ISO/TC 68/SC 9 - Information exchange for financial services

This document provides a set of mandatory and optional conformity tests applicable to all versions of the FIX session layer standard.

This document provides the normative specification of the FIX tagvalue encoding, which is one of the possible syntaxes for FIX messages.

This document provides the normative specification of the FIX session layer standard and its session profiles.

This document provides guidelines for data point modelling for supervising experts. The main body consists of four sections. The interrogative form helps in choosing which section may best answer your question and lead you to a good understanding of the subject matter. After this first introductory section and the section containing terms and definitions, the main part starts to provide basic knowledge about different types of data models and data modelling approaches. The first and the second sections provide an overview of data models in general, in contrast to the third section that highlights the necessity of data modelling for supervisory data. This third section draws on the objectives and background information of the preceding sections. Furthermore, a paragraph classifies the Data Point Model introduced by the Eurofiling Initiative and elaborated by EIOPA and EBA, where many new terms related to DPM are introduced. Another paragraph explains the areas of application for the DPM. The third section concludes with a paragraph introducing a subset of the technical constrains that need to be considered in the creation process of the DPM. The fourth section gives step-by-step instructions on how to create a DPM. The paper concludes with remarks on the progress achieved so far, and provides an outlook on the software that is being developed at the moment to support you during the creation process.

This document aims to provide an introduction to the topic of creating a conceptual model for storing multidimensional data which is received as XBRL instances that follow the rules defined by European taxonomies published by the European Banking Authority (EBA) or by the European Insurance and Occupational Pensions Authority (EIOPA).

This document defines the Data Point Methodology for the creation of Data Point Models in the context of European supervisory reporting. Data Point Models are published by a European supervisory authority. To reflect the defined structures in a machine-readable form, they can be accompanied by an XBRL taxonomy. It is also possible to extend the described methodology to other environments.

This document defines the framework, function and protocols for an API ecosystem that will enable online synchronised interaction. Specifically, the document: — defines a logical and technical layered approach for developing APIs, including transformational rules. Specific logical models (such as ISO 20022 models) are not included, but they will be referenced in the context of specific scenarios for guidance purposes; — will primarily be thought about from a RESTful design point of view, but will consider alternative architectural styles (such as WebSocket and Webhook) where other blueprints or scenarios are offered; — defines for the API ecosystem design principles of an API, rules of a Web-service-based API, the data payload and version control; — sets out considerations relevant to security, identity and registration of an API ecosystem. Specific technical solutions will not be defined, but they will be referenced in the context of specific scenarios for guidance purposes; — defines architectural usage beyond query/response asynchronous messaging towards publish/subscribe to support advanced and existing business models. This document does not include: — a specific technical specification of an API implementation in financial services; — the development of JSON APIs based on the ISO 20022 specific message formats, such as PAIN, CAMT and PACS; — a technical specification that is defined or determined by specific legal frameworks.

ISO/TS 12812-3:2017 specifies the interoperable lifecycle management of applications used in mobile financial services. As defined in ISO 12812‑1, an application is a set of software modules and/or data needed to provide functionality for a mobile financial service. This document deals with different types of applications which is the term used to cover authentication, banking and payment applications, as well as credentials. Clause 5 describes the basic principles required, or to be considered, for the application lifecycle management. Because several implementations are possible with impacts on the lifecycle, this document describes the different architectures for the location of the application and the impacts of the different scenarios regarding the issuance of the secure element when present (see Clause 6), the different roles for the management of the application lifecycle and the domains of responsibilities (see Clause 7). It also specifies functions and processes in the application lifecycle management (see Clause 8) and describes scenarios of service models and roles of actors (see Clause 9).

ISO/TS 12812-4:2017 provides comprehensive requirements and recommendations, as well as specific use cases for implementation of interoperable mobile payments-to-persons. The emphasis is placed on the principles governing the operational functioning of mobile payments-to-persons systems and processes, as well as the presentation of the underlying technical, organizational, business, legal and policy issues, leveraging legacy infrastructures of existing payment instruments (see ISO 12812‑1:2017, Annex C). ISO/TS 12812-4:2017 includes the following items: a) requirements applicable to mobile payments-to-persons; b) recommendations regarding mechanisms involved in the operation of interoperable mobile payments-to-persons; c) a description of the different use cases for mobile payments-to-persons; d) a generic interoperability model for the provision of different mobile payments-to-persons; e) recommendations for the technical implementation of the generic architectures for the mobile payments-to-persons program; f) recommendations for mobile remittances; g) use cases with the corresponding transaction flows; h) discussion of the financial inclusion of unbanked and underbanked persons (Annex A); i) some legal aspects to consider for mobile payments-to-persons (Annex B). ISO/TS 12812-4:2017 is structured as follows: - Clause 6 sets forth the requirements that a mobile payments-to-persons program must comply with. - Clauses 7, 8 and 9 provide the different levels of implementation for the interoperability of mobile payments-to-persons. - Clause 7 describes the interoperability principles for mobiles payments-to-persons. - Clause 8 describes: a three-layer high-level architecture for mobile payments-to-persons programs; payments instruments sustained by these programs; processing details for a series of significant use cases of mobile payments-to-persons using these payment instruments. - Clause 9 provides a step-by-step data flow description for different mobile payments-to-persons implementations: bank-centric, non-bank centric and card-centric. They can be mapped into the processing use cases of Clause 8, where abstraction is made in the nature of the payment service providers.

