The regulatory environment for Electronic Money Institutions (EMIs) is increasingly fragmented across jurisdictions. How does this cross-border complexity challenge compliance architecture and has this sparked more exploitation of regulatory arbitrage opportunities?
The regulatory environment for EMIs is fragmented, and this creates real challenges for the compliance architecture at the enterprise level. You can’t simply replicate one model across borders because every jurisdiction has its own interpretation and supervisory culture. In Cyprus, for example, we align with both the Central Bank of Cyprus and the EBA, while many of our clients operate in third countries with very different standards.
This increases complexity, but it also exposes opportunities for regulatory arbitrage, where some actors may be tempted to route flows through lighter-touch jurisdictions. For me, that’s short-term thinking. At our institution, we consciously aim for the highest common denominator rather than the lowest. It’s a matter of integrity: if you’re constantly chasing the easiest rulebook, you might gain speed, but you lose long-term trust and resilience.
EMIs are often perceived as nimbler than traditional banks, but less trusted. How do you tackle this and build institutional-grade trust without compromising operational efficiency and innovation?
Indeed, there is the perception that EMIs maybe nimbler than banks but not as trusted, and I see this as both a challenge and an opportunity. Building institutional-grade trust requires strong governance – independent boards, transparent reporting to regulator, in our case the Central Bank of Cyprus, and voluntary adoption of standards that go beyond the minimum.
At the same time, partnerships with reputable banks for safeguarding are critical because they provide an extra layer of reassurance. Of course, we don’t want to compromise agility by drowning innovation in bureaucracy. The way to balance this is through embedded compliance – automating controls so they become part of the tech stack rather than a separate burden.
In the end, trust is built not only by what you promise, but also by what you prevent. If clients see that our controls are strong without slowing them down, they stop comparing us to banks and start valuing us on our own merits.
With the accelerated adoption of embedded finance and application programming interfaces (APIs) in B2B banking, how do you handle third-party risk due diligence to ensure long-term reputational resilience in a volatile fintech environment?
The rise of embedded finance and APIs has made third-party risk one of the defining issues for EMIs. When you plug into another fintech or platform, their risk culture becomes your reputational risk.
We handle this through a multi-layered approach: beyond traditional KYC, we conduct deep assessments of business models, beneficial ownership, and jurisdictional exposure. In Cyprus, we pay particular attention to offshore structures, which may look legitimate at first glance, but can hide complex risks.
Due diligence doesn’t end at onboarding – it continues through constant monitoring of transactions, adverse media, and sanctions exposure. And sometimes the hardest, but most important step, is saying no. Reputational resilience is about declining business that looks profitable today but could be toxic tomorrow. At the end of the day, your reputation is only as strong as your partner’s last transaction.
AI and behavioural analytics are reshaping AML and fraud detection, but they raise new concerns around transparency and bias. How do you audit these systems to meet regulatory and ethical standards in real-time environments, and where’s the boundary between automated compliance systems and human judgement in your organisation?
AI and behavioural analytics are indeed changing the way we detect money laundering and fraud. They allow us to identify complex patterns and reduce false positives, which is vital in high-volume environments. But they do raise important questions around transparency and bias.
To manage this, we document model logic, we control versions, and we run validation tests that aren’t just the vendor’s word but our own independent checks. For high-risk scenarios, we ensure that human panels review and challenge the machine output. To me, the line is clear: AI does the heavy lifting, but accountability remains with people.
Regulators in Cyprus and across Europe are very explicit that you cannot outsource judgement to an algorithm. AI can detect what humans might miss, but it cannot replace human accountability. As I always say, technology can help you think but cannot do the thinking for you.
Central Bank Digital Currencies (CBDCs) have the potential to disrupt and redefine the cross-border payments landscape. How would widespread CBDC adoption impact EMIs, and does your company have a strategic position on this?
CBDCs could really change the cross-border payments game. For EMIs, I see this as an opportunity. CBDCs can lower costs, cut out the need for correspondent banks, and make international transactions faster and more transparent. That plays directly to the strengths of EMIs – we’re leaner, more digital, and already built around customer-focused, cross-border solutions. In many ways, CBDCs could amplify what we do best.
For traditional banks, the picture is more complicated. If central banks start offering retail wallets or direct wholesale access, then banks lose part of their historic role of simply moving money from A to B. They won’t disappear, but they’ll need to shift their focus toward value-added services – things like compliance, lending, or customer experience. And for some banks, that transition will be tough, given legacy systems and higher costs.
