Authorised push payment (APP) fraud does not stop at national borders. When a criminal manipulates a victim into approving a payment transfer, the attack is just as effective whether it takes place in London, Lisbon or Ljubljana.
According to Salv, the terminology may shift — APP fraud, payment fraud, scam — depending on the market, but the mechanics are identical: social engineering deployed to trick someone into authorising a transfer they never intended.
Salv recently detailed and discussed why APP fraud has no borders, as well as why Europe’s regulation is starting to reflect that.
Europe has been watching the United Kingdom’s experience with mandatory reimbursement under the Payment Systems Regulator closely.
In November 2025, the European Parliament and Council reached a political agreement on a new Payment Services Regulation and a third Payment Services Directive. Whilst the formal legal text is yet to be published or formally adopted, consensus is beginning to emerge around what the framework will require.
To understand what financial institutions should be doing to prepare, a discussion recently took place between Taavi Tamkivi, founder and CEO of Salv, and Dr Nicola Harding, founder of The Financial Crime Lab.
Tamkivi has spent his entire career tackling financial crime, the last five of those years building fraud intelligence infrastructure across Europe through Salv. Harding is a criminologist with more than a decade working at the intersection of financial crime, behavioural risk, and institutional credibility.
What Europe’s incoming payment services framework will require
The political agreement reached in late 2025 includes mandatory reimbursement for victims of impersonation fraud — cases where a criminal poses as a payment service provider to trick a customer into approving a transfer. It is worth noting the precise scope: the coverage applies to personal accounts, not corporate ones, and does not extend to all APP fraud types in the way the UK’s PSR does.
Salv founder and CEO Taavi Tamkivi said, “For some specific fraud types, like impersonation fraud, it’s covered. So non-corporate, personal cases. If it’s corporate fraud, it’s not covered.”
According to Salv, the UK framework, which came into force in October 2024, carries a different limitation: geography. The Financial Crime Lab founder Dr Nicola Harding said, “The bank that it’s coming from has to be a UK financial institution. The bank that it’s going to has to be a UK financial institution or it doesn’t work. So it immediately rules out cross-border.”
That cross-border blind spot is something Europe’s incoming regulation appears to have addressed. However, the more consequential provision in the new framework is not the reimbursement requirement at all.
Under the regulation, payment service institutions will be legally required to connect to shared data infrastructure — specifically to technology providers operating fraud intelligence exchange platforms — and to share fraud-related data with one another. This is not a voluntary arrangement or a best practice recommendation. It is a hard legal obligation embedded within the regulation itself.
Tamkivi said, “We’re not talking about regtechs as products anymore. We’re talking about an infrastructure layer which is set into the PSR, which is cross-European law.”
Reimbursement changes behaviour, data sharing changes outcomes
Mandatory reimbursement is significant. When fraud losses shift from being an operational nuisance to a direct balance sheet liability, risk teams receive greater resources, controls attract more scrutiny, and investment in better detection becomes easier to justify internally.
Tamkivi said, “When I’m speaking with heads of fincrime or chief risk officers, they clearly acknowledge the need. It pushes them to take more serious actions.”
The Financial Conduct Authority’s multi-firm review of fraud controls in the UK reflects the same logic from a regulatory perspective. Harding said, “They’re trying to look more under the hood of what financial firms are doing to detect, decide and intervene — asking more around how controls are integrated, dynamic, and if they’re proportionate.”
But reimbursement only operates after the damage has been done. It redistributes the cost of fraud; it does not prevent the loss from occurring. Data sharing works differently.
When one institution receives intelligence from another — that a customer or IBAN has already been flagged as suspicious elsewhere — it can act on that information before a payment clears. This is how Salv’s Bridge platform operates in practice: teams use shared signals to apply scrutiny at onboarding, collaborate in real time to intercept funds in transit, or block transfer requests before they complete. A customer who appears clean within one institution can look very different when viewed across the network.
Tamkivi said, “So far, everyone has been working mostly with their own data, which has been becoming richer and richer, but it hasn’t been enough. So [data sharing] is like opening into a new universe.”
This is also where the European approach diverges most sharply from the UK. The UK’s Economic Crime and Corporate Transparency Act includes information-sharing provisions, but participation remains voluntary. Under the incoming European regulation, connection to the network is mandatory.
Tamkivi said, “In the UK, the tooling is like a soft version of data sharing. But in Europe, now everybody is forced to connect to the network.”
For institutions operating across European markets, the message is clear that the compliance question is no longer whether to connect to shared fraud intelligence infrastructure, but how quickly they can get there.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