ISO/TS 12812-5:2017 focuses on mechanisms by which a person ("consumer", "payer" or "business") uses a mobile device to initiate a payment to a business entity ("merchant" or "payee"). Such a payment may use the traditional merchant point of interaction (POI) system, where the manner of settling the payment follows well-established merchant services paradigms. Additionally, there are other ways for a consumer to make a payment to a merchant, using the mobile device to initiate, authorize and process transactions outside of traditional payment networks using secure payment instruments. Accordingly, this document supports both "push" and "pull" payments (i.e. transactions that are pushed or transmitted from a mobile device into a POI or pulled or received into a mobile device or POI), which are initiated and/or confirmed by a consumer to purchase goods and or services, including proximate payments, remote secure server payments, as well as mobile payments that leverage other technologies [e.g. cloud computing, quick response ("QR") codes, biometrics, geo-location and other methods to authenticate and authorize the transaction]. One of the most important aspects of the MFS environment is mobile payments to businesses. There are many ways a consumer, or a business as a consumer, can make a payment to a merchant. ISO 12812 provides a comprehensive standard for using the mechanisms involved in mobilizing the transfer of funds regardless of who is involved in the process. This document is intended to be used by potential implementers of mobile retail payment solutions, while ISO 12812-4 is intended for potential implementers of solutions for mobile payments to persons. NOTE ISO 12812‑1:2017, 5.4 explains the differences in the use of these terms. As such, the ISO 12812 (all parts) seeks to support all possible technologies and is not designed to highlight or endorse specific technologies in the competitive marketplace. Although this document deals with mobile payments made by a consumer or a business acting as a consumer, which transactions are subject to a variety of consumer protection requirements, in terms of the relationship to the MFSP, the consumer (or business) is the customer of the MFSP. Nevertheless, this document will use the term "consumer."

ISO 12812-1:2017 defines the general framework of mobile financial services (payment and banking services involving a mobile device), with a focus on: a) a set of definitions commonly agreed by the international financial industry; b) the opportunities offered by mobile devices for the development of such services; c) the promotion of an environment that reduces or minimizes obstacles for mobile financial service providers who wish to provide a sustainable and reliable service to a wide range of customers (persons and businesses), while ensuring that customers' interests are protected; d) the different types of mobile financial services accessed through a mobile device including mobile proximate payments, mobile remote payments and mobile banking, which are detailed in other parts of ISO 12812; e) the mobile financial services supporting technologies; f) the stakeholders involved in the mobile payment ecosystems. ISO 12812-1:2017 includes the following informative annexes: - an overview of other standardization initiatives in mobile financial services (Annex A); - a description of possible mobile payment business models (Annex B); - a description of typical payment instruments which may be used (Annex C).

ISO 12812-2:2017 describes and specifies a framework for the management of the security of MFS. It includes - a generic model for the design of the security policy, - a minimum set of security requirements, - recommended cryptographic protocols and mechanisms for mobile device authentication, financial message secure exchange and external authentication, including the following: point-to-point aspects to consider for MFS; end-to-end aspects to consider; security certification aspects; generation of mobile digital signatures; - interoperability issues for the secure certification of MFS, - recommendations for the protection of sensitive data, - guidelines for the implementation of national laws and regulations (e.g. anti-money laundering and combating the funding of terrorism (AML/CFT), and - security management considerations. In order to avoid the duplication of standardization work already performed by other organizations, this document will reference other International Standards as required. In this respect, users of this document are directed to materials developed and published by ISO/TC 68/SC 2 and ISO/IEC JTC 1/SC 27.

ISO 1004-1:2013 specifies the shape, dimensions, magnetic signal level, and tolerances for the E-13B characters which include 10 numerals and four special symbols printed in magnetic ink and used for the purpose of character recognition. It describes the various known types of printing defects and other printing considerations, together with the tolerances permitted.

ISO 1004-2:2013 specifies the shapes, dimensions and tolerances for the 10 digits 0 to 9, five symbols, and 26 letters, to be printed with magnetic ink for the purpose of character recognition. It describes the various types of printing defects and other printing considerations, together with the tolerances permitted, and also contains specifications to signal level measurement.

