Financial Services 10 minute read

Building a Risk-Aware Culture in Financial Services: How Bite-Sized Training Embeds Compliance Into Daily Workflows

James Francis
29 April 2026

In 2025, the FCA imposed over £124 million in fines on UK financial services firms - and almost every enforcement notice flagged the same root cause: staff did not understand, follow, or apply the controls they had been trained on.[1] Annual financial risk management training programmes were complete on paper. Behaviour on the ground told a different story.

That gap is not a content problem. It is a memory problem, a relevance problem, and a delivery problem. Research shows employees forget around 70% of new training within 24 hours and 90% within a week without reinforcement, a pattern documented since Hermann Ebbinghaus's original forgetting-curve studies.[2] For regulated firms, that decay sits between a clean audit trail and a £40 million fine.

This article is for compliance officers, MLROs, and heads of risk in regulated firms. It covers why annual training no longer changes behaviour, what the FCA expects from a risk-aware culture, and how bite-sized, AI-personalised learning embeds risk awareness into the working day - with a five-step framework you can take to your CRO.

Key Takeaways
  • Annual training fails on retention, not engagement. Without reinforcement, employees lose 70% of mandatory training within 24 hours - and the FCA repeatedly cites "inadequacy of staff training" as a recurring weakness in enforcement notices.
  • Risk-aware culture is an FCA expectation, not a buzzword. Principle 3, SMCR Conduct Rules, and Consumer Duty all push the regulator toward behaviour and culture, not completion records.
  • Bite-sized, daily learning beats annual sessions for retention. Spaced repetition has been shown to improve long-term retention by around 200% across more than 800 controlled studies.[5]
  • AI personalisation targets training to actual risk exposure. Role-based and exposure-based pathways focus the right content on the right people - traders see market abuse, onboarding teams see KYC, advisers see SMCR Conduct Rule 6.
  • Outcomes are measurable. FS firms using bite-sized microlearning have moved from sub-50% completion to 95%+, while halving compliance admin and improving regulator-ready reporting.

  • £124m+ - Total FCA fines in 2025. Majority tied to AML and systems-and-controls failures.[1]
  • 45% - Of FCA final notices. Identified deficiencies in firms' training programmes.[4]
  • ~70% - Of training forgotten. Within 24 hours, without reinforcement.[2]
  • ~200% - Retention uplift. From spaced repetition (800+ studies).[5]

Why Annual Risk Training Fails to Change Behaviour

Most UK financial services firms still run risk and compliance training the same way they did a decade ago: a 45-minute mandatory module per topic - AML training, market abuse, sanctions, conduct - completed once a year, signed off in a dashboard, and quietly forgotten. The FCA has been increasingly direct about how that approach lands.

In its 2025 enforcement work, the FCA imposed fines totalling £124m, with the majority tied to financial crime and AML systems and controls failures.[1] Barclays was fined £39.3m for inadequate AML risk monitoring. Monzo was fined £21.1m after rapid customer growth outpaced its compliance controls. Nationwide received the year's largest single penalty at £44m for systems and controls failings.[3] Each firm had documented training programmes. The problem was the gap between completion and capability. The FCA has flagged this pattern for years: an analysis of final notices found that 45% of FCA final notices identified deficiencies in firms' training programmes, typically around "one-size-fits-all" delivery or training that failed to translate into real decisions on the desk.[4]

What failure actually looks like on the desk

A relationship manager passes the AML and financial crime training module in January with 90%. In March, a long-standing corporate client refers a new entity for onboarding. The entity's UBO sits in a high-risk jurisdiction, has political exposure, and the source-of-funds rationale is thin. The RM, focused on the existing relationship, treats it as an extension and waves the EDD requirement through. Eight months later, the FCA is asking why the firm onboarded a politically exposed person without enhanced due diligence. The training existed. The completion record is clean. The behaviour failed.

