First Draft of ISO 20022 Standard for Real-Time Payments Released, Raises Potential Privacy and Security Concerns
On August 10, 2015, the International Organization for Standardization (ISO) Real-Time Payments Group (RTPG) published for review and comment the first draft of the ISO 20022 Standard (ISO 20022).
As part of an international project to harmonize standards for cross-border real-time payments, over 50 global experts at RTPG worked on developing ISO 20022 to support interoperability between real-time payment systems across the world. Once implemented, participating financial institutions will be able to use more consistent terminology through a common set of messages and language for global payments clearing and settlement. ISO 20022 is an open, voluntary standard that any financial institution can use.
Why is ISO 20022 relevant in Canada?
As part of a multi-year initiative to modernize Canada’s national payments infrastructure, the Canadian Payments Association (CPA) is looking to incorporate ISO 20022 in Canada, beginning with Automated Funds Transfer (AFT) payments, with voluntary adoption for AFT payments to begin in 2016. The CPA also issued on August 10 a Consultation Paper, Creating New Opportunities in Canadian Payments, in respect of the proposed use of ISO 20022 in Canada.
What are the benefits of ISO 20022?
The CPA lists the following benefits to adopting the new international standard in Canada:
- Payment messages will carry enhanced remittance information;
- Increased end-to-end straight-through processing and automated reconciliation;
- Greater interoperability in both domestic and global markets;
- A common "payments language";
- Reducing the number of payment standards used in Canada today, and the costs of managing these standards;
- Efficiencies in managing/supporting payment systems;
- Opportunity for innovation and competition amongst financial institutions; and
- Opportunity for development of new value-added services, such as services that could support electronic invoicing and payment reconciliation and that could provide enhanced reporting to customers.
What are the potential concerns with using ISO 20022?
In the Consultation Paper, the CPA highlights the privacy and security risks associated with transmitting information through ISO 20022. As the new standard will allow for more information to be contained in payment messages (the enhanced remittance information), the risk of possible breaches of personal and confidential information would likely increase. In addition, security risk could increase as harmful content (such as malicious code) could be included in the payment message.
The Consultation Paper outlines the CPA’s proposals to address these risks:
- Requiring all participating members to employ security controls to protect the privacy and confidentiality of personal and financial information;
- Making the CPA participating member introducing the item into the clearings liable for such item, and requiring that the introducing members indemnify the CPA and other participating members for losses incurred as a result of such items;
- Requiring participating members to prohibit their payment originators from including harmful content in remittance elements, and from including any personal information where consent has not been obtained in accordance with privacy legislation; and
- Restricting the inclusion of URLs to the Related Remittance element of ISO 20022.
The CPA is accepting comments on the Consultation Paper until September 30, 2015. In addition, the draft ISO 20022 Standard is expected to be discussed in Singapore on October 12 – 15, 2015 at the international SWIFT banking conference.
The payments industry is already undergoing a period of rapid innovation and change, and it will be interesting to see the impact that ISO 20022 will have on the industry and to what extent it will accelerate the pace of innovation. At the same time, the industry will need to be mindful of the privacy and security risks associated with the new standard and how best to manage them. In particular, the various Canadian privacy commissioners will likely have comments on the Consultation Paper, and the payments industry will want to be alert to the concerns they may raise, as they have indicated in the past that compliance with a particular standard does not necessarily equate to compliance with privacy legislation.