Every week, billions of euros flow through European financial institutions in service of money launderers, fraudsters, and organised criminal networks.
According to Salv, the banks holding the data that could stop these flows are often fully aware. So are regulators. And yet compliance teams across the continent continue to hold back, citing legal barriers that, on closer examination, simply do not stand up to scrutiny.
Salv recently detailed the five legal myths stopping banks from sharing financial crime intelligence.
Salv legal counsel Diana Karyan and CEO and co-founder Taavi Tamkivi have spent years navigating these objections across European markets. Together, they identify five persistent myths that are keeping banks on the sidelines - and explain why the legal architecture has long since moved on.
Myth 1: GDPR makes inter-bank data sharing illegal
This is the objection heard most often. A data protection officer or compliance lead declares that sharing customer data with another institution is prohibited under GDPR, and the conversation ends there.
Karyan argues the confusion stems from a fundamental misreading of the regulation. Salv legal counsel Diana Karyan said, 'GDPR is not a legal prohibition. It never was. It is a different framework that specifies the conditions under which personal data processing is lawful.'
Article 6 and Recital 47 of the GDPR have always recognised fraud prevention as a legitimate interest. That basis existed well before the EU's anti-money laundering regulatory package arrived. What has changed is that AMLR Article 75 now provides an explicit EU-level framework for information-sharing partnerships - one that mandates regulatory oversight and data protection impact assessments, but leaves no credible argument that sharing is prohibited. The Payment Services Regulation (PSR) and PSD3, which reached political agreement in November last year, go further still, framing fraud detection and prevention not merely as permitted, but as expected.
The real obstacle, Tamkivi argues, is not the law - it is internal ownership. Salv CEO and co-founder Taavi Tamkivi said, 'If you just go to your DPO and ask "can I share customer data with another bank?", the obvious answer is no - because you haven't explained why, what the use case is, what governance structure is in place. Someone has to be the business owner for this. Without that, even a strong legal basis isn't enough.'
Data protection officers and chief information security officers are stakeholders in this process, not its initiators. The business case - specific use case, governance framework, data minimisation controls - must be established before legal review can be productive.
Myth 2: Banking secrecy laws are an absolute barrier
Banks in Central and Eastern Europe routinely cite national Credit Institution Acts as insurmountable obstacles, with individual compliance officers fearing personal criminal liability for any disclosure of customer data.
Karyan contends that the framing itself is the problem. Salv legal counsel Diana Karyan said, 'A lot of times I hear practitioners asking which obligation wins - banking secrecy or AML law. That framing assumes a conflict between the two. The first thing to establish is that they are not in conflict. They are in a structural relationship.'
Banking secrecy is a general obligation. AML law provides a specific statutory exception to it. Estonia offers one of the clearest illustrations: its Credit Institution Act establishes a broad secrecy obligation, while Section 16 of the Money Laundering and Terrorist Financing Prevention Act then provides an explicit, purpose-limited exception for financial crime prevention. The two laws coexist, neither superseding the other, because they were never in conflict to begin with.
Tamkivi adds a detail that tends to catch people off guard. Salv CEO and co-founder Taavi Tamkivi said, 'I was quite shocked to see that the Bank Secrecy Act has about twenty exceptions - police, tax, customs, and many others. AML data sharing is just one of them. Banking secrecy is a bit over-dramatised. As a customer, it's quite shocking to realise how many organisations can lawfully access your bank data if they have a legal basis.'
The EU's shift from directives to regulations also matters here. Six generations of AML directives required national transposition, producing inconsistency and fragmented enforcement. AMLR is a regulation. When its applicability date arrives in July 2027, it becomes law across every member state simultaneously - no transposition required, no room for local variation. The same is true of PSR.
Myth 3: Sharing intelligence between banks constitutes tipping off
This is the objection that genuinely unsettles compliance professionals. Tipping off is a criminal offence, and the concern is that intelligence exchanged between institutions could somehow alert a suspect to an ongoing investigation.
Karyan is clear about what the prohibition actually covers. Salv legal counsel Diana Karyan said, 'Tipping off prohibition applies to the unlawful disclosure to the customer or any third party that a suspicious transaction report has been filed, that an investigation is underway, or that information has been requested by the FIU. Its target is the subject of suspicion - not the parties who might alert each other.'
