AMLD6 and AMLR: the new AML obligations for the Luxembourg financial sector

The European Union has embarked on a major overhaul of its framework for combating money laundering and terrorist financing. This new legislative package — comprising primarily the 6th Anti-Money Laundering Directive (AMLD6), the Anti-Money Laundering Regulation (AMLR) and the creation of a dedicated European authority (AMLA) — represents the most significant change in AML regulation since the European framework was first established. For Luxembourg, a leading international financial centre, the implications are far-reaching.

AMLD6: the harmonisation of criminal sanctions

The primary objective of the 6th Anti-Money Laundering Directive (Directive 2018/1673/EU) is to harmonise the definition of money laundering and the related criminal sanctions across all Member States of the European Union. Until now, disparities between national laws created loopholes exploited by criminal networks, which directed their activities towards the most lenient jurisdictions.

The 22 predicate offences

AMLD6 defines a harmonised list of 22 predicate offences which, when they generate financial proceeds, constitute the basis for a money laundering offence. This list is considerably broader than those previously in force in many Member States and now includes:

  • Cybercrime, reflecting the growing importance of offences committed via digital technologies.
  • Environmental offences, recognising that ecological crimes can generate substantial illicit financial flows.
  • Tax offences relating to both direct and indirect taxes, confirming the link between tax evasion and money laundering.
  • Human trafficking, drug trafficking, corruption, fraud, counterfeiting, and terrorist financing, among others.

Aiding, abetting and extended liability

A major contribution of AMLD6 is the explicit criminalisation of aiding, abetting and attempted money laundering. Simply helping, assisting or facilitating a money laundering operation — even if it is not carried through to completion — is now punishable by criminal sanctions. This provision considerably expands the range of persons who may be subject to prosecution.

The directive also introduces the concept of self-laundering, making it possible to prosecute the perpetrator of the predicate offence also for laundering the proceeds of that offence. This provision, which did not previously exist in all jurisdictions, closes an important gap in the enforcement framework.

Criminal liability of legal entities

AMLD6 requires Member States to establish criminal liability for legal entities for money laundering offences committed on their behalf or for their account by persons in a leadership position. Sanctions applicable to legal entities include criminal fines, exclusion from public contracts, placement under judicial supervision, and even compulsory liquidation in the most serious cases.

For individuals, AMLD6 sets a minimum sanctions threshold: at least four years' imprisonment for the most serious forms of money laundering, in particular where the offence is committed within the framework of a criminal organisation, where the amounts involved are particularly significant, or where the perpetrator is a professional subject to AML/CFT obligations.

AMLR: the single rulebook

The Anti-Money Laundering Regulation (AMLR) constitutes a paradigm shift in the European approach to AML compliance. Unlike directives, which leave Member States a degree of latitude in transposition, the regulation is directly applicable across the entire European Union, without the need for national transposition. This approach aims to eliminate the interpretive differences and gaps that have weakened the European framework for years.

A uniform framework for customer due diligence

The AMLR harmonises Customer Due Diligence (CDD) obligations across the entire Union. It defines in a precise and uniform manner the situations in which Simplified Due Diligence (SDD), standard due diligence or Enhanced Due Diligence (EDD) must be applied. The risk factors to be taken into account for client categorisation are also standardised, including geographical risk, client risk, product or service risk, and distribution channel risk.

The regulation also clarifies obligations regarding the identification of Ultimate Beneficial Owners (UBOs), imposing a uniform threshold of 25% direct or indirect shareholding for the determination of beneficial owner status. It tightens verification requirements, demanding reliable and independent information sources, and requires regular updating of beneficial ownership information.

Interconnected beneficial ownership registers

The AMLR provides for the interconnection of national beneficial ownership registers through the BORIS system (Beneficial Ownership Registers Interconnection System). This interconnection will allow obliged entities and competent authorities to access beneficial ownership information on companies registered in other Member States, considerably facilitating verification for cross-border structures.

The regulation also strengthens reporting obligations for legal entities, requiring detailed and up-to-date information on their ownership and control structure to be communicated. Sanctions for non-reporting or inaccurate reporting are significantly enhanced.

AMLA: a European supervisory authority

The creation of the Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt, represents the most significant institutional innovation of the new legislative package. AMLA will be endowed with direct and indirect supervisory powers, combining a centralised approach for the highest-risk entities with enhanced coordination for all others.

Direct supervisory powers

AMLA will exercise direct supervision over a limited number of financial entities identified as presenting the highest risks. The selection process will be based on objective criteria, including the volume of cross-border activity, structural complexity, history of non-compliance and inherent risk profile. Selected entities will be subject to on-site inspections, information requests and sanction procedures directly from AMLA.

For Luxembourg, this direct supervision could affect several internationally significant financial institutions, given the Grand Duchy's role as a domiciliation centre for funds and cross-border financial services.

Coordination and mediation

Beyond direct supervision, AMLA will play a crucial role in coordinating national supervisory authorities (in Luxembourg's case, the CSSF). It will issue guidelines, technical standards and recommendations aimed at ensuring convergent application of the rules across the Union. In the event of disagreement between national authorities, AMLA will have binding mediation powers.

