iGaming Fraud Insights—ICE Barcelona, Part 2 | "What The Fraud?" Podcast

Welcome to What The Fraud?, a podcast by Sumsub, where digital fraudsters meet their match. I'm Kris Galloway, iGaming Product Evangelist here at Sumsub, and your host for this very special episode. We're bringing you conversations straight from the floor, and just like we did at Money 20/20 in Europe and the US, we've teamed up once again with our friends from C-Suite Podcast to get to the heart of the industry's biggest challenges.

In this episode, I sit down with the people actually fighting these battles. We talk about all the ecosystems—from fast-growing markets and money laundering pressure points, to the fight against unlicensed operators. Are we ready? Let's dive in.

Daniel Xavier, BetMGM

KRIS GALLOWAY: So to kick things off, we're looking at one of the most watched markets on the planet right now, which is Brazil, a territory with massive opportunity, but a regulatory landscape that's still very much under construction. I'm joined by Daniel Xavier, CEO at BetMGM Brazil. Daniel, thank you ever so much for coming onto the podcast.

DANIEL XAVIER: It's my pleasure. Thank you very much for inviting me.

KRIS GALLOWAY: You're most welcome. So, you're attending a panel tomorrow, I believe, which is titled ‘Brazil in play. The challenge of operating in a market under construction.’ Obviously, Brazil is an absolutely massive market. What would you say regulation has gotten spot on so far? And what is it that still feels unfinished?

DANIEL XAVIER: Look, Brazil took a lot of time to regulate its market, so a long time. That is bad. But there's one thing good about it that you could learn from best practice around the world, so we could understand what happened in each other's markets and could make better regulations for ourselves.

Suggested read: Brazil Gambling Laws and Regulations: What to Expect in 2025?

What I can tell you is that our regulation is robust. I think it's good for the player. It creates a good layer of protection, responsible gaming. It's clear about the dos and don'ts. The bad thing at the moment, I think that's the challenge for the next years, this year and the next, maybe 1 or 2 years more is the fight against the legal market. It is still huge. So, I had the numbers from H2 Capital, they just released new research; it’s about $3 billion. 28% of the market. So that's the next stage, I believe. But the foundation is very good.

KRIS GALLOWAY: You mentioned different templates that Brazil can copy from at the moment. What would you look at some of the templates in other regions that might have gotten it right so far? Are there any that jump out at you?

DANIEL XAVIER: I think that, for example, one that came right now to my mind is what happened with the Netherlands, for example. The Netherlands started very well, raised taxes, and the legal market increased its share of the total. So, Brazil started the right, but the tax is still under discussion. We recently had an increase from 12% GGR to 15% each year, an increase 1%. But it is still doable. It is still manageable. And I think that there are very good parts about the do's and the don'ts about KYC, about player protection, about responsible gaming that we copied from the best practices around the world. That's what I'm saying.

KRIS GALLOWAY: It feels like a very delicate balance in terms of what you do with taxes. What do you take from other templates? You mentioned 28%. It's very difficult, I think, to gauge exactly what that number is.

DANIEL XAVIER: It's impossible. 

KRIS GALLOWAY: I mean, some industry reports suggest illegal operators account for up to 55% of revenue in some cases. Like you say, it's impossible to know exactly what that figure is. It's hard to verify. But directionally, I think it does tell a story. We also know that Brazil has a high crypto adoption rate, which makes payments faster and harder to trace. Does this make challenging the illegal market in Brazil harder than in most other regulated regions?

DANIEL XAVIER: To be honest, I don't believe that we have a high usage of crypto in Brazil. The same research from H2 Capital shows that it's around 1% in crypto. Look, this is illegal because the legal only have just one option, called Pix. 

KRIS GALLOWAY: Yeah. Of course. 

DANIEL XAVIER: It's like a direct transfer. Brazilians, in general, use Pix for around 91% of the GGR of the total market, both legal and illegal. The banking system in Brazil is very advanced, and it's very trackable: both the source and the destination of the money. So maybe we have a better understanding of the legal market than other countries do because of Pix.

KRIS GALLOWAY: I mean, Pix. I think a lot of regions look at Pix as being quite revolutionary in terms of payments, which is great for Brazil. Building on that, what would you say are some of the main fraud patterns that are most tied to the unlicensed ecosystem in Brazil? And which one of them worries you the most as we see the market maturing?

DANIEL XAVIER: Great question. Brazil is a country when it comes to fraud. Brazil is a huge country—200 million people. They used to find personal information on the internet and create dozens of accounts, too, for bonus abuse and other frauds. But regulation creates a very good foundation to prevent this from happening. Of course, operators would try to do it anyway, but there is now a need for a very sophisticated KYC process during sign-up.

So, you need to send an ID, a selfie. You need to cross-check information with some bureaus. So, it’s very reliable today, talking about the legal market. It’s a very reliable process that guarantees that the person is the real person using the documents and the data. But before that, in the legal market, that used to be a problem.

KRIS GALLOWAY: Yeah, I can understand. And I think you've also addressed some of the ways BetMGM is tackling this in your answer. How vulnerable would you say the Brazilian iGaming market is to money laundering specifically? Not least because, as we know, money laundering within banking is becoming increasingly expensive. Do you think this makes iGaming in the Brazilian market more vulnerable?

Suggested read: AML Casino Compliance and Responsible Gambling Standards: Global Guide

DANIEL XAVIER: I don't think so, because as I mentioned, the system—the platform—is very robust. The KYC process, how we handle the information, the technology, and the banking system are very advanced. So, it's very traceable—the source and destination of the money.

And regarding BetMGM in Brazil, you can imagine that MGM Resorts and Grupo Globo, which are in a joint venture between these two companies, are extremely concerned about compliance and governance. So, they have the highest level of concern about that.

So, I don't think it's worth it to use legal platforms or legal operators for money laundering. Maybe there is still some space in the legal market for that.

KRIS GALLOWAY: That makes sense. What do you feel could be done at a governmental and educational level within the Brazilian market to ensure users understand and know the difference between a regulated and an unregulated operator, and the risks that the unregulated operators carry.

DANIEL XAVIER: Brazil is a very different country from the others. The land-based casinos were banned from the country in 1946. And they are to date. But people kept on gambling somewhere, some way. But what happened: the public opinion about the market is very bad. It's, like, linked to illegal activity. And as a result, some people don't mind playing on illegal sites. So, 23% of the players of the people that this study is from, H2 were asked whether they prefer legal or illegal, 20% don't mind whatever. So, there's a lot of work to be done by the operators, the government, and the associations to educate the population about the risks of the black market. It will take time. We are just starting year two of the regulation, so everything is very new for everyone.

KRIS GALLOWAY: It's interesting because we mentioned that there are lots of templates that Brazil can take from in terms of creating the regulation, but this feels like something that it's revolutionizing in the sense of actually educating people as to the dangers and the differences between illicit operators and the regulated operators.

Looking forward and considering how unique the Brazilian iGaming landscape is, how do you expect the industry is going to evolve over the next few years, looking at things like education regulation that you mentioned?

DANIEL XAVIER: Well, I feel very optimistic about the market, about Brazil, because I understand that this work about blocking the legal market will increase over the next years. This education will show how important play is. There is a legal activity. Like anyone else, anywhere else. And you can find a tournament by this. Besides, I think that the market will also grow over time. Maybe if you invite me in 4 or 5 years. I hope you do. If the audience likes me, I don't know.

KRIS GALLOWAY: I'm sure they will.

DANIEL XAVIER: So if you invite me 4 or 5 years from now, maybe you can have the double of the size of the market that is today. I really believe it to happen because it's new. Like you'll be on an open TV channel and say, play in BetMGM in Brazil. Five years ago, it was prohibited.

KRIS GALLOWAY: Completely different.

DANIEL XAVIER: So the market grows. So, I'm very optimistic about that.

KRIS GALLOWAY: I think one thing we'll need to do on the video version of this is put a to be continued subtitle, so that we can pick up where we left off. 

DANIEL XAVIER: Let's do it. 

