How to Evaluate an ISO 20022 Address Solution: The 25-Criterion Framework

Every address-solution vendor scores itself 5/5. Here is the open 25-criterion framework — with a 70-question evidence protocol and risk-adjustment model — to evaluate any ISO 20022 address solution before the 15 November 2026 deadline.

Share
How to Evaluate an ISO 20022 Address Solution: The 25-Criterion Framework

TL;DR

Every address-solution vendor scores itself 5/5. This article publishes the open framework — 25 weighted criteria, a 70-question evidence protocol, and a risk-adjustment model — so you can run the evaluation yourself, against any vendor, before the 15 November 2026 deadline.

Most demos show you the 12%. Parsing quality is table stakes — nearly every serious vendor is competent at it. The real differentiators sit in the 48% signature-capabilities category: preserving financial identifiers, handling SWIFT MT fields, citing the regulatory rule behind every correction.
The risk-adjusted score reveals what the composite hides. Loqate posts a composite of 2.22 / 5.00 — then the risk model applies −1.75 in penalties for disqualifying gaps, collapsing it to 0.47 / 5.00. A large gap between the two numbers means a structural hole, not a cosmetic weakness.
Three factors are deliberately excluded from the 25 criteria: time-to-value, integration-method fit, and application completeness. All three are decisive under a fixed deadline. A tool that matches the capability brief but arrives after 15 November 2026 has not met the brief.
The framework is fully public and reproducible. Criteria, weights (48 / 25 / 15 / 12), scale (0–5), and penalty rules are all on the page. Run it against every vendor on your shortlist — and against us. A checkable 4.90 is more useful than an uncheckable 5.00.
ISO 20022 Compliance Checklist

Four pages — validation rules, failure patterns, and joint-conversation questions. Forward inside payments and treasury teams.

Download Checklist →

I have read a lot of vendor decks over thirty years, and address-solution decks have a tell: every one of them scores itself five out of five.

The postal-verification platform is "fully ISO 20022 ready." The LLM structurer is "99% accurate." The free network utility is "production-grade." The geocoding gateway is "bank-grade." Each claim is technically defensible inside the vendor's own frame of reference — and useless to you, because none of the frames is the same, and none of them is yours: a regulated payment operation with a fixed deadline, an examiner who will ask why, and a sanctions-screening layer that inherits whatever your parser produces.

So how do you actually evaluate an ISO 20022 address solution when every option in front of you claims to be perfect? You need a scorecard the vendors did not write. Here is the one we use — and, to prove it is not marketing, here is us scoring ourselves with it in public, in the same tables as everyone else.

A score you cannot inspect is marketing. A score you can reproduce is evidence. This article is that framework, in full, so you can run it yourself — against every vendor on your shortlist, and against us.

The Cost of a Bad Choice Is Measured in Calendar, Not Licence Fees

Procurement under a hard deadline is where vague evaluation gets expensive. Choose a tool built for mailbox verification and discover in month four that it strips the BIC out of an address line, and you have not bought a nine-month head start — you have bought a nine-month detour.

That is the part most evaluations miss. The cost of a bad address-solution decision is not the licence fee. It is the time you lose discovering the tool was never built for your problem, with a regulatory clock running.

The clock is specific

The ISO 20022 structured-address mandate lands with the SWIFT CBPR+ cutover on 15 November 2026, at 02:30 UTC, with SEPA and other market infrastructures aligned to the same window. After that point, unstructured address data starts failing validation on cross-border payment messages. There is no partial credit for being "nearly ready" on the sixteenth.

Why Would a Vendor Publish Its Own Scorecard?

There is an obvious objection, and it deserves a real answer: of course the vendor who designed the framework comes out on top. Fair.

The reason to publish anyway is simple. The moment the criteria, the weights, and the evidence rules are on the page, a "4.90" stops being a boast and becomes a claim you can check, line by line, and overturn where we are wrong. A prospect who disagrees with our reading of a competitor's SWIFT MT handling does not have to take our word for it — the criterion is named, the weight is stated, the evidence tier is disclosed, and the score is one cell in a 25-row table. Disagreement becomes specific, which is the only kind of disagreement worth having in a procurement.

It disciplines us, too. It is much harder to award yourself a generous score on "regulatory explainability" when the definition of the criterion, the 0–5 scale, and the evidence standard are written down next to the number. Don't trust us — check us. Bias survives a hidden method; it does not survive a reproducible one.

The 25 Criteria — and the Weighting That Matters Most

The framework scores any address solution on 25 criteria, grouped into four categories. The category weights are the single most important design decision in the whole exercise, because they encode what the evaluation is for: not "which tool cleans addresses best," but "which tool meets the compliance brief for regulated payments."