Inter-institutional intelligence sharing and tipping off are governed by entirely different legal instruments. AMLR Article 75 and PSR Article 83A expressly permit information sharing between financial institutions, drafted with the explicit understanding that effective financial crime prevention requires intelligence to flow. They coexist with tipping off prohibitions - they do not conflict with them.
Technology and governance controls address the residual risk. On a platform such as Salv Bridge, access is restricted to credentialled representatives of member institutions, with no mechanism by which a suspect could be notified. Audit logging, four-eye principles, and pre-agreed governance structures manage what risk remains.
Tamkivi notes that in practice, the objection tends to dissolve once institutions begin sharing in earnest. Salv CEO and co-founder Taavi Tamkivi said, 'When we launched, tipping off was among the top ten objections. After banks started actually exchanging information, I've never heard the question come back. That's the ultimate proof - the risk exists, but it is very well mitigated.'
Myth 4: AML and fraud are fundamentally the same problem
This myth works in the opposite direction. Rather than preventing action, it leads institutions to conflate two legally distinct regimes and build solutions that may be non-compliant by design.
Tamkivi acknowledges the complexity. Salv CEO and co-founder Taavi Tamkivi said, 'Yes and no. I've spoken to very senior heads of AML who haven't heard of PSR or mandatory reimbursement. And vice versa. They're working in their own silos - which are enormous - and it's understandable.'
The convergence is genuine. The Financial Action Task Force, historically focused on money laundering, is increasingly entering the fraud space, recognising that scam fraud has become a classical precursor to laundering. But the tools developed to address each problem were built for a different era.
Legacy AML transaction monitoring systems were designed for large, slow-moving transactions. Scam fraud is high-frequency, real-time, and involves authorised payments that are behaviourally indistinguishable from legitimate activity. Old AML tools are not fit for this purpose. Neither are legacy card fraud systems, which were built for unauthorised transactions, not authorised push payment scams.
Salv CEO and co-founder Taavi Tamkivi said, 'There's a middle part between old AML and old fraud that neither covers. That's where data sharing, real-time monitoring, behavioural profiling, and device fingerprinting all become relevant. New tool categories are emerging to fill it.'
Merging the two regimes without understanding this legal distinction creates its own compliance risk. AML and fraud carry different statutory obligations, different reporting requirements, and - under PSR - different reimbursement rules. Treating them as identical risks operational gaps and potential non-compliance.
Myth 5: There is no urgency until regulators force the issue
The wait-and-see position has surface logic: regulation is not yet fully enforced, supervisors have not mandated participation, and few peers are moving. Why act first?
Tamkivi's answer is rooted in timelines. Salv CEO and co-founder Taavi Tamkivi said, 'Countries are moving at very different speeds. Some aren't moving at all. Others are already running RFPs and forming task forces. But new product approval processes take 12 to 18 months - from start to live. Count the months back from July 2027 and there aren't many left.'
The commercial exposure is concrete. Mandatory reimbursement under PSR means that authorised push payment fraud losses - previously absorbed by customers - will increasingly fall on banks. Every month of inaction is a month of preventable losses unremedied, and a month closer to full reimbursement liability.
On the regulatory side, AMLR's direct applicability removes the ambiguity that existed under earlier directives. There is no transposition gap to shelter in.
Karyan frames the question institutions should now be asking. Salv legal counsel Diana Karyan said, 'The upcoming regulation doesn't just permit sharing - in some cases it mandates it. The question institutions should be asking is not "are we allowed to do this?" but "what is our plan for compliance?"'
There is also a structural argument for moving early. Institutions that participate in shared intelligence networks now help shape the standards, governance models, and interoperability frameworks the rest of the market will eventually adopt. Those who wait will find themselves onboarding into a structure they had no hand in designing.
The legal architecture is already in place
The conditions for financial crime collaboration are not pending. GDPR provides a lawful basis. Banking secrecy laws contain explicit AML exceptions. Tipping off prohibitions govern a different set of actors altogether. AMLR and PSR are regulations - directly applicable, with hard deadlines and no room for local reinterpretation.
What remains is institutional will: the decision by compliance teams, general counsel, and executive leadership to move beyond these myths and to build the infrastructure that regulators are actively inviting them to build.
The myths persist not because the law is genuinely ambiguous, but because no one inside the organisation has taken ownership of the use case. That is a business problem, not a legal one. And it is one that can be solved.