Skip to content
CityLearning
Guide

How to build a compliance training plan that stands up to the FCA

A practical, step-by-step approach to mapping mandatory training to roles and risk, and evidencing it to the regulator.

By Margaret Hassett

A compliance training plan stands up to the FCA when it is built in five steps: map every regulatory obligation that applies to your firm, match those obligations to role groups, set a frequency tied to risk, evidence completion with time-stamped records, and review the plan whenever the rules change.

Most regulated firms know they need compliance training. Far fewer can show, on demand, that the right people completed the right training at the right time. When the FCA asks how you know your staff understand their obligations, a stack of completion certificates will not answer the question, but a documented training plan will.

This guide sets out how to build one that maps to roles and risk, and produces the evidence a supervisor expects to see.

Step 1: How do you map your firm’s regulatory obligations?

Start with the regulatory obligations that apply to your firm: the Senior Managers and Certification Regime, Consumer Duty, the Money Laundering Regulations, market abuse, data protection. List each obligation and write down who it applies to. That list is the foundation of the plan.

A common mistake is to begin with a course catalogue and work backwards. Start from the obligations instead:

  1. Identify the regulatory regime you operate under (for most, the FCA Handbook and the Senior Managers and Certification Regime).
  2. Add the sector-specific rules: Consumer Duty for retail firms, the Money Laundering Regulations for firms in scope, and market abuse rules for those handling inside information.
  3. Add the cross-cutting law that applies regardless of sector: data protection, anti-bribery, whistleblowing.

For each obligation, note who it applies to.

Step 2: How do you map compliance training to roles and risk?

Build a role matrix that assigns mandatory modules to each group based on the obligations that apply. Not everyone needs everything, and a blanket approach wastes learner time and is hard to defend as proportionate.

Build the matrix like this:

  1. List your role groups: for example, all staff, customer-facing staff, certified persons, senior managers, and higher-risk functions such as onboarding or payments.
  2. Assign mandatory modules to each group. All staff might take data protection, anti-bribery and an information-security refresher. Customer-facing staff add Consumer Duty and vulnerable-customers training. Certified persons add the Conduct Rules at the appropriate tier.
  3. Layer training on risk. Where a role carries elevated financial-crime risk, add anti-money-laundering and sanctions modules, and consider a higher frequency.

The result is a statement you can defend to a supervisor: this person, in this role, completes these modules because of these obligations.

Step 3: How often should compliance training be completed?

Let risk drive the frequency. Annual refresher training is the baseline for general awareness modules. Role-critical training such as the Conduct Rules or anti-money laundering should be assigned on joining, then refreshed annually. Event-driven updates should happen whenever the rules change, an incident occurs, or someone changes role.

Set the cadence in tiers:

  1. Annual for general awareness modules across the firm.
  2. On joining, then annually for role-critical training such as the Conduct Rules or anti-money laundering.
  3. Event-driven when the rules change, when an incident reveals a gap, or when someone changes role.

Record the reasoning behind each frequency. Being able to explain why you chose it carries far more weight with a supervisor than the number on its own.

Step 4: What completion evidence does the FCA expect?

The FCA expects time-stamped records showing who was assigned which training, when they completed it, and which version of the course they took. Summary completion percentages are not enough on their own. A plan is only as good as the records behind it, so make the evidence easy to produce.

You should be able to produce, quickly and without a project:

  1. Who was assigned what, and why.
  2. Completion status and dates, including overdue learners.
  3. A clear audit trail when training was added or updated in response to regulatory change.

A platform matters most here. Chasing completions through spreadsheets and email does not scale, and it leaves gaps exactly where you can least afford them. Reporting that shows assignment, completion and follow-up in a single view replaces guesswork with evidence.

Step 5: How often should a compliance training plan be reviewed?

Review the plan at least annually, and whenever the regulatory perimeter shifts. New obligations, restructures, role changes and internal incidents all change who needs what training. Give the plan a named owner and keep it under regular review.

A review comes down to three questions:

  1. Have new obligations appeared? Consumer Duty and operational-resilience expectations are recent reminders that the perimeter moves.
  2. Have role groups changed? Growth, restructures and new products all change who needs what.
  3. Did anything go wrong? Complaints, near-misses and audit findings are the best guide to where training needs strengthening.

Done well, a training plan is the simplest way to answer the regulator’s toughest question, and to know for yourself that your people are equipped to do the right thing.

Common questions about building a compliance training plan

How do you build a compliance training plan for an FCA-regulated firm? Start by mapping every regulatory obligation that applies to your firm and the roles it touches. Build a matrix assigning mandatory modules to role groups. Set a frequency tied to risk: annual for most topics, and more frequent for high-risk roles. Then record completion evidence that shows who was trained on what, and when.

What should a compliance training plan include? A compliance training plan should list every regulatory obligation that applies to the firm, map those obligations to role groups, assign the relevant modules to each group, set a review frequency tied to risk, and specify how completion will be evidenced. The plan should be defensible to the FCA and grounded in the firm’s obligations.

How often should compliance training be refreshed? Annual refreshers are the norm for general awareness modules. Role-critical training such as AML or SM&CR Conduct Rules should be assigned on joining and refreshed annually. Event-driven updates, triggered by a regulatory change, internal incident or role change, should sit alongside the annual cycle.

How do you evidence a compliance training plan to the FCA? Firms must be able to show who was assigned what training and why, completion status and dates (including overdue learners), and a clear audit trail when training was updated in response to regulatory change. Time-stamped completion records that identify the learner, module, version and date are what supervisors look for.


CityLearning provides modular, sector-tailored compliance eLearning for UK regulated firms, updated annually and delivered with reporting built for evidencing training to the FCA. Request a demo to see how it maps to your training plan.

Keep your firm ahead of regulatory change

Book a short demo to see how CityLearning keeps your training current and your evidence audit-ready.