The four category weights — signature capabilities dominate at 48%; parsing quality is table stakes at 12%.

CategoryWeightWhy it dominates
Signature Capabilities48%Preserving financial identifiers, resolving historical place names, citing regulatory rule sources — the differentiators a payment pipeline requires
Enterprise Operations25%SLAs, security posture, monitoring, audit trail, support — near-pass/fail for a regulated deployment
Payments Domain15%SWIFT MT field handling, sanctions-screening integration, correspondent-banking awareness
Parsing Quality12%Structured address output, multi-country coverage — table stakes; nearly every serious vendor is competent here

Category weights sum to 100%. Parsing quality — the thing most demos show off — is the smallest category, because it is table stakes, not a differentiator.

The weighting is deliberately counter-intuitive. Parsing quality — the thing most demos show off — is the smallest category at 12%, because in our testing nearly every serious vendor is competent at it. It is table stakes, not a differentiator.

The differentiators sit in signature capabilities at 48%: preserving financial identifiers, resolving historical place names, citing the rule behind every correction. A tool can parse a German address beautifully and still be unusable in a payment pipeline because it treats an embedded IBAN as a street token. That failure lives in the 48%, not the 12% — which is exactly why the 48% dominates.

Each criterion is scored 0–5 (0 = not supported, 5 = exceptional), and the weighted sum across all 25 is the composite score — a number between 0.00 and 5.00.

ISO 20022 Compliance Checklist

Four pages — validation rules, failure patterns, and joint-conversation questions. Forward inside payments and treasury teams.

Download Checklist →

The 70-Question Evidence Protocol

A criterion is only as good as the evidence behind the score. Behind the 25 criteria sits a 70-question research protocol — the specific, answerable questions we put to each solution's public footprint: its API reference, product documentation, published benchmarks, datasheets, security pages, and marketing. Seventy questions across twenty-five criteria means most criteria are triangulated from two or three independent observations rather than a single claim.

Every answer carries an evidence tier:

The three evidence tiers behind every score in the 70-question protocol.

Strongest basis for a score
Tier 1 — Primary Technical Evidence

API specifications, documented benchmarks, schema definitions. If a vendor has published an API spec that demonstrates financial-identifier handling, that is a Tier-1 claim.

Named and verifiable
Tier 2 — Secondary Evidence

Datasheets, whitepapers, named production customers, certification listings. Directional and meaningful, but not as strong as primary technical documentation.

Directional only
Tier 3 — Marketing

Website copy, blog posts, launch press releases. A "99% accurate" banner with no methodology is a Tier-3 claim, and is scored as one — not as a dispositive finding.

Two rules that keep the protocol honest

NOT-FOUND is scored conservatively, and labelled — because undocumented is not the same as absent; where an assessment leans on inference, we say so rather than dress it up as a finding.

Public-source discipline costs us the private roadmap and the NDA datasheet. But it buys the one thing that matters: anyone can check the same sources. The evaluation is reproducible precisely because it is built only from what is publicly inspectable.

Risk Adjustment: Where Marketing Scores Go to Die

Here is the mechanism that does the most work, and the one most vendor scorecards omit.

A composite score measures breadth — the weighted average of everything a tool does. But breadth can hide a fatal gap. A solution can post a respectable composite while scoring zero on the one capability that makes it unusable in a payment pipeline. Averages forgive; regulators do not.

So on top of the composite we compute a risk-adjusted score that applies penalties for disqualifying gaps:

Gap typePenaltyRationale
Any signature-capability score of 0−1.00 (applied once)A zero on a 48%-weighted capability is a structural disqualifier, not a weakness to average away
Each enterprise-operations criterion below 2−0.50Bank-grade operation is close to pass/fail
Each payments-domain criterion below 2−0.25Narrower, but still gating for a payment pipeline
Floor0.00Score cannot go below zero regardless of penalty accumulation

The composite asks "how much does this tool do?" The risk-adjusted score asks "what would I find if I looked at the worst part?"

The Loqate worked example — a 2.22 composite collapses to a 0.47 risk-adjusted score once the penalties apply.

Take a worked example. Loqate (GBG) is a genuinely excellent postal-verification platform — certified postal accuracy, a 250-country reference database, real Tier-1 references. On breadth, it earns a composite of 2.22 / 5.00 against this framework. Then apply the risk model:

Loqate — Risk Adjustment Worked Example

Composite score2.22 / 5.00
SIG-1: financial identifier preservation= 0 → −1.00
PAY-1: SWIFT MT field handling= 0 → −0.25
PAY-3: correspondent banking= 0 → −0.25
PAY-2: sanctions integration= 1 → −0.25
0.47 / 5.00

That collapse from 2.22 to 0.47 is not a criticism of Loqate as a product. It is a deployment-scope verdict. Loqate was never built to parse SWIFT MT or ring-fence financial identifiers — and the risk model exposes exactly that in one number.

