The opportunities and challenges of ISO 20022 for fighting financial crime

The improved and expanded ISO 20022 messaging standard is being heralded in financial crime risk management circles as the key to lowering the significant volume of false positives that firms have to grapple with in payment transaction screening. Certainly, ISO 20022 brings with it more structure, data, and meta-data delivered with greater integration potential. However, potential benefits will not be achieved automatically – firms will need to adopt technology that supports ISO 20022 and can exploit the new messaging standard’s data model, or they may wind up with more false positives than they had before.

Richer, better screening data

Screening using current messaging standards presents a significant challenge – data can be fielded inconsistently, there can be missing data, and the data is often of varying quality. This is because the basis for this messaging standard was created in the 1970s – for example, the address field does not format street, city, or other address information, but is one large unstructured text block. As a result, it can be very challenging to accurately match the data from payment transactions against sanctions data. This typically results in a large number of false positives and considerable human intervention in anti-money laundering and sanctions processes.

In contrast, ISO 20022 is an international and open messaging standard for the financial services industry set by the International Organization for Standardization, an independent, standard-setting body. ISO 20022 is based on an extensible mark-up language (XML) format and is structured in a three-layer data hierarchy. Messages based on ISO 20022 provide distinct and specific data on the transaction’s parties and their relationships, such as actual and on-behalf-of information, intermediate and receiving roles, and their geographic location. The messages can also contain rich structured party data, extended remittance information, and special characters and expanded character sets. This rich amount of data contained in each message means that individuals and entities can be identified much more clearly – potentially dramatically reducing false positives.

This new data structure is a quantum leap from where messaging is today. Major market infrastructures such as SWIFT, the Eurosystem, the European Banking Authority, the Clearing House, the Federal Reserve, and the Bank of England have published plans to migrate to ISO 20022 between 2022 and 2025. Also, international financial crime entities such as the Financial Action Task Force (FATF) and national regulators such as the Financial Crimes Enforcement Network (FinCEN) have already begun the regulatory and compliance work that will need to accompany adoption.

Benefit requires investment

However, firms will not automatically benefit from the transition to ISO 20022 in their financial crime programmes – there is quite a lot of work that most firms will need to do. For example, ISO 20022 brings with it many more data fields than the previous standard, and so financial crime technology will need to be able to screen all those fields, creating additional screening volume. Moreover, the increased volume of fields grows exponentially with each new message – creating a much greater overall quantity of data that financial crime technology will need to be able to process at speed.

Also, screening more fields will result in more alerts – that is a mathematical certainty – unless the financial crime technology has robust analytics that can maximise the potential that the ISO 20022 standard data has to offer.
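The contrast between the unstructured legacy party block and ISO 20022 structured party data, and the point that screening every new field blindly raises alert counts, can be shown in a few lines. This is an added example, not code from the original article or from any vendor: the watchlist entry, the legacy text block, the XML fragment (pacs.008-style element names, not schema-complete) and the token-subset matching rule are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08"}

# Constructed sample data: one watchlist entry, one legacy free-text party
# block, and the same debtor plus a creditor as structured ISO 20022 parties.
WATCHLIST = [{"name": "Ivan Petrov", "country": "RU"}]
LEGACY_PARTY_BLOCK = "JOHN SMITH\n12 IVAN PETROV STREET\nSOFIA 1000 BG"
ISO_FRAGMENT = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08">
 <FIToFICstmrCdtTrf><CdtTrfTxInf>
  <Dbtr><Nm>John Smith</Nm>
   <PstlAdr><StrtNm>Ivan Petrov Street</StrtNm><BldgNb>12</BldgNb>
    <PstCd>1000</PstCd><TwnNm>Sofia</TwnNm><Ctry>BG</Ctry></PstlAdr></Dbtr>
  <Cdtr><Nm>Ivan Petrov</Nm>
   <PstlAdr><TwnNm>Moscow</TwnNm><Ctry>RU</Ctry></PstlAdr></Cdtr>
 </CdtTrfTxInf></FIToFICstmrCdtTrf>
</Document>"""

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def name_hit(text, entry):
    """Illustrative rule: every token of the listed name occurs in the text."""
    return tokens(entry["name"]) <= tokens(text)

def screen_legacy(block):
    """Legacy style: the whole party block is one haystack."""
    return [e["name"] for e in WATCHLIST if name_hit(block, e)]

def parse_parties(xml_text):
    """Extract debtor and creditor name and address fields from the message."""
    root = ET.fromstring(xml_text)
    parties = []
    for role in ("Dbtr", "Cdtr"):
        for node in root.iterfind(f".//p:{role}", NS):
            get = lambda path: node.findtext(path, default="", namespaces=NS)
            parties.append({"role": role, "name": get("p:Nm"),
                            "street": get("p:PstlAdr/p:StrtNm"),
                            "town": get("p:PstlAdr/p:TwnNm"),
                            "country": get("p:PstlAdr/p:Ctry")})
    return parties

def screen_every_field(parties):
    """Naive migration: run name matching over every text field."""
    return [(p["role"], field) for p in parties
            for field in ("name", "street", "town")
            for e in WATCHLIST if name_hit(p[field], e)]

def screen_field_aware(parties):
    """Match listed names against name fields only; use country to corroborate."""
    return [(p["role"], e["name"], p["country"] == e["country"])
            for p in parties for e in WATCHLIST if name_hit(p["name"], e)]

if __name__ == "__main__":
    parties = parse_parties(ISO_FRAGMENT)
    print("legacy block:", screen_legacy(LEGACY_PARTY_BLOCK))
    print("every field :", screen_every_field(parties))
    print("field aware :", screen_field_aware(parties))
```

The legacy block and the every-field pass both alert on the debtor's street name, while the field-aware pass alerts only on the creditor and carries the country match as supporting evidence for the analyst.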

In order to crunch all the new data, financial firms will need agile technology that has the scale and capacity to do so – it will need to be in the cloud. Firms will also need to work with financial crime technology that uses advanced matching technology that is able to cope with many more comparison objects. In some of today’s tools the matching technology shares a pedigree with the original 1970s messaging standard; some will not be able to adopt ISO 20022 without significant re-tooling.

Thinking strategically

Financial services firms that want to fully benefit from the adoption of ISO 20022 in their financial crime programmes will need to evaluate their current platform to see if it can meet these new demands – the answer is likely that it cannot. Moving quickly now to bring in a financial crime technology platform that is ISO 20022 ready will deliver faster service within payment transactions, reduce customer friction, and greatly reduce the overall compliance burden. Firms that do not embrace the need for new technology could find themselves actually worse off, with accelerating levels of false positives.

Evolving payments ecosystem requires fresh thinking on combatting financial crime

Around the globe, the payments ecosystem is rapidly becoming more diverse – and more fragmented – as a once-in-a-generation transformation in how payments are made takes place. Financial crime risk management needs to adapt to the new ways in which transactions are being processed, and the fresh human behaviours these new payments ecosystems are creating.   

For example, in 2021 there were more than 40.4 billion payment transactions in the UK[i], including card transactions, which are rapidly replacing the use of cash. By 2031, cash is anticipated to be used to make just 6% of all payments, compared with 15% today. With increased digitisation, open banking initiatives and the falling cost of enabling technologies, new payment networks are springing up – including peer-to-peer and crypto-based payment networks. Examples include: 

  • Circle Pay – Launched by crypto firm Circle, it enables individuals to send money to 29 different countries in a variety of currencies.  
  • Remitly – A payments platform that has focused on enabling immigrant communities around the globe to send money faster and more cheaply.  
  • Ripple – This platform uses blockchain to complete payments in its network of more than 200 banks. Blockchain technology supports the encryption of each payment and the traceability of each transfer. 
  • Revolut – This online bank has launched a crypto payment service. Cardholders can access “spend from crypto” in the app and can choose from cryptocurrency holdings to make purchases on their Revolut card.  

FinTechs like these and others are beginning to change the face of the payments industry. For decades payments were completed by a small number of providers, such as credit card companies and Swift. Now, for example, experts are predicting that just the global crypto payment transaction value will rise to more than $16 billion in 2023.[ii]

New challenges ahead 

This new explosion in payment networks is good news for consumers – it has the potential to bring lower costs and increased agility in their ability to send and receive money. However, it may also be good news for criminals, because the explosion in payment networks means they potentially have more ways to send money too.  

In addition to this higher overall risk of criminals using new payment networks, compliance officers are going to face other challenges in this new, multi-channel world for payments. New payment networks will also bring: 

  • More data formats 
  • Different customer use cases 
  • A broader range of transaction behaviours 
  • Continued acceleration of changes in the underlying data and technology driving these systems 

These new payments networks will bring increased competitive pressures on traditional banks, who will want to be able to offer services that are as agile and easy as this new community of competitors, and often partner with these payment networks – while continuing to meet their existing compliance obligations.  

New technology for a new ecosystem 

To continue to combat financial crime in the face of this rapidly evolving payment networks ecosystem, compliance officers are going to have to engage with a new approach to technology. Existing on-premises financial crime tech stacks are not up to the coming challenges that traditional firms are facing. Instead, compliance teams need a technology solution in the cloud that is capable of delivering transaction monitoring faster, cheaper, and with increased agility in response to regulatory change and the continuing evolution of the payments network ecosystem. They also need a solution that has the capacity to engage with many payment media types, not just several. In addition, competitive pressures – and regulatory concerns – mean that compliance teams should be preparing for the need to adopt technology that can already support sanctions and AML transaction monitoring in real time.


Anti-financial crime technology updates needed to meet regulators’ increasing supervisory capacity

The financial crime technology stacks within banks, investment firms and insurers are struggling to meet today’s regulatory expectations. Although many financial services firms are working hard to meet their compliance obligations, out-dated software is now holding them back from realising the best compliance outcomes. 

Growing regulatory sophistication around financial crime takes many forms. To begin with, regulators are much savvier about technology and data. For example, the UK Financial Conduct Authority (FCA) has access to cutting edge financial crime and anti-money laundering technology through its Regulatory Sandbox, Digital Sandbox, and FCA Innovation Hub programmes. Over the past two years, the regulator has also brought in key technology talent, including a new CIO, and a director – intelligence and digital. Jessica Rusu, chief data, information, and intelligence officer, established a new division – Data Technology and Innovation – after she joined in June 2021. Recent new rules, such as the Consumer Duty, contain informed data and technology expectations – a supervisory approach that is also being applied in some areas of financial crime, such as trade surveillance.  

The FCA is also making its expectations clear in what it is saying at industry events. For example, in a September 2022 speech, Sarah Pritchard, executive director of supervision, policy and competition – markets at the FCA said, “Embed your financial crime checks in your systems from day one but keep evolving as the threats evolve. Use the power of data and tech and stay alert for situations in which you may need to recalibrate your defences and alerts.” The regulator is not standing still when it comes to data and technology, and it doesn’t expect firms to, either. It wants to see compliance agility within firms. 

Increasing enforcement 

As well, the UK FCA is using enforcement actions to make its messages around financial crime processes – including data and technology – heard. For example: 

  • In mid-July 2022, a firm was fined more than £2 million for inadequate financial crime systems and controls, pushing the firm into liquidation. 
  • In late June 2022, a branch of a bank was fined more than £5 million for failing to have the right policies and procedures in place, having inadequate enhanced due diligence, and having inadequate enhanced ongoing monitoring.  
  • In December 2021, a large international bank was fined nearly £70 million because its policies and procedures for two of its key automated transaction monitoring systems were not appropriate or sufficiently risk-sensitive, and the bank did not ensure the policies that managed and monitored those systems were adequately followed.

So, while the regulator is encouraging firms to raise their game around financial crime data and technology, it is also inflicting significant punishment on those which don’t meet the required standard. 

Fresh expectations 

Regulators want to see improved use of data and technology to meet financial crime compliance requirements within firms. They want to know why firms have the solution in place that they do, what their processes are, and how they manage the data. They are looking at the suitability of the firm’s controls and the effectiveness of those controls.  

In short, regulators are demanding more explainability of processes and outcomes. Much of current financial crime technology is a “black box”, and financial firms do not understand what is going on inside. Regulators are pointing out that this means that these firms do not have a sufficient grasp of key elements of their overall financial crime programme – the data and the technology – and this can lead to suboptimal outcomes.  

Firms should seek a financial crime solution that delivers an open-box approach, providing transparency of the logic behind every risk decision, and an audit trail of decision-making. Also, the solution should enable the compliance team to model and test the impact of new screening requirements – to improve speed to compliance – and provide specialised support for all major commercial watchlists. A cloud-based solution delivers more agility, which gives regulators confidence that the firm is capable of complying with future regulatory change.

For many firms, now is the time to upgrade the data and technology that supports their financial crime processes. New approaches to financial crime processes deliver on regulatory demands, while at the same time enhancing the ability of firms to detect and prevent financial crime taking place within their organisations. 

Financial Firms Run Real Risks with Legacy Sanctions Screening Software

The financial crime technology most firms have in place today is ageing quickly and needs to evolve. Incumbent screening tech stacks for anti-money laundering (AML) compliance have not kept pace with the increasing complexity, scale and velocity of new risks. This creates substantial operational pressures that grow larger with each passing month.

A rapidly changing world

A good example of this situation can be found in the volume of Russian sanctions that have been implemented since February 2022. The US has put in place 1,375 Russian sanctions, the UK 1,375, and the EU 1,143. This is 73% of all the sanctions against Russia issued since 2014.[i] Legacy AML screening technology simply cannot respond with agility to this pace, and so firms have had to increase compliance headcount to support their sanctions screening processes. However, this expediency is unsustainable because of talent shortages, rising salaries and increasing training costs. Without robust sanctions screening processes, firms are exposed to considerable compliance risk and operational risk, which could lead to significant social consequences, regulatory action, and reputational damage.

Legacy screening technology is creaking under its own weight for other reasons, too. For example, most of today’s screening software is located in on-premises servers. However, current digital transformation programmes mean that most firms are increasingly moving their data and business processes to the cloud. Also – as a direct result of the pandemic – many client processes are being automated through new FinTech approaches, often breaking down internal silos. Legacy AML screening software usually struggles to operate outside of the silo in which it sits, and to integrate with cloud-based data and new technology – for example, with new customer management systems or onboarding portals – to create enterprise-wide end-to-end processes that firms need to stay competitive.  

Now is the time

Logically, firms should be investing in cloud-based sanctions screening technology today to close compliance gaps, reduce risk and enhance their organisation’s ability to achieve its strategic goals through digital transformation. Ironically, it is the rapid pace of current change that has put many firms off from implementing a new AML screening platform. They say that they are waiting for a “quieter time” to do this. The reality is that there will never be a “quiet” time because the world has changed. Firms need to take a new strategic approach to financial crime compliance or risk having this important part of their infrastructure fall behind, and non-robust processes increase the risk of getting sanctions wrong – leading to enforcement action, including fines.  

Screening in the cloud

To meet the demands of digital transformation and today’s compliance environment, firms need to embrace a cloud-based approach for AML sanctions screening. Taking this path will lower IT costs without compromising security or performance. The cloud has big benefits, too. It is the best way to manage large or complex data volumes – a key requirement for today’s high velocity of sanctions issuance. Indeed, today’s screening platform should combine the cloud with a best-in-class core technology stack providing low-latency ETL and high-speed screening, capable of a million transactions a day.

Firms also need tools with high levels of self-configurability that can address requirements without product customisation or professional services. This enables firms to adapt to regulatory change quickly and easily in the future, without the weight of high-cost installed software.

In addition, today’s screening platform should include APIs that enable the solution to exchange information directly with other systems, such as CRM platforms, no matter where those systems are located. This enables screening to overcome silos within firms – communicating and harvesting data across the whole enterprise at lightning speed.  

Financial firms that fail to invest in a cloud-based sanctions screening platform today are potentially significantly increasing the risks that they face, while also failing to meet the demands of digital transformation. Firms should think more strategically about sanctions screening technology and the benefits it can bring to their organisation today and in the future.


Mind the growing financial crime technology gap

There is a growing gap between increasingly demanding anti-money laundering (AML) and sanctions compliance requirements and the technology capabilities of financial services firms to respond to those requirements. Regulatory change and increased sanctions activity have created operational pressures that are being tactically plugged by working incumbent technology harder and expanding compliance headcount. This situation is unsustainable because of its cost and complexity – organisations need to increase the amount of automation in their financial crime processes to improve compliance effectiveness, increase operational efficiency and increase the responsiveness of controls to new risks.  

Continuous AML rule changes

In the AML space, regulatory change is constant. For example, in the UK, amendments to the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 had an implementation deadline of 1 September 2022. The amendments include an explicit legal right of access for regulators to suspicious activity reports (SARs), so that they can consider the quality of their content. This is putting new pressure on firms to improve their SARs processes.

In the EU, a 7th Anti-Money Laundering package is working its way towards being finalised. This creates a single AML rulebook for the whole of the EU, and will also produce a new EU Anti-Money Laundering Authority which would directly supervise large, cross-border entities and provide support to national regulators. The new rules also require compliance functions to have adequate resources, staff and technology in place. The goal is to raise supervisory standards, and therefore AML compliance standards, overall.

At the international level, the Financial Action Task Force adopted amendments which require countries to prevent the misuse of legal persons for money laundering or terrorist financing in March 2022. They also require firms to ensure that they have adequate, accurate and up-to-date information on the beneficial ownership and control of legal persons. All of these evolving rules – and others – add to the compliance burden firms are under and create significant regulatory change complexity. Firms are often finding they cannot easily adapt their existing technology to cope without growing complexity in the underlying code that supports the technology, and the liberal use of manual processes.  

Managing thousands of sanctions

Organisations are also struggling to keep up with the pace of sanctions issuance. Since the start of the war in Ukraine, more than nine thousand sanctions[i] have been published against Russian individuals and entities. These Russian sanctions have strained operations within firms, especially where there is a reliance on manual processes, or where significant manual intervention is required. Regulators like the UK Financial Conduct Authority say they expect firms to have established systems and controls to counter financial crime risks – and that includes compliance with financial sanctions obligations.  However, many firms privately admit that they are having to try to hire and train people to keep their sanctions processes from being overwhelmed.

Firms are resorting to tactical responses because they have not kept up their investment in financial crime technology. While firms are heavily investing in digital transformation in other areas of their business, their financial technology can be a decade old or more. As a result, activities such as AML and sanctions screening can require significant human intervention – for example, to reduce false positives. Hiring more talent to try to keep up is no longer a viable solution as there is a significant talent squeeze in compliance roles, which can be evidenced by the escalating cost of hiring. According to the 2022 Thomson Reuters Cost of Compliance survey, 67% of respondents expect the cost of senior compliance staff to be more than today over the next 12 months, compared with 47% in the 2021 survey[ii].

Firms need to change their strategic approach to meeting financial crime compliance requirements and implement technology that is fit for purpose. They need technology that is agile enough to meet regulatory change demands, reduces workloads through AI-automated false positive remediation, and is configurable to meet an individual company’s risk profile. Firms that do not invest in the next generation of financial crime technology may find themselves facing greater compliance risk, regulatory risk, and reputational risk down the road.