Our view is that EMIs and PIs must have a seat at the table as CBDCs are developed. In Cyprus, for example, we’re closely watching the ECB’s digital euro pilot and we discuss this in our industry associations. It’s essential that CBDCs are designed in a way that keeps the ecosystem balanced and competitive.
So, to put it simply: CBDCs are a catalyst for EMIs, and a real challenge for banks. EMIs can scale faster and adapt quicker, while banks will need to rethink their value proposition.
Given recent geopolitical tensions and the use of alternative payment systems to circumvent sanctions, how do you ensure your platform isn’t inadvertently facilitating sanctions evasion through complex corporate structures or emerging technologies? What growing risks or red flags do you see that regulators and organisations may be underestimating?
Geopolitical tensions have made sanctions compliance one of the biggest challenges for financial institutions across the world. The sophistication of evasion is growing – we’re not just dealing with obvious names on OFAC, OFSI, UN or EU lists, but with shell companies, proxy ownership, voting rights, and the use of emerging technologies like DeFi or stablecoins.
In Cyprus, we’re especially conscious of this because the jurisdiction has long been under scrutiny. Our approach is always to go deeper than the first ownership layer, to assess sectoral sanctions and even ‘ownership by association’ risks. Real-time monitoring helps us catch typologies such as rerouting through third countries.
What worries me is that regulators may still underestimate the role of professional enablers – lawyers or corporate service providers who knowingly or unknowingly create complex structures that hide true beneficial ownership. The risk is not the obvious sanctioned entity; it’s the well-dressed structure that looks legitimate, until you peel back the layers.
There’s always strong regulatory focus on jurisdictions perceived as higher risk. But that can sometimes mean bad actors choose to operate in places considered ‘safer’ or more ‘mature’, where regulators might be less alert.
If I take Cyprus as an example, over the past decade we’ve taken significant steps to build a robust legal and regulatory framework, and we’ve implemented it strictly across the board. Some say we’ve gone too far, making already tight rules even tighter, but when you’re working to change a bad reputation, those steps are necessary.
By contrast, countries with a strong reputation on paper can sometimes run into problems if overconfidence leads to complacency and less rigorous enforcement. So, it’s not just about having the rules, it’s about how consistently and seriously you apply them.
What horizon scanning mechanisms do you rely on – not just in terms of preventing risk or ensuring regulatory alignment, but in enabling future-ready, compliant innovation at scale?
For me, horizon scanning is about preparing ahead, not just catching up. At a practical level, it involves active dialogue with the Central Bank of Cyprus and participating in EBA consultations, which give us early signals of where regulation is heading. It also means staying plugged into industry associations, like the Association of Cyprus EMIs and PIs (ACEMPI) and ACAMS through the local Chapter which turned 10 this year, as they are often the first to surface emerging risks and best practices.
Beyond regulation, we also scan the technology horizon – AI, blockchain, even quantum computing, because these will redefine compliance challenges in the near future. Importantly, horizon scanning isn’t only defensive. It’s also about enabling compliant innovation at scale. If you can spot the regulatory trend before it lands, you can build solutions that are future-ready rather than scrambling after the fact. That’s what allows us to innovate with confidence.
Gregory Dellas is the Group Chief Compliance and Risk Officer at ECOMMBX and a recognised leader in financial crime prevention and risk management. With an over 30-year career in banking and financial services, Gregory has held a series of senior leadership roles. At the Bank of Cyprus, he served as Director Wealth & Markets and led the AML Risk Management team within International Banking Services, overseeing high-risk clients and transactions while providing strategic guidance and specialised training to management and staff. Prior to that, he was Group MLRO for a major Cypriot bank and held other senior management positions. In 2015, Gregory founded the ACAMS Cyprus Chapter, where he continues to serve as Chair. He also serves as Vice-President of the Association of Cyprus Electronic Money and Payment Institutions (ACEMPI). He is an Associate Fellow at the Royal United Services Institute (RUSI), a Fellow of the International Compliance Association (FICA), a long-standing member of the AMLP Forum and AGRC, and a certified CAMS Instructor and GCI-accredited trainer. His credentials include CAMS (Advanced) – Risk, CAMS (Advanced) – Audit, and CGSS, reflecting his deep expertise across the spectrum of AML/CFT and sanctions compliance. He holds an MBA from Lancaster University and a BSc (Hons) in Industrial Economics from the University of Warwick.
