or adjust EU-level requirements, will no longer be available once the Regulation enters into force. The CSSF will supervise against the same standards AMLA uses.
The practical implication is that being out of scope for direct supervision is a statement about the supervisory channel, not about the level of scrutiny. By 2027, the question is not whether an institution will be assessed against AMLA’s methodology, but through whom.
Not a compliance exercise
The March data collection has been treated, by most of those subject to it, as a reporting obligation: fill in the templates, meet the deadline, move on. That framing understates what is happening.
AMLA’s calibration exercise is the first operational expression of a structural transformation in how AML supervision works in the European Union. The methodology it is testing will become the common language of AML risk assessment across every national supervisor. The data quality standards it is probing will become the baseline expectation for every institution that wants its risk controls to be legible to a supervisor operating at EU scale.
For Luxembourg, the financial centre most deeply exposed to the cross-border flows and complex institutional structures that AMLA’s framework is designed to assess, the March exercise is an early indicator of what consistent supervision looks like. The institutions that read it as such, and begin adapting accordingly, will be better prepared. Those that read it as someone else’s problem will find, in 2027, that the methodology arrived before they did.
References
- AMLA, “AMLA launches data collection exercise to test risk assessment models” (16 March 2026) — amla.europa.eu
- AMLA, Press Release: “AMLA to launch data collection exercise to test risk assessment models for the financial sector” — amla.europa.eu
- AMLA, Interpretative Note, AMLA 2026 Testing and Calibration Exercise (16 March 2026) — amla.europa.eu
- AMLA, “AMLA Takes Major Step in Preparing for Direct Supervision”, Press Release — amla.europa.eu
- AMLA, Single Programming Document 2026-2028 — amla.europa.eu
- AMLA, FAQs — amla.europa.eu
- CSSF, Circular Letter: AML/CFT standardised data collection exercise (12 February 2026) — cssf.lu
- CSSF, “2025 Questionnaire on Financial Crime” (23 February 2026) — cssf.lu
- Freshfields, “Will you be directly supervised by AMLA? Draft RTS on the selection of obliged entities” — riskandcompliance.freshfields.com
- Jones Day, “Direct Supervisory Powers of the New European Anti-Money Laundering Authority” (July 2025) — jonesday.com
- Protiviti, “AMLA Readiness Starts Now: Ten Practical Moves for 2026” (March 2026) — blog.protiviti.com
- EY Luxembourg, “AML Package and regulatory crossroads: how fund managers should navigate among AMLA, CSSF and AED” — ey.com
- Chambers and Partners, “Banking Regulation 2026: Luxembourg” — practiceguides.chambers.com
- Elias Neocleous, “AMLA’s First Data Collection Exercise: What It Signals for the Future of EU AML Supervision” (February 2026) — neo.law
- FATF, “Luxembourg: Mutual Evaluation Report” (September 2023) — fatf-gafi.org
- Global Legal Insights, “Banking Laws and Regulations 2026: Luxembourg” — globallegalinsights.com
