September 20, 2021
Good things don’t come easy?
Few would disagree that ISO 20022 will help standardise financial transaction messages on a much broader scale and reach than would ever be possible with SWIFT MT and legacy formats, with the new standard able to include much richer data. The limited MT and proprietary formats – where transaction data gets truncated prior to execution in order to fit the message format – will be steadily phased out before finally disappearing by the end of the co-existence period in November 2025.
But good things never come easily. Institutions will be moving at different speeds and, while ISO 20022 brings many long-term benefits, there will be some short-term challenges. With this in mind, what exactly does ISO 20022 mean for compliance?
Obstacles in the road
As we introduce ISO 20022, the rich information and additional data elements may actually introduce new compliance challenges for the industry. The impact will be most acute for those who, due to limitations of their legacy AFC and compliance applications, are unable to implement ISO 20022 front to back from Day One.
In such cases, it is likely that the richer information will even lead to an increase in the number of false-positives in the short term, and the complete functionality, including the configuration of the various rules, may need to be reviewed and adjusted accordingly. While preparations are already well underway, banks will only see the real impact once ISO 20022 is deployed – and all potential scenarios will need to be planned for.
Organisations that plan to migrate to ISO 20022 at a later stage will still be required to perform the AFC due-diligence on the full ISO 20022 message, while all downstream applications, such as payment processing, will continue to use the embedded MT equivalent of the message. On the other hand, banks with the capabilities to process ISO 20022 in their payment engines may not be able to process the full ISO 20022 message in their legacy filtering and monitoring applications. They will either benefit from the multi-format message provided by SWIFT’s Transaction Manager, or implement an onsite translation into their own data model. Both options will unavoidably come with truncation issues and require a process to handle “exceptions” (a look-up of the full data in the ISO 20022 message).
Ensuring a safe journey
AFC/compliance functions are often perceived to be working in isolation. It is thought that behind our thick walls we conspire to create hurdles to frustrate clients and operations. While this is obviously not the case, the misperception means we are often only consulted on a project late in the day. This approach, however, will not work for the ISO 20022 migration. It is not a single-institution project, but an industry-wide transformation – and compliance must be looped into internal processes early on. We must also play a role in external processes – collaborating closely with other industry participants to:
- Review and understand the new messages and to agree on best practice guidelines where appropriate. A good start is the work done with 14 global and regional banks, steered by SWIFT on the “Guiding principles for screening ISO 20022 transactions”.
- Intensify the communication with corporate clients on the mandatory requirement for structured beneficiary address information on cross-border payments, starting in November 2022 with the minimum of country and town. Corporates should be reminded that their payments will face delays, queries and potential rejects, if not compliant by November 2025.
- Standardise messages and processes on what is known as the “Request for Information Right to Left” (related to payments in flow hitting one of the filters prior to execution).
Pain versus gain
With so much more data being transported – and with truncation as a clear challenge during the coexistence phase – you might expect an increase in potential compliance hits in the long-term. But you would be mistaken. The well-defined structure, granularity and the clear business definition of the data elements will actually facilitate a more targeted Anti-Financial Crime (AFC) due-diligence – for processes such as Sanctions Filtering, Anti-Money Laundering (AML), Combating the Financing of Terrorism (CTF) or fraud detection – and support further automation. For example, a false-positive that is erroneously flagged for review due to a street name including part of the sanctioned company name should no longer be an issue, given that there is a dedicated data field for each part of the address.
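The street-name false positive described above, as an added example that is not part of the original post: the same creditor is screened once as a flattened free-text block and once field by field. The XML fragment, the list entries and the plain substring match are constructed simplifications; production filters use fuzzy matching and full list data.

```python
import xml.etree.ElementTree as ET

# Constructed creditor fragment using ISO 20022 element names
# (no namespace, not a complete pacs.008 message).
CREDITOR_XML = """<Cdtr>
  <Nm>Harbour Bakery GmbH</Nm>
  <PstlAdr>
    <StrtNm>Acme Trading Strasse</StrtNm>
    <BldgNb>12</BldgNb>
    <TwnNm>Frankfurt</TwnNm>
    <Ctry>DE</Ctry>
  </PstlAdr>
</Cdtr>"""

# Constructed list entries, not taken from any real sanctions list.
LISTED_NAMES = ["ACME TRADING"]
LISTED_COUNTRIES = ["XX"]


def parse_creditor(xml_text):
    """Return the party name plus each postal-address element as its own field."""
    root = ET.fromstring(xml_text)
    fields = {"Nm": (root.findtext("Nm") or "").strip()}
    for el in root.findall("PstlAdr/*"):
        fields[el.tag] = (el.text or "").strip()
    return fields


def screen_flat(fields):
    """Legacy-style view: name and address merged into one free-text block."""
    text = " ".join(fields.values()).upper()
    return [name for name in LISTED_NAMES if name in text]


def screen_structured(fields):
    """Field-aware view: names are matched against Nm, countries against Ctry."""
    hits = [("Nm", n) for n in LISTED_NAMES if n in fields.get("Nm", "").upper()]
    hits += [("Ctry", c) for c in LISTED_COUNTRIES if fields.get("Ctry", "").upper() == c]
    return hits


if __name__ == "__main__":
    party = parse_creditor(CREDITOR_XML)
    print("flat hits:      ", screen_flat(party))        # street name trips the name list
    print("structured hits:", screen_structured(party))  # no alert for this party
    listed = dict(party, Nm="Acme Trading Ltd", Ctry="XX")
    print("listed party:   ", screen_structured(listed))
```

A party whose own name or country is on the list still alerts in the structured view; only the cross-field match between a street name and a name list goes away.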
Does this mean that ISO 20022 will prevent payments being used for financial crime? Unfortunately not. Criminals will be able to easily adopt ISO 20022 and if somebody wanted to mask the beneficiary of a payment – as they can today – they will be able to do this with ISO 20022 in future. The additional data fields will not necessarily help, as even if a payment is filled in correctly and passes all controls it could still be used to commit financial crime. As we do today, we will of course continue to maintain “alarm lists” for false names such as “Mickey Mouse and family” in the various filters – these will remain and are likely to grow with the accelerated digitalisation.
A unique opportunity
All this being said, what is the message of this blog? My aim is to draw attention to this once-in-a-lifetime opportunity and to seek the help of my peers to steer the industry in the right direction. While, from an AFC perspective, the co-existence period will prove trying, it is the right thing to do to protect the industry from misuse in the long term. And while it seems like it will only be a matter of time before we achieve market and client acceptance of the “ISO vision”, global legal frameworks may yet need to be harmonised to ensure all providers – whether traditional or new entrants – are treated equally. This topic will be the focus of a future blog.
by Joachim Brietzke,
Anti-Financial Crime – Head of Transaction Screening & AFC List Management