ISO 20022-2:2013 defines the UML Profile for ISO 20022. In essence, it defines how to use UML to create models that conform to the ISO 20022 Metamodel, which is defined in ISO 20022-1:2013. In so doing, it defines a UML-based concrete syntax for the Metamodel. It does not preclude the specification of additional concrete syntaxes for the Metamodel, such as a textual concrete syntax. The Profile defines how to represent in UML each of the Metamodel's Scope Level Elements (Level 1), Business Level Elements (Level 2) and Message Level Elements (Level 3), as well as Metamodel Elements that are scoped across the levels. Therefore, the Profile covers all of the Metamodel's Packages, except for the following: · ISO20022::Metamodel::ConceptualLevel::MessageTransport · ISO20022::Metamodel::LogicalLevel::Reversing · ISO20022::Metamodel::LogicalToPhysicalTransformation · ISO20022::Metamodel::PhysicalLevel The Profile also covers the ISO20022::TypeLibrary Package, upon which the Metamodel has some dependencies. ISO 20022-2:2013 is only applicable when UML is used.

ISO 20022-4:2013 was prepared to complement the ISO 20022 Metamodel, as specified in ISO 20022-1:2013, with the XML syntax transformation rules to be applied by the ISO 20022 Registration Authority in order to translate an ISO 20022 compliant MessageDefinition into an XML Schema for the description and validation of XML Messages. It specifies the transformation rules from level 3 to level 4. It is a deterministic transformation, meaning that the resulting XML Schema is completely predictable for a given MessageDefinition. There is neither manual input to the transformation itself nor manual adjustment to the result of the transformation.

ISO 20022-5:2013 was prepared to complement ISO 20022-1:2013. The reverse engineering guidelines explain how to extract relevant information from existing IndustryMessageSets in order to prepare the submission to the ISO 20022 Registration Authority of equivalent, ISO 20022 compliant BusinessTransactions and MessageSets. The ISO 20022 Repository will contain all ISO 20022 compliant BusinessTransactions and MessageSets, as outlined in ISO 20022-1:2013.

ISO 20022-3:2013 describes the modelling workflow, complementing ISO 20022-1:2013 and ISO 20022-2:2013. The modelling workflow describes the required steps a modeller follows in order to develop and maintain standardized BusinessTransactions and MessageSets. ISO 20022-3:2013 is not intended to describe what will be the permissible artefacts and/or documents to be submitted to the Registration Authority (this information is contained in ISO 20022-7). Examples are provided only to illustrate the modelling methodology and are not normative.

ISO 20022-6:2013 specifies the characteristics of the MessageTransportSystem required for an ISO 20022 BusinessTransaction and MessageDefinition. Changes to the value of the MessageTransport Characteristics can affect the BusinessTransaction and MessageDefinition. Each BusinessTransaction in the ISO 20022 Repository is associated with a MessageTransportMode. The MessageTransportMode specifies the values for the MessageTransportCharacteristics.

ISO 20022-1:2013 consists of: the overall description of the modelling approach; the overall description of the ISO 20022 Repository contents; a high-level description of the input to be accepted by the Registration Authority to feed/modify the Repository's DataDictionary and BusinessProcessCatalogue; a high-level description of the Repository output to be made publicly available by the Registration Authority. BusinessTransactions and Message Sets complying with ISO 20022 can be used for electronic data interchange among any industry participants (financial and others), independently of any specific communication network. Network-dependent rules, such as message acknowledgement and message protection, are outside the scope of ISO 20022.

ISO 20022-7:2013 specifies the responsibilities of the following bodies, which are involved in the registration and maintenance of the ISO 20022 Repository. The Registration Authority (RA) is the operating authority responsible for the registration and maintenance of the ISO 20022 Repository and for providing access to the information described in ISO 20022-1:2013. The RA is assisted by different Standards Evaluation Groups (SEG), i.e. groups of industry experts responsible for specific Business Areas of the Repository. A Technical Support Group (TSG) advises the SEGs, the RA, developers and communities of users on the technical implementation of ISO 20022. The Registration Management Group (RMG) is the governing body of the overall registration process and the appeal body for the communities of users, Submitting Organisations, the RA, the SEGs and the TSG. It monitors the registration process performance.

ISO 20022-8:2013 describes the transformation rules to generate ASN.1 abstract syntax from an ISO 20022 compliant MessageDefinition. The generated abstract syntax is for the description and validation of Messages. The transformation rules are a transformation from Level 3 to Level 4. It is a deterministic transformation, meaning that the resulting ASN.1 is completely predictable for a given MessageDefinition. There is neither manual input to the transformation itself nor manual adjustment to the result of the transformation. ISO 20022-8:2013 is the ASN.1 equivalent of ISO 20022-4:2013. In ISO 20022-4:2013 the abstract syntax generated is XML Schema; in ISO 20022-8:2013 it is ASN.1. In ISO 20022-4:2013 the only encoding supported is UTF-8 XML; in ISO 20022-8:2013 there are multiple encodings supported for ASN.1. These include all the standard encodings, but in addition the ability to register custom encodings in ECN.