There is a behavioural reason for this. Hermann Ebbinghaus's forgetting-curve research - replicated multiple times since, including a 2015 study reproducing his original results - shows that without reinforcement, learners lose roughly half of new information within an hour and up to 90% within a week.[2] A meta-analysis of more than 800 controlled experiments found that spaced repetition improves long-term retention by around 200% compared with single-session learning.[5] Annual training breaks every rule of how human memory actually works.

The result is a structural mismatch. The FCA's Training and Competence sourcebook (TC 1.1.1R onwards) and SYSC 6.1 both require firms to maintain ongoing competence, not just initial training. Annual delivery, however well-designed, can only show what someone knew six months ago - not what they know on the day they make a decision.

What "Risk-Aware Culture" Actually Means to the FCA

"Culture" is a word the FCA uses precisely. In its 2025 commentary on enforcement priorities, the regulator's COO Emily Sheppard noted that investigations into consumer protection and market conduct failures repeatedly surface the same cultural root causes.[6] When the FCA talks about a risk culture or compliance culture, it points to four concrete things - and most of them are training-driven. (For the full regulatory baseline of courses, see our guide to compliance training for financial services firms in 2026.)

Principle 3 and Principle 2 - systems, controls, and care

In the past decade, 20 of 27 AML enforcement cases involved breaches of Principle 3 (adequate systems and controls), with another 5 turning on Principle 2 (due skill, care, and diligence).[7] Principle 3 covers whether staff are competent and consistent in applying controls; Principle 2 covers whether individuals exercise the standard of care expected of them. Both are training and reinforcement questions, not technology questions.

SMCR Conduct Rules

Section 64B of the Financial Services and Markets Act requires firms to train staff on how the SMCR Conduct Rules apply to their actual roles - not as a generic module, but tied to the work they do.[8]

Consumer Duty

The FCA has explicitly warned that firms not training staff well enough to support good consumer outcomes will face supervisory scrutiny. Conduct Rule 6 makes this individual: every employee must act to deliver good outcomes for retail customers.

Regulatory note - what the FCA is really measuring

The FCA's Training and Competence (TC) sourcebook does not prescribe how training is delivered. It focuses on outcomes: do staff have the knowledge, skills, and behaviours to perform their roles, and can the firm prove it? That language matters - "behaviours" is in the rule. A completion certificate is not enough.

Read together, these anchors point in one direction. The FCA is not assessing whether training existed. It is assessing whether the firm can demonstrate, on the day of the breach, that the relevant employee knew the rule, understood it in context, and had been recently reminded of it. Annual training cannot meet that test.

The Behavioural Science: Why Bite-Sized, Daily Learning Embeds Risk Awareness

If annual training fights human memory, bite-sized daily learning works with it. Three well-established mechanisms - the spacing effect, retrieval practice, and in-the-flow-of-work delivery - explain why short, frequent risk-management training outperforms long, infrequent sessions on every retention metric that matters.

The spacing effect

Cepeda and colleagues' 2006 meta-analysis of more than 800 spacing-effect studies found that distributed practice improves long-term retention by around 200% compared with massed practice.[5] Subsequent workplace studies have consistently reproduced the effect.[9] For risk training, this means reviewing core concepts (a sanctions-screening principle, an SMCR Conduct Rule, a market abuse red flag) at expanding intervals across weeks rather than packing them into one module.

Retrieval practice

Active recall - being asked to retrieve a fact, scenario, or judgment - strengthens memory more than passive review. A multiple-choice scenario asking a payments-team analyst to identify a suspicious-transaction red flag is a far more powerful retention tool than a slide explaining what one looks like.

In-the-flow-of-work delivery

Microlearning delivered in 3-5 minute segments produces around 25% higher comprehension and reduces cognitive overload by roughly 37% compared with longer sessions.[10] When the same content is delivered into the platforms employees are already in - Slack, Teams, mobile - completion rates rise sharply, because the training stops competing with the working day and starts living inside it.

The implication for compliance leaders is that bite-sized risk management training is not a watered-down version of annual training. It is a different intervention with a different mechanism, producing the one outcome the FCA actually cares about: behaviour change that holds up under regulatory scrutiny.

