
The Compliance Training Playbook

Why most compliance training doesn't prevent the next violation — and a four-stage framework regulated teams are using to actually close the gap.


FactSumo Research

17 min read · Updated for 2026

TL;DR — for the people who skim

If your compliance training program is built around annual completion and a binder of policies, a regulator who shows up tomorrow won't be impressed — and neither will the lawsuit that follows the next incident. The bar has moved from "did they sit through it" to "can they do it," and most LMS-based programs aren't built for that distinction.

  1. Completion is not readiness. A learner can pass a 10-question quiz today and fail to perform the same procedure 90 days later. Most LMS dashboards don't measure the second thing — and that's the only one that matters when an incident happens.
  2. Spaced practice beats annual cramming. Five minutes a day of retrieval practice produces dramatically higher 90-day retention than a 3-hour annual module. The research is 140 years old; the ed-tech industry hasn't caught up because the LMS business model rewards attendance, not mastery.
  3. Readiness is auditable. The teams getting cleaner regulator visits aren't the ones with the highest completion rates — they're the ones who can show, by name and by procedure, who is and isn't ready, and what they're doing about the gaps.

Why most compliance training doesn't prevent the next violation

In late 2023, a regional U.S. bank we'll call Northbridge — anonymized, but the citation is public record — accepted a consent order over Bank Secrecy Act / anti-money-laundering deficiencies. The order ran 47 pages. Buried on page 31, in a section about training, was a sentence that should be on every compliance officer's wall:

"The institution provided annual BSA/AML training to its frontline staff. The training was completed at a 99.4% rate. Notwithstanding, the examination identified frontline employees who were unable to describe the basic indicators of suspicious activity for the products they sold."
— Federal banking-agency consent order, 2023

Northbridge had done everything its LMS asked of it. The dashboard was green. The CEO had signed an attestation. The training vendor had delivered the modules. And the regulator still found the gap, because the gap was never about completion — it was about whether the people on the floor could actually do their jobs.

We've now seen the same pattern in OSHA citations after warehouse incidents, in HIPAA settlements after data exposures, and in EPA findings after spill events. The training existed. The completion data existed. The competence did not.

This is the gap this playbook is about — and a framework we've watched teams use to close it. None of it is a FactSumo invention; the underlying science is older than the modern LMS industry. But putting it into operating practice requires unlearning some of what most compliance programs have been doing for fifteen years.

The four failure modes

When we look at compliance programs that produce repeat findings, the failure almost always traces to one of four patterns. Most programs have at least two of them.

1. Completion theater

The learner clicked through the module. They may have watched it at 2× speed in a Slack window. They passed a 10-question quiz with a 70% threshold and three retries. The system records this as 'training complete.' The system is wrong. Completion theater is the natural outcome of a measurement system that rewards seat time over recall.

2. Once-a-year cramming

The annual training event — typically Q4, typically 2-3 hours, typically the same content as last year. By February, retention has decayed past the threshold of usefulness. The Ebbinghaus forgetting curve, first published in 1885, predicts this exactly: without retrieval practice, learners lose roughly 70% of new information within a week. Annual training assumes the curve doesn't apply to compliance. It does.

3. Documentation without practice

The SOP exists. It is well-written. The learner has read it — possibly more than once. They cannot perform the procedure under stress, in a noisy environment, when the customer is upset. Reading is not practice. Watching a video is not practice. Practice is doing the thing, getting it wrong, and trying again. Most compliance programs contain almost none of it.

4. No visibility until something goes wrong

The compliance officer has a completion dashboard. They do not have a readiness dashboard. When asked 'how confident are you that your tellers in branch 14 can identify a structuring red flag?' the honest answer is 'I have no idea.' That answer is fine — until an examiner asks it.

What regulators actually look for in 2026

We are not lawyers, and the specifics vary by agency, sector, and inspector. But across the federal regulators we work with most often — OSHA, EPA, FINRA, FFIEC, OCR for HIPAA — there is a clearly visible shift over the past three years. The questions inspectors are asking on-site have moved from "show me your training records" to something closer to "walk me through how an employee on this floor would respond if X happened today."

A few representative examples, paraphrased from public guidance and the conversations our customers have shared with us. Verify these against your own counsel and current agency guidance — none of this is legal advice.

