ISO 20022: The new paradigm for the digital payments world

This post was first published on my corporate blog

The timeline for the migration to ISO 20022 has been decided, and the step could prove to be a quantum leap into the future of payment processing. Adoption will need to begin at all financial institutions by November 2021 and be completed by 2025. Since the launch of the Single Euro Payments Area (SEPA) almost 10 years ago, ISO 20022 has been the opportunity for organizations to meet the ever-increasing demand for service speed, efficient automation, and richer data quality.

For banks, this offers a chance to raise communication standards and even cut the cost of processing payments, as ISO 20022 promises to take the struggle out of compliance and the detection of financial fraud. While early adoption helps businesses avoid sudden disruption, it is equally important to understand what ISO 20022 is and how it can influence your business in the short and long run.

What is ISO 20022? Why is it significant?

While European financial businesses have understood ISO 20022 for quite some time through the initiatives of SEPA and SWIFT (Society for Worldwide Interbank Financial Telecommunication), the registration authority for ISO 20022, North American banks are still getting to know the new language. These institutions have been working closely with the standard's community to help secure consensus on how the new standard can be used in the context of financial payments and reporting.

Given that the payments industry is iteratively evolving in light of digital technologies, the change is also being driven by real-time transaction and banking initiatives like Open Banking, Instant Payments, RTGS (Real Time Gross Settlement) and even cryptocurrencies and distributed ledger technologies. Each new development pushes the boundaries for traditional banks and market infrastructures, and the reality is that the move will lead to a common international standard for all financial data exchange and communications. Developed by the International Organization for Standardization (ISO) and maintained globally under ISO’s governance, ISO 20022 is now widely identified as the “global, common language of financial communications” of the future. The proposed migration is one of the most significant and sweeping standardization moments for years to come, and SWIFT estimates that ~80% of high-value payments (by volume) and ~90% (by value) will have migrated to the new norm by 2023.

The new common language for financial messaging

So why is the migration to ISO 20022 so significant for your business? One of the primary reasons is that the ISO 20022 payments message carries far richer data than the legacy formats commonly used today. The information within the message also increases interoperability between data sets, which allows not only for cross-border and domestic payments but also for high-value transactions in real time.

Additionally, ISO 20022-based transactions come with additional functionality that follows XML-based approaches and offers improved remittance information. Consequently, banks can now integrate formats that formerly did not allow for global operations, and also reduce risk and cost to the business. In fact, a number of high-value payment systems (HVPSs) globally have already transitioned to the new language, including those of Switzerland, China, and Japan. While the Eurozone is relatively experienced, adoption in Australia is at a reasonably early stage. However, going by the RBA (Reserve Bank of Australia) and Australian Payments Council’s interest in the new norm, the nation is aiming to complete its transition by the end of 2024, in time for global adoption.

How should you prepare?

The key to success with ISO 20022 is the rich quality of data that banks can transmit when communicating with each other. The current payments infrastructure is limited in structure and space. Compared with the current MT 103 format, for instance, ISO 20022 allows for more unique references, which enables accurate and efficient end-to-end processing for end customers.

The first step recommended by SWIFT for financial institutions is to map out the affected business units and assess how well their current payment processing applications are delivering. Typically, realizing the full business benefits of ISO 20022 will require banks to dedicate time and resources over a sustained period with a unified vision, so that they can combine their investments in creating a center of knowledge while at the same time sharpening their expertise. Before that, however, they would need to collaborate with domain specialists, ecosystem stakeholders, and regulators to gain a field-level understanding of the new standard for payments messaging.

Ultimately, the migration to ISO 20022 will involve hurdles and complexities beyond any technological transformation we have seen so far. A common system that evaluates new business models, infrastructures, and market positioning holds the key to the digital future of payments and financial services.


Comparing GDPR & ISO 27001

This post was first published on my corporate blog

The EU adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR) in May 2016. As of May 25, 2018, the GDPR will be directly applicable law in all member states of the EU and the European Economic Area (EEA). While the GDPR does not introduce many substantially new concepts, it increases the compliance requirements for data controllers and personal data processors. The GDPR encourages the use of certification schemes like ISO 27001 to demonstrate that the organization is actively managing its data security in line with international best practice.

What’s the difference between GDPR and the Data Protection Act?