KRIS GALLOWAY: It's been a pleasure. Thank you ever so much for coming on the podcast.

DANIEL XAVIER: Thank you for inviting me.

Andrew Wright, LeoVegas Group

KRIS GALLOWAY: We often talk about fraud as a technical or a legal battle, but for an operator, it's a human one as well. You can't just keep adding checks. Every extra hurdle affects the customer experience and the conversion rate, as well as the overall journey. It's about finding the Goldilocks zone where the platform is secure, but the experience remains seamless. To get the operator's view on the balance, I'm joined by Andrew Wright, who's the Managing Director for UK and Ireland at LeoVegas Group. Andrew, welcome to the Podcast.

ANDREW WRIGHT: Good morning. Thanks for having me.

KRIS GALLOWAY: You're fresh off of the Future of Sports Betting panel. And I'd like to broach the same topic. But from the perspective of fraud, it is the What The Fraud? Podcast, after all. How do you feel the World Cup in particular this year is going to threaten sports betting operators in ways that we haven't necessarily experienced in previous World Cups.

ANDREW WRIGHT: Yeah, it's a good starting point to say just off the panel, we talked a bit about, from an operator's perspective, from an acquisition and retention point of view. The World Cup is unbelievably important for operators. Once every four years, and it's the biggest show on earth. So, and I think this year is even heightened. There are more games than ever before. There are over 100 games, and more teams than ever before. And so actually, the way we're thinking about it is maybe different to how we've done in the past.

I think from the from a fraud point of view, obviously, where the issues can arise is, of course, everyone's going to spend a lot of money on acquisition. There'll be a lot of acquisition offers, welcome bonuses. Lots of bonuses for new customers, too. And so that creates an awful lot of opportunity for new accounts to be opened up that aren't perhaps the average person on the street who wants to have a bet on England v Panama or whatever it might be. So yes, it's a cracking opportunity. But of course, we're thinking about it from the perspective of fraud as well as risk from maybe a trading perspective as well.

KRIS GALLOWAY: Yeah, absolutely. What do you feel operators should be or should already have in place to combat these threats? Or what should they be working on now to make sure that they're not caught out when it's too late?

ANDREW WRIGHT: Yeah. I mean, look, this has been an ongoing process for a long time now, but we're forever looking at behavioral flags to try and indicate, let's be honest, the long-term or the lifetime value of a customer. That's a lot of what we do. And obviously, we're also looking at potential markers of harm from a safer gambling perspective.

We’ve been honing these skills and building this muscle over many years. For example, if a customer signs up through a particular welcome offer or affiliate, does that make them more or less likely to engage in harmful play, commit fraud, or become a valuable customer? Are their payment methods an indicator? What about their postcode—especially if there’s a bot running multiple accounts? You might see multi-accounting where several accounts appear to come from the same university halls of residence.

So, there are lots of indicators, even before a customer places their first bet, that help assess the potential likelihood of fraud or long-term value.

KRIS GALLOWAY: And what the trajectory is going to be and what the LTV is. And I imagine part of that is building a risk score based on some or all of those factors that you mentioned.

One of the other panels that LeoVegas attended was titled The Black Market Challenge. Do you feel that most regulated operators lack the innovation we see among offshore operators, or does regulation prevent them from competing at that level?

ANDREW WRIGHT: It's a really interesting question, actually. From my perspective now, if I think about my roadmap and I think about my colleagues—I've worked in this industry for 20-odd years and worked with some unbelievably brilliant people — there's no shortage of ideas and innovation. And how do we take things that work well in casino and bring them to sportsbook, and vice versa? And look at e-commerce—how does Amazon do this, and why can't we do that, etc.?

There's loads and loads of great thinking around how we attract and retain customers. And if you then look at our roadmap, you’ll see probably half of it for the next six months, in the lead-up to the World Cup, is around regulatory or compliance tickets. So lots and lots of thinking is there. But equally, because obviously we're fully regulated and we're proud to be so, there are things we simply have to have as P0s, let alone P1s. And yeah, they simply have to be done for us to retain our license and protect customers in the way that we think we should.

