Max Irwin, VP of Sales Europe at Shufti, works at the intersection of compliance, fraud prevention, and player experience—areas operators have long struggled to balance. As regulation tightens and fraud grows more sophisticated, Irwin argues that the belief that stronger security leads to higher player drop-off is outdated.
Advances in real-time identity verification now allow operators to deliver seamless onboarding alongside robust compliance. In this interview, he discusses the rise of AI-driven fraud, common mistakes in new market entry, and why identity verification is shifting toward continuous, adaptive intelligence rather than one-time checks.
What is the biggest myth about strict security and player enjoyment? Can both coexist?
Max Irwin: The biggest myth I encounter in almost every operator conversation is that tightening security means accepting higher drop-offs. I hear it constantly, “we can’t afford to lose players at registration”, and it’s usually used as a reason to keep verification light.
Keeping verification light has its own costs. These show up later as chargebacks, bonus abuse, regulatory penalties, and account takeovers. Those costs are harder to see on a dashboard, but they’re very real.
Why the Trade-Off No Longer Exists
What’s changed is that technology has made the trade-off largely obsolete. When document verification, biometric matching, liveness detection, and AML screening all run simultaneously in the background, players don’t have to wait through a compliance process. Instead, it is completed before they have even finished filling in their details. The friction players actually complain about is waiting and confusion, not the verification itself.
The operators I’ve seen win in competitive markets are the ones who’ve reframed this internally. They don’t treat KYC as a regulatory burden sitting between the player and the product. They treat it as part of building a platform players trust, and trust drives retention. Shufti’s SOC 2 Type 2 and ISO 27001 certifications support this. They give partners independently audited confidence with players and regulators.
So yes, you can absolutely have both. The operators still treating security and experience as a zero-sum game are working with an outdated assumption, and it’s costing them on both sides.
How has the battle between security tech and AI-driven fraud, like deepfakes, changed over the past 12 months?
Max Irwin: From where I sit, talking to operators across multiple regulated markets every week, the conversation has shifted noticeably. Twelve months ago, deepfake fraud was something operators were aware of in the abstract. Now it’s something their fraud teams are actively dealing with.
The uncomfortable reality is that generative AI has industrialized identity fraud. Synthetic identities, AI-generated document images, deepfake video selfies: these aren’t sophisticated nation-state attacks anymore. They’re accessible to organized fraud rings targeting iGaming platforms specifically because the onboarding window is a known vulnerability. If your verification stack was built three or four years ago and hasn’t been fundamentally updated, you are exposed in ways that your current incident data may not yet reflect.
Why Fraud Prevention Must Evolve
What I tell operators is that the question isn’t whether your current system catches fraud, it’s whether it will catch the fraud that’s coming in six months. Shufti’s deepfake detection is trained on continuously updated, real-world manipulation data across global demographics. That matters because fraudsters iterate fast, and defenses built on static datasets fall behind. We combine this with iBeta Level 2 certified liveness detection, 3D facial recognition, device intelligence, and behavioral analytics, all running simultaneously. This allows the system to assess the full picture, not just the document.
The operators who are ahead of this have stopped thinking about fraud prevention as a gate at registration. They’re building it into the entire player lifecycle. That’s where the industry is moving, and the platforms that get there first will have a material advantage in both compliance posture and player trust.

When a brand moves into a new territory — like the newly regulated market in Brazil — what is the most common mistake they make regarding their onboarding strategy?
Max Irwin: The most expensive mistake I see is operators assuming their existing onboarding flow is 80% of the way there and just needs minor localization. It almost never is. Every regulated market has its own compliance logic, different document standards, different AML typologies, different data residency rules, different regulatory relationships. Brazil’s market is a clear example of the federal framework that now demands demonstrable, auditable KYC and AML controls from day one. Regulators there aren’t interested in a grace period while you adapt.
The second mistake, which often follows the first, is over-correcting with friction. Operators who realize their flow isn’t compliant sometimes stack every available check at the front of the funnel out of caution. Conversion data from that kind of onboarding is painful to look at, and the irony is that the added friction often isn’t delivering proportionate compliance value; it’s just indiscriminate.
The Shift Toward Adaptive Verification
The biggest thing we have seen in Brazil is adaptive verification built specifically for the jurisdiction. Using biometrics first to access document databases is changing how operators approach verification globally. It removes document uploads, waiting times, and unnecessary steps. Higher-risk profiles get proportionate scrutiny. Low-risk players move through seamlessly.