How AI Personalises Training to Individual Risk Exposure

Bite-sized delivery solves the retention problem. AI personalisation solves the relevance problem - and in a financial services context, relevance is where most generic risk and compliance training programmes break down.

The risk a junior KYC analyst faces in a payments fintech is not the risk a senior trader faces on a market-making desk. A wealth adviser handling vulnerable clients faces a different conduct test from a CASS-regulated investment ops manager. Yet most enterprise risk management training programmes - and most online risk management training libraries - deliver the same core modules to all of them. AI-driven learning platforms change this in three ways:

  • Role-based pathways. Content is mapped to the regulatory obligations of a specific role - Conduct Rule 6 and Consumer Duty for client-facing advisers, MAR market abuse for traders, CASS Principle 10 for client-money operations, MLR 2017 Reg 24 for AML-relevant staff. Staff stop sitting through topics they will never touch.
  • Exposure-based prioritisation. Where AI sees that a function (say, onboarding) is processing more high-risk customers or operating in a flagged jurisdiction, it raises the frequency of relevant red-flag scenarios and KYC refreshers for that team - without manual rebuilding of the curriculum.
  • Adaptive reinforcement. Assessment data feeds back into the schedule. If a payments-team analyst struggles with sanctions screening scenarios, the platform automatically schedules more frequent micro-refreshers on that topic, before a real-world miss becomes a regulatory issue.

Six questions to ask any compliance training provider

1. Can you map content to specific FCA Handbook references and MLR 2017 obligations - and show the mapping to my auditor?
2. Does the platform schedule reinforcement automatically based on individual assessment performance, or is it the same content for everyone?
3. How quickly can you turn a regulatory update (e.g. new sanctions list, FCA Dear CEO letter) into a published lesson - hours, days, or weeks?
4. What percentage of your FS customers achieve 90%+ completion, and what is the average time-to-completion per lesson?
5. What audit-ready evidence is exportable? Specifically: assessment scores by individual, decay over time, and remediation actions taken.
6. Can the platform deliver in-the-flow-of-work via Slack and Microsoft Teams, on mobile, with offline capability for branch and field staff?

This is the layer many FS firms are now investing in. The Bank of England and FCA's 2024 AI survey found that 84% of UK financial services firms already have an accountable person for their AI framework, and most are deploying AI across multiple use cases including risk monitoring.[11] Applying the same capability to compliance training is a natural extension. Platforms like 5Mins deliver this through AI-personalised, TikTok-style micro-lessons mapped to specific obligations - including AML, SMCR Conduct Rules, CASS, market abuse, financial crime prevention, and Consumer Duty - with completion rates of 95%+ versus the industry average of under 5%. Our compliance training for financial services page sets out the methodology in full, and our piece on AI in compliance training for financial services goes deeper on predictive analytics in this space.

Annual mandatory training vs. bite-sized, AI-personalised learning

| Dimension | Annual mandatory training | Bite-sized, AI-personalised learning |
|---|---|---|
| Format | 45-minute modules, once per year | 3-5 minute micro-lessons, daily |
| Retention after 7 days | ~10% of content retained | ~80% retained with spaced repetition |
| Personalisation | One-size-fits-all by topic | Role-based, exposure-based, adaptive |
| Completion rate | Under 50% in many FS firms | Routinely 90-95%+ |
| Behaviour change evidence | Completion certificate only | Assessment data + reinforcement signals |
| FCA TC sourcebook fit | Demonstrates training existed | Demonstrates ongoing competence |
| Compliance admin | Manual chasing, spreadsheet tracking | Automated enrolment, real-time dashboards |
| Cost trajectory | Increases with headcount and regulation count | AI bite-sizing reduces cost per learner over time |

A 5-Step Framework: Embedding Risk Awareness Into Daily Workflows

Moving from annual to bite-sized governance, risk and compliance training is a programme redesign, not just a delivery change. This is the framework we see working in regulated FS firms, mapped to the FCA's outcomes-based view of training and competence.