There are considerable differences between the Data Protection Act and GDPR. The GDPR is explicitly risk based, the risk being to the fundamental rights of a person with regard to the processing of personal data; data controllers and processors must manage that risk. In contrast, the Data Protection Act only implies management of risk. The core difference between the two is that the Data Protection Act applies only to the UK, while the GDPR applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens. The Data Protection Act is enforced by the Information Commissioner’s Office (ICO), while GDPR compliance will be monitored by a Supervisory Authority in the UK, with each European country having its own Supervisory Authority.

Non-compliance with the Data Protection Act can result in fines of up to £500,000 or 1% of annual turnover. Under the GDPR, the potential penalties for non-compliance are much more severe, with fines of up to €20 million or 4% of the business’s annual global turnover. Under the GDPR, a Data Protection Officer is mandatory for any business or organization with more than 250 employees; under the current Data Protection Act there is no need for any business to have a dedicated Data Protection Officer. Under the GDPR, any data breach must be reported to the Supervisory Authority within 72 hours of the incident, while under the Data Protection Act businesses are under no obligation to report data breaches, though they are encouraged to do so.

Protection Impact Assessments (PIAs) are not a legal requirement under the Data Protection Act, but under the GDPR PIAs will be mandatory and must be carried out when there is a high risk to the freedoms of the individual. Under the current Data Protection Act, data collection does not necessarily require an opt-in.

The need for consent underpins GDPR. Individuals must opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time.

| Data Protection Act | GDPR |
|---|---|
| Applies only to the UK | Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens |
| Non-compliance can result in fines of up to £500,000 or 1% of annual turnover | Non-compliance is much more severe, with fines of up to €20 million or 4% of annual global turnover |
| A dedicated Data Protection Officer is not mandatory | A Data Protection Officer is mandatory for any business or organization with more than 250 employees |
| No obligation to report data breaches, though they are encouraged to do so | Any data breach must be reported to the Supervisory Authority within 72 hours of the incident |
| Enforced by the Information Commissioner’s Office (ICO) | Monitored by a Supervisory Authority in the UK, with each European country having its own Supervisory Authority |
| Protection Impact Assessments (PIAs) are not a legal requirement | PIAs will be mandatory and must be carried out when there is a high risk to the freedoms of the individual |

How are EU GDPR, ISO 27001 and 27018 related?

ISO 27001 is a framework that in essence requires a risk-based approach to the management of critical and sensitive data and information and their associated supporting assets. The GDPR is about managing the risk to the fundamental rights that a natural person has regarding personal data. Both are risk oriented and require the identification of risk, and the planning and implementation of the controls needed to bring risk down to an acceptable level. ISO 27001 covers encryption of personal data and, as part of business continuity planning, the ability to restore and recover information and data in a timely manner.

According to the GDPR, personal data is critical information that all organizations need to protect. However, there are some EU GDPR requirements that are not directly covered by ISO 27001, such as supporting the rights of data subjects: the right to be informed, the right to have their data deleted, and data portability. If an organization stores or processes personal data in the cloud, it can also use ISO 27018 to cover many GDPR requirements. Therefore, if the implementation of ISO 27001 identifies personal data as an information security asset, and those that store or process personal data in the cloud follow ISO 27018 recommendations, most of the GDPR requirements will be covered.

The ISO 27000 series of standards provides the means to ensure this protection. There are many points where the ISO 27001 and ISO 27018 standards can help achieve compliance with this regulation. Listed below are a few of the most relevant ones:

  • Because of the high fines defined in the GDPR and their major financial impact on organizations, the risk identified for personal data during risk assessment will naturally be too high to leave untreated. On the other side, one of the new requirements of the GDPR is the implementation of Data Protection Impact Assessments, where companies will first have to analyze the risks to privacy, just as ISO 27001 requires for information security risks. While implementing ISO 27001, personal data must be classified as high criticality.
  • ISO 27001 makes it mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with the GDPR, this regulation will have to be part of that list.
  • Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Implementing ISO 27001 will ensure a consistent and effective approach to the management of information security incidents, including communication on security events. According to the GDPR, data subjects will also have to be notified, but only if the breach poses a high risk to data subjects’ rights and freedoms. Implementing incident management that results in the detection and reporting of personal data incidents will be an improvement for any organization wishing to conform to the GDPR.
  • Asset management – ISO 27001 leads to the inclusion of personal data as an information security asset, and allows organizations to understand what personal data is involved, where it is stored, for how long, its origin, and who has access, all of which are requirements of the GDPR too.
  • The adoption of Privacy by Design, a GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 ensures that information security is an integral part of information systems across the entire lifecycle.

