How to Evaluate an ISO 20022 Address Solution: The 25-Criterion Framework
Every address-solution vendor scores itself 5/5. Here is the open 25-criterion framework — with a 70-question evidence protocol and risk-adjustment model — to evaluate any ISO 20022 address solution before the 15 November 2026 deadline.
TL;DR
Every address-solution vendor scores itself 5/5. This article publishes the open framework — 25 weighted criteria, a 70-question evidence protocol, and a risk-adjustment model — so you can run the evaluation yourself, against any vendor, before the 15 November 2026 deadline.
Four pages — validation rules, failure patterns, and joint-conversation questions. Forward inside payments and treasury teams.
I have read a lot of vendor decks over thirty years, and address-solution decks have a tell: every one of them scores itself five out of five.
The postal-verification platform is "fully ISO 20022 ready." The LLM structurer is "99% accurate." The free network utility is "production-grade." The geocoding gateway is "bank-grade." Each claim is technically defensible inside the vendor's own frame of reference — and useless to you, because none of the frames is the same, and none of them is yours: a regulated payment operation with a fixed deadline, an examiner who will ask why, and a sanctions-screening layer that inherits whatever your parser produces.
So how do you actually evaluate an ISO 20022 address solution when every option in front of you claims to be perfect? You need a scorecard the vendors did not write. Here is the one we use — and, to prove it is not marketing, here is us scoring ourselves with it in public, in the same tables as everyone else.
A score you cannot inspect is marketing. A score you can reproduce is evidence. This article is that framework, in full, so you can run it yourself — against every vendor on your shortlist, and against us.
The Cost of a Bad Choice Is Measured in Calendar, Not Licence Fees
Procurement under a hard deadline is where vague evaluation gets expensive. Choose a tool built for mailbox verification and discover in month four that it strips the BIC out of an address line, and you have not bought a nine-month head start — you have bought a nine-month detour.
That is the part most evaluations miss. The cost of a bad address-solution decision is not the licence fee. It is the time you lose discovering the tool was never built for your problem, with a regulatory clock running.
The ISO 20022 structured-address mandate lands with the SWIFT CBPR+ cutover on 15 November 2026, at 02:30 UTC, with SEPA and other market infrastructures aligned to the same window. After that point, unstructured address data starts failing validation on cross-border payment messages. There is no partial credit for being "nearly ready" on the sixteenth.
Why Would a Vendor Publish Its Own Scorecard?
There is an obvious objection, and it deserves a real answer: of course the vendor who designed the framework comes out on top. Fair.
The reason to publish anyway is simple. The moment the criteria, the weights, and the evidence rules are on the page, a "4.90" stops being a boast and becomes a claim you can check, line by line, and overturn where we are wrong. A prospect who disagrees with our reading of a competitor's SWIFT MT handling does not have to take our word for it — the criterion is named, the weight is stated, the evidence tier is disclosed, and the score is one cell in a 25-row table. Disagreement becomes specific, which is the only kind of disagreement worth having in a procurement.
It disciplines us, too. It is much harder to award yourself a generous score on "regulatory explainability" when the definition of the criterion, the 0–5 scale, and the evidence standard are written down next to the number. Don't trust us — check us. Bias survives a hidden method; it does not survive a reproducible one.
The 25 Criteria — and the Weighting That Matters Most
The framework scores any address solution on 25 criteria, grouped into four categories. The category weights are the single most important design decision in the whole exercise, because they encode what the evaluation is for: not "which tool cleans addresses best," but "which tool meets the compliance brief for regulated payments."
The four category weights — signature capabilities dominate at 48%; parsing quality is table stakes at 12%.
| Category | Weight | Why it dominates |
|---|---|---|
| Signature Capabilities | 48% | Preserving financial identifiers, resolving historical place names, citing regulatory rule sources — the differentiators a payment pipeline requires |
| Enterprise Operations | 25% | SLAs, security posture, monitoring, audit trail, support — near-pass/fail for a regulated deployment |
| Payments Domain | 15% | SWIFT MT field handling, sanctions-screening integration, correspondent-banking awareness |
| Parsing Quality | 12% | Structured address output, multi-country coverage — table stakes; nearly every serious vendor is competent here |
Category weights sum to 100%. Parsing quality — the thing most demos show off — is the smallest category, because it is table stakes, not a differentiator.
