The opportunities and challenges of ISO 20022 for fighting financial crime

The improved and expanded ISO 20022 messaging standard is being heralded in financial crime risk management circles as the key to lowering the significant volume of false positives that firms have to grapple with in payment transaction screening. Certainly, ISO 20022 brings with it more structure, data, and meta-data delivered with greater integration potential. However, potential benefits will not be achieved automatically – firms will need to adopt technology that supports ISO 20022 and can exploit the new messaging standard’s data model, or they may wind up with more false positives than they had before.

Richer, better screening data

Screening using current messaging standards presents a significant challenge – data can be fielded inconsistently, there can be missing data, and the data is often of varying quality. This is because the basis for this messaging standard was created in the 1970s – for example, the address field does not format street, city, or other address information, but is one large unstructured text block. As a result, it can be very challenging to accurately match the data from payment transactions against sanctions data. This typically results in a large number of false positives and considerable human intervention in anti-money laundering and sanctions processes.

In contrast, ISO 20022 is an international and open messaging standard for the financial services industry set by the International Organization for Standardization, an independent, standard-setting body. ISO 20022 is based on an extensible mark-up language (XML) format and is structured in a three-layer data hierarchy. Messages based on ISO 20022 provide distinct and specific data on the transaction’s parties and their relationships, such as actual and on-behalf-of information, intermediate and receiving roles, and their geographic location. The messages can also contain rich structured party data, extended remittance information, and special characters and expanded character sets. This rich amount of data contained in each message means that individuals and entities can be identified much more clearly – potentially dramatically reducing false positives.

This new data structure is a quantum leap from where messaging is today. Major market infrastructures such as SWIFT, the Eurosystem, the European Banking Authority, the Clearing House, the Federal Reserve, and the Bank of England have published plans to migrate to ISO 20022 between 2022 and 2025. Also, international financial crime entities such as the Financial Action Task Force (FATF) and national regulators such as the Financial Crimes Enforcement Network (FinCEN) have already begun the regulatory and compliance work that will need to accompany adoption.

Benefit requires investment

However, firms will not automatically benefit from the transition to ISO 20022 in their financial crime programmes – there is quite a lot of work that most firms will need to do. For example, ISO 20022 brings with it many more data fields than the previous standard, and so financial crime technology will need to be able to screen all those fields, creating additional screening volume. Moreover, the increased volume of fields grows exponentially with each new message – creating a much greater overall quantity of data that financial crime technology will need to be able to process at speed.

Also, screening more fields will result in more alerts – that is a mathematical certainty – unless the financial crime technology has robust analytics that can maximise the potential that the ISO 20022 standard data has to offer.
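The false-positive argument above (a free-text address block versus structured party data, and more fields producing more alerts unless matching is field-aware), as an added Python example that is not from the original article. The watchlist entries, the legacy block and the simplified, namespace-free `Cdtr` fragment are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed watchlist entries (not real sanctions data).
LISTED_NAMES = ["IVAN PETROV"]
LISTED_COUNTRIES = {"ZZ"}  # placeholder country code

# Constructed legacy-style party block: name and address as free text.
LEGACY_BLOCK = "JOHN SMITH\n12 IVAN PETROV STREET\nLONDON GB"

# Constructed, simplified ISO 20022-style creditor (namespace omitted).
STRUCTURED = """<Cdtr>
  <Nm>John Smith</Nm>
  <PstlAdr>
    <StrtNm>Ivan Petrov Street</StrtNm>
    <BldgNb>12</BldgNb>
    <TwnNm>London</TwnNm>
    <Ctry>GB</Ctry>
  </PstlAdr>
</Cdtr>"""

def name_hits(text):
    """Return listed names that appear as whole words in text."""
    norm = " ".join(re.findall(r"[A-Z0-9]+", text.upper()))
    return [n for n in LISTED_NAMES if re.search(rf"\b{re.escape(n)}\b", norm)]

def screen_free_text(block):
    """Legacy approach: one unstructured block compared with the name list."""
    return [("block", n) for n in name_hits(block)]

def leaf_fields(xml_text):
    """Yield (tag, text) for every leaf element of the party record."""
    for el in ET.fromstring(xml_text).iter():
        if len(el) == 0 and el.text and el.text.strip():
            yield el.tag, el.text.strip()

def screen_all_fields(xml_text):
    """Naive migration: every field is screened against the name list."""
    return [(tag, n) for tag, val in leaf_fields(xml_text) for n in name_hits(val)]

def screen_field_aware(xml_text):
    """Names are compared with Nm only, country codes with Ctry only."""
    alerts = []
    for tag, val in leaf_fields(xml_text):
        if tag == "Nm":
            alerts += [(tag, n) for n in name_hits(val)]
        elif tag == "Ctry" and val.upper() in LISTED_COUNTRIES:
            alerts.append((tag, val.upper()))
    return alerts
```

The street name triggers an alert in both the free-text and the screen-every-field variants, while the field-aware variant alerts only when the listed name is in `Nm` or the listed code is in `Ctry`. Real payment XML is untrusted input and should be parsed with a hardened parser such as defusedxml.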

In order to crunch all the new data, financial firms will need agile technology that has the scale and capacity to do so – it will need to be in the cloud. Firms will also need to work with financial crime technology that uses advanced matching technology that is able to cope with many more comparison objects. In some of today’s tools the matching technology shares a pedigree with the original 1970s messaging standard; some will not be able to adopt ISO 20022 without significant re-tooling.

Thinking strategically

Financial services firms that want to fully benefit from the adoption of ISO 20022 in their financial crime programmes will need to evaluate their current platform to see if it can meet these new demands – the answer is likely that it cannot. Moving quickly now to bring in a financial crime technology platform that is ISO 20022 ready will deliver faster service within payment transactions, reduce customer friction, and greatly reduce the overall compliance burden. Firms that do not embrace the need for new technology could find themselves actually worse off, with accelerating levels of false positives.

Evolving payments ecosystem requires fresh thinking on combatting financial crime

Around the globe, the payments ecosystem is rapidly becoming more diverse – and more fragmented – as a once-in-a-generation transformation in how payments are made takes place. Financial crime risk management needs to adapt to the new ways in which transactions are being processed, and the fresh human behaviours these new payments ecosystems are creating.   

For example, in 2021 there were more than 40.4 billion payment transactions in the UK[i], including card transactions, which are rapidly replacing the use of cash. By 2031, cash is anticipated to be used to make just 6% of all payments, compared with 15% today. With increased digitisation, open banking initiatives and the falling cost of enabling technologies, new payment networks are springing up – including peer-to-peer and crypto-based payment networks. Examples include: 

  • Circle Pay – Launched by crypto firm Circle, it enables individuals to send money to 29 different countries in a variety of currencies.  
  • Remitly – A payments platform that has focused on enabling immigrant communities around the globe to send money faster and more cheaply.  
  • Ripple – This platform uses blockchain to complete payments in its network of more than 200 banks. Blockchain technology supports the encryption of each payment and the traceability of each transfer. 
  • Revolut – This online bank has launched a crypto payment service. Cardholders can access “spend from crypto” in the app and can choose from cryptocurrency holdings to make purchases on their Revolut card.  

FinTechs like these and others are beginning to change the face of the payments industry. For decades payments were completed by a small number of providers, such as credit card companies and Swift. Now, for example, experts are predicting that global crypto payment transaction value alone will rise to more than $16 billion in 2023.[ii]

New challenges ahead 

This new explosion in payment networks is good news for consumers – it has the potential to bring lower costs and increased agility in their ability to send and receive money. However, it may also be good news for criminals, because the explosion in payment networks means they potentially have more ways to send money too.  

In addition to this higher overall risk of criminals using new payment networks, compliance officers are going to face other challenges in this new, multi-channel world for payments. New payment networks will also bring: 

  • More data formats 
  • Different customer use cases 
  • A broader range of transaction behaviours 
  • Continued acceleration of changes in the underlying data and technology driving these systems 

These new payments networks will bring increased competitive pressures on traditional banks, who will want to be able to offer services that are as agile and easy as this new community of competitors, and often partner with these payment networks – while continuing to meet their existing compliance obligations.  

New technology for a new ecosystem 

To continue to combat financial crime in the face of this rapidly evolving payment networks ecosystem, compliance officers are going to have to engage with a new approach to technology. Existing on-premises financial crime tech stacks are not up to the coming challenges that traditional firms are facing. Instead, compliance teams need a technology solution in the cloud that is capable of delivering transaction monitoring faster, cheaper, and with increased agility in response to regulatory change and the continuing evolution of the payments network ecosystem. They also need a solution that has the capacity to engage with many payment media types, not just several. In addition, competitive pressures – and regulatory concerns – mean that compliance teams should be preparing for the need to adopt technology that can already support sanctions and AML transaction monitoring in real time.


[i] https://www.ukfinance.org.uk/system/files/2022-08/UKF%20Payment%20Markets%20Summary%202022.pdf