Posted: 10 Jun. 2021

Applying ISO 37301 Compliance management system (CMS) to the Financial Adviser sector

Australian Financial Services licensees are very familiar with their regulatory obligations and they are well-versed in using the regulatory guidance continually published by ASIC. But even with this knowledge and understanding, sometimes, for a variety of important reasons, the ASIC Regulatory Guides do not have the specific guidance that an organisation needs, especially when it comes to the complex world of compliance systems in the financial advice sector.

A new international standard for compliance management systems (CMS) was published on April 13, 2021.  Known as ISO 37301, the standard replaces ISO 19600. 

If your organisation is already aligned with ISO 19600, then you will have a head-start as ISO 37301 leverages a significant portion of its contents from ISO 19600.  The new standard can be applied to compliance functions of all sizes and all industries and at both national and international levels.   

ISO 37301 states that “[a]n effective, organization-wide compliance management system enables an organization to demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and community expectations” (ISO 37301:2021).

An organisation providing financial advice will benefit from using the guidance in ISO 37301 to complement its use of the existing ASIC regulatory guidance. There are four key benefits of ISO 37301:

  1. CMS involves everyone - A CMS involves more people than just the “responsible manager(s)” and “authorised representative(s)”. ISO 37301 provides guidance on the specific tasks and responsibilities that must be performed by the governing body, top management, management and all other individuals engaged at the organisation, in order to establish, implement, maintain and continually improve a CMS.
  2. Compliance culture including conduct - The term “compliance culture” is given real meaning and guidance in ISO 37301. While ASIC regulatory guidance may mention the concept of a culture of compliance, industry professionals are left with little understanding of what the regulator is seeking. ISO 37301 provides guidance on a structured meaning and on who is responsible for demonstrating what is required. ISO 37301 also sets the standard that a well-designed CMS includes a code of conduct as an operational control which gives content and effect to a compliance culture.
  3. Prescriptive guidance - ISO 37301 provides very prescriptive guidance on several elements which are critical to creating and maintaining an effective, organisation-wide CMS. Among other things, there is specific and detailed guidance on the framework for a compliance policy, the actions necessary to address risks and opportunities, the plans required to achieve compliance objectives, the operational requirements, and performance evaluation. This specific and detailed guidance may help organisations in the financial advice sector “do all things necessary to ensure your financial services are provided efficiently, honestly and fairly”.
  4. Certification - ISO 37301 is articulated in directive language, such as ‘shall’, meaning that it is certifiable and that independent experts, regulators or courts may use the standard when assessing an organisation’s CMS.

How can Deloitte help? 

Deloitte has over 30 years’ experience supporting organisations to assess their CMS against prior standards, advising on required changes and assisting with implementation. Deloitte provides end-to-end advice for the finance, risk, internal controls, compliance, and treasury functions of your organisation. We deliver value by working with our clients to define and embed good conduct, as well as to restore and galvanise trust through remediation programs.

We are also active committee members working with the Governance Risk and Compliance Institute (GRCI), which represents the International Federation of Compliance Associations (IFCA), in contributing to the draft development of ISO 37301.

Keep watching this space as we will be providing regular updates on the development of ISO 37301. If you require further information or other support with improving your CMS or preparing for ISO 37301, please contact us.

More about the author

Heather Loewenthal

Partner, Audit & Assurance

As part of the GRC team in Audit & Assurance, Heather’s focus is on compliance operating models - design, implementation and embedding - including the development of RegTech solutions to achieve more with less. Over the last 20-plus years, Heather’s work at the C-suite level in financial services has included reviewing, designing, implementing and testing compliance operating models and advising boards and management on how to develop a positive compliance culture, as well as negotiating and interacting with regulators, politicians and industry bodies across Europe, the Americas, the Middle East, Africa and Australasia. If organisations plan to build resilience and increase profitability after the requirements flowing from the Royal Commission, they must take a different approach. Bolting on people, processes and systems in the second line is not an answer; rather, empowering the first line and utilising existing and new systems and new technologies (including RegTech) will have impact and sustainable outcomes. Without a cross-organisational approach and a positive compliance culture, change will be ineffective.