
Standardization landscape mapping for FinTech

Report of CEN/BT WG 220 'FinTech'

July 2018

© 2018 CEN Copyrighted

Contents
1. Executive Summary
2. Introduction
2.1 Background to report
2.2 Scope of report
3. Methodology
4. Overview of standards relevant to FinTech
4.1 FinTech standards mapping categorisation
4.2 Non-formal, private and other standards relevant to FinTechs
4.3 Selected key standards, descriptors and use cases
5. National projects of interest to FinTech
5.1 Call to identify national projects of relevance
5.2 Insurance and ‘InsurTech’
6. Identified gaps
6.1 Opportunities for Standards Development in FinTech
7. Conclusion
7.1 Recommendations
Appendix A
Appendix B – Key to standards identified by Figure 4


1. Executive Summary

This report considers the standards landscape relevant to the financial technology (FinTech) industry, namely technology-enabled financial services and related industries. It deals primarily with formal and work programmes developed via CEN (European Committee for Standardization) and ISO (International Organization for Standardization) and their national standards bodies. However, some relevant private, industry standards are included. It does not attempt to form a review of the relevant regulation and the activities of related regulatory agencies, although certain EU Directives such as PSD2, and mandatory international reporting standards, have been mentioned where applicable.

The information contained in this report was prepared by the members of the CEN BT Working Group 220 on FinTech following a mandate by the European Commission Task Force on FinTech (TFFT) and a request for CEN to conduct a mapping of the existing standardization relevant to FinTech. The objective of the report is to highlight relevant standards committees, published standards and initiatives, and also to identify possible gaps in the landscape where further standardization could be developed. The intent of this WG is not to develop specific new standards but to recommend areas of further exploration.

Although FinTech has developed rapidly, there may be opportunities for regulation and voluntary standardization to provide consumer protection, promote access to markets (interoperability), innovation and competition across financial services. The FinTech Action Plan, published in 2018 by the European Commission, highlighted this potential role for standards in supporting FinTech markets.

This review of the formal standards landscape, which considered programmes in financial services, information technology and security, data and organizational governance, has identified a number of published standards and technical committees (CEN and ISO) of relevance to FinTech. These are categorised here using the core domains, processes and service functions of a financial business. Although certain standards may be of relevance to FinTech based on their business activity, such as ISO 20022 Universal Messaging Schemes for payment services, most (e.g. Information Security standards and ISO 27001) were considered simply as having generic applicability to digital companies.

This report has established that there are currently no FinTech-specific standards in development under the formal work programmes of CEN and ISO. However, there are a number of formal projects at a national level in development, along with private and industry standards, which have been identified as relevant to FinTech businesses. These include work by BSI, the UK’s National Standards Body, initiatives led by industry such as Open Banking (API) Standards and P2P Standards, the Berlin Group and its NextGenPSD2 Framework initiative that will be highly relevant to FinTech. In addition there are also many RegTech data initiatives based on reporting protocols. This report does not intend to duplicate or overlap with existing EC regulatory agencies.

Based on analysis of the current standards landscape, it appears that no formal CEN and ISO committees exist that are currently developing standards in the following areas:
• RegTech
• Funding platforms (e.g. P2P); and
• AI specific to the finance context (Robo Advice).

This mapping indicates a number of gaps where formal, private or industry standards could be developed to support specific FinTech propositions. As with the above, these will require investigation with FinTech industry stakeholders to determine where such standards would make a positive impact. Cross-sector issues for FinTech such as identity management and data protection, given the regulatory environment, were also identified as being potential areas where standards might provide assurance to customers and clients.
It was equally considered that there was a gap for a standard set of definitions and terminologies for FinTech.


This report ultimately concludes with the recommendation that, as appropriate, standardization should be taken forward at a national, European (CEN) and international (ISO) context. Given the global nature of many FinTech businesses and financial markets however, the report will suggest standards should be developed at an international level.

2. Introduction

2.1 Background to report

FinTech has been a fast-developing industry over the last few years as new entrants, utilising digital technology, are challenging more established financial services providers with new products, services and platforms. The industry incumbents are also taking advantage of such trends. FinTech has the potential to deliver further benefits to consumers, business, market infrastructure (e.g. RegTech) and local economies, if certain barriers are overcome. To help competition, government and regulators will need to remove certain barriers to growth, whilst providing an environment for innovation which is safe and protects both consumers and the integrity of the financial system.

As the sector expands, there may be a need for enhanced supervision, regulation and standardization to promote well-functioning FinTech markets. This is recognised by the European Commission in their FinTech Action Plan [1] published in 2018, which highlights that ‘common standards’ may be needed to promote interoperable markets and consumer protection. It was also stated that participation in their development should be unrestricted, with the procedure for adoption of the standards clear and transparent. Voluntary and open standards therefore have an important role to play in the governance of emerging technology-based markets such as FinTech. European Supervisory Authorities will also need to consider FinTech markets.

The General Data Protection Regulation (GDPR), which came into force in May 2018, will impact financial institutions that collect and process personal data of EU citizens. GDPR will extend to organisations that process data, such as cloud services providers. Much like PSD2, the Second Payment Services Directive requiring banks to make their customer data assets and payments infrastructure available to third parties via APIs, FinTech solution providers will need to be aware of its implications from a regulatory compliance and operational risk perspective.

This report primarily focuses on programmes developed via formal standardization bodies such as CEN and ISO and their national members and, where possible, also assesses voluntary standards. Over the last year, new groups have also been established within CEN and ISO to advise on FinTech issues (e.g. ISO/TC 68/TAG 1, Fintech Technical Advisory Group).

2.1.1 Request by EC to CEN to undertake the work

The European Commission Task Force on FinTech (TFFT), which includes representatives of DG CONNECT and DG FISMA, builds on the European Commission’s (EC) goal to develop a comprehensive strategy on FinTech. In February 2017, the TFFT formally approached CEN and CENELEC with a request to conduct a standardization mapping exercise for FinTech, referred to herein as the ‘standards mapping project’. The scope of this project was to address national, European and international activities, such as identification of related technical committees and work programmes that may apply to FinTech and potential challenges that FinTech poses.

1 FinTech Action plan: For a more competitive and innovative European financial sector. Communication From The Commission To The European Parliament, The Council, The European Central Bank, The European Economic And Social Committee And The Committee Of The Regions. European Commission (March 2018)

2.1.2 Initial research done by CCMC

The CEN-CENELEC Management Centre (CCMC) prepared an initial draft standardization roadmap which provided a global overview on FinTech Standardization activities (ISO and CEN), the most important topics regarding FinTech standardization (e.g. financial services, asset management and IT security, governance and services) and a focus on terminology standardization activities. CEN conducted research which included circulation of a questionnaire to national bodies. The output was a comprehensive breakdown of standards in a spreadsheet.

2.1.3 Membership of the working group

In order to develop the FinTech standards mapping project, a new group (CEN/BT WG 220) was created to carry out the work. BSI, the UK National Standards Body, was granted the secretariat responsibilities. The aim of the CEN/BT WG 220 was to identify the EU needs related to FinTech standardization. This working group developed a mapping of existing standards initiatives on FinTech, along with a gap analysis. CEN member bodies were invited to put forward representatives to this working group from FinTech’s main groups. The relevant stakeholder groups were identified as FinTech businesses (including networks and forums); financial services; banking; investment; technology; insurance and trade associations; government and regulatory bodies; legal bodies and consultancies; academia; and consumer bodies.

2.2 Scope of report

2.2.1 Definition of FinTech

In the EC’s recent public consultation on FinTech and the financial sector [2], FinTech is described as “technology-enabled innovation in financial services, regardless of the nature or size of the provider of the services.” The scope of the mapping was primarily concerned with standards activities specific to FinTech or with potential high relevance, such as finance standards and those for financial markets. However it was not limited to broader standardization concerning core business processes and domains, such as information security, IT and governance. Standardization relating to technologies relevant to FinTechs, such as blockchain and Distributed-Ledger Technologies, was also considered, although not all were detailed.