In a nutshell, the GDPR mostly deals with personal data collection, while ISO 27001 helps ensure that this collection of confidential data is secure. Also, the GDPR will expand on the Data Protection Act: it is focused on looking after the privacy and rights of the individual, and is based on the premise that consumers and data subjects should know what data is held about them, how it is held, and other core information that the Data Protection Act did not demand.


Everything you need to know about GDPR

This post was first published on my corporate blog

With the help of advanced business analytics and AI, companies are putting the power of data to its best use. But what is this data? It comprises the personal details of citizens of the European Union (EU). Therefore, it is imperative to act according to a set standard of consumer rights in order to protect the data from being misused.

The standard the EU currently works under, the Data Protection Act, was formed in 1998. The world of business intelligence has advanced beyond expectations since then. In the modern world, consumer data can be exploited in unimaginable ways, so a more comprehensive regulation that protects consumer data from exploitation in the current world scenario is a must. Hence the formulation of the all-new General Data Protection Regulation (GDPR).

What is GDPR?

In simple words, GDPR, which is slated to come into effect on 25 May 2018, is a regulation designed to protect the personal data of citizens of the European Union from possible misuse by corporations. Non-compliance with the strict regulations of GDPR may result in hefty fines for businesses.

GDPR will supersede the previous Data Protection Act, and with refined and stricter regulations the EU hopes to safeguard customer privacy in the upcoming Digital Economy.

The provisions of GDPR are consistent across the 28 European Union member states, making it a single standard that businesses must meet. Although the guidelines are strict and the standard expected of companies operating in the EU is very high, adhering to the GDPR will ensure the smooth running of a business.

Not only will GDPR act as a stringent master in controlling customer privacy and data, it will also make the business atmosphere simpler for EU companies. GDPR is expected to offer a simpler legal environment for businesses to operate in by making the law for data security identical throughout the single market.

Which companies does GDPR affect, and how?

GDPR is aimed at making businesses more accountable for protecting and monitoring customer data. This data includes:

  • Customer identity including IP address, location, RFID tags, and cookies.
  • Genetic and general health data
  • Biometric Data
  • Ethnic/ Racial data
  • Political belief
  • Sexual Preferences

GDPR essentially applies to every company that accesses, stores, or processes any kind of personal data of any EU citizen. It does not matter whether the business is present within EU states or not; the company still has to comply with GDPR if it uses EU citizens’ data in any way. For any company with more than 250 employees GDPR is mandatory, but even if the company operates with fewer than 250 employees and uses the data of EU citizens, it must comply with the GDPR.

The Six principles of GDPR You Must Know About

Emphasizing the aim of driving GDPR compliance, the six principles summarize the main responsibilities of organizations for managing the personal data of consumers. These six principles are:

1. Fair practice, Lawfulness, and Transparency

The first principle of GDPR says that personal data of any kind must be processed impartially, lawfully and with transparency. In order to follow GDPR lawfully, companies must meet the data acquisition and processing criteria laid out in the guidelines.

2. Legitimate Purpose Limitation

The principle clearly states that personal data can be collected for explicit, legitimate, and specified purposes only. Although the scope in GDPR is widened for certain categories, the principle essentially means “do what you say and say what you mean”.

3. Data Minimization

According to Article 5(1)(c) of the regulation, the personal data collected must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. The principle explicitly means that nothing more than the bare minimum of required data should be retained for processing.

4. Accuracy of Personal Data

The principle states that the accuracy of data must be maintained. Care must be taken to safeguard personal data from theft and leaks. Also, inaccurate personal data must be rectified without delay.

5. Limitation on Storage of Data

The principle limits the storage of unwanted data. Data that is no longer required must be securely removed. There are a few exceptions to this principle, such as data collected for scientific purposes and for the public interest.

6. Confidentiality and Integrity

This principle follows from the fundamental right to data security. The integrity and confidentiality of data must always be maintained. Controlling the number of people who can access the data is a good way of achieving it.