The operators who succeed build compliance into planning before launch. Not after their first conversation with regulators. The cost of rebuilding a broken onboarding flow mid-launch, in lost players and regulatory exposure, is always higher than getting the architecture right up front.
Operators fear high-security checks lead to drop-offs. How does Shufti ensure verification stays seamless in the background?
Max Irwin: This is probably the concern I address most often in operator conversations, so let me be direct about it. Drop-offs happen when players are made to wait, or when they’re asked for things they don’t understand or didn’t expect. They don’t happen because security is happening; they happen when security is visible in the wrong ways. The goal is to make comprehensive verification feel effortless, and that’s fundamentally an architecture problem.
Shufti’s stack runs every relevant check in parallel, including document verification. This includes biometric matching, liveness detection, AML screening, sanctions and PEP checks, and device intelligence. Identity solutions that are evolving fast to handle increasing verification demands in regulated markets.
All of these are triggered simultaneously by a single player action. There’s no sequential handoff between systems, no latency building up between steps. The player scans an ID and takes a selfie. By that point, the compliance assessment is already complete. Legacy systems would take several minutes or require manual review.
The practical outcome is verification completing in under 30 seconds for most cases. Because risk orchestration routes only complex cases to enhanced review, operators avoid creating blanket friction. The impact on conversion is both meaningful and measurable. Operators can see this clearly in before-and-after data from partners who have switched from older verification providers.
As players become more aware of digital privacy, how does Shufti help partners build “Data Trust”?
Max Irwin: This is becoming a real commercial issue, not just a compliance one. Players in mature markets, and increasingly in emerging ones, are arriving at registration with legitimate questions about what you’re doing with their data. How you answer that question, whether through your privacy messaging, your verification experience, or your brand reputation, has a direct effect on conversion and retention.
The operators best positioned here are the ones who can honestly tell players: we collect what we need, we secure it to the highest standard, and we don’t hold it longer than necessary. Shufti helps our partners make that claim credibly. Our QG-GDPR certification, PCI DSS compliance, and ISO 27001 accreditation are independently verified, not internal policy documents. Sensitive data is encrypted, retention is configurable, so operators aren’t holding documents beyond what regulation requires, and full audit trails are available for compliance teams and regulators.
The capability operators often underutilize is privacy-preserving verification. Instead of storing a player’s full identity document, the operator receives verified attributes—such as age or identity—without retaining sensitive data. This creates a lower-risk data posture and a more trustworthy experience for players.
Commercially, the benefit is clear: players who trust your platform stay longer, spend more, and refer others. Data trust isn’t a soft benefit—it’s a key driver of retention and an increasingly important factor in how players choose between platforms.
Looking ahead, what is one “silent” trend in identity verification that you think will be a standard feature for every major iGaming site by this time next year?
Max Irwin: Continuous adaptive identity intelligence. The shift from verifying a player once at registration to maintaining dynamic, ongoing risk understanding throughout the entire player relationship.
The operators I speak with who are furthest ahead are already thinking this way. They recognize that onboarding verification, however good, only tells you who someone was at the moment they signed up. Account takeover, session-level manipulation, and mid-lifecycle risk changes are becoming a larger share of the fraud problem. They are often invisible to platforms that stop monitoring after KYC approval.
What’s coming is real-time risk scoring that updates continuously based on behavioral signals, transaction patterns, device changes, and contextual anomalies. When something changes meaningfully, an unusual withdrawal from an unrecognized device, a behavioral pattern inconsistent with 18 months of history, the platform responds proportionately. A biometric re-authentication prompt, not an account freeze. Targeted friction, not blanket disruption.
Alongside this is reusable verified identity. Once a player has completed full KYC, they should be able to authenticate for sensitive actions with a quick biometric confirmation. This removes the need for re-submission or repeated document uploads, while maintaining full regulatory integrity. Shufti’s Fast ID already enables this, and I fully expect it to be a standard expectation from players within the next 12 months.
For operators, the business case is compelling on multiple dimensions: lower fraud losses, stronger compliance posture, and a player experience that feels genuinely premium. The platforms that build this layer now won’t just be better protected; they’ll be harder to compete with.

With a background in digital media and a keen eye for emerging technologies, Ronaldo bridges the gap between players and platforms through clear, insightful reporting to the iGaming industry.