Criminals don’t distinguish between jurisdictions when they manipulate someone into approving a payment. Whether the industry calls it APP fraud, payment fraud, or a scam depends on the market. The underlying action (socially engineering a victim into authorising a transfer) is happening everywhere.

Europe has been watching the UK’s experience with mandatory reimbursement under the Payment Systems Regulator closely. In November 2025, the European Parliament and Council reached a political agreement on a new Payment Services Regulation and third Payment Services Directive. The formal legal text has not yet been published or formally adopted, but there is some consensus forming based on what has been revealed so far.

To think through what that preparation should look like, we spoke with two people who have been at the centre of this for years: Taavi Tamkivi and Dr Nicola Harding.

Taavi Tamkivi is Founder and CEO at Salv. He has spent his entire career fighting financial crime, and the last five of Salv’s eight years building fraud intelligence infrastructure across Europe. He is a spokesperson and champion for data sharing in the industry, based on Salv’s deep experience in the space.

Dr Nicola Harding is a criminologist and Founder of The Financial Crime Lab. She has spent over a decade working at the intersection of financial crime, behavioural risk, and institutional credibility.

Throughout their conversation, they cover the human impact, the regulatory architecture, and the operational reality of fighting financial crime today. Highlights from their discussion have formed the basis of this article. The full conversation is available to listen to here as part of Salv’s Follow the Money series.

What we expect from Europe’s incoming payment services framework

The political agreement includes mandatory reimbursement for victims of impersonation fraud, where a criminal poses as a payment service provider to trick a customer into approving a transfer. It is worth being precise about the scope: this applies to personal, not corporate, accounts. It does not extend to all APP fraud types in the way the UK PSR does.

“For some specific fraud types, like impersonation fraud,” Taavi said. “It’s covered. So non-corporate, personal cases. If it’s corporate fraud, it’s not covered.”

The UK’s own framework, which went live in October 2024, has a different limitation: geography. Nicola is direct about this: “The bank that it’s coming from has to be a UK financial institution. The bank that it’s going to has to be a UK financial institution or it doesn’t work. So it immediately rules out cross-border.”

That cross-border blind spot is something the European framework has taken into account. But the more consequential provision in the incoming regulation is not reimbursement at all.

Payment service institutions will be required to connect to shared data infrastructure — specifically to technology providers who operate the exchange platforms — to share fraud-related intelligence with each other. This is not a voluntary arrangement or a best practice recommendation. It is a legal requirement built into the regulation itself.

Taavi is clear about why this matters: “We’re not talking about regtechs as products anymore. We’re talking about an infrastructure layer which is set into the PSR, which is cross-European law.”

Reimbursement changes behaviour, data sharing changes outcomes

Mandatory reimbursement is a big deal. When fraud losses move from an operational nuisance to a direct balance sheet liability, risk teams get resources, controls get new scrutiny, better detection gets approved.

“When I’m speaking with heads of fincrime or chief risk officers,” Taavi says, “they clearly acknowledge the need. It pushes them to take more serious actions.”

The FCA’s multi-firm review of fraud controls in the UK reflects the same logic from the regulator side. As Nicola says: “They’re trying to look more under the hood of what financial firms are doing to detect, decide and intervene — asking more around how controls are integrated, dynamic, and if they’re proportionate.”

But reimbursement only operates after a fraud has occurred. It reallocates cost, but the loss still happens. Data sharing is different.

When an institution receives intelligence from another — that a customer or IBAN has already been flagged as suspicious elsewhere — they can act on it before a payment clears. That is how Salv Bridge works in practice: teams use shared signals to apply the right scrutiny at onboarding, collaborate in real time to stop stolen funds in transit, or block transfer requests before they complete.

A customer who looks clean in one institution can look very different across the network. Salv Bridge moves that picture between institutions so every team is working from more complete information, not just their own.

That is what makes the mandatory data sharing requirement significant — and why infrastructure that already does this is worth understanding now.

“So far, everyone has been working mostly with their own data,” Taavi says. “Which has been becoming richer and richer, but it hasn’t been enough. So [data sharing] is like opening into a new universe.”

This is also where the EU framework differs from the UK. The UK’s Economic Crime and Corporate Transparency Act includes provisions for information sharing, but participation is voluntary. In Europe, under the incoming regulation, connection to the network is mandatory.

“In the UK, the tooling is like a soft version of data sharing. But in Europe, now everybody is forced to connect to the network.”

— Taavi Tamkivi, Founder and CEO, Salv

Salv Bridge is the fraud intelligence infrastructure connecting European institutions.


The accountability gap the regulation hasn’t closed

Mandatory data sharing doesn’t resolve everything. Scams don’t start inside a bank — they start on social media, via a spoofed phone call, or through a fraudulent advertisement online. By the time a payment is authorised, the manipulation has already taken place.

“Even if payment service providers would be perfect in their fight against crime,” explains Taavi, “criminals would still be several steps ahead, because criminals are also using tooling which is not controllable, not regulated at that level.”

Telecoms companies and social media platforms currently carry little financial liability for fraud that originates on their services. Payment service institutions bear the cost of losses that began somewhere else entirely.

