Key Insights from the “2025 OCEG™ Survey on the State of Compliance & Ethics Training, and how firms can build more effective, measurable and risk-based learning programmes

Compliance training is at a turning point, as for many organisations it has traditionally been treated as an annual requirement focused on assigning courses, monitoring completion, issuing certificates, and retaining evidence for audit or regulatory review. While this approach still plays an important role in demonstrating formal compliance, it is increasingly misaligned with the realities of modern risk environments, where regulators and stakeholders are placing greater emphasis on whether training genuinely influences behaviour, reduces risk, and strengthens ethical decision-making across the organisation.

The modern regulatory environment demands more, requiring firms to evidence not just that training has occurred, but that it delivers real improvements in competence, decision-making, controls, ethics, and risk outcomes.

The  2025 Survey on the State of Compliance & Ethics Training conducted by OCEG and sponsored by SAI360, provides timely insight into the current landscape of compliance and ethics training. Based on 347 qualified responses from GRC professionals involved in the design, delivery, or oversight of such programmes, the report highlights a critical challenge: organisations continue to prioritise measuring training activity over demonstrating real impact.

For regulated firms – including financial services organisations, professional services providers, and corporate groups operating across Europe, the UK, and international markets – this finding warrants serious reflection and, in many cases, a reassessment of current training approaches. Regulatory obligations continue to expand at pace across AML/CFT, sanctions, governance, conduct risk, market abuse, operational resilience, data protection, digital finance, ESG, outsourcing, cybersecurity, and financial crime prevention, creating an increasingly complex and interconnected compliance landscape.

In this context, compliance training is no longer simply a learning and development exercise.  It is a core element of governance effectiveness, risk management maturity, and organisational culture.

At EIMF, we see this shift reflected clearly in the evolving expectations of our clients and learners.  Organisations are increasingly seeking training that is not only practical, current, and role-specific, but also demonstrably effective and measurable in terms of outcomes. Professionals need more than awareness of regulatory requirements – they require the confidence, judgement, and competence to apply those expectations consistently in real-world, often high-pressure, situations.

Completion is not the same as effectiveness

Perhaps the most significant finding from the OCEG™ survey is the persistent gap between training activity and training effectiveness.

The survey found that 44% of respondents use employee feedback or surveys, 40% rely on knowledge assessments or quizzes, and 39% monitor completion rates and certifications. These are useful measures, but they mainly show whether people attended, completed or reacted positively to training. They do not necessarily show whether employees can apply what they have learned in practice.

By contrast, only 21% of respondents track behavioural metrics such as policy violations, disciplinary actions or incident rates, while 6% have no formal effectiveness assessment at all. The report warns that this can create a false sense of confidence: organisations may interpret high completion rates as evidence of effective training, even where underlying compliance behaviours remain unchanged.

This distinction is essential for regulated firms. A firm may be able to demonstrate that employees completed AML training, conduct risk training or governance training. But can it demonstrate that employees know when to escalate suspicious activity? Can managers recognise conflicts of interest? Can board members challenge risk information effectively? Can front office staff apply conduct standards in client interactions? Can operations and IT teams understand the compliance implications of outsourcing, cyber risk and operational resilience?

The next phase of compliance learning must therefore move beyond attendance and completion. Firms need to connect training to behavioural outcomes, risk indicators, audit findings, control weaknesses, complaints, escalation quality, incident trends and regulatory priorities.

This shift is reflected in EIMF’s approach to professional training, which places strong emphasis on practical application. Across our compliance, AML, risk, governance and financial regulation programmes, the objective is not only to transfer knowledge, but to help professionals apply that knowledge in their roles.

Time pressure remains the biggest barrier

The survey also highlights a very practical challenge: time. The report found that 36% of respondents identify competing priorities and time constraints as the primary barrier to training engagement, while 22% cite training content perceived as boring or irrelevant.

This is a familiar reality for firms. Compliance obligations are increasing, but professionals are already managing demanding workloads. Compliance officers, MLROs, risk managers, internal auditors, senior executives, board members, customer-facing teams, operations staff and technology teams all need continuous development, but their time is limited.

The answer is not simply to provide more training. The answer is to provide better designed training.

Effective compliance learning should be targeted, relevant and connected to day-to-day responsibilities. It should include short interventions, practical case studies, role-specific scenarios, live discussions, regulatory updates, workshops and focused refreshers. Training should help professionals perform their roles more effectively, rather than feeling like an additional administrative burden.

