Financial institutions across Europe are facing mounting regulatory pressure as authorised push payment (APP) scams rapidly evolve into one of the most significant financial crime threats. These schemes, in which victims are manipulated into willingly transferring funds, have now surpassed card fraud in total losses, fundamentally reshaping the region’s fraud landscape and triggering a shift toward stricter anti-money laundering (AML) obligations for banks and fintech companies.

Recent supervisory data indicates that APP scams are particularly damaging due to their high transaction values. In 2024, the average fraudulent credit transfer exceeded €2,000, far surpassing typical card fraud losses. Overall, credit transfer fraud reached approximately €2.5 billion, accounting for around 60% of all payment fraud losses in the European Economic Area. This shift reflects the growing use of instant payment systems, which enable fraudsters to move stolen funds almost immediately, limiting the chances of recovery.

Unlike traditional fraud involving unauthorised transactions, APP scams rely on social engineering, with victims unknowingly authorising payments themselves. This dynamic complicates reimbursement and shifts the burden of losses—estimated at 85%—onto consumers. As recovery rates decline, regulators are increasingly scrutinising whether financial institutions are adequately identifying and reporting these transactions as suspicious activity, rather than treating them solely as isolated fraud incidents.

Authorities now view APP scams as closely linked to money laundering. Once funds are transferred, they are often routed through networks of mule accounts, layered across jurisdictions and sometimes converted into cryptoassets. These patterns mirror classic laundering techniques, reinforcing the need for AML frameworks to address scam-related flows at an early stage.

Regulatory reforms are accelerating this convergence. The upcoming Payment Services Directive (PSD3) and Payment Services Regulation will expand liability for payment service providers that fail to prevent scams, particularly in cases of impersonation fraud. At the same time, AMLD6 formally recognises fraud as a predicate offence for money laundering, requiring institutions to incorporate scam-related transactions into AML monitoring and reporting processes. The launch of the new Anti-Money Laundering Authority (AMLA) is expected to further intensify supervisory expectations, particularly regarding cross-border risk and mule account detection.

Operationally, these developments are forcing institutions to rethink how they manage financial crime risks. Separate fraud and AML functions are increasingly seen as inadequate in addressing modern threats. Regulators now expect integrated systems where fraud intelligence feeds directly into AML controls, supported by real-time monitoring, shared risk assessment and coordinated investigations.

As APP scams continue to expand in scale and complexity, European regulators are signalling that fraud prevention and AML compliance can no longer be treated as separate disciplines. Institutions that fail to adapt risk both financial losses and heightened regulatory scrutiny, while those that successfully integrate their controls will be better positioned to respond to the evolving landscape of financial crime.