I think when you're in an unregulated space, forgetting whether you pay tax, yes or no—that just means you have more money to spend. From an innovation perspective, you can purely focus—not saying they all do this, by the way—but you could purely focus on features and just making the product far more accessible, maybe far more enjoyable as well. So I don't think we're less innovative, but I think there are the pressures and the added workload that come with being regulated. Providing really safe play for customers can, at times, become a bit of a trade-off against cool, innovative new features.

KRIS GALLOWAY: That makes sense. So, it's not just a product and innovation thing. It's also a capacity thing, considering how much you have to fit into a short space of time. And I imagine that space of time can be considerably shorter, depending on when these features and requirements are announced at a regulatory level as well.

ANDREW WRIGHT: Absolutely, yeah. 

KRIS GALLOWAY: So, we see a broad range of unregulated industry statistics. AFJEL in France recently announced over 50% of revenue is black market. For example, UK reported a doubling from 2% to 4%. How accurate do you think these figures actually are?

ANDREW WRIGHT: I think LeoVegas operate in the Netherlands, and we're pretty confident that it'd be about 50% now unregulated to regulated in terms of from the industry. And that's since a big tax increase about 18 months ago in that country. Germany, well-documented, is about the same, probably 50, 55% or so. And I think interestingly, in that market, it sounds like the regulator is working really well with the regulated operators to try and find ways to help the regulated operators bring a bit more of that business back into the regulated environment, which is fantastic.

UK, very hard to know. Obviously, the tax increase is coming; it's going to make things harder for the regulated industries we've talked about. But similarly, lots of the affordability checks and whatnot, which again, rightly came in, were probably going back to 2021, 2022. I think some of the higher-staking, higher-turnover customers have already left for the unregulated market around that time. So, they're inevitably over the next 12 to 18 months, as casino tax increases in the UK and then sports book in 2027 increases again, there'll be a movement to the black market for reasons we just talked about around innovation and whatnot. But similarly, and maybe I'm clutching at straws here, like hopefully some of the move has already happened. All be it we've all done this. If you Google the best sports book in the UK, you're presented with a list of ten sports books that don't subscribe to GamStop and that sort of thing. And so immediately you're into an interesting place.

KRIS GALLOWAY: Absolutely. One last question, if I may. To what degree do you think the unlicensed operators slipped through the cracks at a regulatory level? Are the regulators focused predominantly on the regulated industry? Making it very unfair, considering you have so many unregulated operators slipping through the cracks? Or do you think there's a degree of recognition for the unlicensed operators from a money laundering perspective?

ANDREW WRIGHT: I mean, my gut feel would be the former. But similarly, if you think about, again, the recent tax announcement and there was £25 million has been allocated from that increased tax revenue to the Gambling Commission to try to clamp down and better, I suppose, regulate in air quotes the unregulated market. So hopefully that will help. And on a just a very this might be a bit crude thinking about in such commercial terms, but the government is now far more incentivized to clamp down on the unregulated market than it ever has been, because obviously the tax rates have doubled. So, fingers crossed that will make just make everything, make the gambling industry safer for all customers.

KRIS GALLOWAY: Absolutely. That's all my questions. Thank you ever so much for joining the Podcast. And hopefully we'll be able to do more in the future.

ANDREW WRIGHT: Yeah. Thanks for having me.

Adrianna Samuels, Globant

KRIS GALLOWAY: iGaming fraud doesn't sit in a box anymore. It touches every part of a business, from payments and product design to how we fight unlicensed operators. To see where the industry is headed. You need the whole map and to help me analyze that map, I have Adrianna Samuels, Vice President and Senior Client Partner for Gaming at Globant. Adrianna, thank you ever so much for joining us.

ADRIANNA SAMUELS: My pleasure.

KRIS GALLOWAY: Let's kick off with the first question. What are some of the most worrying and hardest to tackle fraud threats within iGaming right now?

ADRIANNA SAMUELS: I guess the biggest one I feel is the fake accounts. So in my experience, I've had people take their grandparents, their elderly family members' information, and game for the bonus abuses. It's insane.