Every competitor assessed against the payments criteria shows the same shape to different degrees: postal platforms and reference-data vendors floor at 0.00; LLM structurers lose most of their composite to determinism and explainability penalties; the strongest specialists keep a meaningful risk-adjusted score. The single number tells you, at a glance, whether a tool's weaknesses are cosmetic or disqualifying.

What the Scorecard Leaves Out — and Why the Deadline Makes It Decisive

The composite and the risk-adjusted score answer one question well: what can this tool do? They are, deliberately, capability measures. They say nothing about a second question a fixed-deadline mandate makes just as important: will you actually be live before 15 November 2026?

We keep three factors out of the 25-criterion scorecard on purpose — they are the ones a vendor could most easily weight in its own favour, and a scorecard you can game is not worth publishing. But out of the scorecard is not out of the decision.

The most expensive variable
Time-to-Value

Two solutions can post an identical composite and still differ by a calendar quarter in how long they take to reach production. A free library that must be wrapped in a secured, monitored REST service with a review workflow is a three-to-six-month project before it processes a single compliant message. Time-to-compliance is the single most expensive variable in a fixed-deadline mandate.

A capability you cannot connect is one you don't have
Integration-Method Fit

A capability you cannot connect to your stack in time is a capability you do not have by November. The question is not only what a tool does but how many ways it will meet your architecture — REST API, secure file transfer, enterprise message queue, direct database integration, event streaming, agent-ready protocol — versus a single library you must build a service around.

Difference between shipping and building
Application Completeness

A regulated deployment is not a parser; it is the operational stack around it — a maker-checker exceptions workbench for low-confidence resolutions, live dashboards for STP rate and exception ageing, a developer portal for self-service onboarding. In the scorecard, the workbench maps to a 2%-weighted criterion. In practice, it is the difference between shipping and building.

The scorecard tells you whether a tool can meet the brief; the delivery factors tell you whether you will be live before the deadline. A tool has to win both.

Run It on Any Vendor — Including Us

The framework is fully specified, which means you can reproduce it. Applying it to a shortlist takes four steps:

01 List the 25 criteria down a spreadsheet with the weights (they sum to 100%): one row per criterion, one column per vendor.
02 Score each vendor 0–5 per criterion from public sources — an API reference, a benchmark, a security page, an address validation API's own documentation — and record the evidence tier beside each score. Mark anything you cannot evidence as NOT-FOUND and score it conservatively.
03 Compute the composite as the weighted sum, and the risk-adjusted score by applying the penalty rules: signature-zero −1.00 once; each enterprise criterion below 2, −0.50; each payments criterion below 2, −0.25; floor at 0.00.
04 Read the gap between the two numbers. A small gap means the tool's weaknesses are spread thin. A large gap means it has a disqualifying hole — investigate that hole before you investigate anything else.

Because every input is public — the criteria, the weights, the scale, the penalty rules, and the evidence for each score — our own 4.90 is checkable in exactly the same way, in the same tables, by the same rules, dated with the same discipline. If your reading of a criterion differs from ours, the disagreement lands on one specific cell with a specific weight and a specific piece of evidence. That is the most useful place a procurement disagreement can land.

Where to See the Framework Fully Worked

The framework is applied end-to-end, criterion by criterion, on the comparison pages — the summary scoreboard and full capability matrix at ionova.ai/compare/, plus head-to-head assessments including ioNova vs the SWIFT AI Parser, vs Loqate (GBG), vs Smarty, vs Melissa, and vs GeoPostCodes.

The comparison pages show the 70 evidence questions mapped to specific documentation sources for each vendor — so you are not reading a conclusion, you are reading the path that led to it. A framework you can run against us is a framework you can trust when you run it against anyone.

The Two Questions a Deadline Forces

Remember the ritual from the opening — every deck scoring itself five out of five? The problem was never that vendors are dishonest. It is that a self-scored five, on a frame the vendor chose, tells you nothing about your problem.

Thirty years of building payments and screening systems has taught me that under a deadline, capability and delivery are two different questions, and you have to ask both. A tool that matches the brief on paper but arrives after 15 November 2026 has not, in any way that matters, met the brief.

That is also the philosophy behind publishing a scorecard you can overturn rather than a banner you have to trust. It is the same instinct that made us build an engine to resolve and fix, not validate and block — to repair the address and preserve the identifier, rather than reject the payment and hand you an exception. Show your work, and let the buyer check it.

So run the framework. Run it on every vendor on your desk. Then run it on us.

