Compliance Training & Competency
In a regulated business, knowing the rules that apply to your work is not optional. Being able to show that our people are trained and competent is itself a regulatory expectation. Keep your required training current, actually apply what it teaches, and treat "I didn't know" as a gap to close, not an excuse.
Regulators expect firms to make sure staff understand their obligations (AML, data protection, security, and role-specific rules) and to evidence that training happened. For engineers this is doubly true. We build the systems that enforce, or fail to enforce, compliance. So understanding why the rules exist makes us far less likely to design a violation by accident. Training is not a tick-box. It is how the standards in these guidelines stay in people's heads.
This connects Continuous Learning (keep skills current), Compliance by Design (apply it in what you build), and Auditability & Evidence (training records are evidence).
Stay trained and competent
- Always: Complete required compliance training (AML, GDPR/data protection, security) on time and keep it current. It is a condition of working in a regulated firm.
- Do: Actually apply what training teaches in your work. Understanding the reasons behind AML, privacy, and security rules helps you build them in correctly (see Compliance by Design, Security by Design).
- Do: Keep up with changes relevant to your role (regulatory updates, new threats). Competency is ongoing, not a one-off (see Regulatory Change Management, Continuous Learning).
- Do: Ask when you are unsure whether something is compliant. It is always better to check than to guess (see Speaking Up / Raising Concerns).
Treat it seriously
- Do: Recognise that training records are evidence we may need to show a regulator. Completing them accurately matters (see Auditability & Evidence).
- Do: Share knowledge: help colleagues (especially new or junior ones) understand the compliance context behind what we build (see Developer Onboarding, Collaboration).
- Avoid: Clicking through training without engaging. The point is competence, not just completion. You will be building the controls it describes.
- Never: Falsify training records, or claim competency or completion you do not have (see Professional Ethics & Integrity).
Self-review checklist
- Ask: Is my required compliance training up to date?
- Ask: Do I actually understand the AML, privacy, and security rules that apply to what I am building, enough to implement them correctly?
- Ask: Am I keeping up with changes relevant to my role?
- Ask: When unsure if something is compliant, do I check rather than guess?