APP fraud regulation: What Europe’s PSR means for banks

Criminals do not recognise borders. When a victim is manipulated into authorising a fraudulent payment transfer — a tactic the industry variously labels APP fraud, payment fraud, or a scam depending on the market — the underlying mechanism is identical whether it occurs in Helsinki, Frankfurt, or Lisbon.

According to Salv, Europe’s regulators are beginning to acknowledge as much, and the legal architecture responding to that reality is now taking shape.

Salv recently detailed and discussed why APP fraud has no borders, as well as why Europe’s regulation is starting to reflect that.

In November 2025, the European Parliament and Council reached a political agreement on a new Payment Services Regulation alongside a third Payment Services Directive. The formal legal text has yet to be published or formally adopted, but a consensus is beginning to crystallise around the provisions that have been disclosed. Europe has been observing the UK’s mandatory reimbursement regime — introduced by the Payment Systems Regulator — with considerable interest, and the incoming framework borrows from that experience while attempting to address some of its structural shortcomings.

To understand what financial institutions should be doing now to prepare, a recent discussion took place between two practitioners who have spent years at the centre of fraud intelligence and financial crime: Taavi Tamkivi, founder and CEO of Salv, a company that has spent five of its eight years building fraud intelligence infrastructure across Europe; and Dr Nicola Harding, criminologist and founder of The Financial Crime Lab, who has worked for over a decade at the intersection of financial crime, behavioural risk, and institutional credibility.

What the incoming European framework actually covers

The political agreement reached late last year includes mandatory reimbursement for victims of impersonation fraud — cases where a criminal poses as a payment service provider to deceive a customer into approving a transfer. However, the scope is narrower than some may assume. The obligation applies to personal accounts only, and does not extend across all APP fraud typologies in the manner that the UK’s Payment Systems Regulator framework does.

Salv founder and CEO Taavi Tamkivi said, “For some specific fraud types, like impersonation fraud, it’s covered. So non-corporate, personal cases. If it’s corporate fraud, it’s not covered.”

The UK’s own regime, which came into effect in October 2024, carries a different constraint. The Financial Crime Lab founder Dr Nicola Harding said, “The bank that it’s coming from has to be a UK financial institution. The bank that it’s going to has to be a UK financial institution or it doesn’t work. So it immediately rules out cross-border.”

That cross-border gap is one the European framework has explicitly sought to close. But the most consequential element of the incoming regulation is not the reimbursement obligation at all.

The provision that matters most: mandatory data sharing

Under the incoming regulation, payment service institutions will be legally required to connect to shared data infrastructure — specifically to technology providers operating exchange platforms — and to share fraud-related intelligence with one another. This is not a voluntary arrangement or a best practice recommendation. It is a statutory requirement embedded in the regulation itself.

Tamkivi said, “We’re not talking about regtechs as products anymore. We’re talking about an infrastructure layer which is set into the PSR, which is cross-European law.”

This distinction matters. Mandatory reimbursement changes incentives: when fraud losses shift from an operational nuisance to a direct balance sheet liability, risk teams receive greater resource allocation, controls attract closer scrutiny, and investment in better detection becomes easier to approve. As Tamkivi put it, speaking about conversations with senior compliance and risk leaders: “They clearly acknowledge the need. It pushes them to take more serious actions.”

The FCA’s multi-firm review of fraud controls in the UK reflects the same regulatory instinct. As Dr Harding noted: “They’re trying to look more under the hood of what financial firms are doing to detect, decide and intervene — asking more around how controls are integrated, dynamic, and if they’re proportionate.”

But reimbursement, however significant, only functions after a fraud has already occurred. It redistributes cost without preventing the underlying loss. Data sharing operates differently — and upstream.

From reactive to preventive: how shared intelligence changes outcomes

When one institution receives intelligence from another indicating that a customer or IBAN has already been flagged as suspicious elsewhere in the network, it can act before a payment clears. That is the operating principle behind Salv Bridge: institutions share signals to apply appropriate scrutiny at onboarding, collaborate in real time to intercept stolen funds in transit, or block transfer requests before they complete. A customer who appears entirely clean within one institution’s data set may look very different when viewed across a broader network of shared intelligence.

Tamkivi said, “So far, everyone has been working mostly with their own data, which has been becoming richer and richer, but it hasn’t been enough. So [data sharing] is like opening into a new universe.”

This is also where the European framework diverges most sharply from the UK approach. While the UK’s Economic Crime and Corporate Transparency Act includes information-sharing provisions, participation remains voluntary. Under the incoming European regulation, connection to the network is compulsory.

Tamkivi said, “In the UK, the tooling is like a soft version of data sharing. But in Europe, now everybody is forced to connect to the network.”

For institutions operating across European markets, that is not a future consideration — it is a present-tense infrastructure decision. Firms that treat mandatory data sharing as a compliance exercise rather than a strategic capability risk falling behind both regulators and the fraud networks that are already operating without borders.

Read the full Salv post here. 

Copyright © 2026 FinTech Global
