It’s wrong but what can you do?


As recent legislation highlights the failings of the industry default employee T&C model, many compliance and risk professionals are increasingly feeling uncomfortable and questioning if there is a more authentic solution. One that promotes a genuine culture of compliance rather than a cynical box-ticking approach that alienates employees and management and is unnecessarily expensive.

Calling time on the tick-box compliance model?

As the regulator presses ahead with a cultural suitability agenda, many compliance and risk professionals reflect on the employee T&C regime in their firm and bemoan its role in landing a culture where the customer is genuinely at the centre of business decisions and employees are genuinely part of the first line of defence. Could it be that firms are finally calling time on the traditional tick-box compliance model?

“We have a model like most firms; where we do annual refresher training via e-learning, and employees get a test at the end of each module and get as many goes as they need to pass. Everybody knows it’s a pointless waste of time and is actually worse than useless, as it pi*%s everybody off and everybody blames compliance!”

This would be reflective of conversations I have every day with compliance professionals in financial services firms. This tick-box approach to compliance is the worst kept secret in the market!


A survey conducted by Elephants Don’t Forget in December 2021 – that was the trigger for this paper – concluded that, on average, firms in the sector issued 10 hours of mandated refresher training every year. Some firms chose to spread the “pain” over the year, others delivered it all in one month. In every instance it was a source of discontent in the business and invariably meant an administrative challenge of chasing down employees who had yet to comply, with increasing levels of threats.

Whilst this current industry default model might provide cosmetic evidence that employees are competent in-role, it certainly doesn’t meet any authentic test, arguably creates a false sense of security, and has a toxic impact on employee culture. Bold statement perhaps, but unlikely to see many disagreeing with it.

More recently, as wave after wave of more complex and far-reaching legislation breaks on the market, compliance professionals are increasingly uncomfortable and seeking a better model.

Pros and cons of the default approach

Charitably, let’s acknowledge the advantages of the current model. Apparently, it doesn’t cost a lot.

Now that we have comprehensively addressed the advantages, let’s unpick what’s wrong with the current default model!

Firstly, it is not fit for purpose. It fails in the most basic element. It does not deliver employees who are capable, competent and understand the respective legislation as it pertains to their role. It is unlikely that many who are reading this will disagree with this statement but, for those who do, perhaps understand how we know this to be undeniably true.

Last year we managed more than 100 million individual knowledge assessments, the majority in firms like yours with employees not dissimilar to yours. And the actual level of average competency was just 52%. In other words, on average, employees knew about half of what the law required them to know.

The idea that the regulator isn’t aware that the industry default T&C model is little more than a box-ticking exercise is fanciful. Obviously, the regulator is aware and, inevitably, more recent legislation will increasingly bring such practices under closer regulatory scrutiny; most compliance professionals recognise this. And it is these recent changes, SM&CR, the Conduct Rules and now the new Consumer Duty, that are catalytic for many SMF16s, 17s and 4s.

The failings of the default approach

The default, tick-box model doesn’t just fail to deliver against the primary purpose, it also has several unintended consequences.

Perhaps the most significant unintended consequence is that employees and line management resent it. Employees are generally not stupid; they recognise that this model doesn’t actually improve their knowledge and understanding of the legislation. They recognise they are just facilitating the ticking of a box.

Generally, this training is delivered every year, regardless of the individual employee’s actual subject-matter knowledge and competency. So, not only is the current approach not fit for purpose, but it also alienates and disenfranchises employees. Many firms admit that in the annual employee engagement survey, questions around training and development score poorly, and many point to their firm’s approach to regulatory training as a driver of that sentiment.

If one stops and considers the extent to which an employee’s life outside of work is almost entirely personalised and contrasts this with how your firm (probably) treats refresher training, it couldn’t be much further apart. No wonder firms are reporting large scale employee compliance fatigue.

In addition to disenfranchising the workforce, the current model is actually quite expensive. Not perhaps in terms of the physical costs of sourcing and distributing the training (often via e-learning), rather in the lost productive time that annual refresher training drives.

“If you conservatively estimated that the average fully costed hourly rate of an employee in the sector was just £30, then 10 hours a year is costing the firm £300 an employee. And this is only the direct costs, it entirely ignores the lost opportunity cost of those 10 hours per employee, when they would otherwise be doing productive revenue-generating work.”

