Implementation of ISO 37301 in the financial sector
Season 6 Episode 04
Transcript
Juan José Ríos (Host):
Regulatory and reputational pressure on financial institutions continues to increase. Today we face an increasingly complex regulatory environment, with regulations evolving rapidly at both the national and international levels.
From the recommendations of the Financial Action Task Force (FATF) and the AMLA law in the United States—which is particularly relevant for correspondent banking—to data protection and cybersecurity laws and many other key regulations for the financial sector.
In this context, having a robust compliance management system is not only good practice, but a strategic necessity.
Welcome to Mundo Financiero Seguro, the Plus TI podcast. I'm Juan José Ríos.
In this episode, we will discuss ISO 37301, the certifiable international standard for compliance management systems that is gaining traction among financial institutions. Why? Because it provides a structured and effective framework for demonstrating to regulators and stakeholders that regulatory risks are being managed proactively and transparently. In addition, it strengthens the culture of integrity, improves corporate governance, and helps build trust both inside and outside the organization.
Today we are joined by two experts:
- Siomara Saavedra, Compliance Manager at Banco Popular Colombia, specialist in risk management, with over 15 years of experience as a compliance officer.
- Raúl Castellanos, Compliance Solutions Manager at Plus TI, with over 20 years of experience in the financial industry and certified by FIBA as an associate in money laundering prevention.
Siomara Saavedra:
Good morning, Juan José and Raúl. It is a pleasure to be with you today, and a very special greeting to everyone listening to this podcast.
Raúl Castellanos:
Hello, Juan José. It is a pleasure to share with you once again, and on this occasion, to be joined by Siomara Saavedra, an outstanding compliance professional whom I have had the pleasure of knowing for several years. I am confident that this episode will be of great benefit to all our listeners.
Juan José Ríos:
If you agree, let's get down to business. Siomara, Banco Popular de Colombia has been a pioneer in adopting international standards. From your experience, tell us about the ISO 37301 and ISO 37001 certification process and the main reasons for taking on this challenge.
Siomara Saavedra:
At Banco Popular, we have been working for several years to achieve our strategic objectives, focusing on our value proposition for the Silver segment, official entities, and small and medium-sized enterprises.
The compliance team is committed to going beyond the minimum regulatory requirements for managing the risks of money laundering, terrorist financing, bribery, and corruption, seeking to implement best practices.
In this regard, the international standards ISO 37301 and ISO 37001 have been ideal tools for delivering value and ensuring sound business practices, both for Banco Popular and for society as a whole.
Going through this certification process was a major challenge and very rewarding. We have a highly committed team and we rigorously addressed each requirement of the standard. We worked on risk assessment, defining controls, analyzing the internal and external context, updating policies, strengthening reporting channels, consequence programs, and securing the active commitment of senior management.
We also addressed training, ethical awareness, change management, and process automation, acquiring technical skills in tools such as Modeler, Python, and Power BI. All of this was done with a focus on monitoring and continuous improvement, with strong support from senior management.
Juan José Ríos:
Based on this experience, Siomara, how would you recommend planning a certification project like this, considering the participation of different areas?
Siomara Saavedra:
The first step was to clearly define the scope of the certification and the processes to be evaluated. We then identified the requirements of the standard in relation to our current situation.
We selected the certifying body, carried out the contracting processes, and gained an in-depth understanding of its evaluation methodology. We then conducted an internal audit, developing specific ISO competencies, identifying gaps, and closing them.
The certifier conducted a preliminary assessment, identifying minor adjustments, mainly in language and policy alignment, which had to be approved by the board of directors. Finally, we entered the formal certification process, which lasted two weeks and involved the entire bank.
From start to finish, the process took approximately nine months. From there, we continued with follow-up audits and, subsequently, recertification.
Juan José Ríos:
Raúl, from your perspective, how important is an automated system in the implementation of ISO 37301?
Raúl Castellanos:
The implementation of this standard involves a wide variety of tasks and actors. There are peripheral tools for analysis and modeling, but it is essential to have a centralized system that acts as a common thread.
An automated system enables strategic alignment, traceability of policies, procedures, and evidence, as well as monitoring of performance and risk indicators. Centralizing information reduces human error and facilitates continuous oversight, which is essential today given the operational complexity of organizations.
Juan José Ríos:
What functional characteristics should this type of system have, and in what areas can it be used?
Raúl Castellanos:
It must be a comprehensive system, capable of integrating with multiple platforms, receiving and providing feedback on information. Data orchestration is key.
In addition, it must be highly interactive, facilitate the management of tasks, times, controls, and promote constant communication with users, whether through reminders, forms, or collaborative tools.
It is also important to leverage technologies such as artificial intelligence—generative or support robots—to accompany the processes. In summary: integration, efficiency, ease of use, continuous interaction, and leveraging advanced technology.
Juan José Ríos:
Siomara, what benefits have you identified following the implementation of these standards, and how have they impacted the organizational culture?
Siomara Saavedra:
There are strategic and tactical benefits. Among the strategic benefits, I would highlight increased competitiveness, enhanced reputation, improved perception among customers and regulators, and a proactive compliance culture.
On a tactical level, we managed to integrate risk management systems through internal and external context analysis, vulnerability identification, trigger definition, continuous monitoring, and the use of artificial intelligence.
We also strengthened our ethical culture, from senior management down to all levels of the organization, establishing key indicators to measure the maturity of the compliance program.
Juan José Ríos:
Raúl, how does a computer system support decision-making and policy compliance?
Raúl Castellanos:
A centralized system provides reliable, up-to-date, and contextualized information at the right time. This is key to avoiding decisions based on false positives or incomplete data.
The system must be interactive and support the user in real time. It is important to emphasize that technology does not replace human decision-making, but rather strengthens it, facilitating more informed and timely decisions.
Juan José Ríos:
Siomara, what recommendations would you give to institutions wishing to start a project of this magnitude?
Siomara Saavedra:
My main recommendation is to take the first step and commit to continuous improvement. Compliance programs have a positive impact on society and institutions.
I would also highlight the importance of technology, automation, ethical culture, and the establishment of indicators to measure results, maturity, and monitoring effectiveness.
Raúl Castellanos:
Beyond certification, institutions should consider these reference frameworks, such as ISO 37301, for their global recognition and contribution to competitiveness.
These standards strengthen governance, reduce regulatory risks, enhance reputation, and are highly valued by new generations who prioritize ethics, sustainability, and social responsibility.
Juan José Ríos:
It has been an extremely enriching conversation. We would like to thank Siomara Saavedra and Raúl Castellanos for sharing their experience and knowledge on the implementation of ISO 37301 and its positive impact on the financial sector.
Thank you for joining us on Mundo Financiero Seguro, the Plus TI podcast.
I'm Juan José Ríos. We'll see you in the next episode.