Last year, CySEC handed out millions in fines, with anti-money laundering and sanctions controls named specifically as an enforcement priority. Conotoxia had its license suspended over AML directive breaches. Many other firms were fined for AML shortcomings. None of these firms set out to break the rules. In almost every case on record, the failure traces back to something more mundane: staff who didn't fully understand what the current rules required.That's the part of the compliance conversation that tends to get skipped. Everyone talks about fines as a line item. Almost nobody talks about training as the thing that would have prevented them.Where the failures come fromLook at the pattern behind AML enforcement globally, not just in Cyprus. Inadequate customer due diligence, missed suspicious activity reports, transaction monitoring systems nobody configured properly for a new product line. These aren't usually technology failures. They're knowledge failures, sitting downstream of someone who either never learned the current framework or learned it years ago and never updated it. CySEC's 2025 supervisory report specifically flagged AML/CFT controls, sanctions compliance, and governance as areas of concentrated risk, which is regulatory language for "this is where firms keep getting it wrong."The 2025 sanctions regime overhaul is a useful example of how fast the ground moves under compliance teams. Since August last year, sanctions breaches in Cyprus became a criminal offence, not just a regulatory one, following the implementation of EU Directive 2024/1226. A compliance officer trained on the old civil-penalty framework and never updated is now operating with a dangerously outdated picture of their own personal exposure, not just the firm's.What untrained staff costThe direct fine is rarely the biggest number. Firms with a public enforcement history struggle to maintain banking relationships, since correspondent banks increasingly run their own due diligence on a regulated firm's compliance track record before extending or renewing services. A firm flagged for AML deficiencies doesn't just pay CySEC. It pays again in slower banking relationships, harder-won institutional partnerships, and investors who ask uncomfortable questions during due diligence.There's a personnel cost too, and it's becoming more direct. Regulators globally have shifted toward holding individuals, not just institutions, accountable for compliance failures. Executives and compliance officers who knowingly ignored or should have caught a control failure are increasingly named in enforcement actions and, in some jurisdictions, banned from working in the sector for years. Singapore's Monetary Authority issued prohibition orders against individuals over a 2023 case, barring them from capital markets work for three to six years. That pattern is spreading. A compliance officer who never received proper AML training isn't shielded by that gap. If anything, "we didn't train our staff" is close to the worst possible answer a firm can give a regulator conducting a post-failure review.Why this connects back to CPDThis is precisely the gap CySEC's Continuous Professional Development requirement is designed to close. It isn't a bureaucratic hoop. It's the regulator's mechanism for forcing firms to keep their people current on a framework that keeps changing, specifically because outdated knowledge has a demonstrated track record of producing exactly the failures CySEC keeps fining people for. The AML certification's CPD hours have to map to the current legislative framework for a reason: generic training doesn't catch a compliance officer up on a sanctions regime that changed its criminal exposure eight months ago. This is where FM Academy comes in, with a robust suite of CPD courses on offer.Firms that treat CPD as a box to tick, sourcing whatever cheap generic course gets a certificate stamped by December 31, are missing the actual point of the requirement. The hours exist because the alternative, someone operating on a five-year-old understanding of AML obligations, is measurably how firms end up in enforcement reports.The real calculationWeigh the cost of a properly resourced, accredited CPD program against a single enforcement action. For example, a €40,000 fine alone would fund years of accredited training for an entire compliance team. That's before counting legal fees, the reputational hit, the banking relationship strain, or the possibility of personal liability for the compliance officer who signed off on a process nobody had properly trained them to run.Poor compliance training doesn't show up as its own line item on a firm's books. It shows up quietly, in a control failure eighteen months later, in a fine that gets reported with the firm's name attached, in a correspondent bank's risk committee asking harder questions than they used to. The cost is real. It's just deferred, and deferred costs are the ones that catch finance leaders off guard. See what FM Academy .This article was written by Finance Magnates Staff at www.financemagnates.com.