Rights of Data Subjects under GDPR

Data subjects are essentially the people whose data is being captured. When data subjects want to exercise their rights, processors have to be answerable to them within the scope of those rights. There are 8 fundamental rights for data subjects, listed below:

1. The right to be informed

The GDPR requires processors and data collectors to dutifully and clearly inform data subjects about how their data is stored and about their rights over the data collected.

2. The right of access

Data subjects have the right to know how the data concerning them is being processed.

3. The right to rectification

Where personal data is incorrect or false, it is the responsibility of the data collectors to correct it with immediate effect.

4. The right to erasure

Data subjects have the right to ask to be forgotten, i.e. to have their personal data erased.

5. The right to restrict the processing

There may be circumstances where the data subject cannot have the data erased or forgotten but can restrict its processing to a certain extent. For example, this right can be exercised in defense or legal claims cases.

6. The right to data portability

Data subjects enjoy the right to transfer their data from one online platform to another.

7. The right to object to processing

As stated in the clauses of GDPR, controllers (data collectors) must process data lawfully and with full transparency. However, where the lawful basis is not absolute, data subjects have the right to object.

8. Rights in relation to automated decision making and profiling

Data subjects can exercise their rights in certain cases with respect to the profiling of their information.

The Obligation of Data Controllers

Under GDPR, as soon as an enterprise gains access to the personal data of consumers, it becomes obligated to use it responsibly and to follow all the principles and guidelines stated in the regulation. For a data processor or controller, the following obligations hold great significance:

  1. Proper implementation of appropriate technical and organizational measures to ensure and demonstrate that the data controller complies with the principles of GDPR. Internal data policies such as audits of processing activities, HR policy reviews, and staff training may be included in this.
  2. Maintaining relevant documentation regarding processing activities.
  3. Wherever required, appointing a qualified officer to monitor data protection.
  4. Implementing adequate measures that satisfy the principles of data protection at the time the process itself is designed.
  5. Carrying out data protection impact assessments wherever required.

RPA PoCs – Are you doing it wrong?

Proof of what exactly?

For any technology adoption, a proof of concept is the usual approach to evaluate the usefulness and effectiveness of the technology. However, RPA is a different animal altogether. The usual proof of concept does not work because it’s not even clear what is being proven.

The unknowns in any RPA roll-out

  • Ease of use of the RPA tool?
  • Does it work with the applications that need to be automated? RPA tools are very finicky and sometimes even the simplest looking automation needs are hard to accomplish.
  • What’s the performance and accuracy?
  • Is it enterprise grade? What’s the approach to technology best practices around documentation, version control, peer reviews, testing, release and configuration management, security, auditing etc.
  • Will it work in the environment it needs to be deployed?
  • Will it scale?
  • Will it seamlessly fit into the company’s processes – release, change management, deployment, support? What changes are needed to the processes?
  • Are the company’s processes standardized enough to start RPA journey?
  • How will the employees feel about automation of their tasks?

Of all these questions, a typical RPA PoC only answers the first one, an irrelevant question that usually gets an incorrect answer as well. At the end of these PoCs the bot created is nothing more than demoware, which quickly gets forgotten.

A better RPA test

A good test for RPA is to pick a real process which has just enough technological and organizational complexity to provide a good test bed, but not so much that it kills the project before it even gets started.

  • A process involving a complex mix of technology. Don’t go easy here. If the process is a candidate for RPA, then RPA should be able to work with all of the technical stack. It’s better to get a realistic picture of the limitations of the RPA tool now.
  • The process should involve multiple business units to test the organizational dynamics.
  • The process should have some number of business rules and data quality issues.
  • Take a process that’s performance sensitive – either high volume or large effort – but which is not critical. You should be able to take the bot live without much risk.

During the entire development, deployment and production phases, make copious notes of what went right and what did not meet expectations. After at least a month of being live, hold a retrospective and try to answer the questions laid out in the first part of this article.

When you have all the answers you can decide the outcome of the PoC and the next steps.


Delivering the RPA Hype

Look at any sales or marketing pitch around Robotic Process Automation and you’ll see these statements repeated in some form or other.

  • 50-80% reduction in cost.
  • It’s easy to get started. No special skills needed. Even the process executive can ‘train’ the bot.
  • By extension, this is not coding and doesn’t need formal processes or change management.
  • RPA can automate (almost) any manual process.


TCS’s Santhanam brushes aside the fears of robots taking over jobs, dubbing them an “exaggeration.” It is merely the next level after the past few decades of digitisation.

I agree with him.