Five steps to embed risk awareness into daily workflows

1. Map training to actual regulatory obligations, by role

Build a matrix of roles against the FCA Handbook sections that apply to them. A relationship manager in commercial banking should not be sitting through CASS modules; a CASS-regulated investment ops team should be drilling on segregation, reconciliations, and Principle 10 every quarter. Specifically: AML-relevant staff against MLR 2017 Reg 24, advisers against TC Appendix 1 qualification requirements, and senior managers against SMCR prescribed responsibilities. This mapping becomes the spine of the curriculum.

2. Replace annual modules with daily 3-5 minute lessons

Convert each large topic - AML, market abuse, sanctions, SMCR, Consumer Duty - into a sequence of short lessons. Each should land in 5 minutes, on mobile, with a short retrieval-practice question. The aggregate time investment is similar to an annual module; the retention curve is fundamentally different. A typical AML refresher cycle becomes 12-15 micro-lessons over a quarter rather than one 45-minute module per year.

3. Schedule reinforcement using spaced repetition

Critical concepts should reappear at expanding intervals - typically the next day, then 7 days, 21 days, and 60 days after first exposure. The point is not to revisit identical content, but to drill the same regulatory judgement in different scenarios so that the behaviour generalises. The same suspicious-transaction red flag should appear three times in three different contexts before the FCA visit, not once in a slide.

4. Use AI to personalise by exposure, not just role

Roles tell you what someone could face. Exposure data tells you what they actually face. Where teams process higher-risk customers or operate in jurisdictions with elevated AML risk, the AI should weight relevant content more heavily. Assessment data closes the loop - weaker areas get more reinforcement automatically.

5. Make completion the floor, not the ceiling

Track completion, but also assessment performance, time-to-action on regulatory updates, and decay between sessions. Report on these alongside completion in monthly compliance MI. When the regulator asks how the firm knows training is working, the answer becomes "here is the behavioural evidence over time," not "100% of staff completed it."

A practical 90-day rollout for one high-risk topic

| Phase | Days 1-30: Set up | Days 31-60: Deploy | Days 61-90: Measure |
|---|---|---|---|
| Curriculum | Pick one high-risk topic (AML or SMCR Conduct Rules). Map to relevant FCA Handbook sections. | Convert into 12-15 micro-lessons of 3-5 minutes, with a retrieval-practice question per lesson. | Refine content based on assessment data and weak areas surfaced in the first cycle. |
| Audience | Identify one team (e.g. KYC operations or front-office advisers). Confirm role-based pathways. | Roll out daily lessons in Slack/Teams/mobile alongside existing annual cycle. | Compare retention and assessment data against a control group still on annual training. |
| Evidence | Define MI: completion, assessment scores, decay, time-to-action. Agree FCA-ready exports. | Establish baseline metrics in week 1; review weekly for the first month. | Produce a board-ready pack: behavioural evidence vs. control. Decide on wider rollout. |

Practical tip - the three-lines-of-defence test

Run your current curriculum past a simple test. For each of the three lines of defence in your firm - front-office staff, risk and compliance, internal audit - can you show, in 60 seconds, what they have been trained on this quarter, what they got wrong in assessments, and what they have been re-shown as a result? If not, your training data is not yet at the standard the FCA's outcomes-based model expects.

What Good Looks Like: Real-World Outcomes from Financial Services Firms

The case for bite-sized, AI-personalised compliance training in financial services is not theoretical. Several FS firms have already moved off annual mandatory modules onto continuous microlearning, with consistent results.

The contrast with what happens when training does not keep pace with growth is sharp. Starling Bank was fined £29m by the FCA in September 2024 for sanctions screening control failures.[13] The bank had grown from 43,000 customers in 2017 to 3.6 million by 2023; its compliance training and controls did not scale with that growth. The lesson is that financial crime training cannot be a one-off event in a fast-scaling FS firm - it has to be continuous, role-personalised, and exposure-weighted. That is exactly what bite-sized financial crime prevention training delivers when designed properly.