To be clear, I am not advocating that firms should cease annual refresher training to reduce these costs. On the contrary, I am advocating there is a much smarter model that has a far lower impact on employee lost time.

The other obvious downfall of the current model – despite the widespread acceptance of its failings – is that it tends to provide management and C-Suite with a false sense of security. How can your first line of defence be anything other than weak if your employees know half of what you and the regulator needs them to know to optimally perform their role?

It is no wonder that IT professionals report that 95% of cyber security breaches are the direct result of human error, with employees failing to do what they have been trained to do.[v] The thing is, the nature of the beast means that the consequences of an employee getting a cyber hack response wrong are usually obvious and relatively quickly identified. When your employees fail to spot a vulnerable customer, don’t give the correct investment advice, fail to diligently apply KYC rules, get essential procedures wrong, etc., the consequences may never be noticed until it is too late.

Conclusion: what’s the alternative?

If, as I purport, the current model is so obviously flawed, why haven’t the great and good in the sector dumped it for an alternative? It is a fair question with no single simple answer.

In some instances, firms might not have bought into the benefits of embracing the spirit and letter of regulation. In others, it might just be an issue of bad corporate timing, senior personnel being scheduled to retire, etc. I would like to think that in the vast majority of cases it’s more a function of firms not realising a better tried and tested model exists; one that is actually cheaper than the existing model.

The alternative uses Artificial Intelligence (AI) to assess every employee gently, continually, in the flow of their daily work, taking little more than a minute of their working day. The AI enables you to treat every single employee as an individual, establish strengths and weaknesses, and (with no human intervention) gently repair every employee’s individual knowledge and competency gaps.

The outcome is that, over time, we financially guarantee that every employee in your firm will learn and retain what you need them to know to become competent in-role. We will also provide independent, granular evidence of this fact, warranted accurate, should the regulator require it at any time.

A by-product of our approach is that, on average, firms reduce the amount of refresher training delivered each year by 50%. In addition, those who have employees that require CPD credits harvest at least 4 hours of high-quality, independently verified CPD per employee, per annum. What’s more, research shows that 9/10 employees prefer this approach to the default model.

With the regulator rightly focused on the culture of a firm – rather than counting ticks in boxes – a continual assessment methodology that delivers authentically against the legal requirements – and is preferred by the employees – is understandably a step in the right direction for a genuine culture of compliance. If your employees genuinely know what they have been trained and can translate this to in-role competence, your current illusion of a first line of defence becomes a reality. It all sounds too good to be true. Of course, it is; if all your firm is seeking is a cheaper and faster way to tick a box.

The downside of any successful AI deployment is that it cannot be “done to” the employee base. It must be embraced and for that to happen it must be owned by the executive of that business and communicated and lived by the management. And any employee non-participation must be called out and dealt with immediately. Similarly, the organisation must be prepared to deal with the truth as it becomes known and not brush it under the carpet but deal with it in a timely and professional manner.

“Example: learning that the average level of employee competence with regards to vulnerable customer legislation is just 35% would necessitate immediate intervention and retraining of all those employees presenting less than perhaps 60% competence. That will cost time and money. But it is undeniably the correct action to take. Some firms might prefer not to know…”

It may be a complete coincidence, but our client list, whilst diverse in industry and scale, shares a common theme. Reputation was hard won and fiercely guarded, where employee satisfaction is important and positive culture an endless journey, not another box to tick.

Elephants Don’t Forget are world leaders in the use of Artificial Intelligence to improve and deliver best-in-class evidence of employee regulatory compliance.


[i] Elephants Don’t Forget, ‘Culture Measurement – Help is here’, webinar available here:

[ii] Elephants Don’t Forget, ‘Avoiding Conduct and Culture Fatigue’, webinar available here:

[iii] Elephants Don’t Forget, ‘Redefining your approach to vulnerable customers in 2022’, webinar available here:

[iv] Elephants Don’t Forget, ‘Duty Calls: Complying with higher standards of consumer protection’, webinar available here:

[v] Cyber Solutions, ‘15 Alarming Cyber Security Facts and Stats’, available here:


About Author


Adrian Harvey is CEO at Elephants Don’t Forget. Elephants Don’t Forget are world leaders in the use of Artificial Intelligence to augment how each employee learns, retains and evidences in-role knowledge and competency. We support employee competency and compliance training of some of the world’s most recognised brands including Microsoft, Vodafone, Experian, Allianz, Old Mutual, Aviva, Eon and Volvo.