Suggested read: Bonus Abuse in Gambling: Types, Risks & How to Prevent It

KRIS GALLOWAY: It's something that goes back to the 90s, if I'm not mistaken. I've heard stories of people buying IDs from town folk in rural parts of China to serve these ends. It's terrifying.

ADRIANNA SAMUELS: It is terrifying. Especially when it's someone close to you. Like your grandparents. When it's family. Because you have all the information. So, it's very simple.

KRIS GALLOWAY: I mean, I think there are two sides to this, I suppose. There's the industrial level bonus abuse and account fraud. And then there's the opportunistic side of things as well. How would you compare those two to each other? Which do you think can be the the most worrying?

ADRIANNA SAMUELS: Most worrying is probably the folks who are taking their families because it's really hard to gauge. You can scout IPs, verify the tools they're using on phones or computers, but you can't really nail down whether they're using each other's ideas. Their information. So that's what's worrisome to me.

KRIS GALLOWAY: That makes sense. Over the past few years, we've seen, actually, I want to say over the last decade or two, if I'm not mistaken, we've seen a number of operators being fined for a wide range of violations. I won't give any examples. Do you think these fines are enough to ensure that users are actually being protected, or could regulators or we be doing more in this sense, do you think?

ADRIANNA SAMUELS: That's a really heavy question.

KRIS GALLOWAY: It really is!

ADRIANNA SAMUELS: Because it depends on the operator you're talking about. If you're talking about a tier one operator, it's like chump change to them. They don't care. It's the cost of doing business. So, they're marketing, and they're pushing for this clientele. So, those fines don't mean much. However, when you're talking about the start-ups, that hurts.

KRIS GALLOWAY: Would it be a little bit too ambitious to suggest a dynamic policy in regard to fines based on where the operator is at in their journey?

ADRIANNA SAMUELS: I mean, I think that would be more fair. Because start-ups again, they're just trying to make it, and they're competing against tier ones, and it's very difficult to do. So those fines hurt the wallet.

KRIS GALLOWAY: I think there's a much deeper conversation to be had here, particularly in regards to regulation, especially in the US. It seems as though some of the regulations are actually prohibitive to new start-ups coming into the industry.

ADRIANNA SAMUELS: It's very difficult. The taxes, the licenses, it's really hard to be competitive.

KRIS GALLOWAY: It can be.  So let me ask you something a little bit different. I had a quick look at your LinkedIn. If you had a time machine, questions that start with if you had a time machine are always great, aren't they? If you had a time machine, which for some reason only went back to New Jersey in 2014, specifically, what would you tell the Adrianna Samuels, who was a senior Fraud Analyst at Bally Technologies, to prepare for in terms of fraud over the coming decade?

ADRIANNA SAMUELS: I would tell that Adrianna to focus on the partners that you brought into the operation, specifically in technology. I don't feel that we really thought about the technology that we were using. It was more speed to market, speed to market. I think we could have done better choosing the right technology and building for success.

KRIS GALLOWAY: Do you think regulation would change that today? Because, obviously, regulation has come a long way since 2014. Do you think it puts a little bit more pressure on the operator to make sure they're getting the technology right? Or do you think it's still a speed to market issue?

ADRIANNA SAMUELS: I think when you're a start-up, it's speed to market. When you're growing in the business, and you've been in the business for quite a bit, then it's about, okay, we're looking for the technology now because we want to bring it in-house. We want to utilize sticky features, we want to add more technology that's going to increase revenue, but also protect the business and the end consumer.

KRIS GALLOWAY: Makes sense. You've obviously worked in gaming and payments as well. If I'm not mistaken. Do you think payment providers could be doing more to support regulators, and regulated industries? And if you do, why aren't they. What does that look like at the moment?

ADRIANNA SAMUELS: That's a tough question. I have worked in payments, but I think a lot of it has to do with the information they provide the platforms. There's only so much information they can give. Because then you're crossing the lines of other legal laws. So, I think you're stuck in a, what do they call, a rock and a hard place. So, you can only provide so much information to the operators or the technology providers. And nobody wants to give too much information. So, it's a lot of manual work in order to protect the business.