For the purposes of this report standardization is intended to include voluntary standards developed via organizations such as CEN (the European Committee for Standardization) and ISO (International Organization for Standardization) and their national member bodies. Such standards are distinct from regulation, and therefore not mandatory, and have been developed through open, consultative and consensus-based processes involving relevant stakeholder groups. However, a non-exhaustive search of other voluntary and industry standards has been included along with certain international standards. These include those developed by independent bodies such as the International Accounting Standards Board, which, although mandatory for listed companies, are separate from regulation and Directives and highly relevant to some applications of FinTech. Regulation and EU Directives are considered out of scope although these may be referred to during the report.

2 Consultation Document: FinTech: a more competitive and innovative European financial sector - European Commission: Directorate General Financial Stability, Financial Services and Capital Markets Union. Investment And Company Reporting: Economic Analysis and Evaluation (2017)

2.2.2 Objectives for the standards mapping project

The core aim of the standards mapping exercise and report was to identify standardization, specific standards and standards activity or programmes, of relevance to FinTech and, where possible, to categorise these for ease of navigation and to help identify potential gap areas.


3. Methodology

3.1.1 Description of process followed to map standards

The standards mapping project comprised desk research to identify relevant work programmes and committees within CEN and ISO, along with contributions from working group members. Members from national standards bodies were asked to summarise local activity and collect data (e.g. a review of publicly available sources and consulting with experts) to surface wider industry, private and independent standardization. The working group also took into consideration the EU consultation on FinTech, in particular the results of the survey published by the EC Task Force FinTech and the preliminary mapping work conducted by CEN.

A categorization of business domains, based upon a diagram published by the Basel Committee on Banking Supervision (BCBS) in a 2018 report [3] (see Figure 1), was utilized and expanded on to help highlight standardization activities relevant to both the core and cross-sector domains and functions within a financial institution. The 2018 report categorised ‘vertical’ sectoral innovations in banking against ‘horizontal’ support services to explain the implication of FinTech on banks, including core technologies, infrastructure and innovations. Committees developing relevant standards identified in the mapping were designed to help highlight standards that may apply both specifically and generically to FinTech markets and business applications, while also helping to highlight gap areas.

Figure 1: Sectors of innovative services (BCBS, BIS - 2018)

3 Basel Committee on Banking Supervision (BCBS): Sound Practices - Implications of fintech developments for banks and bank supervisors (Bank for International Settlements (BIS), February 2018)

4. Overview of standards relevant to FinTech

4.1 FinTech standards mapping categorisation

The framework below (Figure 2) is intended to introduce the core business domains and functions (relevant to financial markets) with cross-domain services (e.g. internal functions) and assist in the categorisation of related standards, committees and themes of relevance for FinTech.

Consideration was given to:
• CEN/CENELEC, ISO/IEC Technical Committees conducting standards work relevant to key business and process domains and services (See Appendix A)
• Analysis of key FinTech segments by business type (e.g. Regtech and InsurTech) and core finance functions
• Review of previous research carried out by BSI in 2016 [4] and CEN Management Centre (CCMC)
• Related available terminology and reports such as the BCBS, BIS report from 2018.

Figure 2: Introduction to core business process domains of relevance to FinTech.

Many FinTech innovations can be mapped to the existing core finance domains, base underlying technologies and cross-domain services. This categorisation has helped with the identification of existing standards and committees of relevance to FinTech (See Figures 3 and 4). The framework can also be used to highlight the following:
• Criticality of standards to a FinTech
• Maturity of underlying standards
• Where gaps exist.

4 A Roadmap for FinTech Standards, BSI and Finextra Research, July 2016

The core domains shown are not intended to capture all aspects of FinTech and its various categories, but are intended to help with the grouping of standards by business type and theme (e.g. payments security).

A mapping of the existing CEN/ISO/IEC committees to the Core Domains and categorisation shown in Figure 2 can be found in Figure 3 below. This includes a summary of the main CEN and ISO Technical Committees (TC), Project Committees (PC) and working groups (WGs) (as detailed in Appendix A) involved in developing standardization of potential relevance to FinTech. Examples of key published standards from each domain/category, and how they are relevant to the committees identified, are found in Figure 4. The mapping is current as of May 2018 and standards under development are not included.


Figure 3: Mapping of existing CEN/ISO/IEC committees to core domains and services

Group labels: Core Domains; Cross Domain Services

Business/Process Domain
Categories: RegTech Trading Infrastructure Payments Finance Funding Insurance
Committees: CEN/TC 224; ISO/IEC JTC 1; ISO/IEC JTC 1; ---; ISO/TC 68; ISO/TC 68; ISO/TC 222; ---; CEN/TC 445; CEN/WS BDA; ISO/TC 68; ISO/TC 68

Integration/Management Domain
Categories: Identity Asset Reporting Predictive Analytics Immutable contract
Committees: CEN/TC 434; CEN/WS XBRL; CEN/TC 224; CEN/TC 225; ISO/TC 251; ---; ISO/TC 225; ISO/TC 307; CEN/TC 440

Common Services
Categories: Time DLT and blockchain Exchanges Financial messaging Data Interoperability
Committees: CEN/WS XFS; CEN/TC 434; CEN/SS F12; ---; ISO/TC 307; ISO/IEC JTC 1; ISO/TC 68; ISO/IEC JTC 1; CEN/TC 445; CEN/TC 445; ISO/TC 68

Security
Categories: IT Security Techniques IT Security and Data protection Anti-Fraud
Committees: CEN/CLC/ETSI Focus Group on Cybersecurity; CEN/TC 224; CEN-CLC/JTC 13; CEN/TC 225; ISO/IEC JTC 1; ISO/TC 292; ISO/IEC JTC 1; CEN/TC 225; ISO/IEC JTC 1; CEN/TC 224; CEN/WS 084; CEN/WS 084

Risk
Categories: Systemic Operation Business Continuity
Committees: CEN/TC 365; ISO/IEC JTC 1; ISO/TC 171; CEN/CLC/WS SEP2; CEN/SS F20; ISO/TC 292; CEN/TC 279; CEN/WS 067; ISO/TC 279; CEN/TC 447; ISO/TC 154; ISO/TC 258; CEN/CLC/WS SEP-IoT; ISO/TC 262; ISO/PC 302; CEN/TC 389; ISO/TC 176; CEN/SS F20; CEN/WS XFS

Governance
Categories: Responsible innovation IT Governance
Committees: CEN/WS SATORI; ISO/IEC JTC 1; ISO/TC 309; CEN/BT WG 213; ISO/PC 317; CEN-CLC/JTC 8; IEC – SyC AAL; ISO/IEC JTC 1; ISO/TC 211; ISO/TC 290; ISO/TC 312; CEN/CLC/ETSI/JWG eAcc

Base Technology Domain
Categories: Data/Analysis Cloud based Programming Language Instrumentation and IOT Robotics/AI
Committees: ISO/IEC JTC 1; ISO/TC 211; CEN/CLC/WS SEP2; ISO/IEC JTC 1; ISO/IEC JTC 1; ISO/IEC JTC 1; ISO/IEC JTC 1; ISO/TC 69; ISO/PC 295; CEN/CLC/WS SEP-IoT


Figure 4: Mapping of published standards from committees identified in Appendix A and Figure 3 (key is provided in Appendix B)

Group labels: Core Domains; Cross Domain Services

Business/Process Domain
Categories: RegTech Trading Infrastructure Payments Finance Funding Insurance
Standards: ISO 4217; EN 726; EN 419251; ISO 20022; ISO 12812-1; ISO 20022; ---; ISO 10962; EN 419212; ENV 14062; ISO/IEC 7501; ISO/IEC 17839; ISO 22222; ---; ---; ISO 10383; ISO/IEC 25010; ISO 12812; ISO/IEC 10536; ISO/IEC 24727; ISO 4217

