Every week, billions of euros move through European banks in the service of money launderers, fraudsters, and organised criminal networks. The institutions with the data to stop it often know this. Regulators know this. And yet many compliance teams remain on the sidelines, citing legal risks that, on closer inspection, don’t hold up.

In this post, we recap the key takeaways from a recent episode of Follow the Money, in which criminologist Dr Nicola Harding sits down with Taavi Tamkivi, Salv’s CEO, and Diana Karyan, Salv’s legal counsel, to work through five of the most persistent legal myths keeping financial institutions from sharing intelligence. Diana spent years navigating the intersection of GDPR, banking secrecy law, and the incoming EU AML regulatory package. The conversation covers what the law actually allows — and why the legal architecture for collaboration has existed for longer than most compliance teams realise.


Myth 1: GDPR makes data sharing between banks illegal

This is the most commonly cited blocker. A compliance officer or DPO says “we cannot share customer data with another institution because of GDPR” — and the conversation ends there.

Diana explains where the confusion comes from:

“GDPR is not a legal prohibition. It never was. It is a different framework that specifies the conditions under which personal data processing is lawful.”

— Diana Karyan, Legal Counsel, Salv

Article 6(1)(f) of the GDPR, read with Recital 47, has recognised fraud prevention as a legitimate interest since the regulation took effect. That legal basis existed before the AML regulatory package arrived. What has changed is that Article 75 of the AMLR now provides an explicit EU-level framework for information-sharing partnerships: it requires supervisory oversight and a data protection impact assessment, but it leaves no serious argument that sharing as such is prohibited. PSR and PSD3, which reached political agreement in November last year, go further still, making fraud detection and prevention not just permitted but expected.

The real issue, as Taavi explains, is not the law — it’s ownership:

“If you just go to your DPO and ask ‘can I share customer data with another bank?’, the obvious answer is no — because you haven’t explained why, what the use case is, what governance structure is in place. Someone has to be the business owner for this. Without that, even a strong legal basis isn’t enough.”

— Taavi Tamkivi, CEO and Co-founder, Salv

DPOs and CISOs are stakeholders, not initiators. The business case has to be built first, before legal review becomes productive: a specific use case (which typologies, which data fields, which counterparties), a governance framework covering who may request and who may approve, and data minimisation controls such as purpose limitation and retention limits. A DPO asked to assess a concrete, bounded proposal can do so; one asked an open-ended question can only say no.


Myth 2: Banking secrecy laws prevent us from sharing anything

Banks in Central and Eastern Europe frequently cite their national Credit Institution Acts as an absolute barrier. The fear is real: individual compliance officers worry about personal criminal liability for disclosing customer data.

Diana explains why the framing itself is the problem:

“A lot of times I hear practitioners asking which obligation wins — banking secrecy or AML law. That framing assumes a conflict between the two. The first thing to establish is that they are not in conflict. They are in a structural relationship.”

— Diana Karyan, Legal Counsel, Salv

Banking secrecy is a general obligation. AML law provides a specific statutory exception to it. Once you understand the structure, the conflict dissolves.

She points to Estonia as one of the clearest examples. The Credit Institution Act establishes a broad banking secrecy obligation. Section 16 of the Money Laundering and Terrorist Financing Prevention Act then provides an explicit exception — purpose-limited, controlled, and specific to financial crime prevention. The two laws coexist. Neither wins because they were never at war.

Taavi adds a detail that tends to surprise people:

“I was quite shocked to see that the Bank Secrecy Act has about twenty exceptions — police, tax, customs, and many others. AML data sharing is just one of them. Banking secrecy is a bit over-dramatised. As a customer, it’s quite shocking to realise how many organisations can lawfully access your bank data if they have a legal basis.”

— Taavi Tamkivi, CEO, Salv

The EU’s shift from directives to regulations matters here too. Historically, six generations of AML directives required national transposition, which led to inconsistency, delay, and fragmented enforcement. AMLR is a regulation. Once its applicability date arrives in July 2027, it is law across every member state simultaneously, with no transposition process and little room for national gold-plating. PSR is also a regulation.


Myth 3: Sharing information between banks constitutes tipping off

This one genuinely frightens compliance teams. Tipping off is a criminal offence. The fear is that if Bank A and Bank B share intelligence about the same individual, the suspect could somehow find out they are under scrutiny.

Diana explains what tipping off actually covers:

“The tipping off prohibition applies to the unlawful disclosure to the customer or any third party that a suspicious transaction report has been filed, that an investigation is underway, or that information has been requested by the FIU. Its target is the subject of suspicion — not the parties who might alert each other.”