ISO 11649:2009 specifies the elements of a structured creditor reference (RF Creditor Reference) used to facilitate the processing of data in data interchange and in the financial services, as well as between other business domains. The RF Creditor Reference is designed for use in an automated processing environment, but can also be implemented in other media interchanges (e.g. paper document exchange). ISO 11649:2009 does not specify internal procedures, file organization techniques, storage media, languages, etc. to be used in its implementation. It is applicable only to the textual data that can be conveyed through a system or network.

ISO 22307:2008 recognizes that a privacy impact assessment (PIA) is an important financial services and banking management tool to be used within an organization, or by “contracted” third parties, to identify and mitigate privacy issues and risks associated with processing consumer data using automated, networked information systems. ISO 22307:2008 describes the privacy impact assessment activity in general, defines the common and required components of a privacy impact assessment, regardless of business systems affecting financial institutions, and provides informative guidance to educate the reader on privacy impact assessments. A privacy compliance audit differs from a privacy impact assessment in that the compliance audit determines an institution's current level of compliance with the law and identifies steps to avoid future non-compliance with the law. While there are similarities between privacy impact assessments and privacy compliance audits in that they use some of the same skills and that they are tools used to avoid breaches of privacy, the primary concern of a compliance audit is simply to meet the requirements of the law, whereas a privacy impact assessment is intended to investigate further in order to identify ways to safeguard privacy optimally. ISO 22307:2008 recognizes that the choices of financial and banking system development and risk management procedures are business decisions and, as such, the business decision makers need to be informed in order to be able to make informed decisions for their financial institutions. ISO 22307:2008 provides a privacy impact assessment structure (common PIA components, definitions and informative annexes) for institutions handling financial information that wish to use a privacy impact assessment as a tool to plan for, and manage, privacy issues within business systems that they consider to be vulnerable.

ISO 8583-1:2003 specifies a common interface by which financial transaction card originated messages may be interchanged between acquirers and card issuers. It specifies message structure, format and content, data elements and values for data elements. The method by which settlement takes place is not within the scope of this part of ISO 8583.

ISO 8583-3:2003 establishes the role of the maintenance agency (MA) and specifies the procedures for adding messages and data elements to ISO 8583-1 and to codes listed in Annex A of ISO 8583-1. The responsibilities of the MA relate to all message type identifiers and classes, data elements and sub-elements, dataset identifiers and codes within ISO 8583-1, with the exception of Institution Identification Codes.

ISO 18245:2003 defines code values used to enable the classification of merchants into specific categories based on the type of business, trade or services supplied. Values are specified only for those merchant categories that are generally expected to originate retail financial transactions. ISO 18245:2003 also establishes the procedures for a Registration and Maintenance Management Group (RMMG), which considers requests for new code values, and a Maintenance Agency (MA), which provides the administrative procedures required to maintain an up-to-date list of codes. It is not within the scope of ISO 18245:2003 to mandate the use of merchant category codes in any given situation.

This part of ISO 15022 consists of: - the description of the Enhanced ISO 7775 syntax and message design rules; - the contents and organization of the dictionary of Enhanced ISO 7775 and EDIFACT fields for securities messages; and - the contents and organization of the catalogue of securities messages built in the Enhanced ISO 7775 and EDIFACT syntaxes. It refers to the EDIFACT syntax when necessary to ensure an easy cross-reference between Enhanced ISO 7775 concepts and EDIFACT concepts. The EDIFACT syntax is not described in this part of ISO 15022; it is defined in ISO 9735 which is incorporated by reference. This part of ISO 15022 is used for electronic data interchange between securities industry participants, independently of the communication network. Network dependent rules, for example, on how to specify where and when the message is to be sent, message acknowledgement and message protection are outside the scope of this part of ISO 15022. The maintenance of this part of ISO 15022 is described in part 2 of ISO 15022.

This part of ISO 15022 describes the responsibilities of the parties involved in the maintenance of the Data Field Dictionary (DD) and the Catalogue of Messages (CM). There is a Registration Authority (RA) which is the operating authority responsible for maintaining the Data Field Dictionary and the Catalogue of Messages, and a Registration Management Group (RMG). The RMG is the governing body of the RA, and monitors its performance.

Specifies the format required for the transmission on electronic media of certificate numbers to other organizations or establisments. Applies to all types of securities, regardless of issuer or country of issuance. Replaces the first edition.

Defines: the location and size of one or more areas on the securities for the printing of a line of characters; the position of this line; the structure and the contents of this line. Annexes A, B, C and D form an integral part of this standard.