Integration/Management Domain
Categories: Identity Asset Reporting Predictive Analytics Immutable contract
Standards: EN 726; EN 419251; CEN/TS 16931; EN 419212; ENV 14062; ISO 55000 to 55002; ---; ---; CEN/TR 17014 & 17015; EN 419211; CEN/TR 16669 to 16685

Common Services
Categories: Time DLT and Blockchain Exchanges Financial messaging Data Interoperability
Standards: EN ISO/IEC 30121; CWA 13937; CEN/TS 16931; ISO/IEC 30190-93; ---; ---; ISO 20022; ISO 6166; ISO 15022; EN ISO/IEC 27037 - 27043; CWA 14923; ISO 1861 to 1864; ISO/IEC 29121 & 29171; EN ISO/IEC 27000 - 27002; CWA 16008

Security
Categories: IT Security Techniques IT Security and Data protection Anti-Fraud
Standards: ISO/IEC 27000; ISO/TS 22301 & 22313-18; EN 726; EN 419251; EN ISO/IEC 15416 to 15438; EN 726; EN 419251; EN ISO/IEC 15416 to 15438; ISO/IEC 27001; ISO/TR 22320-25 & 22351; EN 419212; ENV 14062; EN 419212; ENV 14062; ISO/IEC 27017; ISO 22397-98; ISO 27001; CEN/TR 16669 to 16685; ISO/IEC 24745; EN 419211; CEN/TR 16669 to 16685; ISO/IEC 24745

Risk
Categories: Systemic Operation Business Continuity
Standards: CEN/TS 16080; CWA 16926; prCWA 95000; CWA 13449; ISO 7372; ISO 6196, 6198 to 6200; EN ISO 9000, 9001 & 9004; EN ISO/IEC 27000, 27001 & 27002; ISO/TS 22301 & 22313-18; EN ISO 9000, 9001 & 9004; CWA 14050; ISO 8601; ISO 21500; EN ISO/IEC 30121; ISO/TR 22320-25 & 22351; ISO 22301; EN 12973; CWA 15748; ISO 9735; ISO 21503 to 21505; EN ISO/IEC 27037 to 27043; ISO 31000, 31004 & 31010; ISO 22397-98; CEN/TS 16555; CWA 16649; CWA 16374; ISO 14533

Governance
Categories: Responsible innovation IT Governance
Standards: CWA 17145; ISO 19101 to 19163; ISO 19600; ISO 37001; EN 301549; ISO/IEC 20000

Base Technology Domain
Categories: Data/Analysis Cloud based Programming Language Instrumentation and IOT Robotics/AI
Standards: ISO 19101 to 19163; ISO/IEC 17788; ISO/IEC 1539; ISO 16269; ISO/IEC TR 24715 to 24772; prCWA 95000; ---; ISO/IEC 17789; ISO/IEC 10514


4.2 Non-formal, private and other standards relevant to FinTechs

Standards exist that are potentially relevant to FinTech that have been developed and published by organisations outside of the formal standardization system. This includes open standards developed by industry, private standards initiatives and standards developed by recognised independent bodies such as the International Accounting Standards Board (IASB/IFRS). The IASB publishes standards that listed companies are required to meet as part of their financial reporting obligations. Other bodies (such as the Object Management Group) have a formal liaison relationship with ISO and also develop international standards. Some FinTech businesses have designed platforms and RegTech services to help organisations meet their compliance and regulatory reporting obligations under IFRS and in relation to other key EU regulation (e.g. MIFID II, GDPR). Below is a sample list of other European or international standards or initiatives that are relevant to FinTechs.

4.2.1 International Accounting Standards (IAS) and International Financial Reporting Standards (IFRS) as issued by the International Accounting Standards Board

• IFRS 9 Financial Instruments
• IFRS 10 Consolidated Financial Statements
• IAS 29 Financial Reporting in Hyperinflationary Economies

4.2.2 Other identifiers for securities

• Guidelines for Ticker Symbol
• Reuters Instrument Code
• Financial Instrument Global Identifier (see Object Management Group below)

4.2.3 Messaging formats

• Financial Information eXchange (FIX) Protocol, https://www.fixtrading.org/standards/

4.2.4 Reporting standards

• XBRL Standard, https://specifications.xbrl.org/

4.2.5 Berlin Group – pan European payments interoperability standards and NextGenPSD2 Framework initiatives.

• SEPA Card Clearing (SCC) Framework that offers a message extension to the SEPA Direct Debit definition for including additional card originated data in ISO20022 payment messages. [5]
• NextGenPSD2 'Access to Accounts Framework' which offers an open and interoperable set of Application Programming Interfaces (APIs) compliant to the relevant EBA Regulatory Technical Standards.

4.2.6 Banking Industry Architecture Network (BIAN)

• A collaborative, not-for-profit network of banks, technology providers and academics that was established with the aim of defining a technology framework to standardize core banking architecture.

4.2.7 Object Management Group specifications

Data Interoperability or Instrument Identifiers - https://www.omg.org/spec/

• Object Management Group – Date-Time Vocabulary
• Object Management Group – Financial Industry Business Ontology (FIBO)
• Object Management Group – Financial Instrument Global Identifier (FIGI)
• Object Management Group – Languages, Countries and Codes

5 https://www.berlin-group.org/iso20022-sepa-card-clearing

4.3 Selected key standards, descriptors and use cases

A review of the formal standards landscape, which considered relevant CEN and ISO work programmes in financial services, information technology and security, data and governance, identified a number of published standards of potential general or high relevance to FinTech. Some key standards are described here with use cases provided in several cases. Descriptions of certain accounting and reporting standards, which are relevant to some FinTech service propositions such as RegTech, have also been included.

ISO 20022:2013 Universal Financial Industry Messaging Scheme
Developed by: ISO TC 68/SC9, Information exchange for financial services
Scope/purpose: A common language for the financial industry to support the exchange of information for use in payments, transfer of funds and communications. ISO 20022 is a multi-part standard covering meta-models, XML schema, UML, registrations.
Use cases: The standard is used by the industry to increase interoperability and has been adopted widely by financial institutions, markets (infrastructure) and business. It can act as a unifier and enabler of FinTech innovations and solutions [6]. According to research by SWIFT, this may include supporting cross-business system alignment to deliver data mining solutions, API-based technology, mobile payments and other financial transactions. The EPC SEPA Instant Payments (Credit Transfer), which uses APIs to exchange information such as payment data between third-party providers and financial institutions, is based on ISO 20022 messaging and will comply with PSD2.

ISO/IEC 27001:2013 Information security management systems – requirements
Developed by: ISO/IEC JTC 1/SC 27, IT Security techniques
Scope/Purpose: Specifies requirements for an effective information security management system within an organization. It includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. ISO 27001 is part of a family of standards focussed on information security management such as ISO 27018:2014 – Code of Practice for protection of personally identifiable information in public clouds.
Use cases: Many large financial institutions have implemented ISO 27001 and require compliance with standards from their suppliers in order to comply with their obligations regarding cyber security. This is likely to increase with the introduction of GDPR. The ISO 27001 series provides the fundamentals for cyber security and is likely to be highly relevant to FinTech companies who may need to demonstrate awareness of such standards, especially in data-driven, risk and compliance markets and when providing Software as a Service (SaaS).

IFRS 9 International Financial Reporting Standard (IFRS) 9, Financial Instruments
Developed by: IASB (International Accounting Standards Board)
Scope/Purpose: IFRS 9 specifies how an entity should classify and measure financial assets and liabilities and recognise these in its financial statements when party to contractual provisions.
Use cases: Information management and Regulatory Technology (RegTech) solutions and platforms are being developed to help firms meet their compliance obligations around IFRS 9 and other financial reporting requirements.

6 ISO 20022 for Unifying Fintech, SWIFT Discussion Paper, 2017

5. National projects of interest to FinTech

5.1 Call to identify national projects of relevance

During the period of data collection, members of the CEN/BT WG 220 were asked to identify local projects of interest to FinTech, with a particular focus on national groups, committees, standards and industry initiatives. The following national activities on FinTech standards were identified. As these are local activities they have not been included in Figure 4. Input into this section came primarily from the UK, where work on FinTech standards seems more active.