— Diana Karyan, Legal Counsel, Salv

Inter-institutional intelligence sharing and tipping off are governed by different legal instruments. AMLR Article 75 and PSR Article 83A expressly permit information sharing between financial institutions, drafted with the explicit understanding that effective financial crime prevention requires intelligence to flow. They coexist with tipping off prohibitions — they don’t conflict with them.

Technology and operational controls handle the residual risk. On a platform like Salv Bridge, only credentialled representatives of member institutions have access, so a suspect has no direct pathway onto the platform. What remains is an insider risk: a person with legitimate access passing information on. That is no different in kind from the internal tipping off risk that already exists in every AML investigation, and it is managed the same way, with audit logging, four-eye principles, and pre-agreed governance structures.

Taavi notes what happens in practice:

“When we launched, tipping off was among the top ten objections. After banks started actually exchanging information, I’ve never heard the question come back. That’s the ultimate proof — the risk exists, but it is very well mitigated.”

— Taavi Tamkivi, CEO, Salv


Myth 4: AML and fraud are the same problem

This myth works in the opposite direction. Rather than preventing action, it causes institutions to conflate two legally distinct regimes and build solutions that may be non-compliant by design.

The reality, as Taavi explains, is more complicated:

“Yes and no. I’ve spoken to very senior heads of AML who haven’t heard of PSR or mandatory reimbursement. And vice versa. They’re working in their own silos — which are enormous — and it’s understandable.”

— Taavi Tamkivi, CEO, Salv

The convergence is real. The Financial Action Task Force, historically focused on AML, is moving rapidly into the scam and fraud space, because the pattern is now well established: fraud converts into money laundering. But the tools used to fight each problem were built for a different era.

Legacy AML transaction monitoring systems were designed for a world where money laundering involved large transactions, slow timelines, and limited volume. Scam fraud looks nothing like that: it is high-frequency, real-time, and consists of authorised push payments (APP fraud) that the genuine customer initiates, so to a control looking for unusual activity on the account they are indistinguishable from normal behaviour. Old AML tools are not fit for this purpose. Neither are legacy card fraud systems, which were built to catch unauthorised transactions, not payments the customer was manipulated into authorising.

“There’s a middle part between old AML and old fraud that neither covers. That’s where data sharing, real-time monitoring, behavioural profiling, and device fingerprinting all become relevant. New tool categories are emerging to fill it.”

— Taavi Tamkivi, CEO, Salv

Merging the two regimes without understanding the legal distinction creates its own compliance risk. AML and fraud have different statutory obligations, different reporting requirements, and — under PSR — different reimbursement rules. Treating them as identical leads to both operational gaps and potential non-compliance.


Myth 5: We don’t need to do this until the law forces us to

The wait-and-see position has some internal logic: AMLR does not apply until July 2027, PSR is not yet in force, supervisors have not mandated participation, and peers are not moving. Why go first?

Taavi works across multiple European markets and sees the cost clearly:

“Countries are moving at very different speeds. Some aren’t moving at all. Others are already running RFPs and forming task forces. But new product approval processes take 12 to 18 months — from start to live. Count the months back from July 2027 and there aren’t many left.”

— Taavi Tamkivi, CEO, Salv

The commercial risk is measurable. Mandatory reimbursement under PSR means that APP fraud losses — which were previously absorbed by customers — will increasingly fall on banks. Every month of delay is a month in which preventable fraud losses are not being prevented, and a month closer to liability under a reimbursement regime that is already coming.

On the regulatory side, the question is not whether fines will arrive but when. AMLR’s direct applicability removes the ambiguity that existed under directives. There is no transposition gap to hide in.

Diana puts it plainly:

“The upcoming regulation doesn’t just permit sharing — in some cases it mandates it. The question institutions should be asking is not ‘are we allowed to do this?’ but ‘what is our plan for compliance?’”

— Diana Karyan, Legal Counsel, Salv

There is also a network effects argument. Institutions that participate in shared intelligence networks early help shape the standards, governance models, and interoperability frameworks that the rest of the market will eventually adopt. Those who wait will find themselves onboarding into a structure they had no hand in designing.


What the law is actually inviting

The legal architecture for financial crime collaboration exists. GDPR provides a lawful basis. Banking secrecy laws contain explicit AML exceptions. Tipping off prohibitions govern a different set of actors. AMLR and PSR are regulations, directly applicable, with hard deadlines and little room for local reinterpretation.

What remains is institutional will. The decision by compliance teams, general counsels, and executive leadership to move past these myths — and to build the infrastructure the law is actively inviting them to build.

The myths persist not because the law is ambiguous, but because no one in the organisation has taken ownership of the use case. That is a business problem, not a legal one. And it is one that can be solved.


This article is based on an episode of Follow the Money with Dr Nicola Harding, featuring Taavi Tamkivi and Diana Karyan.
