Skip to content 
Article by Borja Gomez, Market Strategist at Aptus.AI in Luxembourg. Aptus.AI is a Regulatory Intelligence Platform providing regulatory change management, regulatory watch and compliance workflow automation to financial institutions in Luxembourg.
Compliance burden: a term widely used since 2018 and still a relevant problem that remains unaddressed
Luxembourg’s financial institutions are navigating one of the most complex regulatory cycles in recent history. DORA, AMLA, CRD VI, MiCA, the EU AI Act and a stream of new CSSF circulars are arriving simultaneously, each with its own implementation timeline and governance obligations.
According to the 2025 ABBL/EY Cost of Regulation Survey, roughly 51% of the budget of credit institutions is allocated to compliance-related activities, mainly staff and consultancy services.
Despite growing headcount and spending, most compliance functions still cannot answer a simple question in near real time: “What changed last week, how does it affect us, what shall we do in 3-6-12 months, where do we start?”
Conventional wisdom points at tools as the main operational bottleneck. Tools that have mostly remained unchanged for years: manual processes, macros, spreadsheets and excessive reliance on Subject Matter Experts.
The Cost of Doing Nothing that we don’t dare to quantify
Most organisations still operate in reactive mode, which directly hurts profitability and productivity:
- delayed impact assessments turn regulatory changes into expensive fire-fighting exercises
- duplicated effort across legal, compliance and risk displaces resources from revenue-generating activities
- poor audit traceability exposes institutions to supervisory risk as CSSF thematic reviews focus increasingly on documentation quality and decision explainability
There is also an opportunity cost that rarely appears on any spreadsheet. They are strategic initiatives that never get started because compliance teams are permanently in catch-up mode:
- launching new financial products and maximising annual volume
- improving customer SLAs to gain market share
- rationalising consulting budgets
- training staff and building operational slack
- evolving the business model, for example from in-house to third-party fund manager
Few executives factor these costs into their mid-term transformation plans, and the result is marginal improvements where transformative ones were possible.
Where technology and AI can help, starting from today, safely and accurately
AI-powered compliance tools offer a clear adoption spectrum. Institutions can start anywhere on that curve, but they should design their ambitions based on their own capabilities, not on vendors’ value propositions.
Stage 1 — Low-risk, high-return: information, insight, wisdom
The right frame is not time efficiency but accuracy, quality and risk mitigation.
Regulatory horizon scanning eliminates hours of manual review weekly. Natural language querying lets a compliance officer ask: “Based on the latest RTS on EU AML regulation, what is my regulatory risk exposure across my current policies and procedures?
Elaborate a gap analysis and remediation roadmap by urgency, operational complexity and liability impact.”
These activities require no core system integration, deliver measurable returns within days, and produce auditable, traceable, hallucination-free outputs, relying on domain-specific models trained on regulatory texts, not generic AI that fabricates answers.
The goal is not to do more in less time, but to produce a precise, risk-mitigated output as if the most senior person in the organisation could handle an infinite workload.
Stage 2 — Middle tier: connecting AI to internal workflows
This is where compliance moves from reactive to structured and proactive:
- covering mapping obligations to controls
- flagging policy gaps automatically
- generating audit-ready documentation
The CSSF/BCL 2025 thematic review found 28% of supervised institutions already have AI in production and 22% are running pilots, many on in-house platforms built on Claude or ChatGPT. Yet, the underlying question is how many of these institutions are extracting genuine value (accuracy, productivity, lower risk) as their attention and budget split between business needs, IT governance, cybersecurity, data quality and IT operations.
Stage 3 — Advanced: proactive regulatory strategy & operations
The vision most executives already embrace:
- modelling scenarios based on forthcoming regulation
- automating gap analyses ahead of supervisory reviews
- running simulated audits to stress-test controls
- building organisations where regulatory knowledge stays current and evenly distributed
The Elephant in the Room: this is a Change Management Challenge
All three stages are available in the market today and the main barrier is not technology. It is the organisational dynamics that prevent adoption. Find below the most typical ones:
- Overconfidence in bespoke and in-house platforms built for a regulatory environment that no longer exists.
“You can press the accelerator as hard as you want, but the handbrake is still on.”
- Absence of an experimentation culture. Risk aversion means pilots stall, success metrics are never defined, and the default outcome is the status quo.
“Experimentation is the shortest path to exponential improvements.”
- Unrealistic expectations in both directions. Some teams expect AI to solve everything immediately; others dismiss it after one imperfect result.
“Learn to differentiate mediocre from good to great.”
- No clear business case for redeploying budget. Without measurable value, technology investment stays deprioritised.
“What cannot be measured rarely gets funded.”
Choose the right partner: one that understands your capabilities while delivering on time, on cost, on quality, while actively mitigating risk
Conventional wisdom says only the largest institutions will lead on compliance efficiency. This is based on the assumption that larger budgets and access to top tier consulting services can make the difference.
In reality, today’s price points and ROI profiles make advanced software platforms accessible to any player, from tier-3 PSFs to tier-1 systemic banks.
The firms that truly lead are those that look beyond slides and marketing slogans, select vendors that prove value in the field, and apply strong change-management skills to turn technology into measurable business outcomes.