5.1.1 UK

BSI, the UK National Standards Body, has established a national FinTech Advisory Group to act as a focal point for the community and to provide guidance on standards issues and priorities. BSI’s existing standards committees (e.g. IST/12 – Financial Services, mirroring ISO/TC 68) were consulted regarding the work and provided input to both the advisory group and this report.

The UK has a number of standards and initiatives in development of relevance to FinTech. This includes development of a new BSI Publicly Available Specification (PAS), which has seen BSI working closely with UK industry and government, via the FinTech Delivery Panel, to develop guidance on the partnering between FinTechs and banks (and other financial institutions). PAS 201 Supporting FinTechs in engaging with financial institutions - Guide, currently in development, will provide guidance to FinTech companies on the terms and approaches used by financial institutions, to help them prepare for collaboration and to help with commercialisation of new tools and propositions. The PAS intends to outline the key internal checks, controls and business processes (due diligence, procurement, and contractual process), along with the terms and definitions that FinTechs (and other tech companies) may encounter.

BSI has already published national standards of possible relevance to FinTech in the following areas:
• BS 8611:2016 Robots and robotic devices. Guide to the ethical design and application of robots and robotic systems
• PAS 212:2016 Automatic resource discovery for the Internet of Things. Specification
• BS 10012:2017 Data protection. Specification for a personal information management system.

Nationally, a number of industry-led standards have also been developed in the UK to support FinTech. They include:
• Peer To Peer Finance Association (P2PFA) Transparency Standards (http://p2pfa.org.uk/p2pfa-unveils-new-transparency-standards/)
• UK Open Banking APIs and Data Standards (https://www.openbanking.org.uk/standards/)

Several voluntary codes specific to banking and finance, for example Lending Standards Board and Asset-Based Lending, may also be relevant to some FinTech businesses in the form of challenger banks and finance platforms.


5.2 Insurance and ‘InsurTech’

CEN/TC 445, Standardization in the field of digital information interchange in the European insurance industry, provided details of national-level standards initiatives relevant to InsurTech (Insurance Technology), which can be defined as ‘technology-enabled innovation in insurance services’.

5.2.1 Leading insurance companies and the trade associations started in 2015 an initiative to establish a common standard for digital interchange. OMDS 3.0, developed by the Association of Austrian Insurance Companies (Versicherungsverband Österreich) provides free of charge service-definitions for market participants. To date, the OMDS 3.0 standard currently comprises: authentication services; portal services for quotation, insurance contracts, claims and partner-management; transfer of electronic insurance documents and local broker-data sets; and claims notification.

5.2.2 The insurance sector uses the national Telebib2 standard provided by the insurers association Assuralia and the intermediaries associations FVF, UPCA/BVVM and FEPRABEL. The following InsurTech services are based on the Telebib2 standard: policy data portal for all lines of business; sector catalog with the general data (terms and conditions) for all insurance products; invoice portals with payment facility; and Qualified Electronic Signature compliant with EIDAS regulation.

5.2.3 A service is provided for digital interchange from insurer to insurer about policy data in case of insurer change. The service is based on a standard developed by the Workers Compensation Center of Finland.

5.2.4 In Germany the insurance sector uses the national insurance standard provided by BiPRO, an organization supported by all insurance stakeholders. The following services are supported by the standard: portal services for quotation, offer and order of insurance contracts; transfer of electronic insurance documents.

5.2.5 In the Netherlands the insurance sector uses the national insurance standard provided by SIVI, an organization supported by the insurance companies. The SIVI standard supports a: policy data portal for consumer private lines business, motor claims notification.

6. Identified gaps

Based on the analysis shown in Figure 3 and Appendix A, along with the standards identified nationally and locally, it appears no formal committees are currently actively developing standards in the areas below:
• RegTech
• Funding (e.g. equity financing)
• Robotics/AI specific to the finance context; and
• Predictive Analytics (although ISO standards on digital analytics have been published in the market research context, ISO 19731:2017)

The gaps identified do not necessarily signify that no standards are in development. We recognise parallel industry work streams may already be in development. Work on immutable contracts for example may be dealt with by the ISO TC 307 Blockchain and Distributed Ledger Technologies, which has eight standards projects in development, including smart contracts (ISO/AWI TS 23259).


There are some standards activities related to InsurTech, although CEN TC 445 currently has no active standards in development in this field. Although a number of generic business standards may be highly applicable to FinTech, in the formal setting there appears to be a clear absence of FinTech-specific standards projects, both published and in development.

6.1 Opportunities for Standards Development in FinTech

Observations regarding the potential challenges, issues and subsequent opportunity areas for FinTech standards were provided by contributors to the report (see below), but it is recognised that these would benefit from validation from FinTech companies or wider stakeholders. These mostly relate to the need for standards to help encourage transparency, interoperability, scalability of FinTech operations and consumer confidence. Examples include:

• P2P Lending (e.g. platform based, asset finance)
  o Underwriting
  o Transparency in terms and small print for lenders and borrowers, e.g. plain language, risk warnings, disclaimers
  o Transparency in Loan book
• Equity Crowdfunding Platforms
  o Transparency standards, e.g. due diligence processes in what constitutes a 'sophisticated investor' and potential losses and risk
• Payments and Remittance
  o Know Your Client (KYC) (interoperability, scalability and process)
  o Anti-money laundering (AML) (interoperability, scalability and process)
  o Consumer transparency (e.g. relationships with financial institutions and potential conflicts of interest)
• Wealth and Robo Advisory
  o Transparency around fees and transaction monitoring
• API standards relating to platform interoperability (e.g. Open Banking)

The potential for standards to address significant cross-sector issues, such as consistent requirements for identity management, data protection, KYC and AML was also an area recognised as potentially relevant for future standards development. These gaps require further investigation with the wider FinTech industry to determine market need and potential benefits.

7. Conclusion

This report has identified a range of existing formal standards relevant to FinTechs, but it is recognized that most of these have a broader application in financial services, such as banking and securities reference data and semantics, messaging formats and related security, and ICT. Some formal standards development is taking place at a national level, and a number of industry-led standards have also been developed by trade bodies, private consortia and not-for-profit networks. This includes open source standards, codes and specifications for Open Banking APIs, p2p Platform standards, interoperability standards for payments and InsurTech standards. This mapping indicates a number of gaps where formal, private or industry standards could be developed to support specific FinTech propositions. Each area will require extensive validation with FinTech industry stakeholders to determine where such standards would make a positive impact.

7.1 Recommendations

Most of the standardization relevant to FinTech occurs at an international level, although there is early stage standards activity at a national level. Given the existence of an ISO FinTech TAG, any additional standards development at a European level can be open for discussion. In the future, if the FinTech European market were to diverge in some way from other regional markets due to a difference in regulatory approach, for example, this development position may change. This report is designed to provide a consolidated view, a base point from which further analysis and discussions can be generated.

Before any further standards creation activity is undertaken it is recommended that the following actions take place:

• Validation from FinTechs of any standards and gaps identified. This should include both large organizations in the FinTech space, such as financial institutions and regulators, along with any FinTechs themselves.
• Further development of the FinTech standards mapping categorisation so that relevance of the standards identified is clear to FinTechs. It is proposed that these should be grouped as follows:
  o By type of business (e.g. FinTech category, service-type)
  o By key theme (risk, governance, security, etc.)

The standards landscape mapping contained within this report is a consolidated base-level assessment intended to assist interested stakeholders in further discussions on the gaps and priorities for fintech standardization and increase awareness of existing standardization initiatives.


