The Agony and the Opportunity of Compliance Training
I’ve held a dark secret as a risk and compliance professional for over 20 years. For some, this statement will validate what you’ve felt for years; for others, it may feel like I’ve lost my second line of defense mind.
Most annual compliance training sucks.
In its current construction, compliance training is operationally inefficient - it costs considerable time, energy, money, and focus, and it’s unclear whether employees are actually absorbing the training material and applying it to their current role.
There are clear opportunities to significantly improve how compliance training could lead to better employee development throughout an institution, though first I want you to think about how it feels to receive your annual compliance training notifications. How it feels as a new hire to have somewhere between 20-40 hours of mandatory compliance training that seems entirely distinct from their operations training. How it feels as an HR or Compliance Officer designing the enterprise-wide training calendar and getting ready to send out those emails that engender a collective groan and eye roll throughout the institution.
If you have a program that follows the themes outlined below to create dynamic, engaging, integrative training conversations, employees are probably more excited and committed to their development and operational improvement.
If, however, your employees (or you) feel a sense of dread, gloom, pessimism, or sadness (or perhaps even some animosity toward Compliance), we’ve provided a checklist to explain why your compliance training program might not be well received by employees or the institution as a whole.
1. It’s the same content, different year.
Offering the same content year over year screams “check the box” function. Your employees will recognize the lack of effort in providing stale content and often respond with the same lethargic effort to complete the training modules.
2. It’s the same test questions, different year.
This is almost inexcusable within the compliance function; this enables employees to share and/or store answer keys to breeze through the module’s quiz without having to engage with the module’s content.
3. The material isn’t relevant to the role and the business.
It is challenging to attune a “one-size-fits-none” module to specific roles (“What do I need to take away from this module”) or to the business itself. Identifying and leveraging relevant, practical examples of day-to-day situations can significantly increase engagement.
4. There is no test-out option.
Employees often demonstrate their ability to integrate compliance into their daily job function; they live and breathe the information that’s being provided. Consider offering a pre-test to identify strengths and areas to focus on within the module.
5. It’s timed, and there’s not enough engaging content.
Some certifications and licenses require a certain amount of training in hours. Taking a module with required page or section time minimums can be particularly frustrating and counterproductive when the page or section does not reasonably have enough content to engage the user for that period of time.
Make sure that the videos, exercises, activities, and material don’t feel rushed or drawn out, and consider offering additional content (and recognizing your subject matter experts) if someone finishes the core content before the required training time has elapsed.
6. There are no rewards for early completion and going above and beyond.
Understanding that compliance training is an obligation, it can be viewed as an opportunity for employee development. Often times, it feels like “finish your training…or else.”
Instead of threatening corrective action for non-completion, try creating an incentive to absorb the material to complete tests on the first try. Gift cards, team outings, gamification, or recognition and appreciation from senior leadership for completion can all create positive influences for completing training exercises, especially when they are provided at the individual, department, and enterprise-wide levels.
7. Everyone needs to be compliant; not everyone wants to be a compliance officer.
Employees need to understand how the regulation applies to processes, procedures, and their specific role, along with why certain controls were put into effect. There continues to be excessive rote memorization and broad details incorporated into training modules and subsequent quiz questions. This dynamic fails to engage employees who need to understand how to apply this information to their daily function within the organization.
Compliance training offers a huge opportunity to identify best practices, recognize potential gaps, and have a meaningful conversation about these compliance rules, why those requirements are important, and how your institution addresses those obligations (and whether there are gaps in those controls).
It’s incredibly valuable to have someone who understands how the business operates and the regulatory obligations that underlie those processes. The ability to understand and communicate with subject matter experts in the line of business and in Risk and Compliance is immensely important for key growth areas such as marketing, new product development, and mergers and acquisitions.
Best Practices for Compliance Development
In the universe of “less is more” and “going lean,” you may think that it’s too costly in terms of time, energy, money, and resources to energize your existing training program.
Keep in mind that access to most compliance libraries already costs your institution tens of thousands of dollars, and that each employee may use 10-20 hours toward completion (notwithstanding the energy and time spent monitoring completion progress across the institution). That’s a pretty significant cost for simply checking a box if there’s no material development benefit across the organization.
With that in mind, there are some fun and innovative ways to leverage this time for employee and business development.
1. Discuss relevant business examples.
If you’re a marine lender, talk about cases where the value of the yacht was used to hide illicit activity or situations where a boat sale was completely fabricated. If you’re a mortgage financier, discuss cases involving inappropriate appraisals, quick flips, or title fraud. Have the facts of the case speak to your controls, including whether those controls were able to mitigate the concern.
If you take cash as a regular function of your business, talk about ways in which those transactions have been structured between branches, ATMs, accounts, and account owners. Talk about examples where your customer authentication controls failed or cases where a perpetrator attempted to social engineer information from your customer service staff. Discuss cases where a customer service agent was asked to explain the reason for a loan application denial.
Create an interactive conversation with the controls your institution deploys, and how they could potentially be improved. Making the content relevant and pertinent to an employee’s role will help to increase engagement in the material.
2. To catch a criminal…
Consider an exercise where you split your employees into “criminal masterminds” and control owners. Ask your “masterminds” to consider ways in which they could launder money through your organization, how they might breach your privacy controls, how they might complete an account takeover, initiate internal fraud, or how they might execute a cybersecurity attack. Ask your control owners how they might prevent, deter, or mitigate such events. You might find that this activity helps set the stage for performing a risk assessment.
3. Use gamification and achievement.
Most people love contests, points, achievements and the spirit of friendly competition, and people are often driven by the presence of a leaderboard. This could include a pre-test or post-test bonus for the highest scores across the organization.
4. Have your employees engage in role play.
There is nothing quite being in the shoes of your customer. Whether it’s a decline on a loan, a potentially fraudulent account, an unauthorized transaction, or a data security breach, it’s important to recognize how you might feel as a customer in certain situations. In most cases, the regulations, obligations, and the controls were created for the benefit of your institution’s customers. Why the regulation exists and how it was implemented in your institution are important concepts but recognizing how these efforts protect both the customer and the company often create an immersive “aha” moment. Being able to understand compliance obligations and operational best practices helps facilitate a “customer-champion” mentality in all communication.
5. Consider recognition and certification for high-performing employees.
Certification helps build professional credibility for your organization and your individual employees and recognizes skills and knowledge across associations and industries.
Recognition and certification also help to provide differentiating factors when thinking about raises, bonuses, and promotions (or requests for additional training).
Summary
We can’t expect employees to embrace compliance training when it feels repetitive, is unassociated with their function or role, and fails to materially add to their development or value at the company. While your current training program may check an annual box with your regulator, there is a valuable opportunity for Compliance and your lines of business to actively engage, discuss, and learn from each other during this period.
Turn “Mandatory Compliance Training” into “Employee Compliance Development” today!
Follow NAQF and Geoff Kreller on LinkedIn for additional insights. For more information on how NAQF can help your organization with annual compliance training requirements, contact us at contact@naqf.org.
