Every week, billions of euros flow through European financial institutions in the hands of money launderers, fraudsters, and organised criminal networks.
According to Salv, banks hold the data capable of disrupting these flows. Regulators know it. Compliance officers know it. Yet many teams remain inactive, shielded by legal arguments that — when scrutinised — don’t withstand examination.
Salv recently detailed the five legal myths stopping banks from sharing financial crime intelligence.
Myth 1: GDPR prevents banks from sharing data with one another
This is the objection that surfaces most frequently. A compliance officer or data protection officer declares that customer data cannot be passed to another institution under GDPR, and the matter is considered closed. Diana Karyan, legal counsel at financial crime intelligence firm Salv, argues the interpretation is fundamentally flawed.
Salv legal counsel Diana Karyan said, “GDPR is not a legal prohibition. It never was. It is a different framework that specifies the conditions under which personal data processing is lawful.”
Article 6 of the GDPR, alongside Recital 47, has long recognised fraud prevention as a legitimate interest. That legal basis predates the EU’s latest anti-money laundering regulatory package. What the new framework adds is clarity: AMLR Article 75 now establishes an explicit EU-level structure for information-sharing partnerships, mandating regulatory oversight and data protection impact assessments without leaving any credible argument that sharing is forbidden. The Payment Services Regulation (PSR) and PSD3, which reached political agreement in November last year, go further still — making fraud detection not merely permissible but expected.
The real obstruction, argues Salv co-founder and CEO Taavi Tamkivi, is not legal but organisational.
Salv CEO and co-founder Taavi Tamkivi said, “If you just go to your DPO and ask ‘can I share customer data with another bank?’, the obvious answer is no — because you haven’t explained why, what the use case is, what governance structure is in place. Someone has to be the business owner for this. Without that, even a strong legal basis isn’t enough.”
Data protection officers and chief information security officers are stakeholders in this process, not its architects. The business case — specific use case, governance framework, data minimisation controls — must be constructed before legal review becomes a productive exercise.
Myth 2: Banking secrecy laws are an absolute bar on disclosure
Banks across Central and Eastern Europe routinely cite their national Credit Institution Acts as insurmountable obstacles, with individual compliance officers fearing personal criminal liability for any disclosure of customer information. Karyan contends the framing itself is the source of the confusion.
Salv legal counsel Diana Karyan said, “A lot of times I hear practitioners asking which obligation wins — banking secrecy or AML law. That framing assumes a conflict between the two. The first thing to establish is that they are not in conflict. They are in a structural relationship.”
Banking secrecy is a general obligation. AML law provides a specific statutory exception to it. Estonia offers one of the clearest illustrations: the Credit Institution Act establishes broad banking secrecy, while Section 16 of the Money Laundering and Terrorist Financing Prevention Act carves out an explicit, purpose-limited exception for financial crime prevention. The two instruments coexist without contradiction.
Tamkivi adds a detail that tends to reframe the conversation entirely.
Salv CEO Taavi Tamkivi said, “I was quite shocked to see that the Bank Secrecy Act has about twenty exceptions — police, tax, customs, and many others. AML data sharing is just one of them. Banking secrecy is a bit over-dramatised. As a customer, it’s quite shocking to realise how many organisations can lawfully access your bank data if they have legal basis.”
The EU’s shift from directives to regulations is also significant here. Six generations of AML directives required national transposition — producing inconsistency, delays, and fragmented enforcement. AMLR, by contrast, is a regulation. When its applicability date arrives in July 2027, it becomes law across every EU member state simultaneously, with no transposition process and no scope for local reinterpretation. PSR carries the same status.
Myth 3: Inter-bank intelligence sharing constitutes tipping off
Tipping off is a criminal offence, and the concern is genuine: if two institutions share intelligence about the same individual, could that person learn they are under investigation? Karyan is emphatic that the prohibition does not apply in this context.