Appendix A: Includes a list of currently active CEN/IEC/ISO technical committees (TC, in bold); subcommittees (SC, in italics); advisory groups (AG); working groups (WG); focus groups; and task forces (TF) undertaking standardization work that might be potentially relevant to the FinTech industry [7]. Where possible, the principal topics covered are illustrated within the subcommittees and related working groups for each technical committee. The total number of standards published and those under development are also indicated. [NB: not all standards within a committee may be relevant to the FinTech industry] (Data correct as of March 2018). Other abbreviations include: ad-hoc group (AHG); committee advisory groups (CAG); joint working group (JWG); specialist advisory groups (SAG); and specialist working group (SWG).

[7] Sources: ISO – https://www.iso.org/technical-committees.html, CEN - https://standards.cen.eu/dyn/www/f?p=CENWEB:6:::NO, IEC - http://www.iec.ch/dyn/www/f?p=103:6:0

COMMITTEE TITLE/THEME (PUBLISHED STANDARDS; STANDARDS UNDER DEVELOPMENT)

CEN/BT WG 220 - FinTech
CEN/BT WG 213 - Strategic Advisory Group on Accessibility (SAGA)
CEN/CLC/ETSI Focus Group on Cybersecurity (published: 4; under development: 1)
CEN/CLC/ETSI/JWG eAcc - eAccessibility (published: 4; under development: 1)
CEN-CLC/JTC 8 - Privacy management in product and services (published: 0; under development: 0)
CEN-CLC/JTC 13 - Cybersecurity & Data Protection (published: 0; under development: 0)
CEN/CLC/WS SEP2 - Industry Best Practices and an Industry Code of Conduct for Licensing of Standard Essential Patents in the field of 5G and Internet of Things (published: 0; under development: 1)
CEN/CLC/WS SEP-IoT - Workshop on Best Practices and a Code of Conduct for Licensing Industry Standard Essential Patents in 5G and the Internet of Things (IoT), including the Industrial Internet (published: 0; under development: 1)
CEN/SS F12 - Information Processing Systems (published: 10; under development: 0)
CEN/SS F20 - Quality assurance (published: 7; under development: 1)
CEN/TC 224 - Personal identification and related personal devices with secure element, systems, operations and privacy in a multi-sectorial environment (published: 44; under development: 13)
  WG 6 User Interface
  WG 11 Transport applications
  WG 15 European citizen card
  WG 16 Application Interface for smart cards used as Secure Signature Creation Devices
  WG 17 Protection Profiles in the context of SSCD
  WG 18 Biometrics
  WG 19 Breeder Documents
CEN/TC 225 - Automatic identification and data capture technologies (published: 25; under development: 3)
  WG 1 Optical Readable Media
  WG 3 Security and data structure
  WG 4 Automatic ID applications
  WG 5 RFID, RTLS and on board sensors
  WG 6 Internet of Things - Identification, Data Capture and Edge Technologies
CEN/TC 279 - Value management - Value analysis, function analysis (published: 2; under development: 1)
  WG 2 Value management, value analysis, functional analysis
  WG 3 Function analysis
CEN/TC 287 - Geographic Information (published: 48; under development: 13)
CEN/TC 365 - Internet Filtering (published: 1; under development: 0)
CEN/TC 389 - Innovation Management (published: 7; under development: 0)
  WG 1 Collaboration and Creativity Management
  WG 2 Innovation Management System
  WG 3 Innovation Self-Assessment Tools
  WG 4 Design Thinking
  WG 5 Intellectual Property Management
  WG 6 Strategic Intelligence Management
CEN/TC 434 - Electronic Invoicing (published: 9; under development: 2)
  WG 1 Core semantic data model
  WG 2 List of syntaxes
  WG 3 Syntax bindings
  WG 4 Guidelines at transmission level
  WG 5 Extension methodology
  WG 6 Test methodology and test results
CEN/TC 440 - Electronic Public Procurement (published: 2; under development: 6)
  WG 1 Architecture
  WG 2 Terminology
  WG 3 e-Notification
  WG 4 e-Tendering
  WG 5 e-Catalogue
  WG 6 e-Ordering
  WG 7 e-Fulfilment
CEN/TC 445 - Digital information Interchange in the Insurance Industry (published: 0; under development: 0)
CEN/TC 447 - Horizontal standards for the provision of services (published: 0; under development: 3)
  WG 1 Service agreements and contracts
  WG 2 Performance management
  WG 3 Communications and Engagement
  WG 4 Service Procurement
CEN/WS 067 - General Framework and Guidelines for Early Recognition, Monitoring and Integrated Management of Emerging New Technology Related Risks (iNTeg-Risk) (published: 1; under development: 0)
CEN/WS 084 - Self-Sovereign Identifier for Personal Data Ownership and Usage Control (CEN WS ISÆN) (published: 0; under development: 0)
CEN/WS BDA - Big Data (published: 1; under development: 0)
CEN/WS XFS - eXtensions for Financial Services (published: 194; under development: 0)
CEN/WS SATORI - Ethical impact assessment framework for research and innovation (published: 2; under development: 0)
CEN/WS XBRL - Improving transparency in financial reporting (published: -; under development: -)
IEC/SyC AAL - Active Assisted Living (published: 0; under development: 2)


ISO/IEC JTC 1 – Information technology (published: 3120, of which 512 are under direct responsibility; under development: 527, of which 21 are under direct responsibility)
  SG 03 "3D Printing and scanning"
  SWG 07 "JTC 1 JAG Group on Emerging Technologies and Innovations (JETI)"
  WG 09 "Big Data"
  WG 11 "Smart cities"
ISO/IEC JTC 1/JAG - JTC 1 Advisory Group
ISO/IEC JTC 1/SC 2 Coded character sets (published: 53; under development: 3)
  WG 02 “Universal coded character set”
ISO/IEC JTC 1/SC 6 Telecommunications and information exchange between systems (published: 374; under development: 20)
  WG 01 "Physical and data link layers"
  WG 07 "Network, transport and future network"
  WG 10 "Directory, ASN.1 and Registration"
ISO/IEC JTC 1/SC 7 Software and systems engineering (published: 177; under development: 36)
  AG 01 "Life Cycle Processes Harmonization Advisory Group (LCPHAG)"
  JWG 28 "Joint ISO/IEC JTC 1/SC 7 - ISO/TC 159/SC 4 WG; Common Industry Formats for Usability Reports"
  STTF "Spanish translation task force"
  SWG 01 "JTC1/SC7 Business Planning Group (BPG)"
  SWG 05 "Standards management group"
  SWG 22 "Vocabulary validation"
  WG 02 "System software documentation"
  WG 04 "Tools and environment"
  WG 06 "Software Product and System Quality"
  WG 07 "Life cycle management"
  WG 10 "Process assessment"
  WG 19 "Techniques for Specifying IT Systems"
  WG 20 "Software and systems bodies of knowledge and professionalization"
  WG 21 "Information technology asset management"
  WG 24 "SLC Profile and guidelines for VSE"
  WG 26 "Software testing"
  WG 42 "Architecture"
ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification (published: 112; under development: 36)
  CAG 01 "Chairman advisory group"
  SG 01 "Mobile identification"
  SWG 01 "Registration Management Group (RMG)"
  WG 01 "Physical characteristics and test methods for ID-cards"
  WG 03 "Identification cards - Machine readable travel documents"
  WG 04 "Integrated circuit card with contacts"
  WG 05 "Identification cards — Identification of issuers"
  WG 08 "Integrated circuit cards without contacts"
  WG 10 "Motor vehicle driver licence and related documents"


