The Payment Messaging Standard and its Future: ISO 20022
Are you being opportunistic while adopting the new ISO 20022 messaging standard?
ISO 20022 is a universal financial industry message scheme using Extensible Markup Language (XML) and Abstract Syntax Notation (ASN) protocols for exchanging payments data. Today, a world of varying messaging types has led to a disjointed payments landscape across different countries and financial institutions sending and receiving payments, presenting an obstacle for seamless straight-through processing (STP). The manual intervention required has led to considerably longer processing times and increased costs. The ISO 20022 messaging standard is trying to effectively solve this puzzle.
Central banks globally, including the Bank of England in the UK and the European Central Bank, have initiated major programmes to adopt the new payment messaging standard. The cross-border payments gateway SWIFT is also moving from the traditional message type (MT) to the newer type (MX). Across the globe, Asia-Pacific appears to be leading the race, followed by Europe.
Apart from its core purpose of standardising the way payment messages are exchanged
Financial organisations need to avail themselves of this unique opportunity and make sensible investments to come up with a strategy to both adopt the new ISO 20022 messaging standard and synergise it with improved and efficient payment operations. This requires a clear vision, a well-defined strategy, careful planning of the transformation programme
Data and analytics play a vital role in shaping the transformation book of work on how message attributes could be put to best use in identifying potential new or improved business product offerings and efficient operations. Software systems suppliers (vendors) and service providers (system integrators and operational or infrastructure support vendors) also need to be considered to deliver the programme outcomes.
In summary, financial institutions should consider the following points while embarking on a change journey to adopt the ISO 20022 messaging standard:
· Assess the extent of change that could be brought in to standardise all payment messages across the firm’s payments IT estate, including adopting Application Programming Interfaces (APIs).
· Enhance and integrate the back-office applications, especially legacy systems, migrating them to newer platforms if there is enough appetite.
· Design meaningful data analysis to introduce new products and services, and to improve business and IT operations.
· Refine and, if required, embark on new third party relationships including cloud providers and support structures.
· Ensure quality, integrity, and resilience of payment operations through these transformation initiatives.
Role of Internal Audit (IA)
The adoption of the ISO 20022 messaging standard disrupts the status quo, and its implementation creates an impactful change. We as IT internal auditors therefore need to be part of the journey, assessing the control environment to ensure that senior management have got the strategy correct and are implementing the change effectively.
IT internal auditors could provide the required governance and oversight, and challenge 1LoD on the following areas:
· Conceptualisation: IT IA needs to work together with 1LoD very early to ensure that the overall strategy to implement the ISO 20022 messaging standard is effectively defined. The IA team could add value by providing deeper insights into optimising the investments. Depending on the risk landscape of the organisation, IT IA could suggest prioritising the implementation of sub-components of the strategy as required, within the target timelines. IT IA could also validate whether the timelines match the regulatory deadlines.
· Transformation: IT IA should provide the necessary challenge throughout the transformation programme through (a) continuous reviews, (b) milestone reviews and (c) technology deep-dive reviews. IT IA should form part of the Governance Committee(s) established to provide challenge and oversight. Since the transformation could touch upon various parts of the payments IT landscape and operations, general controls and application-specific controls need to be thoroughly assessed. Since ISO 20022 and other peripheral change initiatives tend to be more IT-focused, technology deep-dive audits could be conducted to strengthen the control landscape and to suggest better alternatives where required. Implementation readiness assessment is another area where IT IA could help ensure the change is implemented risk-free and without any issues. More importantly, IT IA should ensure that during the ‘co-existence’ period (when the previous and the new messaging standards are allowed to operate concurrently), all the risks are identified and mitigated as required.
· Continuous monitoring: As per usual audit practice, the implementation of the ISO 20022 messaging standard needs to be monitored at least annually to ensure the control environment is effective. Also, it is recommended to audit the benefits realised against the strategy defined by senior management.
As you can see, IA needs to be embedded into the transformation agenda to help organisations demonstrate compliance with the ISO 20022 messaging standard and also derive additional benefits in the future. This is essential to deliver both business outcomes and long-term value to their customers.
Note: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.