ISO20022 is coming – but is the banking sector ready?

By John Smith, Chief Technology Officer, EMEA at Veracode.

ISO 20022 brings a raft of new security benefits, but ensuring a smooth transition won’t be easy

At a time of huge turbulence and uncertainty, financial institutions are facing yet more upheaval, with the introduction of ISO 20022. From November, all financial institutions will need to have the ISO 20022 process active, and by 2025 they must be fully compliant. But many in the sector are still grappling with what this will mean and the impact it will have.

ISO 20022 is an open global standard for financial information, creating a common language for payments worldwide. So, the purpose of these changes is to provide greater transparency and security – the use of Extensible Markup Language (XML) and Abstract Syntax Notation (ASN.1) protocols means that ISO 20022 can adapt to various networks, and has greater capacity to work with non-Latin alphabets.

The idea is that financial institutions will be able to use ISO 20022’s capacity to interoperate to their advantage in order to increase efficiency all while reducing cost and risk exposure. With the threat landscape evolving at pace, protocols which strengthen financial institutions’ defences against cybercrime should be welcomed. It is unsurprising that the banking sector is a prime target for cyber criminals, given the value at stake; the average cost of a data breach in the financial sector is around $5.72 million.

Research from Veracode has demonstrated that while financial institution applications typically have fewer flaws than other sectors but, where there are vulnerabilities, these tend to be more serious – with 18 percent ranked as ‘high severity’. Furthermore, the sector is lagging behind when it comes to fix rate, which sits at 22 percent. Addressing and remediating vulnerabilities throughout the software development lifecycle will, therefore, be vital to ensure a secure transition.

We have seen in the past that managing transitions from legacy systems is not easy. The large-scale shift from proprietary platforms toward open banking and APIs has left banks juggling two platforms simultaneously, presenting significant challenges. Logistics and security will need to take centre stage so that CIOs can have a standardised view and minimise risk.

To navigate this complex transition, training and consultancy is of the utmost importance. Equipping developer teams with the right skills to remediate any flaws that are found will result in better outcomes when it comes to speed and effectiveness of remediation. Ensuring that security is embedded at every step of the transformation journey is vital to avoid any errors in deployment that could lead to significant delays in processing transactions. Successful implementation requires collaboration between the developer community and wider business, while bringing in external experts to consult and advise on the process ensures that the integration of security is seamless.

Interdepartmental collaboration is key, and communication will be required to ensure teams fully grasp the reasons behind and benefits of the transition. ISO 20022 cannot exist in an IT or security silo – it needs to be a company-wide conversation about broader strategy. CISOs must work closely with the wider C-suite to help them understand the benefits of moving from a proprietary black box system to an open API and ensure buy-in across the organisation.

The November deadline is a significant step in a period of sweeping transition for the sector. Despite being deeply rooted in tradition, banking needs to evolve with a rapidly changing world. We can expect to see further changes down the line to specific areas of service, such as PCI DSS for payment cards. Ultimately, this will require departments coming together to find solutions to complex challenges. If financial institutions can get the implementation of ISO 20022 right, it will pave the way to a smoother transition when it comes to other developments and regulatory changes.