  WG 11 "Application of biometrics to cards and personal identification"
  WG 12 "Drone license and drone identity module"
ISO/IEC JTC 1/SC 22 Programming languages, their environments and system software interfaces (published: 113; under development: 17)
  WG 04 "COBOL"
  WG 05 "Fortran"
  WG 09 "Ada"
  WG 14 "C"
  WG 17 ""
  WG 21 "C++"
  WG 23 "Programming Language Vulnerabilities"
  AHG 001 "OWG LSB"
ISO/IEC JTC 1/SC 23 Digitally Recorded Media for Information Interchange and Storage (published: 138; under development: 0)
ISO/IEC JTC 1/SC 24 Computer graphics, image processing and environmental data representation (published: 79; under development: 8)
  WG 06 "Augmented reality continuum presentation and interchange"
  WG 07 "Image processing and interchange"
  WG 08 "Environmental representation"
  WG 09 "Augmented reality continuum concepts and reference model"
ISO/IEC JTC 1/SC 25 Interconnection of information technology equipment (published: 192; under development: 12)
  TG 01 "Project Team; Taxonomy and Terminology (PTTT)"
  WG 01 "Home electronic systems"
  WG 03 "Customer premises cabling"
  WG 04 "Interconnection of computer systems and attached equipment"
ISO/IEC JTC 1/SC 27 IT Security techniques (published: 173; under development: 64)
  AG 01 "Management Advisory Group"
  SWG-T "Transversal Items"
  WG 01 "Information security management systems"
  WG 02 "Cryptography and security mechanisms"
  WG 03 "Security evaluation, testing and specification"
  WG 04 "Security controls and services"
  WG 05 "Identity management and privacy technologies"
ISO/IEC JTC 1/SC 29 Coding of audio, picture, multimedia and hypermedia information (published: 583; under development: 119)
  AG 01 "Advisory group on management"
  WG 01 "Coding of still pictures"
  WG 11 "Coding of moving pictures and audio"
ISO/IEC JTC 1/SC 31 Automatic identification and data capture techniques (published: 116; under development: 30)
  WG 01 "Data carrier"
  WG 02 "Data and structure"
  WG 04 "Radio communications"
  WG 08 "Application of AIDC standards"

ISO/IEC JTC 1/SC 32 Data management and interchange (published: 77; under development: 29)
  AHG 01 "Ad Hoc Group of WG 2 and WG 4"
  WG 01 "eBusiness"
  WG 02 "MetaData"
  WG 03 "Database language"
  WG 04 "SQL/Multimedia and application packages"
ISO/IEC JTC 1/SC 34 Document description and processing languages (published: 80; under development: 14)
  AG 01 "Forward planning"
  JWG 07 "Joint JTC 1/SC 34-TC 46/SC 4-IEC/TC 100/TA 10 WG; EPUB"
  WG 04 "Office Open XML"
  WG 06 "OpenDocument Format"
  WG 08 "Document processing and presentation"
ISO/IEC JTC 1/SC 35 User interfaces (published: 69; under development: 19)
  AHG 01 "Internet of Things (IoT) User interfaces"
  SG 01 "Accessibility aspects of Active Assisted Living (AAL) use cases"
  WG 01 "Keyboards, methods and devices related to input and its feedback"
  WG 02 "Graphical user interface and interaction"
  WG 04 "User interfaces for mobile devices"
  WG 05 "Cultural and linguistic adaptability"
  WG 06 "User interfaces accessibility"
  WG 07 "User interfaces object, actions and attributes"
  WG 08 "User interfaces for remote interactions"
ISO/IEC JTC 1/SC 36 Information technology for learning, education and training (published: 39; under development: 14)
  AG 01 "Business planning and communications"
  AHG 02 "Terminology"
  AHG 03 "Emerging technologies related to LET"
  WG 01 "Vocabulary"
  WG 02 "Collaborative and intelligent technology"
  WG 03 "Learner information"
  WG 04 "Management and delivery"
  WG 05 "Quality assurance and descriptive frameworks"
  WG 06 "Platform, Services, and Specification Integration"
  WG 07 "ITLET - Culture, language and individual needs"
  WG 08 "Learning Analytics Interoperability"
ISO/IEC JTC 1/SC 37 Biometrics (published: 124; under development: 32)
  WG 01 "Harmonized biometric vocabulary"
  WG 02 "Biometric technical interfaces"
  WG 03 "Biometric data interchange formats"
  WG 04 "Technical Implementation of Biometric Systems"
  WG 05 "Biometric testing and reporting"
  WG 06 "Cross-Jurisdictional and Societal Aspects of Biometrics"
ISO/IEC JTC 1/SC 38 Cloud Computing and Distributed Platforms (published: 13; under development: 8)
  AG 01 "Communications committee"


  WG 03 "Cloud Computing Fundamentals (CCF)"
  WG 04 "Cloud Computing Interoperability and Portability (CCIP)"
  WG 05 "Data in cloud computing and related technologies"
ISO/IEC JTC 1/SC 39 Sustainability for and by Information Technology (published: 8; under development: 18)
  AHG 01 "Potential scope and/or title change for SC 39"
  WG 01 "Resource Efficient Data Centres"
  WG 02 "Green ICT"
  WG 03 "Sustainable facilities and infrastructures"
ISO/IEC JTC 1/SC 40 IT Service Management and IT Governance (published: 23; under development: 9)
  CAG 01 "Chairman Advisory Group"
  SG 05 "Standardization of IT service management of infrastructure"
  SG 06 "Business analytics for ITES-BPO"
  WG 01 "Governance of Information Technology"
  WG 02 "Maintenance and development of ISO/IEC 20000 Information technology – Service management"
  WG 03 "IT-enabled services / Business process outsourcing"
  WG 04 "IT Service management of infrastructure"
ISO/IEC JTC 1/SC 41 Internet of Things and related technologies (published: 15; under development: 5)
ISO/IEC JTC 1/SC 42 Artificial intelligence (published: 0; under development: 2)
ISO/TC 68 - Financial services (published: 52; under development: 10)
  AG 02 "Standards Advisory Group"
  AHG 01 "Industry engagement"
  CAG "Chairman's advisory group"
  SG 04 "Communications"
  TAG 01 "FinTech Technical Advisory Group"
  WG 05 "ISO 20022 Semantic Models"
ISO/TC 68/SC 2 Financial Services, security (published: 19; under development: 5)
  AHG 04 "Security aspects of digital "
  SG 01 "Third party providers (TPP’s)"
  WG 08 "Public key infrastructure management for financial services"
  WG 11 "Encryption algorithms used in banking applications"
  WG 13 "Security in retail banking"
ISO/TC 68/SC 8 Reference data for financial services (published: 12; under development: 3)
  CAG "Chair Advisory Group"
  SG 01 "Identification of financial instruments"
  SG 02 "Use of the CFI as part of the Unique Product Identifier (UPI)"
  WG 01 "Classification of financial instruments"
  WG 02 "Specification for description of banking products or services"
  WG 03 "Second tier registry for digital codes"
ISO/TC 68/SC 9 Information exchange for financial services (published: 27; under development: 2)
  TG 01 "Cards standards"

  WG 01 "ISO 20022 Semantic Models"
  WG 02 "Web service based application programming interface in financial services"
ISO/TC 69 - Applications of statistical methods (published: 109, of which 14 are under direct responsibility; under development: 36, of which 3 are under direct responsibility)
  CAG "Chairman Advisory Group"
  WG 03 "Statistical interpretation of data"
  WG 12 "Big data analytics"
ISO/TC 69/SC 1 Terminology and symbols (published: 4; under development: 1)
  WG 02 "Revisions of ISO 3534"
  WG 06 "Terminology for emerging areas of statistical applications"
ISO/TC 69/SC 4 Applications of statistical methods in product and process management (published: 16; under development: 11)
  WG 10 "Revision of control charts standards"
  WG 11 "Process capability and performance"
  WG 12 "Implementation of statistical Process Control"
ISO/TC 69/SC 5 Acceptance sampling (published: 25; under development: 4)
  WG 02 "Sampling procedures for inspection by attributes (Revision of ISO 2859)"
  WG 03 "Sampling procedures and charts for inspection by variables for percent nonconforming (Revision of ISO 3951)"
  WG 10 " sampling"
ISO/TC 69/SC 6 Measurement methods and results (published: 33; under development: 5)
  WG 01 "Accuracy of measurement methods and results"
  WG 05 "Capability of detection"
  WG 07 "Statistical methods to support measurement uncertainty evaluation"
ISO/TC 69/SC 7 Applications of statistical and related techniques for the implementation of Six Sigma (published: 11; under development: 4)
  AHG 03 "Gap analysis review and NWI recommendation"
  WG 01 "Design of experiments"
  WG 02 "Process measurement and measurement capability"
  WG 03 "Six sigma methodology"
ISO/TC 69/SC 8 Application of statistical and related methodology for new technology and product development (published: 6; under development: 8)
  WG 01 "Sample survey"
  WG 02 "Transformation"
  WG 03 "Optimization"
ISO/TC 154 - Processes, data elements and documents in commerce, industry and administration (published: 24; under development: 9)
  CAG "Co-ordination Advisory Group"
  JWG 01 "Joint syntax working group (with UN/ECE)"
  WG 05 "Representation of dates and times"
  WG 06 "Trusted eCommunications"
  WG 07 "Digital business" Functions


