A Swift Kick in the Nuts and Bolts of Banking

A Swift Kick in the Nuts and Bolts of Banking

The global financial services industry is undergoing a seismic shift and not enough people are truly aware of what this means. By November of this year, banks and other financial institutions must have in place a new process for payment systems that uses the ISO 20022 standard instead of SWIFT. This must be active by November and by 2025, all financial institutions will have to be compliant. This is a huge ask, made even greater by the increasing levels of instability, technological change, and cybercrime impacting the world’s nations. Banking is about to change, and that’s not something that banks anywhere like to hear.

As a platform for relaying electronic messages between financial institutions, the ISO 20022 standard uses Extensible Markup Language (XML) and Abstract Syntax Notation (ASN.1) protocols to communicate, making it more adaptable to various networks, delivering greater transparency and security, and having the capacity to work with non-Latin alphabets.

But that doesn’t mean the transition will be easy nor is it only a problem for the IT department.

There are significant parallels here with the transition faced by the mainframe community. Mainframe computing has been a staple of business for decades, and it comes with traditions and cultures that were slow to change. Much like banking, most people are not aware of just how much work mainframes still do in processing the massive amounts of data that are required for so much of what we use, as consumers and in industry to this day.

But mainframe has had to evolve with the times, falling in line with Agile and DevOps processes and retooling its systems to attract talent and to keep pace with the extreme demands of development and testing within a modern software development lifecycle.

Financial services have already been facing a similar challenge, specifically with the large-scale shift from proprietary platforms to APIs that serve a range of applications and devices. Some financial institutions have already moved a great deal of their business banking towards open banking and API's.

Now, they, and those who are following in their footsteps, must contemplate an immense change to their entire infrastructure, maintaining two systems – one legacy and the other state of the art – while simultaneously carrying on business as usual. It’s like the world’s largest tablecloth trick, pulling it off the table without disturbing any of the cutlery and glassware. With many APIs already in place, this demands a significant amount of planning around logistics and security, which should be made to be part of a broader scheme across the entire bank. This will give the CIO a standardised approach to looking at the risk of payments and transfers environment – something that was once so proprietary that such a view was impossible.

Despite the enormity of a typical bank’s IT department, it is vital that external experts be consulted to ensure that the transformation journey embeds security in such a way that internal operations can understand what is driving it. Take, as a single example, a new API around consumer validation. This must be secured correctly. The assumption that this can be handled in an open environment is incorrect. These are the challenges on which financial institutions must maintain sharp focus since any single error in its deployment will lead to significant delays in processing transactions for customers. ISO 20022 is good, but it must be used correctly.

Banks have four years of pressing deadlines ahead of them, starting with the first in November 2022. And that’s just for ISO 20022. This is an industry that, despite its centuries-long roots, must recognise that its only constant is change. There will also be changes to specific areas of service like PCI DSS for payment cards, and these, too will have much greater problems dealing with proprietary back-end systems as compared to up-to-date standards-based services.

The API economy, too, is going to see a lot of change, and the fact that qualified external experts can secure API's presents tremendous business value.

The challenge internally is quite enormous. It’s not just about the deployment of technologies needed to meet the ISO standard. There are also internal cultural differences that must be overcome. A specific department, debit cards, for example, may be familiar with – and comfortable with – a particular security vendor while the CISO of the entire organisation dismisses that vendor as having insufficient coverage. The ISO 20022 transition requires collaboration between the internal developer community and trusted external experts to ensure a seamless developer experience that makes it easier to inject security along the way.

Ultimately this is about community. It’s about solving problems at a moment in time when there are many problems to solve. Within the community of any bank or financial institution, there will be some people, departments or C-level officers who will not fully grasp what moving from a proprietary back end black box system to an open API will do for them. In a highly regulated industry, this kind of conversation is not just an IT thing, or a CISO thing. It must be a company-wide conversation about strategy and about the realities of a new marketplace that is just around the corner.

We know that there’s a planet’s worth of choice out there when it comes to professional companies that manage data and security. And every financial institution, bank, and company must either go it alone or put their trust in a specialist firm.

Our approach has been to get on with doing the good work, and let others put in the good word. Veracode has been named a Leader in the 2022 Gartner® Magic Quadrant™ for Application Security Testing for the ninth time and a Leader in the 2022 IDC MarketScape for Worldwide Application Security Testing, Code Analytics, and Software Composition Analysis. We let them tell the world how satisfied they are with us, and in the meantime, we keep focusing on keeping their assets safe.

To learn more about how Veracode can help with your transition to ISO 20022, go to our financial services resources page here.

Craig has over 20 years experience in working with global Financial Services businesses, helping these organizations improve, modernize and streamline their secure development processes. Building on a strong DevOps background, Craig is today challenging the status quo and identifying areas where the Sec can be built in to legacy and more modern DevSecOps practices. Financial Services topics of interest include Open Banking, PSD2 and ISO20022 which have, and will continue to ensure change, driving the need for Craig to review the People, Processes and Technology these organizations leverage today.