AI assistant — not human

MNPI protection + information barriers + FINRA compliance + 17a-4 retention. Regulated-industry rollout methodology.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Financial services Copilot deployment requires SOC 2 Type II + MNPI protection + information barriers + FINRA compliance + 17a-4 retention (broker-dealers) + Communication Compliance + audit trails. MNPI protection uses sensitivity labels + Purview classifiers + DLP + information barriers + Copilot Restrict Access. Information barriers segment M&A vs public-side, research vs banking, trading vs corp finance. FINRA guidance: AI must be in supervisory system, customer-facing content requires supervision. EPC Group Financial Services Copilot: SOC 2 Readiness $35K + MNPI Design $75K + Foundation Hardening $125K + Rollout $150K-$400K = $435K-$685K year-1.
Yes, with proper controls. Microsoft Copilot is deployed across investment banks, wealth managers, insurance carriers, and asset managers. Required controls before rollout: (1) SOC 2 Type II auditable configuration. (2) MNPI (material non-public information) protection via sensitivity labels + DLP + Insider Risk. (3) Information barriers for M&A / research / trading / private-side / public-side separation. (4) Communication Compliance for FINRA + SEC oversight. (5) Retention policies per SEC 17a-4 (broker-dealers) + 204-2 (investment advisers). (6) Audit trail configuration + tamper-proof storage. Financial services Copilot rollout typically takes 20-32 weeks + $300K-$800K.
Material Non-Public Information (MNPI) — inside information that would affect a security's price if disclosed. MNPI protection layers for Copilot: (1) Sensitivity labels — MNPI content labeled "Highly Confidential — MNPI" with encryption + audit + expiry. (2) Auto-classification — Purview trainable classifier detects MNPI patterns (M&A deal names, earnings before-earnings, product launch details). (3) DLP policies — block MNPI content from being sent to unauthorized recipients or non-approved channels. (4) Information barriers — prevent MNPI-cleared users from responding to Copilot queries from non-cleared users. (5) Copilot Restrict Access — hide MNPI SharePoint sites from Copilot general query surface.
Information barriers are policy-controlled restrictions preventing communication + collaboration between defined user groups. Financial services use cases: (1) M&A team vs public-side employees during active deals. (2) Research analysts vs investment bankers (Chinese wall for SEC compliance). (3) Trading desk vs corporate finance vs equity research. (4) Wealth management household separation. (5) Insider trading list vs general employees. Information barriers block: (1) Teams chat + calls between segmented groups. (2) SharePoint site access across boundaries. (3) OneDrive sharing across boundaries. (4) Copilot query surface — cleared user cannot pull data from other side of barrier. Implementation: Microsoft 365 E5 + Insider Risk add-on.
SEC Rule 17a-4 requires broker-dealers to preserve records for specified periods (3 years, 6 years, permanent, depending on record type) in write-once-read-many (WORM) format. Microsoft 365 Compliance implementation: (1) Retention policies applied to Exchange + SharePoint + OneDrive + Teams + Yammer/Viva. (2) Preservation Lock on retention policies (immutable, cannot be reduced). (3) Communication Compliance monitors employee communications for policy violations. (4) eDiscovery Premium for regulatory production requests. (5) 17a-4-compliant email archival via M365 with third-party WORM storage attestation. Broker-dealers deploying Copilot must extend 17a-4 compliance to Copilot generation + prompts + responses.
FINRA guidance on AI (as of 2026): (1) Firms must include AI in supervisory system per FINRA Rule 3110. (2) AI-generated content sent to customers must satisfy Rule 2210 (communications with the public) — approved, retained, supervised. (3) AI in trading + investment decisions requires vetting per Rule 3120. (4) AI in customer service + compliance monitoring requires audit trails. (5) FINRA Report on AI (June 2024) flagged risks: bias, hallucination, over-reliance, novel financial instrument disclosure. Copilot use case implications: internal productivity is largely uncontroversial; customer-facing content requires supervision workflow.
SOC 2 Type II auditors evaluate Copilot deployment against Trust Services Criteria: (1) Security — access controls + encryption + change management. (2) Availability — service uptime + incident response. (3) Confidentiality — data protection + sensitivity labels. (4) Processing Integrity — audit trails + authorization workflows. (5) Privacy — customer data processing + GDPR/CCPA alignment. Firms adding Copilot to SOC 2 scope must document: (1) Copilot licensing + purpose. (2) Data flow map (what customer data does Copilot access). (3) Access controls + user permissions. (4) Audit trail configuration. (5) Change management for prompt + configuration updates. (6) Incident response for AI-related issues.
EPC Group Financial Services Copilot methodology: (1) SOC 2 + FINRA Readiness Assessment ($35K, 4 weeks) — 12-gap + financial-services-specific controls audit. (2) MNPI + Information Barriers Design ($75K, 6 weeks) — sensitivity label taxonomy + Purview classifier + information barrier policy design. (3) Foundation Hardening ($125K, 10 weeks) — deployment of MNPI + information barriers + Communication Compliance + retention. (4) Copilot Pilot ($50K, 4 weeks) — 200-user pilot with segmented cohorts (research, banking, corporate). (5) Full Rollout + Governance ($150K-$400K, 20-32 weeks). Total year-1: $435K-$685K + Copilot licenses. Deep experience with wealth managers, insurance, community banks, RIAs.
$35K/4wk 12-gap + financial-services-specific audit. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day