ISO/TC 171 - Document management applications (published: 91, of which 50 are under direct responsibility; under development: 16)
  AG 01 "Advisory group"
  TF 01 "Micrographics Standards Maintenance"
ISO/TC 171/SC 1 Quality, preservation and integrity of information (published: 19; under development: 7)
  WG 08 "Trusted WORM Functionality and Technical Requirements"
  WG 09 "Document management - Information stored electronically"
ISO/TC 171/SC 2 Document file formats, EDMS systems and authenticity of information (published: 22; under development: 9)
  WG 05 "Joint TC 171/SC 2 - TC 42 - TC 46/SC 11 - TC 130 WG; Document management applications - Application issues - PDF/A"
  WG 07 "PDF/Engineering"
  WG 08 "PDF specification"
  WG 09 "PDF universal accessibility"
  WG 10 "Preservation file format guidelines"
  WG 11 "EDMS Guidelines"
ISO/TC 176 - Quality management and quality assurance (published: 23, of which 14 are under direct responsibility; under development: 12, of which 2 are under direct responsibility)
  AHG "Adhoc Group"
  CAG 02 "SPTF; Strategic Planning Task Force"
  CSAG "Chair's Strategic Advisory Group"
  STTF "Spanish translation task force"
  TF 03 "Document archive"
  TF 04 "Future concepts in quality management"
  TG 01 "Communications and product support"
  TG 02 "ISO 9001 Brand Integrity"
  WG 03 "Quality management for electoral assurance"
  WG 04 "Quality management systems – Application of ISO 9001 in local government"
ISO/TC 176/SC 1 Concepts and terminology (published: 1; under development: 0)
  TG 02 "Consistency of use of concepts, terms and definitions in ISO/TC 176 standards"
  TG 03 "Harmonization of terms and definitions with other bodies"
  WG 01 "Development of ISO 9000"
ISO/TC 176/SC 2 Quality systems (published: 6; under development: 2)
  AG 01 "Strategic planning and operations"
  AHG 03 "Input into the ISO/TMB/TAG 13-JTCG"
  WG 22 "Interpretations"
  WG 25 "Revision of ISO 9004"
  WG 26 "Revision of ISO 10005"
  WG 27 "Revision of ISO 10006"
ISO/TC 176/SC 3 Supporting technologies (published: 14; under development: 8)
  CAG "Chairman Advisory Group"
  JWG 20 "Joint ISO/TC 176/SC 3 - ISO/TC 260 WG; Revision of ISO 10015"
  JWG 21 "Joint ISO/TC 176/SC 3 - ISO/TC 260 WG; Revision of ISO 10018"


  TF 01 "CSLT"
  WG 18 "Customer satisfaction"
  WG 19 "Revision of ISO 10013"
  WG 22 "Revision of ISO/TR 10017"
  WG 23 "Revision of ISO 10014"
ISO/TC 211 – (Digital) Geographic information/Geomatics (published: 77; under development: 28)
  AG 01 "Outreach Advisory Group"
  AG 03 "Programme maintenance group (PMG)"
  AG 04 "Joint advisory group (JAG) ISO/TC 211 – OGC"
  AG 05 "Harmonized model maintenance group (HMMG)"
  AG 06 "Ontology maintenance group (GOM)"
  AG 07 "Terminology maintenance group (TMG)"
  AG 08 "Sustainable development goals (SDG)"
  AG 09 "Business plan revision"
  AHG 01 "Control body for the ISO geodetic registry"
  WG 01 "Framework and reference model"
  WG 04 "Geospatial services"
  WG 06 "Imagery"
  WG 07 "Information communities"
  WG 09 "Information management"
  WG 10 "Ubiquitous public access"
ISO/TC 222 Personal financial planning [on standby] (published: 1; under development: 0)
ISO/TC 251 - Asset management (published: 3; under development: 3)
  AHG 01 "Spanish Translation Task Group"
  AHG 02 "Value"
  CAG 01 "Chairman’s Advisory Group"
  WG 03 "Communications"
  WG 04 "Product improvement"
  WG 05 "Finance"
  WG 06 "Revision of ISO 55002"
  WG 07 "Development of ISO 55011"
ISO/TC 258 - Project, programme and portfolio management (published: 4; under development: 3)
  AHG 08 "Competencies"
  CAG 01 "Chairman's Advisory Group"
  SBP AHG "Ad Hoc Group"
  TDG 01 "Technical Development Group"
  WG 03 "Vocabulary"
  WG 06 "Work Breakdown Structure"
  WG 07 "Earned Value Management (EVM)"
  WG 09 ""
  WG 10 "Overarching document"
ISO/TC 262 - (published: 3; under development: 2)
  CAG "Chair's Advisory Group"
  STTF "Spanish Translation Task Force"
  TCG 01 "Terminology Coordination Group"
  TG 01 "Strategic Business Plan Task Group"
  TG 02 "Communications"
  WG 05 "Management of Legal Risk"
  WG 06 "Guidance Handbook"
ISO/TC 279 - Innovation management (published: 6; under development: 0)
  WG 01 "Innovation management system"


  WG 02 "Terminology, terms and definitions"
  WG 03 "Tools and methods"
  WG 04 "Innovation management assessment"
ISO/TC 286 - Collaborative business relationship management (published: 1; under development: 1)
  WG 02 “Guidelines”
ISO/TC 290 - Online reputation (published: 1; under development: 0)
  WG 01 “Online Consumer Reviews”
ISO/TC 292 - Security and resilience (published: 27; under development: 18)
  CG "Communication group"
  DCCG "Developing Countries Cooperation Group"
  UNCG "UN Cooperation Group"
  WG 01 "Terminology"
  WG 02 "Continuity and organizational resilience"
  WG 03 "Emergency management"
  WG 04 "Authenticity, integrity and trust for products and documents"
  WG 05 "Community resilience"
  WG 06 "Protective security"
ISO/PC 295 - Audit data collection (published: 1; under development: 0)
  WG 01 “Audit Data Collection”
ISO/PC 302 - Guidelines for auditing management systems (published: 1; under development: 0)
  JWG 01 - Joint ISO/PC 302 - ISO/CASCO WG: Revision of ISO 19011: 2011
ISO/TC 307 - Blockchain and distributed ledger technologies (published: 7; under development: 0)
  SG 01 "Reference architecture, taxonomy and ontology"
  SG 02 "Use cases"
  SG 03 "Security and privacy"
  SG 04 "Identity"
  SG 05 "Smart contracts"
  SG 06 "Governance of blockchain and distributed ledger technology systems"
  SG 07 "Interoperability of blockchain and distributed ledger technology systems"
  WG 01 "Foundations"
  WG 02 "Security, privacy and identity"
  WG 03 "Smart contracts and their applications"
ISO/TC 309 - Governance of organizations (published: 2; under development: 1)
  AG 01 "Communications and Engagement"
  AHG 01 "Strategic Business Plan"
  AHG 03 "Whistleblowing"
  CAG 01 "Chairman's Advisory Group"
  TG 04 "Anti-bribery management systems"
  TG 05 "Compliance management systems"
  TG 06 "Terminology Co-ordination"
  WG 01 "Guidance for the governance of organizations"
ISO/TC 312 - Excellence in service (published: 0; under development: 0)
  TG 01 “Communication”
  TG 02 “Strategic Business Plan”