At EIMF, this is reflected in the way we structure our executive training and professional development programmes. Our live online, classroom and in-house formats allow firms and individuals to access focused learning in areas such as AML, compliance, governance, risk management, financial regulation, data protection, DORA, FinTech, ESG and corporate administration.

For firms, this creates an opportunity to build an annual learning plan that combines short CPD updates, targeted technical training, directors and management workshops and deeper professional development pathways.

Generic training is no longer fit for a risk-based world

Another major finding from the report is that generic training remains too common. The survey found that 28% of organisations use the same training approach for all employees regardless of location, role or risk level. Only 36% differentiate training by role, job function or department, while only 26% consider risk level in training design and delivery.

This is a significant concern. Risk does not arise equally across all roles. A board member, senior manager, compliance officer, AML analyst, relationship manager, portfolio manager, trader, internal auditor, corporate administrator, data protection officer and IT specialist do not face the same decisions or responsibilities.

A one-size-fits-all approach may be easier to administer, but it is rarely the most effective way to build competence.

A risk-based learning model should reflect the responsibilities of different groups:

•  Board members and senior executives need training on governance, accountability, oversight, risk appetite, culture and regulatory expectations

•  Compliance officers and MLROs need technical depth, practical interpretation, regulatory updates and the ability to advise the business.

•  AML and financial crime teams need specialised training on customer due diligence, enhanced due diligence, transaction monitoring, sanctions, suspicious activity reporting and typologies.

•  Front-office and client-facing staff need practical guidance on conduct risk, conflicts of interest, client communication, suitability, complaints and escalation.

•  Risk and internal audit teams need to understand control effectiveness, assurance, monitoring, testing and regulatory expectations

•  Operations, IT and outsourcing teams increasingly need training on operational resilience, cybersecurity, DORA, ICT risk, data governance and third-party risk.

•  Corporate administration and fiduciary professionals need training on governance records, filings, beneficial ownership, due diligence and compliance documentation.

This is where EIMF’s open courses and in-house training solutions work together. Open programmes support individual professionals and teams who need focused development in specific areas. In-house training allows organisations to tailor learning to their own structure, policies, procedures, products, clients, risk profile and regulatory obligations.

For firms that want to move away from generic annual training, customised in-house learning can be one of the most effective ways to turn compliance training into a practical risk management tool.

Managers and leaders need dedicated compliance learning

The report also draws attention to the importance of management-specific training. Some organisations still provide managers with the same training as other employees, while others offer only limited additional content. This is a missed opportunity.

Managers are central to compliance culture. They influence how policies are interpreted, how concerns are escalated, how commercial pressure is managed and how ethical behaviour is reinforced. Employees pay attention not only to what the training says, but to what managers prioritise, tolerate and reward.

This means managers need more than basic compliance awareness. They need to understand their role in setting expectations, identifying risks, supporting escalation, challenging poor behaviour and embedding controls in daily work.

Leadership development is therefore an important part of compliance effectiveness. Through its governance, risk, compliance and leadership-related programmes, EIMF supports the development of professionals expected to exercise sound judgement, effective oversight and meaningful accountability within increasingly complex regulatory environments.

Developing these capabilities often requires more than short-form technical training. Academic and longer-form programmes therefore play an important role in supporting deeper professional development and long-term capability across governance, risk and compliance functions. Firms increasingly need both.

Short courses help professionals stay current. Academic programmes help build long-term capability.  Firms need both.

Compliance training is now multidisciplinary

One of the most valuable insights in the OCEG™ report is that compliance training is no longer owned by one function alone. Respondents came from compliance and ethics, risk management, operations, legal, education and training, HR, internal audit, quality assurance and other specialist roles.

This reflects the reality of modern GRC. Effective compliance training requires a combination of regulatory knowledge, risk management, operational understanding, adult learning methodology, behavioural insight, governance awareness and technology awareness.

Compliance professionals may understand the regulations well but not always possess formal instructional design expertise. Learning and development teams may understand training methods but may need deeper regulatory context. Business managers understand where risks arise in practice but may need support translating that knowledge into learning objectives. Internal audit can identify recurring weaknesses that should inform training priorities. Senior management can connect learning to culture, accountability and strategy.

The strongest training programmes are therefore cross-functional. They bring together compliance, risk, legal, HR, internal audit, operations, technology and business leadership.