AZA Finance, a global cross-border payments firm, moved compliance training onto a bite-sized, AI-personalised platform after participation rates stalled at 30-40%. Within months, participation more than doubled to around 80%, while training reach expanded by 2x at a 30% lower cost per learner. Premo Ojokojo, Chief People Officer, has called the ROI "limitless."[12]

PayNet, a 600-employee Malaysian payments business, saw a 200% increase in learning engagement after switching to bite-sized lessons delivered in the flow of work. For a regulated payments firm with constant rule changes, that engagement level is what makes ongoing compliance maintainable rather than a quarterly fire-drill.[12]

"The return on investment - it's limitless. When you have an increase in participation, you have improvement in performance."
Premo Ojokojo
Chief People Officer, AZA Finance [12]

These numbers matter for two reasons. First, the FCA's outcomes-based test is hard to satisfy when most of the workforce never engages with training. Second, completion at scale is achievable when the format respects how people consume content - 95%+ in deployed FS programmes versus an industry baseline under 5% changes what is realistic for a risk-aware culture. For the priority course list at the foundation of an FS programme, see our top 5 financial compliance courses for 2026.

Where to Take This Next

The case for moving off annual mandatory training is now well-supported - by FCA enforcement patterns, by behavioural science, and by the operational results FS firms are publishing. The harder question is sequencing: which controls do you redesign first, and how do you keep audit evidence intact during the transition?

A practical starting point is a single high-risk topic - usually AML or SMCR Conduct Rules - converted to bite-sized, role-personalised delivery for one team, with assessment data tracked alongside the existing annual cycle for one quarter. The contrast in retention and behaviour data tends to make the case for wider rollout on its own. To explore how this works for FS-specific obligations, see our compliance training for financial services page, or browse the full compliance training catalogue.

Sources
  1. FCA, 2025 Fines (accessed 2026)
  2. Ebbinghaus, H., Memory: A Contribution to Experimental Psychology (1885); replicated in Murre & Dros, PLOS ONE (2015); summarised in workplace learning research, 2024-2025
  3. Skillcast, Highest FCA Fines of 2025 (2025); WilmerHale, FCA Enforcement Trends in 2025 and Expectations for 2026 (January 2026)
  4. Elephants Don't Forget, analysis of FCA final notices (2021-2023), citing FCA enforcement data on training programme deficiencies
  5. Cepeda, N. J., Pashler, H., Vul, E., Wixted, J. T., & Rohrer, D., "Distributed practice in verbal recall tasks: A review and quantitative synthesis," Psychological Bulletin (2006), 132(3), meta-analysis of 800+ experiments
  6. FCA, public commentary by Emily Sheppard (COO) on culture and enforcement (February 2025); FCA Enforcement Guide update (June 2025)
  7. NorthRow, FCA AML fines 2015-2025: A decade of data (August 2025)
  8. UK Financial Services and Markets Act 2000, Section 64B; FCA Handbook, SYSC and TC sourcebooks
  9. Journal of Educational Psychology research on spaced repetition and long-term retention (2023); summarised in workplace L&D literature 2024-2025
  10. Learning Solutions Magazine (2024), comprehension research on 3-5 minute learning segments; Cognitive Science Journal (2023), research on cognitive load and microlearning
  11. Bank of England and FCA, Machine Learning in UK Financial Services Survey (2024)
  12. 5Mins case studies: AZA Finance and PayNet
  13. FCA, Final Notice: Starling Bank Limited (September 2024); 5Mins.ai, Compliance Training for Financial Services Firms in 2026

This article is intended for informational purposes only and does not constitute legal or regulatory advice. Firms should consult qualified compliance and legal counsel for guidance on their specific obligations under FCA rules, the Money Laundering Regulations 2017, SMCR, and Consumer Duty.

All content is researched and written by the 5Mins team.

About the Author

James Francis

Head of Growth Marketing, 5Mins.ai

James is an experienced tech marketer with a background covering HR, e-commerce, property, and financial services. In his role as Head of Growth Marketing at 5Mins, he leverages AI to deliver high-impact campaigns and accelerate growth.