Specific impact on Luxembourg

As an international financial centre, Luxembourg is particularly affected by these regulatory developments. Several factors amplify the impact of AMLD6 and AMLR on the Luxembourg financial sector:

  • The volume of cross-border activity: the majority of Luxembourg financial services have an international dimension, which multiplies the risks of cross-border money laundering and the associated due diligence obligations.
  • The investment fund industry: Luxembourg is the largest fund domiciliation centre in Europe and the second largest globally. Investment structures — often multi-layered and multi-jurisdictional — present specific challenges in identifying beneficial owners.
  • Professionals of the Financial Sector (PSF): support PSF, fund administrators and depositaries are subject to the same obligations as credit institutions, often with more limited resources to fulfil them.
  • The family office and wealth management sector: high-net-worth international clients require enhanced due diligence and a thorough understanding of the source of funds.

New CDD requirements under the new framework

The new regulatory framework fundamentally changes Customer Due Diligence obligations for Luxembourg professionals. The main developments concern:

Remote identification: the regulation defines precise standards for remote identity verification, including requirements for biometric recognition, electronic document verification and liveness detection. These provisions facilitate digital onboarding while maintaining a high level of security.

Mandatory Enhanced Due Diligence: the AMLR extends the list of situations requiring EDD, now including transactions involving crypto-assets above a certain threshold, business relationships with entities established in countries identified as having strategic deficiencies, and complex transactions without apparent economic justification.

Transaction monitoring obligations

The AMLR significantly strengthens transaction monitoring obligations. Obliged entities must have automated systems capable of detecting unusual transactions based on the client's risk profile, transactional history and pre-determined detection scenarios. The regulation also requires periodic review of detection parameters to ensure their ongoing effectiveness.

Reporting obligations are also reinforced: Suspicious Transaction Reports (STRs) must be transmitted to the FIU without delay, and the regulation imposes quality and completeness standards for these reports. AMLA will publish standardised forms for cross-border STRs, facilitating cooperation between national FIUs.

Record-keeping and retention

The AMLR harmonises record retention obligations to a period of five years after the end of the business relationship or the completion of the transaction. This retention covers all documents collected in the context of CDD, transaction records, client correspondence and internal reports relating to alerts generated by monitoring systems.

Retained data must be rapidly accessible upon request from the CSSF, the FIU or AMLA, and must be stored in a manner that guarantees its integrity and confidentiality, in compliance with the GDPR.

Implementation timetable

The implementation timetable for the new legislative package spans the period 2026–2028:

  • 2026: obliged entities must begin adapting their internal policies and procedures to anticipate the requirements of the regulation. National authorities are preparing cooperation mechanisms with AMLA.
  • 2027: the main provisions of the AMLR enter into application. Entities must be in compliance with the new CDD, EDD and transaction monitoring requirements. The interconnection of beneficial ownership registers enters its operational phase.
  • 2028: AMLA becomes fully operational and begins direct supervision of selected entities. Cross-border cooperation mechanisms are in place.

Practical steps to prepare

In the face of these developments, Luxembourg professionals must adopt a proactive and structured approach. Here are the key steps to consider:

  • Conduct a compliance audit (gap analysis) to identify the gaps between current practices and the requirements of the new regulatory framework.
  • Update the firm's risk assessment (BRA) to incorporate the new risk factors identified by the AMLR.
  • Adapt CDD and EDD procedures to the new requirements, in particular for beneficial owners and remote identity verification.
  • Strengthen transaction monitoring systems to meet the standards of the regulation.
  • Train teams on the new obligations and the practical implications of the new framework.
  • Invest in digital tools capable of handling the increased complexity of compliance obligations.

How e-KYC.lu already aligns with these requirements

The e-KYC.lu platform was designed with a forward-looking vision, already integrating features aligned with the requirements of the new regulatory framework:

  • Granular management of due diligence levels: CDD, SDD and EDD with differentiated workflows and documentary requirements adapted to each risk level.
  • Real-time screening compliant with AMLR requirements, covering sanctions, PEPs and adverse media, with continuous database updates.
  • Complete and immutable audit trail, meeting the retention and traceability requirements of the regulation.
  • Certified training covering the new AMLD6 and AMLR obligations, enabling teams to prepare for the regulatory changes ahead.
  • Compliance dashboard providing real-time visibility across the entire KYC portfolio, facilitating reporting to authorities.

Conclusion: a necessary and urgent transformation

AMLD6 and AMLR represent the most ambitious overhaul of the European anti-money laundering framework since its inception. For the Luxembourg financial sector, these developments are not simply additional regulatory constraints: they represent an opportunity to reinforce the Grand Duchy's reputation as a clean, transparent and rigorous financial centre.

Professionals who anticipate these changes and invest today in bringing their processes into compliance will be the best positioned to navigate this transition. Those who wait until the final deadlines risk struggling with requirements whose complexity and scope demand methodical preparation. Digitalising KYC/AML processes is no longer optional: it is the indispensable foundation on which durable and effective compliance must be built.