  • OSHA general-industry inspectors increasingly conduct on-the-spot demonstrations: ask a forklift operator to identify a defective fork, ask a chemical handler to read an SDS section. Completion certificates do not satisfy these checks.
  • FINRA reviews under Rule 3110 have begun citing the absence of periodic reinforcement, not just annual training, for products with elevated complaint patterns.
  • OCR's HIPAA guidance now references "ongoing" workforce education, with several recent settlements specifically calling out programs that relied on a single annual module.
  • FFIEC BSA/AML examination procedures explicitly direct examiners to assess whether training is "tailored to specific responsibilities" — not whether it was completed.

The common thread: regulators are asking program leaders to demonstrate that the right people, in the right roles, can actually do the work — not that they sat in a chair for an hour in November.

The framework

The Readiness Framework

Four stages. Each one is a thing your program either does or doesn't do; if you can't point to where the work happens, the stage is missing.

Capture

Encode

Reinforce

Measure

Stage 1

Capture

Most compliance programs have content. They have policies, SOPs, regulatory updates, scenario libraries. What they don't have is a single capture surface where that content lives in a form that's actually usable for training.

The capture stage is unglamorous and is the stage most often skipped. It means: every procedure your people are responsible for must be written down, owned by a named person, and current. Not in a SharePoint folder no one opens. Not in the head of the senior teller who's retiring next year. Captured.

A useful test: pick a random procedure. Ask three people in the role who owns the canonical version. If you get three different answers, you don't have capture — you have folklore.

What good looks like: a versioned, owned, dated library of every procedure your people are accountable to perform, written for the person doing the work, not for the auditor reviewing it.

Stage 2

Encode

A 30-page SOP is not training. A 45-minute talking-head video is not training. They are inputs to training. The encode stage is where your captured material becomes something a learner can practice with — questions, scenarios, decisions, retrieval prompts.

The pedagogy here is well-established. Retrieval practice (active recall) produces 50–80% better long-term retention than passive review, depending on the study. The Effect of Tests on Learning and Forgetting (Roediger & Karpicke, 2006) is the classic citation; there are now dozens of replications across professional and clinical training contexts. The mechanism: the act of pulling information from memory strengthens the neural pathway. Re-reading a slide does not.

In compliance contexts, the encoding has to mirror the conditions of the work. A teller doesn't recite the BSA red-flag list — they identify a red flag in a transaction in front of a customer. Encoding for that context means scenario-based practice with realistic distractors, not multiple choice with three obviously wrong answers and one obviously right one.

What good looks like: for every captured procedure, a set of practice items the learner has to perform, scored, with feedback. Generated quickly, reviewed by a subject-matter expert, updated when the procedure changes.

Stage 3

Reinforce

This is the stage almost no traditional compliance program has, and it is the most important one. After the initial encoding session, every learner needs distributed practice — short, frequent, spaced — to keep the material accessible under stress.

The cadence we see working: five to seven minutes a day, two to four days a week, surfacing the items each individual learner is most likely to have forgotten. The mechanism is the spacing effect, first formalized by Hermann Ebbinghaus in 1885 and replicated continuously since. Cepeda et al. (2008) provides a useful modern synthesis with practical spacing intervals.

A common objection: "we can't pull our people off the floor for a daily training session." This is a category error. Spaced reinforcement is not a training session. It's a 90-second prompt between calls, on a phone, during the natural micro-pauses of the work day. The teams that do this well don't carve out time — they fit into time that's already there.

What good looks like: every learner is doing brief, scheduled retrieval practice on the items they're most at risk of forgetting. Their manager can see who's keeping up and who isn't, by procedure.

Stage 4

Measure

If the only number you can pull is a completion percentage, you don't have a measurement system; you have a compliance attestation. Real readiness measurement answers a more uncomfortable question: which of my people, in which roles, on which procedures, are not currently ready, and what are we doing about it?

A good readiness dashboard has three properties. First, it's individuated — you can see specific learners, not aggregates. Second, it's decayed — readiness scores drop over time without reinforcement, the way memory actually works. Third, it's actionable — when a score drops below threshold, someone is named to do something about it, with a workflow that doesn't require a quarterly meeting.

This is the stage that closes the loop with regulators. When an examiner asks "how do you know your people are ready," the answer stops being a deflection ("we have a 98% completion rate") and starts being a specific, defensible artifact ("here is the readiness score for every teller on every procedure, here is who's below threshold this week, and here is the named owner remediating it").