EIMF is well placed to support this multidisciplinary need because our work sits at the intersection of professional education, financial regulation, governance, risk, compliance, AML, corporate administration and executive development. Our programmes are designed not only for compliance teams, but also for directors, senior managers, risk professionals, internal auditors, financial services professionals, fund industry professionals, corporate administrators and other professionals operating in regulated environments.

AI in compliance training: opportunity, caution and human oversight

The survey also explores artificial intelligence. It found that 46% of organisations express substantial concerns about AI integration in compliance training, 42% are not currently using AI in their training programmes, and 24% identify employee distrust of AI-driven tools as a concern.

This caution is understandable. Compliance training deals with sensitive and high-consequence topics. Inaccurate or poorly contextualised training content can create regulatory, legal and reputational risk. Firms need to consider quality control, data protection, bias, transparency, employee trust and the appropriate level of human review.

At the same time, AI can support better learning when used responsibly. It can help develop draft scenarios, personalise learning pathways, analyse learning data, identify knowledge gaps, support content updates and provide targeted refreshers. It can also support more adaptive and engaging learning experiences.

The right approach is not to replace human expertise. The right approach is human-led, technology-enabled learning.

This is increasingly important for firms navigating digital transformation, operational resilience, RegTech, FinTech, ICT risk and AI-related regulation. EIMF’s training in areas such as AI Governance, DORA, ICT risk, FinTech regulation, cybersecurity, data protection and digital compliance can support professionals and firms as they consider both the opportunities and risks of technology adoption.

Keeping content current is now a compliance challenge

The report also identifies weaknesses in content management. Some organisations rely on ad hoc updates when regulations change, while others conduct annual content audits. In a fast-moving regulatory environment, this is often not enough.

Training content must remain current. It should reflect new legislation, regulatory guidance, supervisory priorities, enforcement trends, emerging risks and changes in business models.

This is especially important in areas such as AML/CFT, sanctions, digital operational resilience, crypto-assets, sustainable finance, outsourcing, cybersecurity, governance, data protection and conduct risk.

For firms, this means training should not be treated as a once-a-year exercise. It should be part of an ongoing compliance learning calendar. Regulatory updates, thematic workshops, technical refreshers and scenario-based sessions should be scheduled throughout the year and linked to the firm’s risk assessment, audit findings, compliance monitoring results and business developments.

EIMF supports this need through continuously updated executive training, specialist programmes, certification preparation and in-house training. Firms can use these solutions to keep teams informed, competent and ready to respond to regulatory change.

Certification matters but competence matters more

Certifications, completion records and assessments remain important. The OCEG™ report does not suggest otherwise. They provide evidence, structure and accountability. In regulated sectors, professional certifications and CPD are essential parts of maintaining competence.

However, certification should not be viewed as the final objective. It should be part of a broader professional development journey.

EIMF supports professionals preparing for regulatory and professional certifications, including AML-related certification preparation and anti-financial crime qualifications. As the ACAMS, AGRC and CISI accredited training partner in Cyprus, we also support professionals seeking to strengthen their anti-money laundering and financial crime prevention credentials.

But the aim is not only to pass an exam. The aim is to develop professionals who can apply their knowledge in complex, real-world situations.

This is why our certification preparation, executive training and academic programmes are complementary. Together, they support professional competence at different stages of a career.

In-house training: turning survey findings into firm-specific action

One of the strongest implications of the OCEG™ report is that firms need training that reflects their own risks. This is where in-house training can have significant impact.

Open courses are valuable for individual development, CPD and regulatory updates. But when a firm needs to address its own policies, procedures, client base, products, governance structure, risk appetite, control weaknesses or regulatory obligations, customised training is often more effective.

Through EIMF’s in-house training solutions, firms can design programmes for specific teams and functions, including:

•  board members and senior management;

•  compliance officers and MLROs;

•  AML and financial crime teams;

•  risk management and internal audit functions;

•  investment services professionals;

•  fund and asset management professionals;

•  payment and electronic money institution teams;

•  crypto and digital finance teams;

•  customer-facing staff;

•  operations, IT and outsourcing teams;

•  corporate administration and fiduciary teams.

This allows training to be aligned with the firm’s actual risk profile and operational reality. It also supports the move from generic training to targeted, role-based learning.

In-house training can also be used to respond to specific events, such as regulatory findings, internal audit observations, compliance monitoring results, policy changes, new product launches, business expansion, remediation projects or changes in legislation.

Academic programmes: building long-term GRC capability

The survey makes clear that compliance training has become a sophisticated discipline requiring diverse expertise. This cannot be addressed only through annual refreshers.

