Regulatory reporting implications of the ISO 20022 migration
07 February 2022
Domestic and cross-border electronic payments rely on a structured messaging framework to facilitate the flow of funds between financial institutions (FIs).
The dominant global payment messaging platform, known as the Society for Worldwide Interbank Financial Telecommunications (SWIFT), presently uses an ISO 15022-based framework to transmit information and instructions through its global network of ~10,000 FIs. A number of shortcomings have been identified with the ISO 15022 standard including a lack of transparency of the underlying parties to the transaction due to certain data elements being non-mandatory, and a limitation in the number of characters allowed in some message fields. To resolve these shortcomings, SWIFT have decided to adopt the ISO 20022 message standard ("the ISO 20022 standard") for selected cross-border message types.
The ISO 20022 standard has definitions and structures that aim to improve the transparency and efficiency of cross-border payments, and simplify compliance by enabling richer data to move with each cross-border payment and cash management message sent or received between participants.
Migration to the ISO 20022 standard is complex, involving significant changes to commonly-used cross-border SWIFT message types known as "MT1xx", "MT2xx" and "MT9xx". FIs have a number of factors to consider, including resourcing and executing the required technology changes, technology and business testing activities, and aligning data fields in payment and customer system(s) to comply with the ISO 20022 standard and its relevant requirements.
SWIFT's migration to the ISO 20022 standard will begin in November 2022, followed by a three-year co-existence period. Legacy SWIFT MT standards will cease to operate by November 2025.
While changes to payment types and data schemas are significant under the ISO 20022 standard, if an FI is also an AUSTRAC reporting entity, its IFTI reporting obligations under section 45 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and Chapters 16 and 17 of the Anti‑Money Laundering and Counter‑Terrorism Financing Rules Instrument 2007 (No. 1) (Cth) (AML/CTF Rules) remain unchanged.
Accordingly, such FIs must make the necessary changes to their payments and customer data systems in order to facilitate the migration to the ISO 20022 standard, while ensuring their IFTI reporting remains compliant with the AML/CTF Act and Rules. In some cases, the more structured and granular information required under the new ISO 20022 standard may assist some FIs in complying with their IFTI reporting obligations under the AML/CTF Act and AML/CTF Rules, particularly with regard to the completeness and accuracy of IFTI reports. This, in turn, may also help streamline financial crime compliance activities given that a payment can be traced through a payment chain more effectively.
FIs are required to remain compliant during system changes and upgrades, such as a migration to the ISO 20022 standard, and to not disrupt internal AML/CTF processes and IFTI reporting obligations. Many FIs rely on legacy, in-house developed systems to submit IFTI reports to AUSTRAC. Making and testing significant changes to those legacy systems in order to align them with the ISO 20022 standard could be a risky exercise. Some of the risks which may need to be considered when transitioning to the new standard include:
As a starting point, FIs should perform a gap analysis between the old standard and new standard to identify the process, system and reporting changes that will need to be made to meet the new requirements. While the transition period is occurring over a three-year period, system changes can take a long time to implement and therefore FIs should start the process as soon as possible.
As part of the migration strategy, some FIs may also consider mitigating their risks by implementing an industry-proven regulatory reporting system that produces compliant IFTI reports, based on their current payment and customer system data, and that is proven to also produce IFTI reports using information obtained via the ISO 20022 standard.
Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provide services under the Ashurst Consulting brand. Ashurst Consulting services do not constitute legal services or legal advice, and are not provided by Australian legal practitioners. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
Authors: Tim Brookes, Director; Brien Coram, Director; Samantha Carroll, Counsel