The 14-Month Window: Why Customer Due Diligence Is the AMLR Bottleneck Most Firms Are Underestimating

There is a particular danger in headline statistics. They give a sense of urgency without telling you where to act. The most quoted finding from the PwC EMEA AML Survey 2026, published on April 21, is that only one-third of EU financial institutions expect to be ready for the EU AML Package by the July 10, 2027 deadline. Two-thirds, in other words, risk being non-compliant for what PwC describes as the most significant overhaul of AML regulation in more than a decade.

That is a useful number for getting attention. It is not a useful number for deciding what to do.

A different finding from the same survey is more actionable, and it has received less coverage. Forty percent of respondents identified customer due diligence as the area where the AMLR is most operationally burdensome and rules-based. That is not a complaint about regulatory ambition. It is compliance officers telling their own market exactly where the bottleneck sits. Anyone planning the next 14 months of AMLR readiness work should start there.

The Deadline Math

The AMLR applies from July 10, 2027. From today, that is roughly 14 months. The institutions PwC surveyed (531 across 40 countries, with a substantial Luxembourg sample) were asked whether they expect to be ready in time. The detail underneath the one-third figure is worth pausing on. Fewer than 30% have completed both a detailed analysis and an impact assessment of the package. Around one-third anticipate compliance costs rising 10% to 30% over the next two years. AMLA's first reporting exercise, launched in March 2026, has already revealed significant data and process gaps in the institutions that have submitted information.

These are not the numbers of a sector that is on track. They are the numbers of a sector that has understood the destination but has not finished mapping the route.

For management companies and TCSPs, the picture is sharper. The AMLR's CDD rules under Article 28 specify the information that must be collected and verified, and the package's beneficial ownership reforms tighten the threshold for identifying ultimate beneficial owners. Group-wide policy requirements under Article 16, on which AMLA published draft RTS in April 2026, apply to firms with cross-border structures. For a Luxembourg management company with Mauritius or Channel Islands exposure, that is most files.

The CDD Bottleneck

Why is CDD specifically the operational bottleneck?

The answer is not that the rules are unfamiliar. It is that the rules are dense, and the underlying data infrastructure is not built to feed them. CDD under the AMLR requires identification of the customer, identification of beneficial owners, verification of identity documents, assessment of the purpose and nature of the relationship, ongoing monitoring of transactions and updates to information, and the maintenance of records that can be produced to a supervisor on request. Each of those is straightforward in principle. Together, on a portfolio of customers with layered ownership, they are an evidence assembly problem the firm has to solve thousands of times.

Eighty-nine percent of PwC's respondents identified data quality as the single largest barrier to adopting AI in their AML workflows. That figure has not moved since the 2024 edition of the survey. More than a third of respondents expect to make significant changes to their data structures to meet AMLR requirements. AMLA's reporting exercise has confirmed that many institutions are still working out what data they have to produce and how to generate it.

Read these findings together and a clear shape emerges. The AMLR readiness problem is not really a regulatory problem. It is a data infrastructure problem with a regulatory deadline. The reason CDD is the bottleneck is that CDD is the AMLR requirement that exposes the data infrastructure most directly. A firm cannot automate evidence it cannot find.

Where Investment Is Going, and Where It Should Go

PwC found that 61% of banks and 57% of asset and wealth management firms plan to introduce new technology in transaction monitoring within 24 months. That is a rational response to operational pressure, but it is not aligned with where the bottleneck actually is. Transaction monitoring sits downstream of CDD. Better screening of transactions does not help if the underlying customer record is incomplete or contradictory.

The more useful sequence for a firm with limited budget and a 14-month window is the opposite of the headline trend.

First, map the current CDD data flows. For each category of customer, where does the evidence physically live, who has access to it, and how long does it take to produce on request. The firms that perform well in CSSF inspections are not necessarily the ones with the most sophisticated systems. They are the ones that can produce the file when asked.

Second, identify gaps against AMLR Article 28 specifically. The article enumerates what must be collected and verified for each customer category. Compare that list against what the firm actually holds, in machine-readable form, today. Most firms will find the gap is not in the policy but in the consistency of what is captured.

Third, decide what to fix internally and what to source externally. CDD is an area where the build versus buy decision is genuinely contested. Identity verification, sanctions and PEP screening, registry data, and ongoing monitoring all have mature vendors. The integration is the hard part, not the components.

Fourth, build for AMLA's data reporting requirements rather than retrofitting later. The first AMLA reporting exercise has already shown what kinds of data the authority will expect. Firms that build their CDD data model with that output in mind will avoid duplicating work in 2027 and 2028.

What Readiness Looks Like in 14 Months

Readiness for July 2027 is not a binary. It is a position on a spectrum that runs from "we have a plan" to "we can produce a complete, verifiable customer file in machine-readable form on supervisory request, across our whole portfolio, in any of the jurisdictions where we operate." Most of the firms PwC surveyed are closer to the first position than the second. The path between them is not optional, and it is not a procurement decision. It is a sustained programme of CDD data work.

Fourteen months is short for that programme. It is enough time to do it properly if it starts now. It is not enough time to do it properly if it starts in Q4. The firms that are already in motion are not necessarily the ones with the largest budgets. They are the ones that have understood that CDD is the AMLR's load-bearing wall, and that the rest of the package depends on it.

The PwC headline was that two-thirds of firms might miss the deadline. The more useful question is which third will arrive in shape to operate under it, and what that third decided to prioritise that the other two-thirds did not.

Want a structured review of how your CDD data infrastructure stacks up against AMLR Article 28, or help mapping where your readiness sits today? Talk to our team.