As the iGaming and payments industries face intensifying scrutiny and increasingly sophisticated fraud typologies, compliance leaders are calling for a new approach to anti-money laundering—one that goes beyond regulatory box-ticking and puts strategic resilience at its core.
Ahead of his appearance at SBC Summit Lisbon, Luis Carlos Perez, Chief AML Officer at Lottofy, speaks candidly about the shift towards ‘AML 2.0’ and what it really means for firms operating across high-risk verticals.
You’re speaking on a panel titled ‘AML 2.0: getting serious about fraud’. From yourperspective, what does AML 2.0 actually look like in practice—and how far along is the industry in getting there?
For me, AML 2.0 means breaking away from the old view of AML as just a backend function, something you do because the law says you have to. It’s about moving beyond a tick-box mentality and putting AML right where it belongs: at the core of how we protect our business and our players.
In practice, it’s not just about having better tools. Technology is important, but it’s not enough. AML 2.0 starts with a shift in mindset. It means fostering a culture of collaboration and communication across the industry, and using data more intelligently to create monitoring systems that are not just more advanced, but more human. AML 2.0 is about recognising how fraud, money laundering and other financial crimes are increasingly interlinked and tackling them proactively, in real time.
In gaming, we’re making progress. We’re seeing more investment in advanced transaction monitoring, better training, and more openness to working together. But let’s be honest: we’re not there yet. There are still operators who treat AML as a box to tick, instead of seeing it as what it really is a strategic asset that builds trust, security and long-term sustainability.
At the end of the day, AML 2.0 is about mindset. If we change how we think, we change how we protect.
Fraudsters are increasingly leveraging AI to carry out complex schemes. How can operators and payment firms use AI defensively without falling foul of regulatory or ethical concerns?
It’s true that fraudsters are often the first to adopt new technologies, using AI to exploit loopholes, create synthetic identities, and hide suspicious patterns in ways that are harder to detect. But the good news is: we’re catching up. Today, we have powerful AI tools that can help us fight back, but only if we use them wisely.
In the context of AML, AI should be seen as a support system, not a replacement for human judgment. It should help MLROs and compliance teams focus on real risks, by filtering out noise and identifying behaviors that matter. But using AI defensively isn’t about plugging in the latest algorithm and hoping it works. It’s about being intentional about how we design, train, and monitor these systems to make sure they’re learning the right things.
One of the biggest concerns is explainability. If an AI flags or blocks a transaction, we need to be able to explain why. Not just to the regulator, but to the customer and to ourselves. And then there’s ethics. Just because AI can analyze every digital footprint a player leaves, doesn’t mean it should. We need clear boundaries, built on respect for privacy and proportionality. Otherwise, we risk losing the very trust we’re trying to build.
The challenge is to stay ahead of the bad actors, without becoming careless in the process.
Real-time data is often hailed as a game changer for AML. But how realistic is it for firms, especially mid-sized operators, to implement real-time monitoring without overextending their resources?
Real-time data is a huge opportunity for AML, no doubt about it. But we have to be honest because for many small and mid-sized operators, implementing full-scale real-time monitoring can be financially and operationally challenging. If we’re not careful, it could widen the competitive gap between large and smaller players. So the question is not whether we should do it in real time, but how to do it in a smart way. For me, the key is to prioritise and be proportional. Not everyone needs the most powerful and expensive AI. But everyone can identify their biggest risk points and apply real-time controls where they really add value.
In my view, it’s not about using AI and real-time data as a tool to analyze every transaction in detail, but as a support to human oversight to have the clinical eye to know which transactions carry real risk and to scale from there. With the right focus, even mid-sized firms can achieve strong results without burning out their teams or blowing their budgets.
You’ve been vocal about the AML transformation in Malta following FATF greylisting. What lessons from that experience would you offer to other markets facing rising regulatory pressure?
Yes, the FATF greylisting was a wake-up call for Malta. But it also showed something important: meaningful AML change doesn’t happen just because a regulator says so. It happens when the whole ecosystem (operators, banks, regulators, supervisors) decide that financial crime is everyone’s problem, not just a box to tick.
One big lesson is that transparency and cooperation matter more than ever. When you’re under intense scrutiny, finger-pointing doesn’t solve anything, sharing information, being open about gaps and learning from mistakes does. So, my message to other markets is simple: don’t wait for a greylisting to fix what you already know needs fixing. Use rising regulatory pressure as a push to raise standards before someone forces you to. The cost of doing it late is always higher than doing it right the first time. At the end of the day, a strong AML culture is not a punishment, it’s a competitive advantage.
How do you see the AML priorities of gambling regulators differing from those of financial regulators, and what challenges does that create for firms operating across both sectors?
Financial regulators tend to focus heavily on source of funds, complex layering and large transaction flows. They expect deep due diligence, robust transaction monitoring and strict reporting lines because the sums can be huge and the systems are built for high volumes.
Gambling regulators, on the other hand, often focus more on the player’s behaviour: affordability, responsible gaming, and how gambling can be misused as a channel to launder illicit funds in smaller, harder-to-detect ways. They also care a lot about how AML overlaps with social responsibility.One big risk is that teams or systems get stuck: your AML framework for payments can’t ignore your AML framework for gaming. Bridging those gaps takes strong internal governance, good training and tech that can unify customer data across verticals.