KRIS GALLOWAY: It goes a lot deeper than people realize.

ADRIANNA SAMUELS: It really does.

KRIS GALLOWAY: So, staying on the theme of fraud, we're seeing more unlicensed operators pop up alongside grey market ones. Some people assume it's as simple as identifying their domains and blocking them. But in practice, why is domain-level blocking so hard to make effective? And what are its limitations as a disruption strategy?

ADRIANNA SAMUELS: I am definitely not a geolocation expert by no means. But I do feel that it's very difficult to pinpoint, because there are so many different bots and technologies that hackers are utilizing in order to get where they want to go when they want to go. If they want to get into a specific operator or they want to do something, they'll find ways around it.

KRIS GALLOWAY: What do you think the US gets right to dissuade operators, the rest of the world really doesn't catch on to, because obviously, I think if an illicit operator thinks about the US market, they steer well clear of it. So, what is it that the US really gets right in that sense?

ADRIANNA SAMUELS: I guess the first question is the US getting it right?

KRIS GALLOWAY: That's. Yeah, absolutely. Let's take a step back and look at it from that perspective. It's certainly doing something better than a lot of other countries.

ADRIANNA SAMUELS: I mean, regulatory I mean they're really strict. They're protecting end consumer, which I feel they're doing that right. They're being really strict. And I think that it's a positive thing to protect the end consumer. 

KRIS GALLOWAY: Of course.

ADRIANNA SAMUELS: However, I think a lot of the licensing and the taxes and the way to do business is definitely something that should be reviewed because you're not really getting operators that can come in and really put the money into the technology and to the ways to protect the fraud and so forth, because they're putting all this money in upfront.

KRIS GALLOWAY: Do you feel there's a gap between the technology and the regulators understanding of what can be achieved in terms of responsible gaming or in terms of anti-money laundering, or do you feel that there's still a lot there that can be learned from a regulatory perspective?

ADRIANNA SAMUELS: I think they could learn more. I think regulators know what they want to see. I know they want to see certain reports. They want certain, and they want to educate, and provide customers with a clear definition of what's going on in their gaming experience. However, I do feel that they could learn more, and I feel like technology providers, and even AI experts and companies, can really educate regulators a little bit better to say, 'Hey, listen, if operators are putting their revenue and their money into this technology to protect the business and to protect the end consumer, that is where you're really going to find the most value.'

KRIS GALLOWAY: Perfect. That's it. That's all my questions. It's been an absolute pleasure. Thank you ever so much for joining us. And hopefully we'll be able to do it again soon.

ADRIANNA SAMUELS: Thank you so much.

Torben Friis, Match Liquidity

KRIS GALLOWAY: From the liquidity side of iGaming, you get a different view of risk. It's not so much only about whether or not fraud exists, but how it affects financial stability, decision-making, and long-term confidence in an operator. To explore this perspective with me, I'm joined by Torben Friis, Managing Director at Match Liquidity. Torben, thank you for joining us on the Podcast.

TORBEN FRIIS: Thank you for having me.

KRIS GALLOWAY: So from the liquidity side of the industry, I imagine you see a very different risk profile from an investor's perspective. When does fraud stop being an operational issue and when does it start becoming an investment risk?

TORBEN FRIIS: Well, the main thing for us as a provider in this, let's say, vertical, I must emphasize we don't deal with iGaming operators directly. We deal with the service companies within their groups, which deal with marketing IT and stuff like that. But what we really see with this stuff is that a lot of these people don't really appreciate the necessity of having basic safeguards in place. A clear example is they might take the lowest level of screening that a company like Sumsub will offer, but they will not take the next level up, where it will allow that to be integrated with a back-end solution that will map the IP address consistency of that customer against subsequent activity.

So, they will perhaps go into something like a Sumsub solution that will KYC the customer. But funnily enough, that person is from, let's say, France, and that will go via France. But all the subsequent activity of that player's account is done out of India or, I don't know, an obvious VPN that is used by a provider out of Russia. And what we say to them, look guys, you don't have your house in order. So, from a business point of view, when we talk to them both as a provider, but also we are a proprietary trading firm originally, so we have a bit of money on the side, and we've given some of these companies a bit of money on the side to see what they could grow. We really have to educate them a lot. That's the sad truth.