About the Author

Parth Desai is Founder and Chairman of ioNova AI, where he leads the development of AI-native ISO 20022 address infrastructure for financial institutions. Over thirty years he has built payments straight-through-processing and sanctions-screening systems for Tier-1 banks worldwide. He writes on ISO 20022, address intelligence, and payments compliance in the Resolved newsletter.

Key Takeaways

1 Every vendor scores itself 5/5 on its own frame. You need a scorecard the vendors did not write — one where the criteria, weights, and evidence rules are fixed before the scores are entered.
2 Most demos show you the 12%. Parsing quality is table stakes. The real differentiators sit in the 48% signature-capability category: financial identifier preservation, SWIFT MT handling, regulatory explainability.
3 The risk-adjusted score reveals what the composite hides. Loqate: 2.22 composite → 0.47 risk-adjusted. A large gap between the two numbers means a disqualifying hole, not a cosmetic weakness.
4 Three factors the scorecard deliberately excludes: time-to-value, integration-method fit, application completeness. All three are decisive under a fixed deadline. A tool has to win the scorecard and the delivery test.
5 The framework is fully public. Run it against every vendor — including ioNova. A checkable 4.90 is more useful evidence than an uncheckable 5.00.

Frequently Asked Questions

Why did ioNova score itself 4.90 and not 5.00?

Because the framework penalises documentation gaps, and we hold ourselves to the same evidence rule as everyone else. Our sub-5 scores cluster on criteria where the public evidence — an independent third-party accuracy benchmark, published latency percentiles, formal attestation status — is not yet posted, so we score them 4/5 rather than claim a 5 we cannot yet evidence. A vendor scoring itself a clean 5.00 on its own framework should worry you more than one that leaves visible gaps.

Aren't self-scores inherently biased?

Yes — which is why the defence is not "trust us," it is "check us." The criteria, weights, evidence tiers and penalty rules are all published, and every score sits in the same table as the competitors', computed identically. Bias survives when the method is hidden; it does not survive a method a reader can reproduce line by line.

What is a risk-adjusted score, and why is it lower than the composite?

The composite is the weighted average across all 25 criteria — it measures breadth. The risk-adjusted score subtracts penalties for disqualifying gaps: a zero on any signature capability, or a near-zero on enterprise or payments criteria. It answers the examiner's question — what would I find if I looked at the worst part? — and it is lower whenever a tool's average hides a hole a regulated payment flow cannot tolerate.

Can I get the framework as a template to run myself?

Everything you need to rebuild it is in this article: the 25 criteria, the four category weights (48 / 25 / 15 / 12), the 0–5 scale, and the penalty model. Put the criteria down the rows of a spreadsheet, vendors across the columns, score from public sources, weight-sum for the composite, and apply the four penalty rules for the risk-adjusted number. The comparison pages show the framework fully worked for ten solutions at ionova.ai/compare/.

Does the framework score how fast I can deploy?

No — deliberately. The 25 criteria measure capability (what a tool can do), not delivery (how fast you can get it live). We keep time-to-value out of the scorecard because it is the factor a vendor could most easily weight in its own favour — but under a fixed-deadline mandate it is decisive. A tool that matches the brief on paper but arrives after 15 November 2026 has not met it.

Get the Four-Page Compliance Checklist

ISO 20022 Compliance Checklist

The validation rules, failure patterns, and joint-conversation questions distilled to four pages. Forwardable inside payments and treasury teams.

Download Checklist →

Continue Reading

Compliance The Compliance Dividend: How ISO 20022 Structured Addresses Transform Financial Crime Compliance Sanctions, AML, KYC, Travel Rule — how structured addresses cut false positives 25–30% and transform audit evidence across four FATF domains simultaneously. Read article → Technology November 2026: The ISO 20022 Deadline That Changes Everything The SWIFT CBPR+ enforcement date, what it requires, and why institutions that treat it as a compliance project will miss the bigger opportunity. Read article → Regulation What Regulators Actually Require: EPC, SWIFT, and CPMI Decoded The specific field requirements behind the mandates — and what "compliant" actually means for each standards body. Read article → Implementation Structured vs. Hybrid Addresses: Why It's Not Either/Or Structured is the superset. Hybrid is the subset. Here's the mathematical relationship between the two formats — and why it settles the debate. Read article → Economics Same Effort, Better Outcome: The Case for Structured Addresses by Default Structured and hybrid ISO 20022 addresses require identical implementation effort — but only one delivers 30–50× better outcomes. Read article → Data Quality The ISO 20022 Paradox: Why Message Migration Is the Easy Part Format compliance without data readiness is a pattern that's repeated for 30 years — and it always ends the same way. Read article → Data Quality ISO 20022: This Time, Let's Get Payments Data Right The ISO 20022 migration is the payments industry's best chance in thirty years to fix cross-border data quality. The question is whether we seize it. Read article →