Halborn Logo

// Blog


Preparing for ISO 20022 and MiCA: A Guide for Cybersecurity Pros


Steve Walbroehl

June 30th, 2023

As we transition towards a novel quantum financial system, ISO 20022 is an international standard that facilitates a secure and uniform way of transferring financial communications between entities in the payment industry. The ISO 20022 standard is set to supersede the SWIFT financial messaging system, a tool that banks and financial institutions have utilized to conduct worldwide payments for half a century. ISO 20022 exceeds the capabilities of SWIFT in that it can handle larger data volumes and accelerated processing speeds. It's well-suited for instant payments, day-to-day liquidity management, compliance audits, as well as fraud detection and prevention, among other requirements. This is beneficial for blockchain and cryptocurrency companies in particular, as it promotes effective and efficient communication between other financial institutions, and fosters compatibility between existing protocols while supporting specific financial business processes.

The ISO 20022 standard also responds to the requirements of financial organizations seeking to establish a universally accepted communication language that enables the implementation of their financial business processes and facilitates collaboration, settlement, and rapid transactions with their partners. By 2025, ISO will be the universal standard for large-value payment systems across all reserve currencies, expected to manage 80% of all high-value transactions, which equates to 87% of global transactions. 

Both the European Central Bank and SWIFT have revealed the ISO 20022 go-live dates for this standard, and to establish a road map to standardization for high-value payments and real-time gross settlement (RTGS), the SWIFT, global central banks and market infrastructures have established the HVPS+ market practice task group.

We anticipate new capabilities, such as cross-chain interoperability and atomic swaps, which will likely characterize the new introductions. These features will permit users to seamlessly swap one cryptocurrency for another.

SWIFT, the globally recognized payment system, revealed its plan to postpone the execution of the ISO 20022 standard until March 2023. The burgeoning popularity of this international transaction standard, which supports data-rich payments over conventional formats, has financial institutions globally contemplating their strategies and schedules for the upgrade. These modifications will bolster the security and dependability of the ISO 20022 protocol, particularly for international and cross-border transactions.

As far as Regulation, the EU Parliament’s passage of the Markets in Crypto Assets (MiCA) is going to help onboard more banking services to cryptocurrency and blockchain institutions. With MiCA, these institutions are considered “crypto asset services providers” (CASPs) and must gain licenses from national authorities. CASPs must also implement a new standard of financial services requirements, such as additional governance and liquidity requirements. For instance, stablecoin issuers are to be authorized by the Central Bank and forced to hold sufficient reserves and reduce risk of security issues like “de-pegging.”

Preparing for ISO 20022 and MiCA

The execution of ISO 20022, and the regulatory requirements of MiCA, necessitates that all financial service establishments, market infrastructures, and cryptocurrency developers/platforms involved in international payment flows rethink their approaches to processing, preserving, and communicating cross-border payment data.

The potential advantages of ISO 20022 can only be tapped into with a comprehensive implementation that impacts everything from core payment applications, secure software development, hardened infrastructure, third party services for AML/KYC compliance, reporting applications, messaging interfaces, and customer interfaces. Consequently, organizations need to start mobilizing experts to devise an implementation timeline that aligns with requirements, and hire auditors and security advisors that are familiar with the regulations and standards set forth.

The transition of SWIFT from MT to ISO 20022 is expected to culminate soon. Banks need to upgrade and pre-test their messaging interfaces before November 2022 to ascertain compatibility with the novel payment communication standard. Banks face competitive pressure to migrate to this new standard, as the payment industry's overall shift towards instant payments exposes their existing products and services to potential risks.

As the ISO 20022 standard is more advanced and flexible than traditional legacy formats, it calls for considerably higher data volume processing. Therefore, banking systems and databases must be primed to manage these larger volumes at higher speeds, vital for real-time payments, day-to-day liquidity management, compliance checks, and fraud detection and prevention.

Security Needs for ISO 20022

Adequate time for testing is crucial to ensure accuracy in syntax and formatting information, as well as the data’s seamless migration into all connected payment and clearing systems. As part of any necessary software upgrade plan, meeting established deadlines and assuring future security of all operational systems is crucial. ISO 20022 is an intrinsically complex standard with interconnected processes that may prove formidable. An ISO message is often more extensive than a standard payment email. The swift growth of data demands the redesigning and updating of infrastructures to accommodate ISO 20022. Each character in messages must align precisely with the specifications. Format validation is carried out at various stages along the communication chain between senders and recipients. A single missing colon could result in a complete transfer refusal. 

In the realm of compliance, an official certification body for ISO 20022 has not been established yet. However, the ISO 20022 Compliance Checklist provided by the ISO 20022 Registration Authority (RA) and Technical Support Group (TSG) acts as a guide for those implementing, adopting, and using ISO 20022 messages. 

At Halborn, we can also help to make sure all aspects of your plan to adopt to the ISO 20022 standards are done in accordance to guidelines, and implemented securely.

Banks should keep their corporate clients abreast of the additional data that might be available and its intended use. Furthermore, these clients should be fully informed and actively involved in end-to-end testing.

ISO 20022 Readiness Checklist for Cryptocurrency Adoption

The following checklist delineates several factors that need consideration when implementing ISO 20022, including message structure, data types, message flows, and message versions. The list will assist organizations in aligning their implementations with the ISO 20022 standard, thus boosting interoperability.

  • Digital Token Identifiers (DTIs) function as unique numerical or symbolic representations of digital currencies. The chief issue with carrying out transactions in digital currencies is the lack of identifiers which financial institutions can utilize to distinguish between various token transactions. Under the new ISO 20022 standard, cryptocurrencies could be granted ISO codes provided they comply with ISO 20022. This could expedite their adoption by centralized banks and facilitate cross-border crypto payments via centralized financial institutions.

  • Message Definition: Messages should be formatted to utilize the official ISO 20022 message definitions published by ISO and accessible on the ISO 20022 website.

  • Business Transactions: The ISO 20022 standard prescribes a set of business transactions, and messages should be used according to these definitions.

  • Message Instances: The messages need to adhere to the structure and content rules stipulated by the ISO 20022 standard.

  • Message Constraints: This relates to the constraints determined by the ISO 20022 standard, such as maximum length, data type, and permissible values for particular fields.

  • Message Registered Code Values: The codes incorporated in messages must originate from the code lists registered and overseen by ISO.

  • Business Application Header: The standard header included in all ISO 20022 messages. It contains information about the message, including its type, sender, and receiver.

  • Supplementary Data Extensions: This will permit the inclusion of additional information in messages not accounted for by the standard message definitions. 

Halborn’s cybersecurity experts are available to assist with organizations seeking to securely adopt ISO 20022 standards in accordance with guidelines. For more information on how we can help, get in touch here.