KRIS GALLOWAY: No, that makes sense. And a shameless plug here. Whereas you're saying that if they'd gone that step further and taken on some Sumsub’s device intelligence, for example, then they'd be much better protected rather than just taking the approach of 'We're ticking this box, this is done, this is the minimum we need to do.'

TORBEN FRIIS: Yeah, but that's because most of these businesses often have a reactive approach where they say, let's just tick some boxes, let's get some providers on board. If anybody comes and asks a question, we'll say we have Sumsub for compliance, crypto. We don't know how this works. So, they will take the cheapest provider on the street, like Crystal, and then they will get it going. And then when the shit hits the fan, they will come back to you and say, 'We need an open heart surgery. What kind of extra solutions do you have?' Some might even be so cheeky as to ask if you can backdate the invoices, and they'll pay you back until then, because they really just need a justification that they have taken necessary measures.

KRIS GALLOWAY: Yeah. So, it's not even a conscious prioritisation issue. It's actually just not understanding the threats that are there and how to prepare for them.

TORBEN FRIIS: I think a lot of them are conscious of the threats. They just choose, from a commercial or risk point of view, to say, why spend that money now? Why buy that car insurance? We'll just take the cheapest option, and then if there is an incident, we'll call the insurance agent and say, 'By the way, do you remember last week I told you to get full insurance on the car?' But I never received that in the mail. Is that in process?

KRIS GALLOWAY: Partly terrifying. Partly interesting. So are there types of fraud you see is almost as an inevitable cost of business versus others that immediately raise questions about management quality.

TORBEN FRIIS: Well, I don't believe there are any kinds of fraud that you would somehow condone and just say, 'Well, that's the cost of doing business,' because that's literally we have to remember that fraud in its own right is a criminal activity. And although lawyers and judges will tell you that prosecuting and convicting for fraud is often difficult.

KRIS GALLOWAY: Especially in this industry.

TORBEN FRIIS: Indeed, the key thing is we always tell these people, we at Match we have been running a series of educational efforts. We had a long event with Scotland Yard, London Metropolitan Police, the head of the whole cybercrime section there, top people from Chainalysis, one of the leading companies in the KYT space in the world. Therefore, their main person on these systems architecture, who was with the German FBI Bundeskriminalamt. And they were explaining that a lot of these businesses, if they would just take a more active role in preventing fraud at their user level early on, then they would stand a lot better. But many of them choose to take a reactive role rather than going into it at first because they want to save money.

KRIS GALLOWAY: Absolutely. It goes back to what you said at the beginning in regard to being preventative rather than reactive. So, on the occasions that you do work with operators early on, what tells you or what signs are there that they genuinely do understand the risk exposure versus just ticking compliance boxes, as we mentioned a moment ago? And are there any signals that you've learned to trust over time?

TORBEN FRIIS: The main thing is we always ask how understanding these people are of the routes they are operating. So even though we have nothing to do with credit card processing—we are purely on the B2B treasury side of the industry and do first-party transfers back to relevant companies, banks, financial institutions, whatever—the reality is we always ask them about a simple vertical that we have nothing to do with, like credit cards.

Please tell me, how is your credit card acquiring process right now? And then we understand how they run this. And if they start talking about miscoding early on, we understand they have a very high risk profile in terms of risk tolerance. And that's the moment we say, oh, do we really want—going back to fraud, or let's say negligence—are these people appreciating what's going to happen next?

And then the next step we take from that is we ask them, 'Right, what safeguards do you have internally?' For instance, as in any business, a company that sits on a lot of money—let's say an online operator or the technology arm of this entity—you tell us you've changed your bank accounts. But I don't know if one of your senior financial controllers has decided to go on holiday two weeks after they make the last transfer, but the day before they make the transfer, he informs us that you've changed bank accounts, and then he wires 5 million out to somewhere behind the moon.