Firms also need long-term capability building. They need professionals who understand governance, risk, compliance, ethics, regulation, controls, culture and business operations.

In this context the EIMF Master in Governance, Risk and Compliance (MGRC) supports professionals who want to develop deeper capability in GRC and prepare for more senior responsibilities in GRC, financial services, governance and regulatory affairs. Our Diploma in Corporate Administration and Compliance is designed to strengthen practical skills for those working in corporate administration, governance support and compliance functions.

For employers, these programmes can support succession planning, talent development and the creation of stronger internal pipelines for compliance, risk, governance and corporate administration roles.

This is especially important at a time when firms need more skilled professionals who can operate across regulatory, operational and strategic dimensions.

Executive training: keeping professionals current

Alongside academic programmes, executive training remains essential. Regulatory change is constant, and firms need timely, practical and expert-led learning.

EIMF’s executive training portfolio supports professionals across compliance, AML, financial regulation, risk management, corporate governance, data protection, DORA, FinTech, ESG, internal audit and corporate administration.

Firms can use executive training to create structured development plans, including:

•  quarterly regulatory updates;

•  annual AML and financial crime refreshers;

•  board and senior management governance workshops;

•  conduct risk and consumer protection training;

•  DORA and operational resilience sessions;

•  sanctions and financial crime case studies;

•  ESG and sustainable finance training;

•  data protection and privacy updates;

•  internal audit and risk management development;

•  corporate administration and governance training.

This approach turns training from a reactive obligation into a planned professional development strategy.

A practical maturity roadmap for firms

The OCEG™ report proposes a strategic training maturity framework built around five priorities: transform measurement systems, address time constraints, implement role-specific customisation, optimise cross-functional collaboration and develop strategic AI adoption approaches.

Firms can use this as a practical roadmap.

•  First, review what is being measured. Completion rates should remain part of the evidence base, but firms should also assess application, behaviour, control outcomes and risk indicators.

•  Second, redesign training to respect time constraints. Programmes should be focused, relevant and practical.

•  Third, customise learning by role and risk. High-risk roles, senior managers and control functions should be prioritised.

•  Fourth, create cross-functional ownership. Compliance, risk, HR, legal, internal audit, business teams and senior management should all contribute.

•  Fifth, use technology and AI responsibly. AI should support learning design, analytics and personalisation, but expert oversight remains essential.

EIMF can support firms at each stage of this maturity journey through executive training, academic programmes, certification preparation and customised in-house solutions.

How EIMF can support firms

The OCEG™ survey provides a diagnosis. EIMF can help firms act on it.

We can support organisations in moving from activity-based training to impact-focused learning by designing programmes with clear learning outcomes, practical assessments and real-world application.

We can help firms move from generic annual training to role-specific learning pathways through customised in-house programmes.

We can support continuous professional development through executive courses, regulatory updates and specialist technical training.

We can help build long-term GRC capability through academic programmes such as the Master in Governance, Risk and Compliance and the Diploma in Corporate Administration

We can support professional certification and competence through AML, compliance, financial crime and regulatory certification preparation.

We can help firms address emerging areas such as DORA, FinTech regulation, data protection, ESG, operational resilience, AI, cybersecurity and digital compliance.

Most importantly, we can help firms treat compliance learning not as a one-off requirement, but as part of a wider governance, risk and compliance strategy.

Conclusion: from training records to training impact

The 2025 OCEG™ Compliance & Ethics Training Survey Report makes one message clear: compliance training must evolve.

Completion rates, attendance records and certificates remain necessary, but they are not enough. Firms need training that is measurable, practical, role-specific, current and

For regulated organisations, this is not only an L&D issue. It is a governance issue, a conduct issue, a risk management issue and a business resilience issue.

The firms that will be best prepared for the future are those that treat compliance learning as a strategic capability. They will measure impact, tailor training to risk, support managers as culture carriers, use technology responsibly and invest in long-term professional competence.

At EIMF, we see this shift clearly in the evolving needs of our clients and learners. Firms increasingly require training that is practical, current, role-specific and measurable. Professionals need more than awareness; they need the confidence and competence to apply regulatory expectations in real situations, exercise sound judgement and contribute meaningfully to stronger governance and compliance outcomes. Ultimately, effective professional education should help people think more critically, make better decisions and lead with confidence and integrity.

If you need any further information or advice, please do not hesitate to contact us at [email protected] or call us on +357 22 274470