The weighting is deliberately counter-intuitive. Parsing quality — the thing most demos show off — is the smallest category at 12%, because in our testing nearly every serious vendor is competent at it. It is table stakes, not a differentiator.
The differentiators sit in signature capabilities at 48%: preserving financial identifiers, resolving historical place names, citing the rule behind every correction. A tool can parse a German address beautifully and still be unusable in a payment pipeline because it treats an embedded IBAN as a street token. That failure lives in the 48%, not the 12% — which is exactly why the 48% dominates.
Each criterion is scored 0–5 (0 = not supported, 5 = exceptional), and the weighted sum across all 25 is the composite score — a number between 0.00 and 5.00.
Four pages — validation rules, failure patterns, and joint-conversation questions. Forward inside payments and treasury teams.
The 70-Question Evidence Protocol
A criterion is only as good as the evidence behind the score. Behind the 25 criteria sits a 70-question research protocol — the specific, answerable questions we put to each solution's public footprint: its API reference, product documentation, published benchmarks, datasheets, security pages, and marketing. Seventy questions across twenty-five criteria means most criteria are triangulated from two or three independent observations rather than a single claim.
Every answer carries an evidence tier:
The three evidence tiers behind every score in the 70-question protocol.
API specifications, documented benchmarks, schema definitions. If a vendor has published an API spec that demonstrates financial-identifier handling, that is a Tier-1 claim.
Datasheets, whitepapers, named production customers, certification listings. Directional and meaningful, but not as strong as primary technical documentation.
Website copy, blog posts, launch press releases. A "99% accurate" banner with no methodology is a Tier-3 claim, and is scored as one — not as a dispositive finding.
NOT-FOUND is scored conservatively, and labelled — because undocumented is not the same as absent; where an assessment leans on inference, we say so rather than dress it up as a finding.
Public-source discipline costs us the private roadmap and the NDA datasheet. But it buys the one thing that matters: anyone can check the same sources. The evaluation is reproducible precisely because it is built only from what is publicly inspectable.
Risk Adjustment: Where Marketing Scores Go to Die
Here is the mechanism that does the most work, and the one most vendor scorecards omit.
A composite score measures breadth — the weighted average of everything a tool does. But breadth can hide a fatal gap. A solution can post a respectable composite while scoring zero on the one capability that makes it unusable in a payment pipeline. Averages forgive; regulators do not.
So on top of the composite we compute a risk-adjusted score that applies penalties for disqualifying gaps:
| Gap type | Penalty | Rationale |
|---|---|---|
| Any signature-capability score of 0 | −1.00 (applied once) | A zero on a 48%-weighted capability is a structural disqualifier, not a weakness to average away |
| Each enterprise-operations criterion below 2 | −0.50 | Bank-grade operation is close to pass/fail |
| Each payments-domain criterion below 2 | −0.25 | Narrower, but still gating for a payment pipeline |
| Floor | 0.00 | Score cannot go below zero regardless of penalty accumulation |
The composite asks "how much does this tool do?" The risk-adjusted score asks "what would I find if I looked at the worst part?"
The Loqate worked example — a 2.22 composite collapses to a 0.47 risk-adjusted score once the penalties apply.
Take a worked example. Loqate (GBG) is a genuinely excellent postal-verification platform — certified postal accuracy, a 250-country reference database, real Tier-1 references. On breadth, it earns a composite of 2.22 / 5.00 against this framework. Then apply the risk model:
Loqate — Risk Adjustment Worked Example
That collapse from 2.22 to 0.47 is not a criticism of Loqate as a product. It is a deployment-scope verdict. Loqate was never built to parse SWIFT MT or ring-fence financial identifiers — and the risk model exposes exactly that in one number.
