ISO 20022 Compliance Countdown

By Edwin Oloo and Benjamin Kelly

The new global messaging standard ISO 20022 provides a unified language for electronic data interchange between financial institutions. It is intended to result in increased transparency, speed and interoperability. It will also provide valuable enriched data to enhance financial crime compliance efforts. For those institutions yet to adopt the new standard, preparing for migration and dealing with the attendant compliance requirements and opportunities require thoughtful planning. And the adoption clock is counting down.

Introduction

ISO 20022 – the so-called new language of payments – was published in 2022 to create a common language for financial institutions and market infrastructures around the world which, in turn, will streamline payment processing and improve data analytics.

As the global payment ecosystem aligns itself to ISO 20022, payment systems, such as SWIFT, have allowed for a co-existence period in which legacy and new message formats co-exist until the end of the full industry migration period, which is scheduled for November 2025. Prudential regulators have not issued explicit guidance on their expectations during the co-existence period but, as a general rule, expect financial institutions to use all available data to meet their compliance requirements. The regulatory view of ancillary information treatment – such as that which ISO 20022 can provide – is demonstrated through a historical review of published violations. For example, financial institutions have previously been cited for not utilizing information available (i.e., “knowable”) within their systems but separate from the payment record itself. This can include information that has historically been communicated separately on SWIFT MT-199 messages – or even via e-mail. As that relates to financial crimes compliance, it suggests that financial institutions sending or receiving the new message format should make adjustments to their financial crime compliance programs now, even if they are still within the co-existence period – which is also scheduled to end in November 2025 – to ensure all relevant data within an institution’s possession is being used to support sanctions and anti-money laundering (AML) compliance obligations.

Leveraging the data provided by ISO 20022

The enriched data provided by the ISO 20022 message format may create the need, among other considerations, for financial institutions to modify their sanction screening and transaction monitoring systems to include the additional data. The level of effort required to do this should not be underestimated since it will require recalibration and retuning of these systems, respectively. In the case of transaction monitoring systems, it may also include modification of existing transaction scenarios and/or introduction of new scenarios to optimize the use of the enriched data. Similarly, the availability of additional data may present opportunities to enhance Know Your Customer (KYC) procedures and Customer Risk Assessment (CRA) methodologies. The following sections illustrate some of the potential opportunities for improving financial crime compliance effectiveness by leveraging the enriched data.

Sanctions Compliance

Potential opportunities:

  • Improved fielding (additional keyword screening opportunities)
  • Investigation aid – more information to aid analysts in their investigations of potentially suspicious information and more quickly dismiss false positive alerts
  • Additional attributes to enrich artificial intelligence (AI)/machine learning (ML) algorithms

ISO 20022 will offer enhanced data fields and enable the flow of ancillary information not previously transmitted on a payment instruction. For example, one such area is the structured remittance information where details about the names and addresses of invoicers and invoicees may now be available on some payments and can help identify additional linkages if not outright exposures. In addition, the additional information available through ISO 20022 can potentially be used to assist with improving the quality of the alerts through direct detection enhancements or secondary scoring techniques. For those alerts that reach analysts’ queues, the additional information about the context of the payment may help them disposition alerts more quickly once an analyst is trained on the availability and potential uses of newly available information.

For more information on sanction-specific considerations related to ISO 20022, please refer to the ISO 20022 Transition Challenges & Strategies paper.

Transaction Monitoring

Potential opportunities:

  • Development/incorporation of new rules
  • Use of payment purpose to highlight unusual activity or potentially to reduce false positives, e.g., is payment purpose aligned to the type of business?
  • Aid in alert investigation process as there will be more details to inform analysts about the payment
  • Potential additional attributes to feed AI/ML algorithms

The improved data quality and payment details from ISO 20022 will provide an opportunity to introduce additional attributes into transaction monitoring (TM) processes. During evaluation of detection events, these attributes can assist with risk-driven triaging and decision-making – whether automated or manual. For example, the enriched payment information can highlight exposures to additional parties or geographies via structured remittance items as well as improve the reliability of information that already is being transmitted with payments such as originator country information. Additionally, providing more detailed information about a payment to alert review analysts in the case management user interface can help them understand the payment better. This includes details like payment line items and payment purpose indicators. Further, link analysis processes may benefit from identification of additional relationships within the payment data. The creation of new rules may be possible such as comparison of payment purpose fields with the customer’s type or industry to identify payment activity that is out of character.

Finally, many of the ISO 20022 capabilities that could be of value to compliance processes are dependent on systems and processes outside of compliance. Therefore, a key component of any ISO 20022-related compliance effort is evaluation of those upstream payment data and processes for availability of the TM-useful information and feasibility of requiring or encouraging data supply where not currently available.
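The sanctions and transaction monitoring sections above both turn on reading fields that legacy formats did not carry. The following is an added example, not code from the authors or from any screening product: it reads a constructed pacs.008 credit transfer, screens the structured remittance parties (invoicer and invoicee) alongside debtor and creditor, and compares the payment purpose code with the purposes expected for the customer. The watchlist, customer profile and party names are constructed, and exact matching on normalised names stands in for the fuzzy matching a real screening engine would use.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser (e.g. defusedxml)

# Constructed sample: one pacs.008 credit transfer, trimmed to the fields used here.
SAMPLE = """<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08">
 <FIToFICstmrCdtTrf><CdtTrfTxInf>
  <Dbtr><Nm>Harbor Dental Clinic</Nm></Dbtr>
  <Cdtr><Nm>Northwind Supplies Ltd</Nm></Cdtr>
  <Purp><Cd>DIVI</Cd></Purp>
  <RmtInf><Strd>
   <Invcr><Nm>Example Blocked Trading Co.</Nm></Invcr>
   <Invcee><Nm>Harbor Dental Clinic</Nm></Invcee>
  </Strd></RmtInf>
 </CdtTrfTxInf></FIToFICstmrCdtTrf></Document>"""

PARTY_PATHS = {"debtor": "Dbtr/Nm", "creditor": "Cdtr/Nm",
               "invoicer": "RmtInf/Strd/Invcr/Nm", "invoicee": "RmtInf/Strd/Invcee/Nm"}

def norm(name):
    """Casefold and drop punctuation so 'Co.' and 'CO' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split())

# Constructed watchlist and KYC profile (expected purpose codes for this customer).
WATCHLIST = {norm("EXAMPLE BLOCKED TRADING CO")}
EXPECTED_PURPOSES = {"SALA", "TAXS", "SUPP"}

def evaluate(xml_text, watchlist=WATCHLIST, expected=EXPECTED_PURPOSES):
    """Return (finding, field, value) tuples for each credit transfer in the message."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop namespaces so paths work across versions
        el.tag = el.tag.split("}")[-1]
    findings = []
    for tx in root.iter("CdtTrfTxInf"):
        for role, path in PARTY_PATHS.items():  # screen remittance parties, not just Dbtr/Cdtr
            for el in tx.findall(path):
                if el.text and norm(el.text) in watchlist:
                    findings.append(("SANCTIONS_HIT", role, el.text.strip()))
        code = tx.findtext("Purp/Cd")
        if code is None:                        # upstream did not supply a purpose: say so
            findings.append(("PURPOSE_MISSING", "purpose", ""))
        elif code.strip() not in expected:
            findings.append(("PURPOSE_OUT_OF_PROFILE", "purpose", code.strip()))
    return findings

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(finding)
```

The PURPOSE_MISSING finding makes the upstream data gap visible instead of letting a payment with no purpose code pass the rule silently.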

Know Your Customer / Customer Risk Assessment

Potential opportunities:

  • Improved visibility into payment activity may identify additional high-risk relationships
  • Stated business purpose can be better compared with actual activity (periodic reviews)
  • Additional linkages may be identified through payment details
  • Improved data capture may permit the activity component of risk to be assessed more accurately
  • The availability of additional well-structured demographic data on payments provides additional ways to identify risk exposures

With the additional information that can be captured for each payment, such as payment purpose, KYC information collection processes can potentially be modified to ask more pointed questions regarding expected account activity than just, for example, “Expected number of domestic funds transfers.” Specifically, a list of expected payment purposes or purpose categories can be collected that can serve not only to assist with measurement of risk but also to benchmark future activity.

Furthermore, as customers conduct payment activity, it will be possible to analyze activity risk more accurately as a component of overall customer risk. For example, some payment purposes, as specified through the external payment purpose code, may be considered riskier than others. Quasi-cash payments, which may be indicative of gambling activity, or payments related to precious metals would typically be considered riskier than tax or payroll payments, and this differentiation of activity risk can be reflected within the activity risk component of the customer risk rating model. In addition, given the availability of more well-structured information, ISO 20022 can provide opportunities to identify geographical, entity, or individual relationships within the data that can assist a financial institution with improved evaluation of the risk presented by a particular customer. If a financial institution reviews the newly available and better structured information compared to what is currently being used in customer risk evaluation, it may find new ways to improve its measurement of customer risk exposures.

Conclusion

The adoption of ISO 20022 provides multiple opportunities to enhance an organization’s sanctions, transaction monitoring, and KYC/CRA processes now with not only improved data quality but also, potentially, additional risk-relevant content. Those organizations that recognize ISO 20022’s benefits and adapt their processes to take advantage of its capabilities should realize increased productivity, improved risk insights, and ultimately more optimal outcomes.

How Protiviti can help

Protiviti’s financial services practice can assist financial institutions with the following:

  • Surge staffing support – Banks of all sizes are seeing an increase in customer service calls and other operational activities. As smaller banks make and field calls to reassure customers that their money is safe, larger banks must manage a surge in new account onboarding requests.
  • Liquidity and capital – Board members across the industry are seeking reassurance that what happened to SVB, Signature, Credit Suisse, etc., won’t happen to their institutions. We’ve built a proprietary risk scorecard and industry-benchmarking database to help address this concern. We can also help banks with strategy and implementation of remediation activities if the initial risk diagnostic reveals concerns that need to be addressed.
  • Reporting and data – Helping banks design more holistic key risk and performance indicator dashboards to measure financial risk (e.g., interest rate, market, credit, etc.) and build the data infrastructure to make this information available on a real-time basis.
  • Regulatory compliance – We see the regulatory environment heating up in two main ways:
    • As noted above, US regulators are under the microscope because of the banks that failed under their supervision and are dramatically ramping up the intensity of exams. We help banks prepare for these reviews and manage and resolve the issues (up to and including formal enforcement actions) that result from them. Over the medium-term, we expect supervisory policies to swing back in the direction of the original enhanced prudential standards passed as a part of Dodd-Frank and relaxed in the 2018 regulatory relief bill. Given the fractured political environment in Washington, we don’t necessarily expect significant new legislation in this area, but regulators have a number of levers they can pull to functionally raise the standards that banks are held to even if Congress does not act.
  • Merger and acquisition integration – As banks are forced into mergers, have to sell assets, or are liquidated, a significant amount of integration work is created that the acquirer often does not have sufficient capacity to manage.

About the Authors

Edwin is an associate director in Protiviti’s Risk and Compliance practice, specializing in regulatory compliance and advanced data analytics. He has over 10 years of experience building multivariable statistical and machine learning models in the areas of financial crime compliance, anti-money laundering, counter-terrorist financing, eDiscovery, customer risk-rating analysis, risk assessment, fraud, alert risk-scoring, forensics investigations and process automation. He is adept with data privacy laws and building machine learning applications adhering to GDPR requirements. Oloo delivers consulting and advisory services through a quantitative perspective, implementing project management best practices and advanced technical insights while identifying opportunities to integrate data-science solutions.

Benjamin is an associate director in Protiviti’s Risk and Compliance practice with a focus on financial crimes compliance technology and data solutions. His client experiences span several Fortune 100 companies including multiple top 10 banks, multinational conglomerates, and insurance companies as well as several organizations across a variety of industries including credit card processing, electronics, vehicle financing, healthcare, and defense with focus over the last approximately 20 years on risk and compliance. Past employment includes solution delivery with a large, multi-national technology and services provider in both technical leadership and hands-on technical roles.