ISO/PC 317 - Consumer protection: privacy by design for consumer goods and services (published: 0; under development: 0)

Appendix B – Key to standards identified by Figure 4 [Standard number, Title (Committee responsible)]

CEN/TR 15449 series Geographic information - Spatial data infrastructures (CEN/TC 287)
CEN/TR 16669 to 16685 Information technology (RFID) (CEN/TC 225)
CEN/TR 17014 & 17015 Electronic public procurement - Business interoperability interfaces (BII) (CEN/TC 440)
CEN/TS 16080 Internet Content and communications filtering software and services (CEN/TC 365)
CEN/TS 16555 series Innovation Management (CEN/TC 389)
CEN/TS 16931 series Electronic invoicing (CEN/TC 434)
---
CWA 13449 series Extensions for Financial Services (XFS) interface specification (CEN/WS XFS)
CWA 13937 series J/eXtensions for Financial Services (J/XFS) for the Java Platform (CEN/WS JXF)
CWA 14050 series Extensions for Financial Services (XFS) interface specification - Release 3.0 (CEN/WS XFS)
CWA 14923 series J/eXtensions for Financial Services (J/XFS) for the Java Platform (CEN/WS JXF)
CWA 15748 series Extensions for Financial Services (XFS) interface specification - Release 3.10 (CEN/WS XFS)
CWA 16008 series J/eXtensions for Financial Services (J/XFS) for the Java Platform (CEN/WS JXF)
CWA 16374 series Extensions for Financial Services (XFS) interface specification Release 3.20 (CEN/WS XFS)
CWA 16649 Managing emerging technology-related risks (CEN/WS 067)
CWA 16926 series Extensions for Financial Services (XFS) interface specification Release 3.30 (CEN/WS XFS)
CWA 17145 series Ethics assessment for research and innovation (CEN/WS SATORI)
CEN/CLC/WS SEP-IoT - Workshop on Best Practices and a for Licensing Industry Standard Essential Patents in 5G and the Internet of Things (IoT), including the Industrial Internet
---
EN 726 series Identification card systems - Telecommunications integrated circuit(s) cards and terminals (CEN/TC 224)
EN 12973 Value management (CEN/TC 279)
EN 301549 Accessibility requirements suitable for public procurement of ICT products and services in Europe (CEN/CLC/ETSI/JWG eAcc)
EN 419211 series Protection profiles for secure signature creation device (CEN/TC 224)
EN 419212 series Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services (CEN/TC 224)
EN 419251 series Security requirements for device for authentication (CEN/TC 224)
---
EN ISO 19101 to 19157 Geographic information (CEN/TC 287)
EN ISO 9000, 9001 & 9004 Quality management systems (CEN/SS F20)
EN ISO/IEC 15416 to 15438 Information technology - Automatic identification and data capture techniques (CEN/TC 225)
EN ISO/IEC 27037 to 27043 Information technology - Security techniques (CEN/SS F12)
EN ISO/IEC 27000, 27001 & 27002 Information technology - Security techniques - Information security management systems (CEN/SS F12)
EN ISO/IEC 30121 Information technology - Governance of digital forensic risk framework (CEN/SS F12)
ENV 14062 series Identification card systems - Surface transport applications - Electronic fee collection (CEN/TC 224)
---
ISO 1861 to 1864 Information processing (ISO/IEC JTC 1)
ISO 4217 Codes for the representation of currencies (ISO/TC 68)
ISO 6166 Securities and related financial instruments -- International securities identification numbering system (ISIN) (ISO/TC 68)
ISO 6196, 6198 to 6200 series Micrographics (ISO/TC 171)
ISO 7372 Trade data interchange (ISO/TC 154)
ISO 8601 Data elements and interchange formats -- Information interchange -- Representation of dates and times (ISO/TC 154)
ISO 9735 series Electronic data interchange for administration, commerce and transport (EDIFACT) -- Application level syntax rules (ISO/TC 154)
ISO 10383 Securities and related financial instruments — Codes for exchanges and market identification (MIC) (ISO/TC 68)
ISO 12812-1 Core banking -- Mobile financial services -- Part 1: General framework (ISO/IEC JTC 1)
ISO 15022 Securities Scheme for Messages (ISO/TC 68)
ISO 14533 series Processes, data elements and documents in commerce, industry and administration – Long-term signature profiles (ISO/TC 154)
ISO 16269 series Statistical interpretation of data (ISO/TC 69)
ISO 10962 Securities and related financial instruments - Classification of financial instruments (CFI code) (ISO/TC 68)
ISO 19101 to 19163 Geographic information (ISO/TC 211)
ISO 19600 Compliance management systems – Guidelines (ISO/TC 309)
ISO 20022 Universal Financial Industry Message Scheme (ISO/TC 68)
ISO 21500 Guidance on project management (ISO/TC 258)
ISO 21503 to 21505 Project, programme and portfolio management (ISO/TC 258)
ISO 22222 Personal financial planning -- Requirements for personal financial planners (ISO/TC 222)
ISO 22301 Societal security -- Business continuity management systems – Requirements (ISO/TC 292)
ISO 22397-98 Societal security (ISO/TC 292)
ISO 31000, 31004 & 31010 Risk management (ISO/TC 262)
ISO 37001 Anti-bribery management systems -- Requirements with guidance for use (ISO/TC 309)
ISO 44001 Collaborative business relationship management systems -- Requirements and framework (ISO/TC 286)
ISO 55000 to 55002 Asset management (ISO/TC 251)
---
ISO/IEC 1539 series Information technology -- Programming languages (ISO/IEC JTC 1)
ISO/IEC 7501 series Identification cards -- Machine readable travel documents (ISO/IEC JTC 1)
ISO/IEC 10514 series Information technology -- Programming languages (ISO/IEC JTC 1)
ISO/IEC 10536 series Identification cards -- Contactless integrated circuit(s) cards (ISO/IEC JTC 1)
ISO/IEC 11694 series Identification cards -- Optical memory cards (ISO/IEC JTC 1)
ISO/IEC 17788 Information technology. Cloud computing. Overview and vocabulary (ISO/IEC JTC 1)
ISO/IEC 17789 Information technology. Cloud computing. Reference architecture (ISO/IEC JTC 1)
ISO/IEC 17839 series Information technology -- Biometric System-on-Card (ISO/IEC JTC 1)
ISO/IEC 24727 series Identification cards -- Integrated circuit card programming interfaces (ISO/IEC JTC 1)
ISO/IEC 24745 Information technology -- Security techniques -- Biometric information protection (ISO/IEC JTC 1)
ISO/IEC 25010 Systems and software engineering -- Systems and software Quality Requirements and Evaluation (SQuaRE) -- System and software quality models (ISO/IEC JTC 1)
ISO/IEC 27000 Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC JTC 1)
ISO/IEC 27001 (ISO27001) Information technology – Security techniques – Information security management systems – Requirements. (ISO/IEC JTC 1)
ISO/IEC 27017 (ISO 27017) Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services. (ISO/IEC JTC 1)
ISO/IEC 29121 and 29171 Information technology -- Digitally recorded media for information interchange and storage (ISO/IEC JTC 1)
ISO/IEC 30190-93 Information technology -- Digitally recorded media for information interchange and storage (ISO/IEC JTC 1)
---
ISO/IEC TR 24715 to 24772 Information technology -- Programming languages, their environments and system software interfaces (ISO/IEC JTC 1)
---
ISO/TS 22301 & 22313-18 Societal security -- Business continuity management systems (ISO/TC 292)
---
ISO/TR 22320 -25 & 22351 Societal security -- Emergency management (ISO/TC 292)
---
prCWA 95000 Industry Best Practices and an Industry Code of Conduct for Licensing of Standard Essential Patents in the field of 5G and Internet of Things (CEN/CLC/WS SEP2)