In the end, different regulators have different lenses but criminals don’t care about sector boundaries. We shouldn’t either.
With the EU’s Anti-Money Laundering Authority (AMLA) set to go live, what structural changes should payment firms start preparing for now?
The creation of AMLA is probably one the biggest structural shift for European AML in years. AMLA will bring more direct supervision, more standardisation and tougher scrutiny across member states. Firms need to make sure their AML frameworks can stand up to EU-level questions, that means clearer reporting lines, documented risk assessments and proper board- level oversight and not just box-ticking policies.
Second, data architecture. AMLA will push for more consistency and cross-border data sharing.
Third, skilled people. When supervision gets tougher, weak teams get exposed fast. Firms need to upskill their compliance staff and make sure AML is embedded into day-to-day business, not just left to one department. In the end, AMLA will raise the bar and that’s good news for everyone in the industry.
Where do you see the biggest gaps in AML frameworks today? Are firms underestimating customer risk, transaction monitoring, or cross-border complexity?
The biggest gaps today don’t lie in any single area, they lie in how firms treat these areas in isolation.
Too often, we see decent KYC at onboarding, but no real effort to reassess risk as customer behaviour evolves. Or we see advanced transaction monitoring tools but powered by outdated or incomplete customer data. In those cases, the system is only as strong as its weakest input.
Cross-border complexity is another blind spot. If your business operates across multiple jurisdictions without aligning data, policies, and oversight, you end up with fragmented controls, local inconsistencies, and gaps that bad actors are quick to exploit.
So, for me, the real issue is lack of integration. Too many AML frameworks are still siloed onboarding here, monitoring there, investigations over in another system. But financial crime doesn’t operate in silos, and neither should we.The firms that close those internal gaps will be the ones who stay ahead of the criminals who thrive in the space between.
Clobet works across high-risk verticals. What advice do you have for PSPs serving iGaming clients who want to remain compliant while staying commercially competitive?
My first advice is: know your client, but really know them. Don’t just check the onboarding box. Understand how they run their KYC, how they manage responsible gaming, and whether they have a track record of robust compliance.
Second: align incentives. Too often, PSPs want volume and operators want speed but the best PSPs today are more like partners than vendors, they help iGaming clients stay compliant because it protects both sides.
Third: invest in real-time monitoring and collaboration tools. When something suspicious pops up, being able to share information quickly and take action fast is a competitive advantage.
In the end, compliance and commercial success aren’t opposites. In this industry, trust and security is the real currency. If you lose them, you lose everything.
If you had to predict one major AML or fraud-related shift in the next 12–18 months, what would it be—and who will it impact most?
If I had to pick just one big shift, I’d say we’re going to see a serious regulatory clampdown on the misuse of AI and deepfake tech for fraud. In the next 12–18 months, I expect more cases where criminals use generative AI to fake identities, forge documents and manipulate onboarding or payment flows. We’re already seeing signs of this, but I think the scale will explode and regulators will have no choice but to respond fast.
This will hit everyone in the chain from operators to payment providers, even affiliates. It’ll force firms to rethink how they verify identity, how they train staff to detect new fraud typologies, and how they balance speed with robust controls. The biggest impact will be on firms that still rely too much on static KYC or outdated monitoring rules. They’ll struggle to keep up if they don’t invest in smarter systems and skilled people.
So this isn’t just a prediction, it’s already happening. The question now is who’s ready to respond at the speed fraud is evolving.
Finally, what are you most looking forward to discussing with peers at SBC Summit Lisbon— and what are you hoping to learn from the other panellists?
What I’m really looking forward to is honest conversation. I want to hear how others are actually tackling the challenges, what’s working for them, where they’ve struggled, and what they’ve learned in the process.
It’s easy to talk frameworks and buzzwords, but the real value comes from stories that help us all get better. Personally, I hope to come away from Lisbon with a few things I hadn’t thought of before. Maybe a new angle, a new question, or even just the reassurance that we’re not alone in trying to raise the bar. Because at the end of the day, behind all the policies, systems and controls, its people learning from people. And that’s where real progress starts.
SBC Summit will take place from 16–18 September at the Feira Internacional de Lisboa and MEO Arena, bringing together 30,000 industry stakeholders for an unmissable three-day experience.
Looking to attend? Here’s how:
- Secure your place with a VIP Event Pass – Enjoy full access to all conference sessions, the exhibition floor, exclusive networking events, and complimentary food and drink throughout the summit.
- Bringing the team? Take advantage of our Group Pass Discount — purchase three or more VIP Event Passes and pay just €400 per ticket (saving €200 off the standard price).
- Operator or affiliate? You may be eligible for a complimentary VIP Event Pass, which includes full access to the exhibition, conference, and exclusive networking events. Apply now to reserve your spot.
Expo+ Pass: Gain access to the full exhibition floor and all conference sessions across the three days. This does not include access to our exclusive VIP evening networking events.
Source: https://paymentexpert.com/2025/07/24/aml-compliance-lottofy-luis-carlos-perez/