“Telcos and social media are completely free from that,” says Taavi. “And that’s so unfair because actually, as the crime starts there, that’s the top of the funnel for the criminals.”

The political agreement reached in November does include a limited platform liability provision: online platforms can be held liable where they are informed of fraudulent content and fail to remove it. That is a step, but it is not a structural accountability shift.

A solution that brings all relevant stakeholders together — including those outside financial services — requires digital markets and telecoms regulators to act in coordination with payment services regulators. There are signs that political will exists: Australia’s restrictions on social media access for under-16s demonstrate that governments can regulate platforms when they judge the harm significant enough. The question is whether that same logic gets applied to fraud at scale across Europe.


From conference slides to procurement: what’s actually happening now

For most of the past decade, the consensus at industry events was clear: financial institutions need to share fraud intelligence with each other. High-level agreement is easy. Making it happen is not.

The blockers are familiar: legal uncertainty, GDPR raised as an objection rather than an engineering problem, unresolved questions about governance and liability for acting on shared intelligence.

Taavi and Salv have lived through this period. “There are more and more people who believe in it and who have seen the evidence. But they’re always getting stuck on how to launch it in real life,” he says.

That is changing. Taavi has seen a material shift in the past six months.

Banking associations and national AML consortiums across Europe are now issuing formal requests for proposals. Not exploratory conversations, but structured procurements with defined requirements and tight go-live timelines. “Recently, there was another RFP from one medium-sized European country,” he says. “They had a clear list of requirements, very strict timelines. They want to be ready to launch this summer.”

A useful barometer is the direction of Nick Maxwell’s work at FFIS, which convenes senior financial intelligence professionals and has consistently been three to five years ahead of where the industry lands. “He doesn’t want to touch domestic private-to-private sharing because that’s already happening,” says Taavi. Nick’s current focus is cross-border intelligence sharing: UK to EU, EU to Australia, and beyond.

That may feel distant from where most institutions are today. The immediate task is getting domestic infrastructure right with institutions connected, data clean, structured, and actionable.


What this means for fincrime teams preparing for data sharing now

The incoming European framework gives institutions a legal basis for data sharing they have not had before. For many, that removes the most common blocker. The question shifts from “are we allowed to do this” to “how do we implement it well.”

Connecting to an infrastructure platform in a way that actually improves detection (where analysts can act on shared signals in real time, not just satisfy a regulatory checkbox) requires thinking about data quality, integration with existing monitoring systems, and operational workflow.

Institutions that treat this as only a compliance exercise will get compliance outcomes. Institutions that embrace it as an intelligence problem will get much better ones.

New regulation is also a prompt to examine what controls look like when regulators inspect them. The FCA’s multi-firm review in the UK is a precedent European supervisors are likely to follow: looking not just at loss figures, but at how controls integrate, adapt, and respond proportionately.

“The industry has done a lot of talking,” says Nicola. “It’s great to hear it’s now in the action phase.”

The institutions best positioned are already having those conversations: working through technical and governance questions, engaged with the consortiums and working groups moving toward procurement. Eighteen months is not much runway if the starting point is zero.

Salv Bridge is the infrastructure a growing number of European institutions are connecting to. Read more about it here.

Taavi Tamkivi and Dr Nicola Harding discussed APP fraud regulation, data sharing, and the accountability gap in episode 3 of Follow the Money, Salv’s podcast series on financial crime prevention. Listen to the full conversation here.


Frequently asked questions

What is APP fraud?

Authorised push payment (APP) fraud occurs when a criminal manipulates a victim into approving a payment to an account they control. Unlike unauthorised fraud, the victim initiates the transaction, which makes it harder to detect and, historically, harder to recover from.

How does Europe’s approach to APP fraud regulation differ from the UK’s?

The UK’s PSR mandatory reimbursement scheme, which came into force in October 2024, covers a broader range of APP fraud types but only applies to payments between UK financial institutions, excluding cross-border transactions. The incoming European framework covers impersonation fraud specifically (personal accounts only, not corporate), but applies across EU member states and makes fraud data sharing between institutions mandatory rather than voluntary.

Does PSD3 require banks to share fraud data with each other?

Based on the political agreement reached in November 2025, yes. Payment service institutions will be required to connect to shared data infrastructure via technology providers operating exchange platforms to share fraud intelligence. This differs from the UK’s approach, where information sharing under the Economic Crime and Corporate Transparency Act remains voluntary. The formal legal text is not yet published, so the precise mechanics are subject to confirmation.

When does PSD3 come into force?

A political agreement was reached in November 2025. The formal legal text is expected to be published in the Official Journal of the EU around mid-2026, after which an 18-month implementation period is anticipated. Final timelines will be confirmed once the text is formally adopted.

Are social media companies and telecoms liable for APP fraud under PSD3?

Only to a limited degree. The agreement includes a provision allowing online platforms to be held liable to payment service providers where they were informed of fraudulent content and failed to remove it. This falls well short of proportional financial liability for fraud that originates on their platforms, which would require coordinated action from telecoms and digital markets regulators, not payment services regulators alone.
