What ISO 20022’s Extra Data Means in the Fight Against Fraud
July 9th, 2021
Following years of rapid development and repeated delays, ISO 20022 is finally seeing broader adoption. This global standard for financial services messaging is already live in many payment systems, including The Clearing House's (TCH) Real-Time Payments (RTP) rail in the U.S. and the Real-Time Rail (RTR) in Canada. It is also being implemented in the TARGET2 and CHAPS systems, and numerous market infrastructures, such as SWIFT, have set out multi-year migration strategies.
As a universal messaging language and model for communication, ISO 20022 has emerged during a pivotal time in payment transformation. Financial services organizations (FSOs) are preparing for and refining their approaches toward real-time payments and responding to the rapid modernization of global payment ecosystems and accelerated interconnectivity.
ISO 20022 is a machine-readable XML format that enriches the context and content of payment messages by expanding the data carried from approximately 100 characters to around 9,000 characters. For users, this means clearer definition of both the data types and the tags for each individual message component.
While it’s widely acknowledged that ISO 20022 provides potential benefits to financial services firms, from improved reconciliation to rationalization of formats, the standard’s impact on financial crime for both anti-money laundering (AML) and fraud is often overlooked.
Fraud Challenges Persist
One of the biggest issues, particularly in correspondent banking, is the ability to understand and assess risk across all of the counterparties within the payment chain. This has become increasingly difficult as additional parties are introduced, such as third-party providers (TPPs) in Europe under the Payment Services Directive (PSD2), which typically places an intermediary in the process.
Another challenge is that, at present, many parties can be involved in a cross-border payment in addition to the sending bank: correspondent banks, facilitating firms such as a PSP or a corporate acting on behalf of others (Payment/Collection on Behalf Of, POBO/COBO), a TPP PSP in the case of Open Banking, and the end beneficiary.
These problems lead to a potential lack of information and data, which may prevent FSOs from understanding the true risk of payments across their networks. That, in turn, can leave an FSO unable to properly meet its regulatory responsibilities, resulting in fines and the associated reputational and financial damage.
Furthermore, progressing toward compliance in a real-time environment magnifies existing concerns and challenges, including growing alert volumes, increasingly complex workloads, know your customer (KYC), AML and the need to significantly reduce decision-making timeframes while eliminating the potential for human error.
Viewed through a fraud lens, these challenges fall into two easily characterized forms of fraud: unauthorized fraud and authorized fraud. Authorized fraud differs from more traditional account takeover (ACTO) in that it is the customer, not the fraudster, who initiates and authenticates the payment. Authorized Push Payment (APP) fraud is a scam within this category that is accelerating today, whereby an unsuspecting individual is manipulated into making a payment to, or sharing sensitive data with, a fraudster.
The many and varied types of authorized fraud, from romance and phishing scams to Business Email Compromise (BEC), are on the rise and have become an area of concern for FSOs and regulators. One of the primary issues behind this growing problem is that legacy messaging standards, such as SWIFT MT, have short field lengths that can truncate elements like names and addresses. This makes it harder to corroborate identities or understand the full beneficiary details.
This will be particularly noticeable for cross-border payments into systems that do not use ISO 20022, such as the Faster Payments system in the U.K., which uses ISO 8583 and allows only 18 characters for the beneficiary name. With this minimal amount of data, neither the beneficiary bank nor the sending bank can be completely confident that the payment is being directed to the correct recipient.
This led regulators to require the main U.K. banks to provide a name-checking service, Confirmation of Payee (COP), which went into effect on March 31, 2020. The service aims to reduce fraudulent or unintentional misdirection of electronic payments by performing instantaneous verification of the name against the payee's account.
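As an added illustration that is not part of the original article, the following Python script parses the structured beneficiary fields from a constructed, simplified pacs.008-style ISO 20022 message and runs a Confirmation-of-Payee style name check against a small payee registry, showing how an 18-character legacy name field leaves the check unable to single out the intended account. The namespace and element names follow the pacs.008 schema, but the message, the registry, the names and the match thresholds are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Constructed, simplified pacs.008 credit-transfer fragment. Element names and the
# namespace follow the ISO 20022 pacs.008.001.08 schema; all values are made up.
NS = "urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08"
SAMPLE_MSG = f"""<Document xmlns="{NS}"><FIToFICstmrCdtTrf><CdtTrfTxInf>
  <Cdtr><Nm>Northbridge Engineering Consultancy Limited</Nm>
    <PstlAdr><StrtNm>12 Harbour Road</StrtNm><TwnNm>Bristol</TwnNm><Ctry>GB</Ctry></PstlAdr>
  </Cdtr>
  <CdtrAcct><Id><Othr><Id>12345678</Id></Othr></Id></CdtrAcct>
</CdtTrfTxInf></FIToFICstmrCdtTrf></Document>"""

# Constructed payee registry (account identifier -> registered account name).
# The two names deliberately share their first 18 characters.
REGISTRY = {
    "12345678": "Northbridge Engineering Consultancy Ltd",
    "87654321": "Northbridge Engine Rentals Ltd",
}

def creditor_details(xml_text):
    """Pull the structured beneficiary fields out of the message.
    In production, parse untrusted XML with a hardened parser (e.g. defusedxml)."""
    ns = {"n": NS}
    tx = ET.fromstring(xml_text).find(".//n:CdtTrfTxInf", ns)
    return {
        "name": tx.findtext("n:Cdtr/n:Nm", namespaces=ns),
        "town": tx.findtext("n:Cdtr/n:PstlAdr/n:TwnNm", namespaces=ns),
        "country": tx.findtext("n:Cdtr/n:PstlAdr/n:Ctry", namespaces=ns),
        "account": tx.findtext("n:CdtrAcct/n:Id/n:Othr/n:Id", namespaces=ns),
    }

def normalise(name):
    return " ".join(name.upper().split())

def confirm_payee(received_name, account_id, field_width=None):
    """Confirmation-of-Payee style check of the name carried in the message against
    the name registered for the claimed account. field_width simulates a legacy rail
    that truncates the beneficiary name (18 characters on the ISO 8583 based rail)."""
    registered = REGISTRY.get(account_id)
    if registered is None:
        return "UNKNOWN_ACCOUNT"
    recv, reg = normalise(received_name), normalise(registered)
    if field_width is not None:
        recv = recv[:field_width]
        # A truncated name can only be prefix-compared; if several registered payees
        # share that prefix the check cannot single out the right account.
        if not reg.startswith(recv):
            return "NO_MATCH"
        same_prefix = [a for a, n in REGISTRY.items() if normalise(n).startswith(recv)]
        return "MATCH" if len(same_prefix) == 1 else "CANNOT_CONFIRM"
    score = SequenceMatcher(None, recv, reg).ratio()  # fuzzy match on the full name
    return "MATCH" if score >= 0.9 else "CLOSE_MATCH" if score >= 0.75 else "NO_MATCH"
```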
Opportunities Arise from ISO 20022’s Richer Data Schema
The richer data schema of ISO 20022 provides new opportunities for FSOs to elevate payment messages and strengthen their fraud and AML programs. Both sending and beneficiary banks could directly share risk scores or other data relating to the customer or payment in the communications. Additionally, the payment network could add a supplementary network risk score to the message.
Initiatives that could benefit from these improvements are underway to aggregate and centralize KYC data, such as those developed in the 2019 FCA Techsprint and the Dutch KYC registry. These initiatives will be supported by both the increased structure of the extra data and the universal standardization.
This additional data can also help thwart unauthorized fraud by helping to identify fraudulent payments and by improving the automation of investigations. In terms of remediation, the extra, more structured data in the original payment messages can then be used to improve how recovered funds are returned to victims. For example, recovered funds could be returned to the original beneficiary without the typically long and cumbersome processes that may run through multiple banks and jurisdictions. This reduces operational costs, freeing resources that can be reallocated elsewhere, such as improving the client's digital banking experience.
Turning to cross-border specific challenges, attacks in the style of the Bangladesh Bank heist (which used fraudulent instructions sent via the SWIFT network to transfer nearly a billion dollars from a Federal Reserve account to accounts in the Philippines) have made headlines largely because of the monumental cost of the fraud loss. While the initial issues were apparently related to the quality of infrastructure and processes at the affected FSOs, these cross-border attacks have since evolved to become more complex, faster and harder to detect.
These changes, combined with increased activity, mean that real-time profiling is required if FSOs expect to be successful in thwarting these types of fraud. The extra data that ISO 20022 brings to messaging models can then be used to reduce the false positive rate (FPR) and to help automate the investigation and remediation processes.
ISO 20022 Improves the Fraud and Financial Crime Ecosystem
There are a few key areas of the financial crime ecosystem where the extra data from ISO 20022 can provide improvements to existing processes.
Transaction monitoring systems
FSOs can better understand the complete end-to-end payment flow, along with any concerns about counterparties along the way. Beneficiary firms will be better able to understand the true, intended purpose of a payment, improve verification of the beneficiary and raise alerts when anomalies or suspicious activity appear. Transactions processed via Faster Payments services increased by over 10 percent by the end of March 2020. New, faster payment solutions can result in faster fraud, and the acceleration of real-time payments can make it difficult to protect systems and transactions from fraud.