A compliance training audit lands on your desk. Completion rates: 94%. On paper, you're covered. Six months later, a data breach. A harassment tribunal claim. An HSE visit following a workplace incident. The regulator's first question is not whether training was completed - it's whether it was effective.
This is the compliance training problem UK organisations face in 2026. Most penalised organisations had training programmes. The programmes failed because they were built to evidence completion, not to change behaviour.
This guide is for HR managers, L&D professionals, People leaders, and compliance officers who need clarity on exactly which training is legally required, which sectors carry additional obligations, what the current regulatory standard actually requires - and how to build a programme that satisfies it.
- Multiple laws create training duties - health and safety, data protection, fire safety, and equality law each impose distinct obligations across almost all UK employers, with no single rulebook covering everything.
- Regulated sectors face additional requirements - AML training given regularly and recorded in writing (Money Laundering Regulations 2017, regulation 24; a 24-month maximum is common practice rather than a statutory interval), safeguarding training tiered by role (education, health, social care), and Prevent duty training for specified public bodies.
- The harassment standard tightens from October 2026 - the Employment Rights Act 2025 raises sexual harassment prevention from 'reasonable steps' to 'all reasonable steps', with employer liability for third-party harassment also reintroduced.
- Penalties for non-compliance are severe - unlimited fines under health and safety law, up to £17.5 million or 4% of global turnover under UK GDPR, and up to 10 years imprisonment for individuals under the Bribery Act 2010.
- Annual tick-box training no longer satisfies regulators - people forget up to 80% within 30 days without reinforcement, and the ICO, HSE, and employment tribunals now ask whether training was effective, not just completed.
- Microlearning fixes the completion and retention problem - achieving 95%+ completion rates versus under 5% for traditional LMS, with automated audit trails that meet modern regulatory evidential standards.
The Legal Framework: Why Compliance Training Is a Statutory Obligation
There is no single UK law that mandates a 'compliance training programme.' Instead, training obligations flow from multiple pieces of legislation - each creating its own duty on employers, and each enforced by a different regulator.
The foundational pieces are the Health and Safety at Work Act 1974, which requires employers to provide information, instruction, and training to employees, and the Management of Health and Safety at Work Regulations 1999, which reinforces this through risk assessment and role-specific training requirements. These apply to virtually every employer in Great Britain.
Beyond health and safety, UK GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data - with staff training identified by the ICO as a primary measure. The Equality Act 2010 makes employers vicariously liable for discriminatory acts by employees unless they can show they took all reasonable steps to prevent them, and training is central to that defence. The Money Laundering Regulations 2017 impose documented training requirements on regulated firms. The Bribery Act 2010 makes training part of the 'adequate procedures' defence. Each carries its own regulator, its own enforcement power, and its own penalty structure.
Statutory vs. mandatory: understanding the distinction
HR and compliance professionals use these terms interchangeably, but they have different legal bases and different risk profiles.
| | Statutory training | Mandatory training |
|---|---|---|
| Source | Directly required by legislation or regulation | Required by employer risk assessment, industry body, or organisational policy |
| Enforcement | Regulatory penalty, prosecution, or licence revocation for gaps | Civil liability, insurance risk, and potential vicarious liability for gaps |
| Examples | Fire safety, AML, data protection, Prevent duty | Conflict resolution, first aid awareness, customer service |
| Who sets it | Parliament, FCA, HSE, ICO, CQC, Ofsted | The employer, industry body, or sector regulator guidance |
The practical implication for compliance officers: both types carry real risk. Statutory gaps trigger regulatory action. Mandatory gaps create civil liability, insurance exposure, and - increasingly - tribunal risk where a claimant can argue the employer failed to take reasonable steps.
Key regulators and enforcement powers
- Health and Safety Executive (HSE): Enforces the Health and Safety at Work Act 1974 and regulations. Powers include improvement notices, prohibition notices, prosecution, and unlimited fines. The largest HSE penalty to date - £6 million - was issued to Cambridgeshire County Council in April 2025 for safety failures on its Guided Busway over a 10-year period.
- Information Commissioner's Office (ICO): Enforces UK GDPR and the Data Protection Act 2018. Maximum penalty: £17.5 million or 4% of global annual turnover. In 2025, the ICO issued fewer fines overall but its average fine rose to over £2.8 million per case, including a £14 million penalty imposed on Capita for a 2023 data breach affecting 6.6 million people.
- Financial Conduct Authority (FCA): Regulates financial services firms. Total fines in 2024 reached £176 million - three times the 2023 level. Enforcement increasingly targets control failures rather than one-off misconduct.
- Care Quality Commission (CQC) and Ofsted: Inspect and regulate health, social care, and education settings. Both have powers to impose conditions, suspend, or cancel registrations for providers who fail to meet training standards.
- Counter Terrorism Policing / Home Office: Oversees Prevent duty compliance for specified public bodies.
Core Compliance Training Required Across UK Workplaces
These training obligations apply across most UK employers, regardless of sector. HR managers building a compliant training programme should treat these as non-negotiable foundations. Compliance officers should note the specific legislative basis and enforcement regime for each.
Health and safety training
Employers must provide training to all employees that is appropriate to the risks identified in their workplace risk assessments. Training must be role-specific and must remain current.
In practice that means covering safety protocols, risk assessment procedures, emergency procedures, and equipment use at a depth that matches the role - a desk-based worker requires different training to a warehouse operative or a care worker.
The HSE does not prescribe a universal refresh cycle, but expects training to remain current. Annual refreshers are standard practice; high-risk roles require more frequent updates. 2025 enforcement context: HSE's top penalties that year included British Airways (£3.2 million) for fall-from-height failures at Heathrow Terminal 5 and Biffa Waste Services (£2.48 million) after a worker was killed at its Bradford facility.
Fire safety training
The responsible person must ensure all employees receive adequate fire safety training on joining and when exposed to new or increased risk.
The 'responsible person' under the Regulatory Reform (Fire Safety) Order 2005 is typically the employer. At minimum, training must cover evacuation procedures, alarm systems, fire equipment locations, and emergency assembly points, and must be repeated whenever the risk profile changes. Designated fire marshals require additional training. New starters must be trained before beginning work.
GDPR and data protection training
Employers must implement appropriate measures to protect personal data. The ICO identifies staff training as one of the primary measures demonstrating compliance with Article 32.
Any employee who handles personal data must receive data protection training covering the lawful bases for processing, data subject rights, subject access requests, secure data handling, and breach reporting - including the Article 33 duty to notify the ICO of a reportable breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
Between 2024 and 2026, the ICO cited inadequate staff training as a contributing factor in multiple enforcement cases - even where training had technically been delivered. In several instances, training was not 'proportionate to the role or the risk involved.' Delivery of training is not the standard. Demonstrable fitness for purpose is. The ICO's 2025 enforcement pattern - fewer fines but average penalties exceeding £2.8 million - signals a focus on systemic governance failures, not one-off incidents.
Equality, diversity, and inclusion training
Employers are vicariously liable for discriminatory acts by employees unless they can show they took all reasonable steps to prevent them (Equality Act 2010, s.109). Separately, the preventative duty on sexual harassment rises from 'reasonable steps' to 'all reasonable steps' from October 2026.
The Equality Act 2010 does not mandate EDI training by name. Section 109 does, however, make employers vicariously liable for discriminatory acts by employees unless the employer can show it took all reasonable steps to prevent them. Training is the primary way to establish that defence.
Since 26 October 2024, employers have also been under a separate positive duty to take 'reasonable steps' to prevent sexual harassment of their workers (s.40A, inserted by the Worker Protection (Amendment of Equality Act 2010) Act 2023). From October 2026, the Employment Rights Act 2025 raises that duty to 'all reasonable steps' and reintroduces employer liability for harassment by third parties such as customers, clients, suppliers, and contractors. A tribunal will ask not just whether training was delivered, but whether it was effective, current, role-appropriate, and genuinely designed to change behaviour.
The Employment Rights Act 2025 also doubles the tribunal time limit from three months to six months (expected October 2026), significantly increasing employer exposure. People and compliance professionals should review and strengthen their harassment prevention training frameworks now - not in October.
Any organisation where staff interact with customers, clients, or contractors - hospitality, retail, financial services, healthcare - needs a specific risk assessment and training programme for third-party harassment scenarios before October 2026. A completion certificate alone will not be a sufficient defence in a tribunal claim.
Anti-bribery training
Organisations have a defence against the corporate offence only where they can show they had 'adequate procedures' in place. Ministry of Justice guidance sets out six principles, one of which - communication - expressly includes training.
The Bribery Act 2010 (s.7) creates a corporate offence of failing to prevent bribery by a person associated with the organisation. The only defence is that the organisation had 'adequate procedures' to prevent it, and Ministry of Justice guidance places training within its communication principle. Penalties include unlimited fines for organisations and up to 10 years imprisonment for individuals.
Training must cover what constitutes a bribe (including gifts, hospitality, and facilitation payments), the organisation's anti-bribery policy, reporting obligations, and relevant sector-specific scenarios. Training records should be maintained as evidence of adequate procedures.
Cybersecurity training
Legal basis: UK GDPR, Article 32 (security of processing); National Cyber Security Centre (NCSC) guidance on staff awareness.
No single law mandates 'cybersecurity training' by name, but the ICO's data protection enforcement makes clear that staff awareness training is expected as a technical and organisational measure. The NCSC recommends cybersecurity training as a baseline control for all organisations handling personal or sensitive data.
Training should cover phishing and other social engineering, password hygiene, secure data handling, use of personal devices, and how to report a suspected incident quickly - the 72-hour breach-notification clock only works if staff report early. Human error remains a primary cause of data breaches, and the ICO's 2025 enforcement, which focused heavily on systemic security failures, makes clear that staff training is part of the expected control framework.
Sector-Specific Mandatory Compliance Training
The training above applies broadly. These additional requirements apply to regulated sectors and carry their own enforcement regimes, documentation standards, and refresh cycles.
Anti-money laundering (AML) training
Regulation 24(1) requires relevant persons to take appropriate measures to make relevant employees aware of UK law on money laundering and terrorist financing, and to regularly train those employees.
AML training is mandatory for relevant employees of firms in the regulated sector, which includes financial services firms, legal practices, accountants, tax advisors, estate agents, letting agents, and high-value dealers. Regulation 24 requires the training to be given 'regularly' and a written record of it to be kept; it does not fix an interval, and a 24-month maximum is widely adopted in practice, with earlier refreshers after role changes, rule changes, or incidents. Training must be documented, role-appropriate, and demonstrably effective - not just completed.
2024 enforcement context: Metro Bank was fined £16.7 million in November 2024 after its transaction monitoring system failed to screen over 60 million transactions worth £51 billion between 2016 and 2020. The FCA found breaches of Principle 3 and SYSC 6.1.1 and 6.3.1. Starling Bank was fined £28.9 million in October 2024 for financial crime controls the FCA described as 'shockingly lax'. Total FCA fines in 2024 reached £176 million.
Safeguarding training
Legal basis: Children Act 1989 and 2004; Care Act 2014; Working Together to Safeguard Children (statutory guidance, updated 2023); CQC Fundamental Standards.
Safeguarding training is mandatory for anyone working with children or vulnerable adults. This includes staff in education, healthcare, social care, early years settings, and voluntary organisations with contact with these groups. Training is tiered by role and responsibility:
- All relevant staff: Basic safeguarding awareness - recognising signs of abuse or neglect, understanding reporting obligations.
- Designated safeguarding leads (DSLs): Advanced training, typically refreshed every two years, covering case management, multi-agency working, and local safeguarding frameworks.
- Organisations regulated by Ofsted or the CQC must meet their specific training standards, which are inspected - gaps can result in conditions being imposed, ratings being reduced, or registrations being suspended.
Prevent duty training
Legal basis: Counter-Terrorism and Security Act 2015, s.26 (Prevent duty); Channel Duty Guidance (statutory guidance).
The Prevent duty applies to a specified range of public bodies including schools, further and higher education institutions, local authorities, NHS bodies, prisons, and certain police authorities. Staff must understand the indicators of radicalisation, know how to make a Channel referral, and understand the organisation's responsibilities under the duty. For healthcare workers, Prevent training is typically refreshed every three years.
Infection prevention and control
Legal basis: Health and Social Care Act 2008, Code of Practice on the prevention and control of infections (updated 2022).
Mandatory for health and social care workers. Training must cover hand hygiene, use of personal protective equipment, waste management, decontamination, and infection outbreak reporting. The CQC inspects against these requirements and uses compliance with the Code of Practice as a quality measure. Non-compliance can result in enforcement action, conditions on registration, or prosecution.
Compliance Training Refresh Frequency at a Glance
There is no single mandated refresh cycle across all compliance training. Each regulator sets its own expectations. Regulators increasingly expect additional refreshers when regulations change, after incidents, or when employees change roles.
| Training type | Governing body | Refresh frequency | Applies to |
|---|---|---|---|
| Health and safety | HSE | Annual (role-dependent; not fixed by statute) | All employers |
| Fire safety | Fire and rescue authority / HSE | Annual (common practice; the Order requires training on joining and when risk changes) | All employers |
| GDPR / data protection | ICO | Annual recommended | All organisations processing personal data |
| AML training | FCA / HMRC / professional body supervisors | 'Regularly' (MLR 2017, reg 24); 24 months is a common maximum | Regulated sector firms |
| Safeguarding (DSL) | Ofsted / CQC | Every 2 years | Education, care, health |
| Prevent duty | Home Office | Every 3 years | Specified public bodies |
| Anti-bribery | SFO / MoJ | Annual recommended | All employers |
| Infection control | CQC | Annual | Health and social care |
These are minimum starting points. Regulators - particularly the ICO and HSE - expect training to be refreshed following regulatory changes, significant incidents, or material changes to an employee's role or risk exposure.
Why Traditional Compliance Training Fails the Regulatory Standard
Most compliance training is not working - and regulators increasingly know it. The issue is not content quality. It is delivery method.
Annual e-learning modules run straight into what learning scientists call 'the forgetting curve': without reinforcement, people forget up to 80% of what they learn within 30 days. Gallup data shows only 10% of employees report that compliance training has meaningfully changed their behaviour at work. Long sessions create cognitive overload, completion rates collapse, and annual content refreshes mean staff may be acting on outdated information for most of the year.
The regulatory standard is shifting to match. Under the 'all reasonable steps' duty the Employment Rights Act 2025 brings in from October 2026, tribunals will ask not just whether training existed, but whether it was effective, current, role-appropriate, and genuinely designed to equip people to handle real situations. The ICO has taken a similar position in recent enforcement cases, finding against organisations where training was delivered but not 'proportionate to the role or risk involved.' A completion certificate is not a compliance defence.
Both the HSE and ICO have moved beyond 'was training delivered?' as the compliance test. Current expectations include: training was role-appropriate; content reflected current regulations; employees can apply what they learned in practice; records show ongoing reinforcement, not just annual completion; and the organisation can demonstrate training was updated following regulatory changes or incidents. Paper certificates and LMS completion reports are no longer sufficient evidence for audit purposes in higher-risk sectors.
How Microlearning Meets the 2026 Compliance Training Standard
Microlearning - delivering training in focused sessions of three to ten minutes - directly addresses the delivery failures that cause traditional compliance training to fall short. It is not just a more engaging format. It is the format most likely to satisfy the 'all reasonable steps' standard that tribunals will apply from October 2026 and the effectiveness test regulators already apply.
5Mins.ai's compliance training library covers GDPR, health and safety, anti-bribery, AML, safeguarding, fire safety, and more. Each lesson targets one or two learning objectives, fits into the flow of work, and is designed to change specific behaviours - not just transfer information.
Completion rates: the problem microlearning fixes
5Mins' own platform data puts completion for compliance courses on traditional LMS platforms at under 5%, against 95%+ across the 5Mins customer base. The difference is not content - it is format. Three-to-five-minute TikTok-style lessons that fit on a phone, between meetings, or during a shift are completed. Forty-five-minute desktop modules are not.
Retention: spaced repetition as a compliance tool
Spaced repetition - revisiting training content at intervals rather than in a single session - is one of the most well-evidenced approaches to long-term retention in learning science. Research shows spaced reinforcement delivers 150% better retention compared to a single-session equivalent. For compliance purposes, this is the mechanism that moves training from 'completed' to 'applied.'
Microlearning is naturally suited to spaced repetition. Short daily or weekly lessons reinforce previous learning without requiring employees to complete the full course again. HR and L&D managers can schedule automated refreshers aligned to regulatory refresh cycles - turning an annual compliance event into an ongoing learning habit.
Audit-ready tracking: what regulators actually need to see
When the FCA asks for evidence of AML training completion across your team, or the ICO examines your data protection controls following a breach, what they want is not a spreadsheet. They want role-level completion data, timestamps, assessment scores, and evidence that training was appropriate to the role and current at the time of the incident.
Modern microlearning platforms generate this data automatically. HR managers can produce audit-ready compliance reports in minutes. Compliance officers can demonstrate to regulators that training was delivered, role-appropriate, and regularly refreshed - without manual tracking or end-of-quarter data pulls.
A Practical Framework for Compliance Officers, HR, and L&D Managers
Whether you are building a programme from scratch or auditing an existing one, this five-step framework reflects current regulatory expectations.
Map your legal obligations by role
Not all compliance training applies to all employees at the same level. AML training applies to specific roles in regulated firms. Safeguarding is tiered by responsibility. Health and safety training content varies by workplace risk profile. Start with a training needs matrix that maps each legal obligation to the roles it applies to, and at what level.
Set documented refresh schedules against regulatory requirements
Use the table above as your baseline. Adjust for your specific risk profile - higher-risk roles refresh more frequently. Use automated scheduling and reminder systems. Manual tracking fails under operational pressure; when staff are busy, renewals slip.
Build training that meets the 'all reasonable steps' standard
From October 2026, training must be demonstrably effective - not just delivered. That means role-appropriate content, realistic scenarios, regular reinforcement, and evidence of competence. Annual tick-box exercises will not satisfy employment tribunal scrutiny or regulatory investigation.
Keep content current
Regulations change. Enforcement cases clarify what regulators expect. When a relevant regulation is updated or a significant enforcement case is published in your sector, review whether your training content reflects the current standard. Outdated content is a regulatory risk in its own right.
Build an audit trail from day one
Every compliance training delivery should generate documentation: what was covered, who completed it, when, their assessment score, and their role at the time. This is your defence in the event of an investigation, inspection, or tribunal claim. Automated platforms make this effortless. Manual systems make it unreliable.
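The five steps above, and the audit-ready tracking described earlier, come down to one recurring check: for every employee and every obligation that applies to their role, is the most recent passed completion still valid? The script below is an added example written for this page, not 5Mins.ai code. It takes the refresh cycles from the table above (a subset of the rows, to keep the example short) and treats a completion as stale when the person has since changed role, when the underlying rule changed after the training was taken, or when the cycle has simply run out. The role names, employees, dates, assessment scores, pass mark and the 'regulation changed' date are all constructed for illustration.

```python
"""Training gap check over an audit trail (added example, not 5Mins.ai code).
Refresh cycles follow the table above; roles, people, dates and scores are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Refresh cycle per obligation, in days, from the table above (subset of rows).
REFRESH_DAYS = {
    "health_safety": 365,
    "data_protection": 365,
    "anti_bribery": 365,
    "aml": 730,        # 24 months: common practice under MLR 2017 reg 24, not a fixed interval
    "prevent": 1095,
}
# Training needs matrix: obligation -> roles it applies to ("*" = every role). Roles are hypothetical.
NEEDS_MATRIX = {
    "health_safety": {"*"},
    "data_protection": {"*"},
    "anti_bribery": {"*"},
    "aml": {"relationship_manager", "compliance_officer"},
    "prevent": {"nurse"},
}
PASS_MARK = 80  # assumed assessment pass mark; a failed attempt does not count as completion

@dataclass(frozen=True)
class Employee:
    name: str
    role: str
    role_since: date        # when the current role began

@dataclass(frozen=True)
class Completion:
    employee: str
    training: str
    completed_on: date
    score: int
    role_at_time: str       # role held when the training was taken (kept in the audit trail)

def required_for(role):
    """Obligations that apply to a role according to the needs matrix."""
    return {t for t, roles in NEEDS_MATRIX.items() if "*" in roles or role in roles}

def status(emp, training, completions, regulation_changed, today):
    """Return (state, reason) for one employee/obligation pair."""
    passed = [c for c in completions
              if c.employee == emp.name and c.training == training and c.score >= PASS_MARK]
    if not passed:
        return "missing", "no passed completion on record"
    latest = max(passed, key=lambda c: c.completed_on)
    # Role changed after the training was taken: content may no longer be role-appropriate.
    if latest.completed_on < emp.role_since and latest.role_at_time != emp.role:
        return "refresh_required", f"role changed on {emp.role_since}"
    # Rule changed after the training was taken: content may no longer be current.
    changed = regulation_changed.get(training)
    if changed and latest.completed_on < changed:
        return "refresh_required", f"regulation changed on {changed}"
    due = latest.completed_on + timedelta(days=REFRESH_DAYS[training])
    if today > due:
        return "overdue", f"due {due}"
    return "current", f"next due {due}"

def gaps(employees, completions, regulation_changed, today):
    """Every (employee, obligation, state, reason) that is not current."""
    out = []
    for emp in employees:
        for training in sorted(required_for(emp.role)):
            state, why = status(emp, training, completions, regulation_changed, today)
            if state != "current":
                out.append((emp.name, training, state, why))
    return out

# Constructed sample data.
TODAY = date(2026, 4, 1)
REGULATION_CHANGED = {"data_protection": date(2025, 8, 1)}  # hypothetical rule change
EMPLOYEES = [
    Employee("Ana", "relationship_manager", date(2026, 1, 15)),  # moved role in January
    Employee("Ben", "nurse", date(2022, 3, 1)),
    Employee("Cara", "compliance_officer", date(2024, 6, 1)),
]
COMPLETIONS = [
    Completion("Ana", "health_safety", date(2025, 9, 1), 95, "customer_service"),
    Completion("Ana", "anti_bribery", date(2025, 3, 1), 90, "customer_service"),
    Completion("Ana", "data_protection", date(2026, 2, 1), 90, "relationship_manager"),
    Completion("Ben", "prevent", date(2023, 2, 1), 88, "nurse"),
    Completion("Ben", "health_safety", date(2025, 6, 1), 90, "nurse"),
    Completion("Ben", "data_protection", date(2025, 6, 1), 90, "nurse"),
    Completion("Ben", "anti_bribery", date(2025, 6, 1), 70, "nurse"),  # failed the assessment
    Completion("Cara", "aml", date(2024, 9, 1), 91, "compliance_officer"),
    Completion("Cara", "health_safety", date(2025, 10, 1), 90, "compliance_officer"),
    Completion("Cara", "data_protection", date(2025, 10, 1), 90, "compliance_officer"),
    Completion("Cara", "anti_bribery", date(2025, 10, 1), 90, "compliance_officer"),
]

if __name__ == "__main__":
    for name, training, state, why in gaps(EMPLOYEES, COMPLETIONS, REGULATION_CHANGED, TODAY):
        print(f"{name:5} {training:16} {state:17} {why}")
```

Run as-is it reports six gaps: Ana has no AML training in her new role and her health and safety and anti-bribery completions predate the role change; Ben's Prevent refresher is overdue, his data protection training predates the rule change, and his failed anti-bribery attempt does not count; Cara is fully current. The point of storing `role_at_time` and `score` in the trail, rather than a bare completion flag, is that these are exactly the questions an investigator asks: was the training right for the role the person held, and did they demonstrate competence.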
Frequently Asked Questions: Compliance Training in the UK
Answers to the questions HR managers, L&D professionals, and compliance officers ask most
- Which compliance training is mandatory for all UK employees? Health and safety, fire safety, data protection (for anyone handling personal data), and equality and harassment prevention apply across virtually all employers. Anti-bribery and cybersecurity awareness training are expected as part of 'adequate procedures' and Article 32 security measures respectively.
- Is compliance training mandatory in the UK? No single law mandates a 'compliance training programme', but the Health and Safety at Work Act 1974, the Management of Health and Safety at Work Regulations 1999, the Regulatory Reform (Fire Safety) Order 2005, UK GDPR, and the Equality Act 2010 each impose training duties that together reach almost every employer.
- Who needs AML training and how often? Relevant employees of firms in the regulated sector - financial services, legal, accountancy, tax, estate and letting agents, and high-value dealers. Regulation 24 of the Money Laundering Regulations 2017 requires regular, recorded training; 24 months is a common maximum in practice, with earlier refreshers after role or rule changes.
- What does the Employment Rights Act 2025 change for compliance training? From October 2026 the sexual harassment prevention duty becomes 'all reasonable steps', employer liability for third-party harassment returns, and the tribunal time limit extends from three to six months. Training will have to be shown to be effective and role-appropriate, not merely completed.
- How often should compliance training be refreshed? There is no universal cycle. Annual is the baseline for health and safety, fire safety, data protection, and anti-bribery; designated safeguarding leads refresh every two years and Prevent every three. All of these should be brought forward after an incident, a role change, or a regulatory change.
- Can compliance training be delivered online? Yes, provided it is role-appropriate, kept current, reinforced over time, and backed by records of what was covered, who completed it, when, with what assessment result, and in what role. Regulators assess effectiveness and evidence, not the delivery channel.
Staying Compliant in 2026: The Standard Has Changed
UK compliance training obligations are more demanding in 2026 than they were two years ago. The FCA collected £176 million in fines in 2024. The HSE issued its largest-ever single penalty. The ICO's average fine now exceeds £2.8 million per case. The Employment Rights Act 2025 raises the harassment prevention standard to 'all reasonable steps' from October 2026.
For HR managers, L&D professionals, People leaders, and compliance officers, the challenge in 2026 is not just 'what training is required?' It is 'how do we make it effective, evidence it properly, and keep it current?' Regulators are no longer satisfied with completion certificates. They want evidence that training changed behaviour.
Explore the 5Mins.ai compliance training catalogue to see how bite-sized, AI-powered microlearning can replace your annual compliance programme with something employees actually complete - and that produces the audit trails regulators now expect. Start your free trial today.
- Health and Safety at Work Act 1974, UK Parliament, legislation.gov.uk
- Management of Health and Safety at Work Regulations 1999, UK Parliament, SI 1999/3242
- Regulatory Reform (Fire Safety) Order 2005, UK Parliament, SI 2005/1541
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, UK Parliament
- Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, Regulation 24, UK Parliament, SI 2017/692
- Bribery Act 2010 and Ministry of Justice Guidance on Adequate Procedures, UK Parliament / MoJ
- Equality Act 2010, s.109 (vicarious liability), UK Parliament
- Worker Protection (Amendment of Equality Act 2010) Act 2023, UK Parliament, in force October 2024
- Employment Rights Act 2025, UK Parliament, Royal Assent 18 December 2025; GOV.UK implementation timetable, February 2026
- Counter-Terrorism and Security Act 2015, s.26 (Prevent duty), UK Parliament
- Health and Social Care Act 2008 Code of Practice on infection prevention and control, updated 2022
- 2024 fines, Financial Conduct Authority, fca.org.uk - total £176,045,385
- FCA fines Metro Bank £16m for financial crime failings, Financial Conduct Authority, press release 11 November 2024
- FCA fines Starling Bank £29m for failings in their financial crime systems and controls, Financial Conduct Authority, press release 2 October 2024
- Capita fined £14m for data breach affecting over 6m people, Information Commissioner's Office, press release 15 October 2025
- ICO Enforcement in 2025: Record Fines and What They Mean, Measured Collective, January 2026
- Council fined for multiple failures on Guided Busway, HSE Media Centre, press release 16 April 2025
- 10 Highest UK Health and Safety Fines of 2025, Skillcast, January 2026
- Employment Rights Act 2025 - implementation guidance, ACAS, acas.org.uk
- United Kingdom: Employment Rights Act 2025 - Upcoming Changes in 2026, Mayer Brown, March 2026
- 5Mins.ai compliance training platform data - 95%+ completion rates vs under 5% for traditional LMS platforms
- Workplace learning engagement research, Gallup - 10% of employees report compliance training changes their behaviour
This article is for general informational purposes only and does not constitute legal, financial, or professional advice. UK employment and compliance law is subject to change. Always consult a qualified professional for guidance specific to your organisation. Legislative references and regulatory enforcement data are current as of April 2026.
All content is researched and written by the 5Mins team.