What good looks like: a board-ready dashboard that tells you, for any role and any procedure, what percentage of your people are currently ready — and a workflow for the ones who aren't.

What this looks like in practice

Community bank · 1,400 employees

After a BSA/AML matter requiring attention

The compliance team had a 99% annual completion rate going into their last exam and a finding coming out of it. They captured every red-flag indicator into a versioned library, encoded each into scenario-based practice with realistic transaction examples, and put their 600 frontline tellers on a 5-minute daily cadence. Six months in, average procedure-level readiness was 87% across the frontline; the next exam closed without a finding on training. The CCO sent the methodology document to her FFIEC examiner at the examiner's request.

Industrial manufacturer · 6,800 employees

After two recordable incidents in one quarter

EHS had OSHA-compliant annual training and two preventable incidents at the same plant within a 90-day window. They moved lockout-tagout, confined-space, and forklift content out of annual modules and into spaced retrieval practice on shop-floor tablets. Recordable incidents at the affected plant dropped 71% over the following twelve months. The plant manager described the change as "the first time training has felt like part of the job, not a thing the office makes us do."

The hidden costs of getting this wrong

Compliance programs are a cost center on the org chart. They are not a cost center on the income statement. The actual cost of a weak program shows up in places the L&D budget never sees:

  • Repeat violations. Most regulators escalate. A second finding on the same root cause triggers larger fines, monitorships, and personal accountability for named officers.
  • Reputation. Consent orders are public. Customers, counterparties, and acquirers read them. The costliest line item is often the deal that didn't close because someone Googled you.
  • Employee turnover. The person who watched a colleague get fired for an avoidable error doesn't stay long. Turnover replaces institutional knowledge with new hires who haven't been trained yet — compounding the problem.
  • Leadership credibility. A compliance officer can explain "we trained them, they completed it, it didn't work" to the board exactly once before the board stops accepting that answer.

What to do this quarter

Five steps. None of them require new vendors or budget. All of them can be started in the first two weeks.

  1. Inventory your captured material

    List every procedure your people are accountable to perform. Mark which ones have a current, owned, versioned source of truth. The ones that don't are your starting backlog.

    Action: spreadsheet, two columns, due Friday.

  2. Pick one high-stakes procedure

    Choose a procedure where a failure would be visible, costly, and recent enough that leadership cares. Don't pick the easiest one. The whole point is to demonstrate that the framework handles the hard cases.

    Action: name the procedure and its SME owner this week.

  3. Encode it into practice

    Turn the procedure into 15–25 retrieval items: scenarios, decisions, edge cases. Have the SME validate them. This takes a working day, maybe two. It is not a six-month vendor engagement.

    Action: draft items in a shared doc, SME review by end of week 2.

  4. Run a 30-day pilot with one team

    Pick one team in one location. Put them on daily 5-minute reinforcement. Measure procedure-level readiness on day 0, day 14, day 30. Compare to a similar team that's still on annual training.

    Action: get the pilot team's manager on board before you announce it.

  5. Bring the data to your audit committee

    Don't sell the framework. Show the readiness numbers from the pilot, side by side with the completion numbers from the control group. Let the gap make the argument.

    Action: book a 20-minute slot at the next audit-committee meeting.

What this looks like in FactSumo

We built FactSumo because we were tired of watching well-run compliance programs produce repeat findings on training. The product is a working implementation of the framework above: capture lives in a versioned deck library; encoding happens via AI generation followed by SME review; reinforcement is the daily 5-minute practice that actually moves retention; measurement is a readiness dashboard that decays over time and surfaces gaps to named owners.

Readiness · BSA / AML · Frontline tellers (updated 4 min ago)

  • 87% avg readiness · 612 tellers
  • 23 below threshold · this week
  • 14 remediations · in flight
  • Currency Transaction Reports — $10K aggregation: 92%
  • Structuring red flags — frontline detection: 78%
  • OFAC sanctions screening — wire transfers: 84%

You can run the framework without us — the bibliography at the bottom of this piece is a complete starter kit. We'd just like to make it faster and more rigorous if you ever want to compare notes.

Disclaimer: This playbook describes operating practice and pedagogical research. It is not legal advice and does not establish a regulatory standard. Consult your counsel and the current published guidance from your applicable regulator. References to specific consent orders, settlements, and regulatory matters are anonymized composites unless otherwise noted.
