3 seats free. No card. Upgrade per seat as you grow.
Free forever for teams up to 3 seats.
Your newest hires learned from YouTube, not textbooks. Here's why your training is failing them.
Free download. No credit card required.
A field guide for VPs of Compliance and Directors of Internal Audit · 2026
Annual recertification produces a completion record. The exam team and internal audit ask a different question: did the policy stick on the day it mattered? The completion record cannot answer that. This paper covers why, what the artifact your audit team actually wants looks like, and how to produce it using the documents you already maintain — without uploading anything sensitive to evaluate the approach.
In short: “Training was completed” is an output. “Training was retained” is an outcome. Your auditor is asking about outcomes.
Most compliance directors have seen a training-effectiveness finding in a recent exam. The language varies by regulator — OCC, FDIC, Fed, FDA, Joint Commission, state DOI — but the underlying question is the same:
“We see the training was assigned and completed. How do you know the policy was retained on the day the front-line employee needed it?”
The honest answer at most institutions is: we do not know. We have a completion record. We have an end-of-module knowledge check from the day of training. We do not have a measurement that survived to month six.
This is not a minor finding. It is the finding the regulator returns to because the institution returned to the same answer.
In short: Memory has a half-life. Annual cycles fall on the wrong side of it.
The forgetting curve is one of the longest-running findings in cognitive science. Ebbinghaus first published it in 1885: in the absence of practice, recall of unfamiliar material drops to ~30% within 24 hours and ~10% within a month. The shape has been confirmed repeatedly in modern corporate contexts (Cepeda et al., Psychological Bulletin, 2006; Roediger & Karpicke, 2006).
The implication for an annual recertification program is straightforward. The employee scored well on the end-of-module check in May. By November, the same employee would likely score in the 30-40% range on the same content — not because they are not capable, but because recall without practice decays. The annual cycle measures the wrong moment.
Spaced retrieval — short, frequent practice attempts spaced out over time — reverses the curve. Cepeda 2006 documented a ~2× retention improvement over equivalent-time cramming in well-controlled studies. The mechanism is the practice itself, not the content.
In short: A per-role record of percent correct over time, on the specific policies that matter.
The artifact a regulator finds satisfying is not a single mastery percentage on a scorecard. It is a record that lets the auditor answer three questions for any policy under review:
This is not an official certification of competence — nothing a vendor delivers can produce that conclusion on its own; that determination belongs to your audit team and to the regulator. What it is, is the data your audit team can stand on when the question arrives.
In short: Daily 60-second drills, built from the policies you already maintain.
Compliance training does not need a new theory. It needs a different rhythm. Daily 60-second drills tied to short passages of your existing policies produce the spaced retrieval the science calls for, without requiring a re-author of your training stack.
The practice layer is not a replacement for your LMS. The LMS continues to deliver annual recertification and produce completion records. The practice layer runs in the months between recertifications. When the policy changes mid-year, the practice layer reflects the change the next morning — not in the next annual cycle.
For most compliance programs the completion record is already in place. What the training-effectiveness finding asks for is the evidence of retention the completion record cannot show. The practice layer is built to produce exactly that, and the determination of whether it satisfies the finding stays with your audit team and your examiner.
In short: Open the heatmap. Read the columns. Pick one intervention.
The day-to-day administrative pattern is short:
This is the workflow that produces the look-back evidence the auditor asks for. The artifact is generated as a side effect of the practice.
In short: Drop a FFIEC manual section. See exactly what your front line would see.
Compliance directors do not upload internal policies to unvetted vendors. You do not need to.
The drill loop works identically on public material. A FFIEC BSA/AML examination manual section, a recent FinCEN advisory, a Joint Commission survey readiness guide, a CFR section, an OCC bulletin — any of these can be the test document. The drill set generated from a public document gives you the visual artifact the exam team would see; the question of whether your internal policies would generate equivalent drill sets is largely a function of how cleanly your policies are written.
If the five-minute test with a public document reads as useful, our recommendation is to complete a vendor security questionnaire (we turn one around in 5 business days) before uploading any internal material.
In short: Honest answers to the three questions every compliance director asks.
“We already have an LMS. Why add another tool?” You do not replace the LMS. The LMS is the system of record for assignment and completion — required for the audit-trail dimension. The practice layer sits alongside, producing the retention evidence the LMS was not built to surface. Most customers run both.
“What about SOC 2, audit-log retention, data residency?” HeyLoopy is built on SOC 2 Type II-certified AWS infrastructure following SOC 2-aligned controls (we are not ourselves SOC 2 certified today). Customer data lives in AWS us-east-1; EU/UK transfers are governed by Standard Contractual Clauses in our DPA. AES-256 at rest, TLS for all customer-facing traffic, vendor security questionnaire completion within 5 business days. Full posture on the trust page.
“HIPAA and BAA?” HeyLoopy processes SOPs and procedural training content, not Protected Health Information. We do not store PHI and do not offer a Business Associate Agreement. For healthcare-vertical compliance customers, the practice content is the bundle/protocol/policy; patient data stays in your EHR.
In short: Sign up free, drop a public reference document, take a drill yourself.
The simplest evaluation path is the one we offer to every regulated-audit prospect: sign up at heyloopy.com (three seats free, no credit card), drop a FFIEC manual section or recent OCC bulletin into the chat with Loopy, and answer the first drill yourself. Five minutes from signup to a working module.
If that experience reads as useful for your context, the next conversations are about scope (which policies, which roles), procurement (DPA, VSQ, MSA), and rollout sequencing.
To get started: heyloopy.com/signup, or email support@heyloopy.com directly.
3 seats free · no card · first drill in five minutes