03/21/2025 | News release | Archived content
The new global messaging standard ISO 20022 provides a unified language for electronic data interchange between financial institutions. It is intended to result in increased transparency, speed and interoperability. It will also provide valuable enriched data to enhance financial crime compliance efforts. For those institutions yet to adopt the new standard, preparing for migration and dealing with the attendant compliance requirements and opportunities require thoughtful planning. And the adoption clock is counting down.
ISO 20022 - the so-called new language of payments - was published in 2022 to create a common language for financial institutions and market infrastructures around the world which, in turn, will streamline payment processing and improve data analytics.
As the global payment ecosystem aligns itself to ISO 20022, payment systems, such as SWIFT, have allowed for a co-existence period in which legacy and new message formats co-exist until the end of the full industry migration period, which is scheduled for November 2025. Prudential regulators have not issued explicit guidance on their expectations during the co-existence period but, as a general rule, expect financial institutions to use all available data to meet their compliance requirements. The regulatory view of ancillary information treatment - such as that which ISO 20022 can provide - is demonstrated through a historical review of published violations. For example, financial institutions have previously been cited for not utilizing information available (i.e., "knowable") within their systems but separate from the payment record itself. This can include information that has historically been communicated separately on SWIFT MT-199 messages - or even via e-mail. As that relates to financial crimes compliance, it suggests that financial institutions sending or receiving the new message format should make adjustments to their financial crime compliance programs now, even if they are still within the co-existence period - which is also scheduled to end in November 2025 - to ensure all relevant data within an institution's possession is being used to support sanctions and anti-money laundering (AML) compliance obligations.
The enriched data provided by the ISO 20022 message format may create the need, among other considerations, for financial institutions to modify their sanction screening and transaction monitoring systems to include the additional data. The level of effort required to do this should not be underestimated since it will require recalibration and retuning of these systems, respectively. In the case of transaction monitoring systems, it may also include modification of existing transaction scenarios and/or introduction of new scenarios to optimize the use of the enriched data. Similarly, the availability of additional data may present opportunities to enhance Know Your Customer (KYC) procedures and Customer Risk Assessment (CRA) methodologies. The following sections illustrate some of the potential opportunities for improving financial crime compliance effectiveness by leveraging the enriched data.
Potential opportunities:
ISO 20022 will offer enhanced data fields and enable the flow of ancillary information not previously transmitted on a payment instruction. For example, one such area is the structured remittance information where details about the names and addresses of invoicers and invoicees may now be available on some payments and can help identify additional linkages if not outright exposures. In addition, the additional information available through ISO 20022 can potentially be used to assist with improving the quality of the alerts through direct detection enhancements or secondary scoring techniques. For those alerts that reach analysts' queues, the additional information about the context of the payment may help them disposition alerts more quickly once an analyst is trained on the availability and potential uses of newly available information.
For more information on sanction-specific considerations related to ISO 20022, please refer to the ISO 20022 Transition Challenges & Strategies paper.
Potential opportunities:
The improved data quality and payment details from ISO 20022 will provide an opportunity to introduce additional attributes into transaction monitoring (TM) processes. During evaluation of detection events, these attributes can assist with risk-driven triaging and decision-making - whether automated or manual. For example, the enriched payment information can highlight exposures to additional parties or geographies via structured remittance items as well as improve the reliability of information that already is being transmitted with payments such as originator country information. Additionally, providing more detailed information about a payment to alert review analysts in the case management user interface can help them understand the payment better. This includes details like payment line items and payment purpose indicators. Further, link analysis processes may benefit from identification of additional relationships within the payment data. The creation of new rules may be possible such as comparison of payment purpose fields with the customer's type or industry to identify payment activity that is out of character.
Finally, many of the ISO 20022 capabilities that could be of value to compliance processes are dependent on systems and processes outside of compliance. Therefore, a key component of any ISO 20022-related compliance effort is evaluation of those upstream payment data and processes for availability of the TM-useful information and feasibility of requiring or encouraging data supply where not currently available.
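The structured remittance parties and the payment purpose comparison described above can be sketched as follows. This is an added example, not Protiviti's code: the sample message, the watchlist entry, the expected-purpose set and the exact-match name check are constructed assumptions, and a production screening engine would use fuzzy matching rather than normalized equality.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08"}

# Constructed sample: one pacs.008 credit transfer, trimmed to the elements used here.
SAMPLE = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08">
 <FIToFICstmrCdtTrf><CdtTrfTxInf>
  <Dbtr><Nm>Acme Payroll Services</Nm><PstlAdr><Ctry>US</Ctry></PstlAdr></Dbtr>
  <Cdtr><Nm>Northwind Trading</Nm><PstlAdr><Ctry>DE</Ctry></PstlAdr></Cdtr>
  <Purp><Cd>GDDS</Cd></Purp>
  <RmtInf><Strd>
   <Invcr><Nm>Example Blocked Metals Ltd</Nm><PstlAdr><Ctry>XX</Ctry></PstlAdr></Invcr>
   <Invcee><Nm>Acme Payroll Services</Nm></Invcee>
  </Strd></RmtInf>
 </CdtTrfTxInf></FIToFICstmrCdtTrf>
</Document>"""

# Parties a legacy screen would see (debtor, creditor) plus the structured remittance parties.
PARTY_PATHS = {"debtor": "p:Dbtr", "creditor": "p:Cdtr",
               "invoicer": "p:RmtInf/p:Strd/p:Invcr",
               "invoicee": "p:RmtInf/p:Strd/p:Invcee"}

def norm(name):
    """Upper-case and collapse whitespace so trivially different spellings compare equal."""
    return " ".join(name.upper().split())

def parse_payment(xml_text):
    """Return the purpose code and a (name, country) pair for each party present."""
    tx = ET.fromstring(xml_text).find(".//p:CdtTrfTxInf", NS)
    parties = {}
    for role, path in PARTY_PATHS.items():
        node = tx.find(path, NS)
        if node is not None:
            parties[role] = (node.findtext("p:Nm", "", NS),
                             node.findtext("p:PstlAdr/p:Ctry", None, NS))
    return {"purpose": tx.findtext("p:Purp/p:Cd", None, NS), "parties": parties}

def findings(payment, watchlist, expected_purposes):
    """Flag watchlist names in any role and purposes outside the customer's KYC profile."""
    out = []
    listed = {norm(n) for n in watchlist}
    for role, (name, _country) in payment["parties"].items():
        if norm(name) in listed:
            out.append(("watchlist_name", role, name))
    if payment["purpose"] is None:
        out.append(("missing_purpose", "payment", None))  # upstream did not supply the field
    elif payment["purpose"] not in expected_purposes:
        out.append(("unexpected_purpose", "payment", payment["purpose"]))
    return out
```

On the sample, the only name hit is in the invoicer role, which a screen limited to debtor and creditor would never see, and the `GDDS` purpose falls outside an expected set of `SALA` and `TAXS`.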
Potential opportunities:
With the additional information that can be captured for each payment, such as payment purpose, KYC information collection processes can potentially be modified to ask more pointed questions regarding expected account activity than just, for example, "Expected number of domestic funds transfers." Specifically, a list of expected payment purposes or purpose categories can be collected that can serve not only to assist with measurement of risk but also to benchmark future activity.
Furthermore, as customers conduct payment activity, it will be possible to analyze activity risk more accurately as a component of overall customer risk. For example, some payment purposes, as specified through the external payment purpose code, may be considered riskier than others. Quasi-cash payments, which may be indicative of gambling activity, or payments related to precious metals would typically be considered riskier than tax or payroll payments, and this differentiation of activity risk can be reflected within the activity risk component of the customer risk rating model. In addition, given the availability of more well-structured information, ISO 20022 can provide opportunities to identify geographical, entity, or individual relationships within the data that can assist a financial institution with improved evaluation of the risk presented by a particular customer. If a financial institution reviews the newly available and better structured information compared to what is currently being used in customer risk evaluation, it may find new ways to improve its measurement of customer risk exposures.
The adoption of ISO 20022 provides multiple opportunities to enhance an organization's sanctions, transaction monitoring, and KYC/CRA processes now with not only improved data quality but also, potentially, additional risk-relevant content. Those organizations that recognize ISO 20022's benefits and adapt their processes to take advantage of its capabilities should realize increased productivity, improved risk insights, and ultimately more optimal outcomes.
Edwin Oloo is an associate director in Protiviti's Risk and Compliance practice, specializing in regulatory compliance and advanced data analytics. He has over 10 years of experience building multivariable statistical and machine learning models in the areas of financial crime compliance, anti-money laundering, counter-terrorist financing, eDiscovery, customer risk-rating analysis, risk assessment, fraud, alert risk-scoring, forensics investigations and process automation. He is adept with data privacy laws and building machine learning applications adhering to GDPR requirements. Oloo delivers consulting and advisory services through a quantitative perspective, implementing project management best practices and advanced technical insights while identifying opportunities to integrate data-science solutions.
Benjamin Kelly is an associate director in Protiviti's Risk and Compliance practice with a focus on financial crimes compliance technology and data solutions. His client experiences span several Fortune 100 companies including multiple top 10 banks, multinational conglomerates, and insurance companies as well as several organizations across a variety of industries including credit card processing, electronics, vehicle financing, healthcare, and defense with focus over the last approximately 20 years on risk and compliance. Past employment includes solution delivery with a large, multi-national technology and services provider in both technical leadership and hands-on technical roles.
Protiviti's financial services practice can assist financial institutions with the following: