Applying ISO 37301 Compliance management system (CMS) to the Financial Adviser sector

Australian Financial Services licensees are very familiar with their regulatory obligations, and they are well-versed in using the regulatory guidance continually published by ASIC. But even with this knowledge and understanding, sometimes, for many and varied reasons, the ASIC Regulatory Guides do not contain the specific guidance that an organisation needs, especially when it comes to the complex world of compliance systems in the financial advice sector.

A new international standard for compliance management systems (CMS) was published on April 13, 2021. Known as ISO 37301, the standard replaces ISO 19600.

If your organisation is already aligned with ISO 19600, then you will have a head start, as ISO 37301 carries over a significant portion of its contents from ISO 19600. The new standard can be applied to compliance functions of all sizes and all industries, at both national and international levels.

ISO 37301 states that “[a]n effective, organization-wide compliance management system enables an organization to demonstrate its commitment to comply with relevant laws, regulatory requirements, industry codes and organizational standards, as well as standards of good governance, generally accepted best practices, ethics and community expectations” (ISO 37301:2021).

An organisation providing financial advice will benefit from using the guidance in ISO 37301 to complement its use of the existing ASIC regulatory guidance.

There are four key benefits of ISO 37301:

A CMS involves more people than just the “responsible manager(s)” and “authorised representative(s)”. ISO 37301 provides guidance on the specific tasks and responsibilities that must be performed by the governing body, top management, management and all other individuals engaged at the organisation in order to establish, implement, maintain and continually improve a CMS.

The term “compliance culture” is given real meaning and guidance in ISO 37301. While ASIC regulatory guidance may mention the concept of a culture of compliance, industry professionals are left with little understanding of what the regulator is seeking. ISO 37301 gives the term a structured meaning and sets out who is responsible for demonstrating what is required. ISO 37301 also sets the standard that a well-designed CMS includes a code of conduct as an operational control, which gives content and effect to a compliance culture.

ISO 37301 provides very prescriptive guidance on several elements which are critical to creating and maintaining an effective, organisation-wide CMS. Among other things, there is specific and detailed guidance on the framework for a compliance policy, the actions necessary to address risks and opportunities, the plans required to achieve compliance objectives, the operational requirements, and performance evaluation. This specific and detailed guidance may help organisations in the financial advice sector “do all things necessary to ensure your financial services are provided efficiently, honestly and fairly”.

ISO 37301 is articulated in directive language, such as ‘shall’, meaning that it is certifiable and that independent experts, regulators or courts may use the standard when assessing an organisation’s CMS.

How can Deloitte help?

Deloitte has over 30 years’ experience supporting organisations to assess their CMS against prior standards, advising on required changes and assisting with implementation. Deloitte provides end-to-end advice for the finance, risk, internal controls, compliance, and treasury functions of your organisation. We deliver value by working with our clients to define and embed good conduct, as well as to restore and galvanise trust through remediation programs.

We are also active committee members working with the Governance Risk and Compliance Institute (GRCI), which represents the International Federation of Compliance Associations (IFCA), in contributing to the draft development of ISO 37301.

Keep watching this space as we will be providing regular updates on the development of ISO 37301. If you require further information or other support with improving your CMS or preparing for ISO 37301, please contact us.