Ahead of SBC Summit (29 September – 1 October 2026), Luis Carlos Pérez spoke to Payment Expert about the new AML challenges reshaping how operators handle high-risk customers
Continuous AML oversight is redefining how AML teams use payment data, not only to identify high-risk customers and fraudulent activity, but to understand the customer before taking action.
Luis Carlos Pérez, Chief AML Officer at Lottofy, explains to Payment Expert why having all the latest AML detection tools ultimately falls short if human oversight cannot verify how third party accounts mimic legitimate player behaviour.
Read the full interview below
AML expectations in regulated gaming are rising fast, with regulators moving from one-off checks to continuous oversight – how has that shift changed the way operators handle payment flows day to day?
The biggest change is in how we think about payment data. It used to be something we looked at after the money had already moved, mostly to reconcile it. Now, it is one of the first places we look to understand risk. The deposit screen is no longer just where a player funds their account; it is one more signal in a picture we are building.
This has moved us away from reviewing customers on a fixed schedule or waiting for someone to cross a set figure before we act. Fixed thresholds still matter, they are a line you are required to watch, but on their own, they tell you very little.
The real question is: does this player’s behaviour fit what you would expect? That direction is only hardening with the new European framework taking shape around us, which pushes everyone towards the same continuous, risk-based standard.
Day-to-day, it means the payments and AML teams are in constant conversation. How quickly someone deposits, whether they keep switching methods, how soon they try to withdraw, all of that informs our view of the player as it happens, rather than weeks later. The real discipline, for an operator running several products at once, is doing this consistently across all of them, so we keep a single, joined-up picture of the player no matter where the money comes in.
Where do RegTech and fintech tools add the most value in spotting suspicious fund movements that traditional rules-based systems tend to miss?
The real value is that these tools see relationships, not just transactions. A fixed rule looks at each payment on its own and asks whether it crosses a line. But a lot of suspicious activity is made up of movements that each look perfectly normal on their own, it is only when you put them side-by-side, across accounts or over time, that something starts to feel off. That joined-up view is what a good system gives you and a rigid rule never will.
A system that learns from the cases you have already worked on gets better at telling apart a player who simply deposited a little more this month, from one whose behaviour has genuinely changed so people can spend their time where it actually matters.
Where I’d push back on the usual conversation is the idea that better tools are the whole answer. They are not.
The more capable the system, the easier it becomes to stop thinking and treat the alert, or the silence, as the conclusion. The technology should sharpen a trained eye, not stand in for it. You can bring in the best tools on the market, but the judgement is the one thing you can never hand over.
How do you keep sanctions and PEP screening effective across multiple payment methods and jurisdictions without creating bottlenecks at deposit?
The first thing I’d say is that the bottleneck people picture is usually the wrong one. It is rarely the screening itself that slows a deposit down, a name check against a list is fast. What actually clogs things up is false positives: common names, near-matches, the same player flagged again and again.
The rest is about when you do the work, not how hard. You screen properly when the relationship begins, and then you keep your screening current, rechecking your customer base against lists that change all the time, because someone can be clean when they join and be designated a week later after something on the other side of the world.
Done that way, the deposit is not where you start looking; it is where you confirm what you already know.
A PEP is not a stop. It does mean more work, closer scrutiny, senior management approval, and establishing their source of wealth and funds, but that is about handling the risk properly, not deciding the person is guilty.
A lot of the friction in this industry comes from treating every near-match as if it were a hard block. Keep the two apart, get the false positives down, and the deposit stays clear without anyone lowering their guard.
Once a flag is raised, what does well-integrated case management and SAR/STR reporting look like when payments data sits across several providers and processors?
It means the person investigating has the whole story in front of them. When a flag goes up, they should see who the player is, how they were onboarded, what the screening said, how they behave, and every euro in or out, by any method, across every provider, all on one screen and without asking anyone for a file.
If they can’t, the problem is not the alert. It is that your data is living in pieces.
That is the real difficulty here. Each payment provider hands you its data in its own shape, and unless you have pulled it all into one consistent picture, the full story simply isn’t there when you need it. The authorities have already penalised operators for exactly this, for not being able to link a single customer’s activity across their own data, treating that gap itself as the failure rather than only whatever slipped through because of it.
The report at the end should read like an explanation, not a printout. A good STR tells whoever receives it what happened, who was involved and why it troubled you, in plain language they can act on.
How do you balance tighter AML controls with the low-friction payment experience players now expect?
I’d start by questioning the word “balance”, because it suggests the two things pull against each other in equal measure, and most of the time they don’t. The friction players actually feel does not come from having strong controls. It comes from badly placed ones. Get the placement right and a lot of the supposed trade-off simply disappears.
The way I see it, AML should not be the protagonist of the player’s experience. It should work from the background, so that by the time someone wants to deposit, there is very little left to do. The honest player should barely notice we are there.
The cleanest control of all is the one you never have to run. A lot of friction comes from accepting payment routes that force you to watch everything closely afterwards. Keep the riskiest of those out of the mix from the start and you protect the experience and the controls at the same time.
Working quietly in the background is exactly what keeps the experience smooth for the honest player and keeps the whole thing safe for everyone in it, the operator included.
Looking ahead, where do you see payments-led AML frameworks heading as instant payments and crypto rails become more common in regulated gaming?
The way I see it, the faster money moves, the earlier your controls have to sit. Once a payment goes through in seconds and you can’t get it back, reacting afterwards stops being an option, and you are left relying on what you already understood about the player before they pressed deposit.
When crypto does become part of the regulated world, we will treat it the way we treat everything else: who is this player, and where is their money coming from. The form it arrives in changes; those two questions never do.
What I would be wary of is thinking that speed, or more rules, fixes this on its own. Real time only helps if the way you work is ready for it. If it isn’t, you are just making the same mistakes faster.
The best operators will be the ones quietly getting this right where nobody sees it, because in the end that is the point.
Held in Lisbon from 29 September to 1 October 2026, SBC Summit is one of the world’s largest gatherings of betting and gaming professionals. The event will bring together 40,000 attendees from across the industry for three days of learning, networking, and discussion, alongside a major exhibition featuring leading brands from around the globe.
For more information and tickets, visit sbcevents.com/sbc-summit.
Source: Payment Expert