Every competitor assessed against the payments criteria shows the same shape to different degrees: postal platforms and reference-data vendors floor at 0.00; LLM structurers lose most of their composite to determinism and explainability penalties; the strongest specialists keep a meaningful risk-adjusted score. The single number tells you, at a glance, whether a tool's weaknesses are cosmetic or disqualifying.
What the Scorecard Leaves Out — and Why the Deadline Makes It Decisive
The composite and the risk-adjusted score answer one question well: what can this tool do? They are, deliberately, capability measures. They say nothing about a second question a fixed-deadline mandate makes just as important: will you actually be live before 15 November 2026?
We keep three factors out of the 25-criterion scorecard on purpose — they are the ones a vendor could most easily weight in its own favour, and a scorecard you can game is not worth publishing. But out of the scorecard is not out of the decision.
Two solutions can post an identical composite and still differ by a calendar quarter in how long they take to reach production. A free library that must be wrapped in a secured, monitored REST service with a review workflow is a three-to-six-month project before it processes a single compliant message. Time-to-compliance is the single most expensive variable in a fixed-deadline mandate.
A capability you cannot connect to your stack in time is a capability you do not have by November. The question is not only what a tool does but how many ways it will meet your architecture — REST API, secure file transfer, enterprise message queue, direct database integration, event streaming, agent-ready protocol — versus a single library you must build a service around.
A regulated deployment is not a parser; it is the operational stack around it — a maker-checker exceptions workbench for low-confidence resolutions, live dashboards for STP rate and exception ageing, a developer portal for self-service onboarding. In the scorecard, the workbench maps to a 2%-weighted criterion. In practice, it is the difference between shipping and building.
The scorecard tells you whether a tool can meet the brief; the delivery factors tell you whether you will be live before the deadline. A tool has to win both.
Run It on Any Vendor — Including Us
The framework is fully specified, which means you can reproduce it. Applying it to a shortlist takes four steps:
Because every input is public — the criteria, the weights, the scale, the penalty rules, and the evidence for each score — our own 4.90 is checkable in exactly the same way, in the same tables, by the same rules, dated with the same discipline. If your reading of a criterion differs from ours, the disagreement lands on one specific cell with a specific weight and a specific piece of evidence. That is the most useful place a procurement disagreement can land.
Where to See the Framework Fully Worked
The framework is applied end-to-end, criterion by criterion, on the comparison pages — the summary scoreboard and full capability matrix at ionova.ai/compare/, plus head-to-head assessments including ioNova vs the SWIFT AI Parser, vs Loqate (GBG), vs Smarty, vs Melissa, and vs GeoPostCodes.
The comparison pages show the 70 evidence questions mapped to specific documentation sources for each vendor — so you are not reading a conclusion, you are reading the path that led to it. A framework you can run against us is a framework you can trust when you run it against anyone.
The Two Questions a Deadline Forces
Remember the ritual from the opening — every deck scoring itself five out of five? The problem was never that vendors are dishonest. It is that a self-scored five, on a frame the vendor chose, tells you nothing about your problem.
Thirty years of building payments and screening systems has taught me that under a deadline, capability and delivery are two different questions, and you have to ask both. A tool that matches the brief on paper but arrives after 15 November 2026 has not, in any way that matters, met the brief.
That is also the philosophy behind publishing a scorecard you can overturn rather than a banner you have to trust. It is the same instinct that made us build an engine to resolve and fix, not validate and block — to repair the address and preserve the identifier, rather than reject the payment and hand you an exception. Show your work, and let the buyer check it.
So run the framework. Run it on every vendor on your desk. Then run it on us.
Parth Desai is Founder and Chairman of ioNova AI, where he leads the development of AI-native ISO 20022 address infrastructure for financial institutions. Over thirty years he has built payments straight-through-processing and sanctions-screening systems for Tier-1 banks worldwide. He writes on ISO 20022, address intelligence, and payments compliance in the Resolved newsletter.
Key Takeaways
Frequently Asked Questions
Get the Four-Page Compliance Checklist
The validation rules, failure patterns, and joint-conversation questions distilled to four pages. Forwardable inside payments and treasury teams.
Download Checklist →