Salv legal counsel Diana Karyan said, “Tipping off prohibition applies to the unlawful disclosure to the customer or any third party that a suspicious transaction report has been filed, that an investigation is underway, or that information has been requested by the FIU. Its target is the subject of suspicion — not the parties who might alert each other.”
Inter-institutional intelligence sharing and tipping off are governed by entirely different legal instruments. AMLR Article 75 and PSR Article 83A expressly permit information exchange between financial institutions, written with the explicit understanding that effective financial crime prevention requires intelligence to flow. They sit alongside tipping off prohibitions without conflict.
Operational controls manage residual risk. On platforms such as Salv Bridge, access is restricted to credentialled representatives of member institutions, with audit logging, four-eye principles, and pre-agreed governance structures in place. Tamkivi notes that in practice, the concern tends to evaporate once sharing actually begins.
Salv CEO Taavi Tamkivi said, “When we launched, tipping off was among the top ten objections. After banks started actually exchanging information, I’ve never heard the question come back. That’s the ultimate proof — the risk exists, but it is very well mitigated.”
Myth 4: AML and fraud are the same problem
This myth operates in reverse. Rather than blocking action, it causes institutions to conflate two legally distinct regulatory regimes and design solutions that may be non-compliant from the outset. Tamkivi, who works across multiple European markets, has seen the knowledge gap at senior levels.
Salv CEO Taavi Tamkivi said, “Yes and no. I’ve spoken to very senior heads of AML who haven’t heard of PSR or mandatory reimbursement. And vice versa. They’re working in their own silos — which are enormous — and it’s understandable.”
The convergence of the two domains is real. The Financial Action Task Force — historically focused on money laundering — is moving rapidly into the fraud and scams space, because the pattern has become familiar: fraud converts into money laundering. But the tools designed to combat each problem were built for a different era. Legacy AML transaction monitoring systems were designed for large transactions, slow timelines, and modest volumes. Scam fraud looks nothing like that — it is high-frequency, real-time, and involves authorised payments that are behaviourally indistinguishable from legitimate activity.
Salv CEO Taavi Tamkivi said, “There’s a middle part between old AML and old fraud that neither covers. That’s where data sharing, real-time monitoring, behavioural profiling, and device fingerprinting all become relevant. New tool categories are emerging to fill it.”
Conflating the two regimes without understanding the legal distinction creates its own compliance exposure. AML and fraud carry different statutory obligations, different reporting requirements, and — under PSR — different reimbursement rules. Treating them as interchangeable risks both operational gaps and regulatory breach.
Myth 5: There is no urgency until the law compels action
The wait-and-see position has surface logic: regulation is not yet fully enforced, supervisors have not mandated participation, and peers are not moving. But the timeline is tighter than many teams have registered.
Salv CEO Taavi Tamkivi said, “Countries are moving at very different speeds. Some aren’t moving at all. Others are already running RFPs and forming task forces. But new product approval processes take 12 to 18 months — from start to live. Count the months back from July 2027 and there aren’t many left.”
The commercial stakes are measurable. Mandatory reimbursement under PSR means that authorised push payment fraud losses — previously absorbed by customers — will increasingly fall on banks. Every month of inaction is a month of preventable fraud losses and a month closer to liability under a reimbursement regime already in motion.
Salv legal counsel Diana Karyan said, “The upcoming regulation doesn’t just permit sharing — in some cases it mandates it. The question institutions should be asking is not ‘are we allowed to do this?’ but ‘what is our plan for compliance?’”
There is also a structural argument for early participation. Institutions that join shared intelligence networks now help shape the standards, governance models, and interoperability frameworks the broader market will eventually be required to adopt. Latecomers will inherit a structure they played no part in designing.
What the legal architecture is actually inviting
The framework for financial crime collaboration is in place. GDPR provides a lawful basis. Banking secrecy laws contain explicit AML exceptions. Tipping off prohibitions apply to a different set of actors entirely. AMLR and PSR are regulations — directly applicable across all member states, with hard deadlines and no room for local deviation.
Copyright © 2026 RegTech Analyst