So this is the kind of stuff where we ask, what are your safeguards for this? And we often challenge people and say, look, you've just sent this across to us. You've now moved to a bank in Singapore. You were always in Europe. We need a video call where this person is on the call. And if there can't be a video call, then we will halt the whole process until there has been a video call. We've even had incidents where we were like, with AI these days, everything's possible.

KRIS GALLOWAY: I was just about to ask, is a video call enough these days?

TORBEN FRIIS: Then we're going to say, look, there's only one thing to do. Who do we have as a trusted source nearby? I personally have been in the financial industry for 26 years, so I can dial up people in over 100 countries in the world within a few hours. And I'll say to somebody, 'Look, I need somebody on your team to go to that address, ring the doorbell, and tell me, and I'll send them a photo of the person.' Is this guy there? And if he's not there. Thank you very much. I owe you a lunch or dinner next time I'm in town. But we're not going there because you can't dial it back afterwards. Or you could try, but it's very cumbersome.

KRIS GALLOWAY: Yeah, absolutely. I had a couple of other questions here, but I think you've answered them so far with everything that we've discussed, your answers have been so comprehensive. But let's just touch a little bit more on AI. As a final question. Obviously, a lot of us are aware of how AI is impacting the operator side of things, the impact it has on multi-accounting, bonus abuse, and money laundering, for example. On your side of the industry, what are the threats from AI there?

TORBEN FRIIS: Artificial intelligence is based around a much more basic concept, which is LLM—Large Language Model. That is the format in which an AI agent is built.

Suggested read: From AI Agents to Know Your Agent: Why KYA Is Critical for Secure Autonomous AI

What does that mean? That means that this particular piece of software is built to do something. So, what fraudsters often do is have dev teams—developer teams—build AI tools, large language models, which are profiled, in this case, toward online casinos. How? They will screen for how easy it is to KYC online. Is there any requirement for that? Number two, they will understand—so they will run almost like a kind of smart contract equivalent as an AI concept—they will screen, okay, what are the minimum deposits? What are the maximum deposits and withdrawals on this system? What are the RTP rules — return to player?

And then, on that basis, they will say, let's go. Okay, there's no KYC. We can just spin up a lot of Svetlana Ivanovas. We can spin up a lot of Peter Joneses, give it a tweak, and then let's just see how much we can run through it. And if there's, let's say, a crypto casino akin to Stake or something like that—although Stake are some of the guys who are doing the most, again retroactively—then the issue becomes this: if you're an online casino accepting crypto, suddenly you have these huge waves of cash coming in.

You are producing, so to speak, documentation for people, because the RTP rules via the relevant gaming studios prescribe what it should be, or the relevant operator does. So then you are giving people bona fide documentation for how their money was laundered, and then these guys move out. Subsequently, you might be informed, I'm sorry, but you've just laundered $50 million from Lazarus, the North Korean hacker group, and you had no safeguards in place to actually screen this in real time. So you have now been abetting money laundering.

KRIS GALLOWAY: Yeah. Was it Lazarus, the famous Hack on Stake?

TORBEN FRIIS: That was also them yesterday. But what they mainly use? They don't really target online casinos as such because the amounts for them versus the effort, they sit and build this as a social engineering program. So that was also the trick they did with Bybit. So, they say, right, look, instead of trying to hack online casinos, instead of trying to hack crypto exchanges, let's just take it one step up. Let's take it into the most core infrastructure of the industry. Let's take it into smart contracts that these crypto exchanges use in the back end, whereby they do it, and people say, okay, there's a smart contract update. I don't know what the hell I'm doing anyway because I just press buttons here. So let me just press the poof. Oh what 1.3 billion is missing in Ethereum? I think I need to go downstairs and get out of here.

KRIS GALLOWAY: I think Scattered Spider was the other hacker group, if I'm not mistaken.

TORBEN FRIIS: That’s right.

KRIS GALLOWAY: Thank you ever so much. We need to finish up. We're out of time. Really appreciate you coming and answering these questions, and hopefully we can do it all again soon.

TORBEN FRIIS: Absolutely. Thank you for having me.