The opportunities and challenges of ISO 20022 for fighting financial crime

The improved and expanded ISO 20022 messaging standard is being heralded in financial crime risk management circles as the key to lowering the significant volume of false positives that firms have to grapple with in payment transaction screening. Certainly, ISO 20022 brings with it more structure, data, and meta-data delivered with greater integration potential. However, potential benefits will not be achieved automatically – firms will need to adopt technology that supports ISO 20022 and can exploit the new messaging standard’s data model, or they may wind up with more false positives than they had before.

Richer, better screening data

Screening using current messaging standards presents a significant challenge – data can be fielded inconsistently, there can be missing data, and the data is often of varying quality. This is because the basis for this messaging standard was created in the 1970s – for example, the address field does not format street, city, or other address information, but is one large unstructured text block. As a result, it can be very challenging to accurately match the data from payment transactions against sanctions data. This typically results in a large number of false positives and considerable human intervention in anti-money laundering and sanctions processes.

In contrast, ISO 20022 is an international and open messaging standard for the financial services industry set by the International Organization for Standardization, an independent, standard-setting body. ISO 20022 is based on an extensible mark-up language (XML) format and is structured in a three-layer data hierarchy. Messages based on ISO 20022 provide distinct and specific data on the transaction’s parties and their relationships, such as actual and on-behalf-of information, intermediate and receiving roles, and their geographic location. The messages can also contain rich structured party data, extended remittance information, and special characters and expanded character sets. This rich amount of data contained in each message means that individuals and entities can be identified much more clearly – potentially dramatically reducing false positives.

This new data structure is a quantum leap from where messaging is today. Major market infrastructures such as SWIFT, the Eurosystem, the European Banking Authority, the Clearing House, the Federal Reserve, and the Bank of England have published plans to migrate to ISO 20022 between 2022 and 2025. Also, international financial crime entities such as the Financial Action Task Force (FATF) and national regulators such as the Financial Crimes Enforcement Network (FinCEN) have already begun the regulatory and compliance work that will need to accompany adoption.

Benefit requires investment

However, firms will not automatically benefit from the transition to ISO 20022 in their financial crime programmes – there is quite a lot of work that most firms will need to do. For example, ISO 20022 brings with it many more data fields than the previous standard, and so financial crime technology will need to be able to screen all those fields, creating additional screening volume. Moreover, the increased volume of fields grows exponentially with each new message – creating a much greater overall quantity of data that financial crime technology will need to be able to process at speed.

Also, screening more fields will result in more alerts – that is a mathematical certainty – unless the financial crime technology has robust analytics that can maximise the potential that the ISO 20022 standard data has to offer.
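The contrast described above between a single free-text party block and ISO 20022's structured party fields, and the point that screening more fields yields more alerts unless matching uses the structure, shown as an added example (not from the original article or any vendor's product). The watchlist, the party data and the simplified, namespace-free `Dbtr` fragment are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed watchlist for illustration: one embargoed country, one listed name.
COUNTRY_LIST = {"CU": "CUBA"}
NAME_LIST = {"ACME TRADING LLC"}

# Constructed legacy-style party block: name and address in one free-text field.
LEGACY_BLOCK = "JOHN SMITH\n12 CUBA STREET\nWELLINGTON NZ"

# Constructed, simplified ISO 20022 debtor fragment (namespace omitted).
ISO_FRAGMENT = """<Dbtr>
  <Nm>John Smith</Nm>
  <PstlAdr>
    <StrtNm>Cuba Street</StrtNm>
    <BldgNb>12</BldgNb>
    <TwnNm>Wellington</TwnNm>
    <Ctry>NZ</Ctry>
  </PstlAdr>
</Dbtr>"""


def screen_free_text(block):
    """Legacy approach: every list term is searched across the whole text."""
    text = block.upper()
    tokens = set(re.findall(r"[A-Z]+", text))
    alerts = [("country", c) for c in COUNTRY_LIST.values() if c in tokens]
    alerts += [("name", n) for n in sorted(NAME_LIST) if n in text]
    return alerts


def screen_all_fields_naively(xml_text):
    """More fields, same free-text logic: each field is another chance to alert."""
    alerts = []
    for el in ET.fromstring(xml_text).iter():
        value = (el.text or "").strip()
        alerts += [(el.tag, kind, term) for kind, term in screen_free_text(value)]
    return alerts


def screen_field_aware(xml_text):
    """Match each list only against the element that carries that kind of data."""
    root = ET.fromstring(xml_text)
    alerts = []
    ctry = (root.findtext("PstlAdr/Ctry") or "").strip().upper()
    if ctry in COUNTRY_LIST:
        alerts.append(("Ctry", "country", COUNTRY_LIST[ctry]))
    name = " ".join((root.findtext("Nm") or "").upper().split())
    if name in NAME_LIST:
        alerts.append(("Nm", "name", name))
    return alerts
```

With the constructed data, the free-text and naive per-field screens both raise a country alert on the street name, while the field-aware screen raises none for the New Zealand address and still alerts when `Ctry` carries the listed country code.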

In order to crunch all the new data, financial firms will need agile technology that has the scale and capacity to do so – it will need to be in the cloud. Firms will also need to work with financial crime technology that uses advanced matching technology that is able to cope with many more comparison objects. In some of today’s tools the matching technology shares a pedigree with the original 1970s messaging standard; some will not be able to adopt ISO 20022 without significant re-tooling.

Thinking strategically

Financial services firms that want to fully benefit from the adoption of ISO 20022 in their financial crime programmes will need to evaluate their current platform to see if it can meet these new demands – the answer is likely that it cannot. Moving quickly now to bring in a financial crime technology platform that is ISO 20022 ready will deliver faster service within payment transactions, reduce customer friction, and greatly reduce the overall compliance burden. Firms that do not embrace the need for new technology could find themselves actually worse off, with accelerating levels of false positives.

Financial Firms Run Real Risks with Legacy Sanctions Screening Software

The financial crime technology most firms have in place today is ageing quickly and needs to evolve. Incumbent screening tech stacks for anti-money laundering (AML) compliance have not kept pace with the increasing complexity, scale and velocity of new risks. This creates substantial operational pressures that grow larger with each passing month.

A rapidly changing world

A good example of this situation can be found in the volume of Russian sanctions that have been implemented since February 2022. The US has put in place 1,375 Russian sanctions, the UK 1,375, and the EU 1,143. This is 73% of all the sanctions against Russia issued since 2014.[i] Legacy technology-based AML screening technology simply cannot respond with agility to this pace, and so firms have had to increase compliance headcount to support their sanctions screening processes. However, this expediency is unsustainable because of talent shortages, rising salaries and increasing training costs. Without robust sanctions screening processes, firms are exposed to considerable compliance risk and operational risk, which could lead to significant social consequences, regulatory action, and reputational damage.

Legacy screening technology is creaking under its own weight for other reasons, too. For example, most of today’s screening software is located in on-premises servers. However, current digital transformation programmes mean that most firms are increasingly moving their data and business processes to the cloud. Also – as a direct result of the pandemic – many client processes are being automated through new FinTech approaches, often breaking down internal silos. Legacy AML screening software usually struggles to operate outside of the silo in which it sits, and to integrate with cloud-based data and new technology – for example, with new customer management systems or onboarding portals – to create enterprise-wide end-to-end processes that firms need to stay competitive.  

Now is the time

Logically, firms should be investing in cloud-based sanctions screening technology today to close compliance gaps, reduce risk and enhance their organisation’s ability to achieve its strategic goals through digital transformation. Ironically, it is the rapid pace of current change that has put many firms off from implementing a new AML screening platform. They say that they are waiting for a “quieter time” to do this. The reality is that there will never be a “quiet” time because the world has changed. Firms need to take a new strategic approach to financial crime compliance or risk having this important part of their infrastructure fall behind, and non-robust processes increase the risk of getting sanctions wrong – leading to enforcement action, including fines.  

Screening in the cloud

To meet the demands of digital transformation and today’s compliance environment, firms need to embrace a cloud-based approach for AML sanctions screening. Taking this path will lower IT costs without compromising security or performance. The cloud has big benefits, too. It is the best way to manage large or complex data volumes – a key requirement for today’s high velocity of sanctions issuance. Indeed, today’s screening platform should combine the cloud with a best-in-class core technology stack providing low-latency ETL and high-speed screening, capable of a million transactions a day.

Firms also need tools with high levels of self-configurability that can address requirements without product customisation or professional services. This enables firms to adapt to regulatory change quickly and easily in the future, without the weight of high cost installed software.

In addition, today’s screening platform should include APIs that enable the solution to exchange information directly with other systems, such as CRM platforms, no matter where those systems are located. This enables screening to overcome silos within firms – communicating and harvesting data across the whole enterprise at lightning speed.  

Financial firms that fail to invest in a cloud-based sanctions screening platform today are potentially significantly increasing the risks that they face, while also failing to meet the demands of digital transformation. Firms should think more strategically about sanctions screening technology and the benefits it can bring to their organisation today and in the future.


Effective screening and long-term sustainability

Delivering effective AML-CTF risk management is a complex and resource-intense task that requires institutional focus and resilience. The regulatory requirements of obliged institutions are progressively more complex, expansive, and volatile, requiring additional operational agility and capacity. Faced with additional workload, institutions can find it difficult to maintain control frameworks, even with significant increases in technology and FTE budgets. Finding an approach to delivering effective compliance – that is also sustainable – is critical. 

Pragmatic and tactical capability – but limited strategic potential 

The roll-out of an enterprise-wide platform with the flexibility and capacity to manage risks across jurisdictions, lines of business and products is a goal for many financial institutions. In reality, despite considerable progress, AML-CFT controls are still often based on complex frameworks with multiple points of evolution. Instead of centralised platforms with holistic reporting and governance controls, many institutions use an array of different core Reg-Tech platforms and point solutions. Such scenarios are typically the outcome of a series of pragmatic decisions designed to meet critical and immediate challenges. However, the result is difficult and expensive to scale to new risks. It is also difficult for institutions to standardise a consistent approach to compliance across all areas of a large business. Furthermore, the complexity of these arrays often leads to a very conservative approach to technology innovation – driven by the fear that change could cause unintended consequences. Whilst enabling short-term compliance, this tactical approach impedes the development of a comprehensive FCRM technology and operations strategy that can respond – effectively and efficiently – to risks and obligations over the long-term.  

Risks evolve – but has technology kept pace? 

The definition, scope and not least the risks of money laundering and terrorism financing have evolved significantly since the times when financial institutions first started addressing these issues as a legal responsibility. However, much compliance technology infrastructure is still based on cores that were built to respond to challenges as they existed 10-20 years ago. For example, sanctions screening technology often has a direct lineage to the first generation of OFAC screening tools. Similarly, some screening products are based on simple extensions of sanction filters. These pedigrees have some advantages, such as longevity, stability, and resilience. However, these attributes also make it harder to scale capabilities, to deploy with agility and to enable transparent decisioning. In parallel, the evolution of banking and financial institutions – from digitisation, payments standards, open banking, and new products – can lead to a gap between the original design purpose of screening technology and today’s requirements. 

Inertia versus the cost of change 

Deploying new generation FCRM technology platforms in place of legacy arrays offers many advantages, most tangibly in the form of improved compliance effectiveness and operational efficiency. A new approach can also provide clear lines of sight that enable insightful operational and regulatory reporting, enterprise-wide standards of governance and compliance consistency across all areas of a complex organisation. Despite these advantages, institutions might defer replacing older incumbent systems due to the perceived cost of change. The complexity and effort required to migrate and engineer new tools should not be under-estimated. However, cost-of-change should not be an impediment to implementing a strategic plan for FCRM controls. Maintaining the status quo has an intrinsic expense that grows as older technology becomes more difficult to support. However, the greatest potential cost is that older tools are progressively less capable of responding to new risks and regulatory requirements. Sweating FCRM technology to the limit of efficacy or utility raises the risk of a control failure. In this context, the cost of organisational inertia is far greater than the cost of technology change. 

Improving screening effectiveness

In a volatile AML-CTF landscape it is critical to improve the speed-to-compliance. However, achieving a faster response can be self-defeating if it introduces compromises to compliance effectiveness. Simply making existing processes faster might yield short-term tactical gains but can lead to a primary focus on supporting the status quo. This approach can leave less resource capacity for continuous compliance improvement. Innovation in screening programmes must therefore also consider how the standards of compliance effectiveness can be raised in the short-term whilst also delivering capability and capacity that is ready for future challenges.

Screening capabilities for all target types

Compliance screening used to be a relatively binary process: governments issued lists of sanctioned geographies, persons, or entities; these lists were then screened, with the outcome of a determination if a target matched against a client record or transaction. Today the task is more complex. Screening requirements now include a broader range of risk types, for example, beneficial owners, persons of significant ownership, family members and professional associates, or even certain capital markets instruments, financial services, or manufactured goods. Furthermore, not all sanctions targets are cited on tangible lists or even pseudo-lists. This reality requires more investment in understanding screening data requirements and for the procurement of the right data. Institutions must also ensure that screening technology has a comprehensive technical capability to screen the full spectrum of risk, regardless of type. To be successful, appropriate screening methodologies must be implemented and maintained for each type of sanctions target.

Matching techniques for diverse risks

Expansive and complex sanctions requirements require a continuous review of the rules used to determine potential correspondence to risk. For example, would an alert be triggered for a sanctioned company from Russia if a Ukrainian variant of that name was transcribed phonetically for use in Germany? Phonetic name matching has been developed into many screening tools. However, achieving a deep understanding of how matching technology works – so that rules can be defined and maintained properly – is difficult if the “explainability” of matching algorithms is not a fundamental design feature.

Additional false negatives countermeasures

False positives reduction, or optimisation, is a priority for many institutions managing the inevitable consequences of screening massive client or transaction data volumes. Much progress has been made in these scenarios to deploy robotic automation or machine learning to investigate, categorise and route alerts quickly and efficiently. This push to increase operational efficiency has the clear compliance benefit of releasing resources for more qualitative tasks. However, institutions could also consider implementing a second layer of controls to reduce the risk of false negatives. For example, re-screening data that did not trigger alerts in a primary screening process could identify undetected risks, notably when newer technology is used in a secondary process.

Responsive impact assessments

The intensity and velocity of AML-CTF screening – and the high cost of a compliance failure – has created operational environments that have little time to model the impact of new requirements and then to configure accordingly. This is often an issue when there is a dependency on older, less nimble technology on which new rules are difficult or time-consuming to test quickly. The lack of a timely impact assessment can then create downstream operational issues. Moving towards more responsive testing and modelling can mitigate these issues and ensure a better focus on managing risk.

Beware – Technology Debt

In summary, technology should always be an enabler of compliance effectiveness, never an inhibitor. The focus of screening technology is, inevitably, on short-term imperatives. However, the impact of technology debt on long-term compliance should not be underestimated.