About EPC Group

EPC Group is a Microsoft consulting firm founded in 1997 (originally Enterprise Project Consulting, renamed EPC Group in 2005). 29 years of enterprise Microsoft consulting experience. EPC Group historically held the distinction of being the oldest continuous Microsoft Gold Partner in North America from 2016 until the program's retirement. Because Microsoft officially deprecated the Gold/Silver tiering framework, EPC Group transitioned to the modern Microsoft Solutions Partner ecosystem and currently holds the core Microsoft Solutions Partner designations.

Headquartered at 4900 Woodway Drive, Suite 830, Houston, TX 77056. Public clients include NASA, FBI, Federal Reserve, Pentagon, United Airlines, PepsiCo, Nike, and Northrop Grumman. 6,500+ SharePoint implementations, 1,500+ Power BI deployments, 500+ Microsoft Fabric implementations, 70+ Fortune 500 organizations served, 11,000+ enterprise engagements, 200+ Microsoft Power BI and Microsoft 365 consultants on staff.

About Errin O'Connor

Errin O'Connor is the Founder, CEO, and Chief AI Architect of EPC Group. Microsoft MVP multiple years, first awarded 2003. 4× Microsoft Press bestselling author of Windows SharePoint Services 3.0 Inside Out (MS Press 2007), Microsoft SharePoint Foundation 2010 Inside Out (MS Press 2011), SharePoint 2013 Field Guide (Sams/Pearson 2014), and Microsoft Power BI Dashboards Step by Step (MS Press 2018).

Original SharePoint Beta Team member (Project Tahoe). Original Power BI Beta Team member (Project Crescent). FedRAMP framework contributor. Worked with U.S. CIO Vivek Kundra on the Obama administration's 25-Point Plan to reform federal IT, and with NASA CIO Chris Kemp as Lead Architect on the NASA Nebula Cloud project. Speaker at Microsoft Ignite, SharePoint Conference, KMWorld, and DATAVERSITY.

© 2026 EPC Group. All rights reserved. Microsoft, SharePoint, Power BI, Azure, Microsoft 365, Microsoft Copilot, Microsoft Fabric, and Microsoft Dynamics 365 are trademarks of the Microsoft group of companies.

FINRA + SEC Microsoft Copilot Controls Checklist (2026)

The 38-control buyer's checklist for FINRA-regulated broker-dealers + SEC-registered RIAs deploying Microsoft 365 Copilot. SEC 17a-4, FINRA Rule 4511, Reg BI, NIST CSF mapping. Built from financial services Copilot rollouts.

Errin O'Connor, CEO & Chief AI Architect • May 20, 2026 • 11 min read

Tags: FINRA, SEC, Microsoft 365 Copilot, Financial Services, Reg BI, Compliance, MNPI, Communication Compliance, Purview

FINRA + SEC Microsoft Copilot Controls Checklist

The 38-control checklist for FINRA-regulated broker-dealers + SEC-registered investment advisers (RIAs) deploying Microsoft 365 Copilot. Use as a procurement + readiness gating tool.

Scope reminder. This checklist applies to Microsoft 365 tenants where Copilot may be exposed to MNPI (material non-public information), client trading data, suitability records, communications with retail customers, or other FINRA/SEC-regulated content. Coordinate with your compliance officer + outside counsel.

Quick Answer

FINRA + SEC Microsoft Copilot deployment requires controls across 8 families: communications surveillance (FINRA Rule 3110), books and records (SEC 17a-4 + FINRA 4511), supervision (FINRA 3110), customer best interest (Reg BI for broker-dealers; fiduciary duty for RIAs), cybersecurity (Reg S-P + Reg SCI), records retention (6-7 years), MNPI handling, and AML/KYC.

The 38-Control Checklist

Family 1: Communications Surveillance (FINRA Rule 3110, 3120) — 6 controls

  • ☐ 1. Microsoft Purview Communication Compliance policy: ALL Copilot prompts + responses scanned
  • ☐ 2. Policy: outbound customer communications (email, Teams chat) scanned for suitability red flags
  • ☐ 3. Policy: internal-only Copilot responses to customer-facing employees scanned
  • ☐ 4. Reviewer assignment: Chief Compliance Officer + named supervisor team
  • ☐ 5. Remediation SLA: 24 hours for surveillance hit
  • ☐ 6. Quarterly false-positive tuning + supervisor calibration session

Family 2: Books and Records (SEC 17a-4 + FINRA Rule 4511) — 6 controls

  • ☐ 7. Microsoft Purview Audit (Premium) enabled with 10-year retention
  • ☐ 8. Audit log streaming to WORM-compliant storage (Azure Immutable Storage or 3rd-party)
  • ☐ 9. Microsoft 365 Copilot interaction audit: prompts, responses, grounding sources
  • ☐ 10. Retention label R-7 applied to all customer-facing Copilot outputs
  • ☐ 11. Litigation hold capability for customer-specific data
  • ☐ 12. Annual records retention attestation by named officer

Family 3: Supervision Framework (FINRA Rule 3110) — 5 controls

  • ☐ 13. Written supervisory procedures (WSP) updated to reference Microsoft Copilot
  • ☐ 14. Designated principal for Copilot oversight (registered + named)
  • ☐ 15. Annual Copilot supervision certification by CCO
  • ☐ 16. Branch office supervision policy includes Copilot use cases
  • ☐ 17. Heightened supervision for high-risk personas (registered reps, traders)

Family 4: Best Interest / Fiduciary (Reg BI for BDs; Investment Advisers Act for RIAs) — 4 controls

  • ☐ 18. Copilot use case approval list (which personas use Copilot for which workflows)
  • ☐ 19. Suitability decision documentation: Copilot must not be the sole basis for recommendation
  • ☐ 20. Customer disclosure: AI assistance used in operations (if material)
  • ☐ 21. Conflict of interest review: Copilot prompts not steered toward proprietary product

Family 5: Cybersecurity (Reg S-P + Reg SCI for SROs) — 6 controls

  • ☐ 22. Conditional Access: Copilot access requires phishing-resistant MFA
  • ☐ 23. Microsoft Defender for Cloud Apps anomaly alerts
  • ☐ 24. Information Barrier policy: research vs investment banking (where applicable)
  • ☐ 25. Microsoft Sentinel financial-services analytics rules
  • ☐ 26. Annual penetration test scope includes Copilot
  • ☐ 27. Incident response playbook updated for Copilot-specific scenarios

Family 6: MNPI Handling — 4 controls

  • ☐ 28. Sensitivity label "MNPI-Restricted" with encryption + do-not-forward
  • ☐ 29. Restricted SharePoint Search excludes MNPI sites from Copilot grounding
  • ☐ 30. DLP for Copilot: blocks MNPI keywords + ticker symbols in M&A pipeline
  • ☐ 31. Quarterly MNPI exposure review with named reviewers
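Controls 9 and 29-31 can be evidenced from the Purview audit export instead of by hand. The script below is an added example, not EPC Group's or Microsoft's code: it reads CopilotInteraction records, flags any interaction grounded on MNPI-labelled content or on an MNPI site, and lists records that cannot evidence prompt, response and grounding. The record layout (AuditData as a JSON string holding CopilotEventData with Messages and AccessedResources), the site URL and the label GUID are assumptions; verify the field names against a real export.

```python
import json
# Added example, not EPC Group's or Microsoft's code. The CopilotInteraction layout used
# here (AuditData JSON holding CopilotEventData.Messages/AccessedResources) is an assumption.
MNPI_SITES = {"https://contoso.sharepoint.com/sites/MA-Pipeline"}  # constructed
MNPI_LABEL_ID = "11111111-2222-3333-4444-555555555555"  # constructed label GUID

def _row(user, when, event, rtype="CopilotInteraction"):
    """One row in the shape of a unified audit log export (constructed, assumed layout)."""
    return {"RecordType": rtype, "UserId": user, "CreationDate": when,
            "AuditData": json.dumps({"CopilotEventData": event})}

AUDIT_EXPORT = [  # constructed sample records, not real tenant data
    _row("rep1@contoso.com", "2026-05-18T14:02:11Z", {"AppHost": "Word",
         "Messages": [{"Id": "m1", "isPrompt": True}, {"Id": "m2", "isPrompt": False}],
         "AccessedResources": [{"Id": "https://contoso.sharepoint.com/sites/MA-Pipeline/Deal.docx",
                                "SensitivityLabelId": MNPI_LABEL_ID}]}),
    _row("rep2@contoso.com", "2026-05-18T15:10:00Z", {"AppHost": "Teams",
         "Messages": [{"Id": "m3", "isPrompt": True}, {"Id": "m4", "isPrompt": False}],
         "AccessedResources": [{"Id": "https://contoso.sharepoint.com/sites/Marketing/FAQ.docx"}]}),
    _row("rep3@contoso.com", "2026-05-19T09:00:00Z",  # prompt only, no grounding list
         {"AppHost": "Word", "Messages": [{"Id": "m5", "isPrompt": True}]}),
    _row("rep1@contoso.com", "2026-05-19T09:30:00Z", {}, rtype="SharePointFileOperation"),
]

def copilot_events(export):
    """Yield (user, timestamp, CopilotEventData) for CopilotInteraction rows only."""
    for row in export:
        if row.get("RecordType") == "CopilotInteraction":
            data = json.loads(row["AuditData"])
            yield row["UserId"], row["CreationDate"], data.get("CopilotEventData", {})

def is_complete(event):
    """Control 9: a record must evidence a prompt, a response and its grounding list."""
    msgs = event.get("Messages", [])
    return (any(m.get("isPrompt") for m in msgs)
            and any(not m.get("isPrompt") for m in msgs)
            and "AccessedResources" in event)
def is_mnpi(resource):
    """A grounding source is MNPI if it carries the MNPI label or lives in an MNPI site."""
    rid = resource.get("Id", "")
    return (resource.get("SensitivityLabelId") == MNPI_LABEL_ID
            or any(rid.startswith(site + "/") for site in MNPI_SITES))
def mnpi_exposures(export):
    """Controls 29-31: interactions grounded on MNPI content; the target list is empty."""
    return [{"user": u, "when": t, "host": e.get("AppHost"), "resource": r.get("Id")}
            for u, t, e in copilot_events(export)
            for r in e.get("AccessedResources", []) if is_mnpi(r)]
def incomplete_records(export):
    """Control 9 gap list: (user, timestamp) of records that cannot be supervised."""
    return [(u, t) for u, t, e in copilot_events(export) if not is_complete(e)]
```

Any non-empty result from mnpi_exposures means Restricted SharePoint Search or the label scope did not exclude the site from grounding; feed it to the named reviewers in control 31.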

Family 7: AML / KYC / Suspicious Activity (BSA + FinCEN) — 4 controls

  • ☐ 32. Copilot prompts on customer accounts scanned for SAR indicators
  • ☐ 33. Customer due diligence documents flagged for retention
  • ☐ 34. OFAC sanctions screening integrated with Copilot grounding
  • ☐ 35. Annual BSA/AML attestation by BSA officer

Family 8: Governance + Vendor Management — 3 controls

  • ☐ 36. Microsoft BAA + DPA + standard contractual clauses verified
  • ☐ 37. Third-party Copilot Studio agents reviewed via vendor management process
  • ☐ 38. Annual third-party audit (SOC 2 + customized) includes Copilot scope

Reg BI vs Investment Advisers Act Differences

Broker-Dealer (Reg BI): Customer-specific best interest standard. Disclosure of material conflicts. Reasonable basis for recommendation. Compliance with Form CRS.

Investment Adviser (Advisers Act): Fiduciary duty of care + loyalty. Mid-contract disclosure obligations. Form ADV updates.

Both: Copilot recommendations cannot be the SOLE basis for customer-facing recommendation. Human-in-the-loop required.

Microsoft 365 E7 vs E5 for FINRA/SEC Copilot

Capability               | E5 + Copilot          | M365 E7
-------------------------|-----------------------|-------------------------------------------
Microsoft 365 Copilot    | Add-on ($30/user/mo)  | Bundled
Communication Compliance | E5 included           | E7 included
Information Barriers     | E5 included           | E7 included
Purview Audit Premium    | E5 included           | E7 included
Microsoft Agent 365      | Add-on $45/user/mo    | Bundled
Per user/month           | $90+                  | $99 ($84.15 CSP promo through Dec 31 2026)

E7 wins for any broker-dealer or RIA running 200+ Copilot licenses (Agent 365 governance becomes operational at scale).

Implementation Sequence

Phase 1 (Weeks 1-4): Foundation — Identity (C22), Audit Premium (C7), Communication Compliance policy authoring (C1-5).

Phase 2 (Weeks 5-12): Data Classification — sensitivity label taxonomy + MNPI controls (C28-31) + Information Barriers (C24).

Phase 3 (Weeks 13-20): Supervision Framework — WSP update (C13), designated principal (C14), branch office training (C16).

Phase 4 (Weeks 21-26): Validation — quarterly tuning (C6), penetration test (C26), CCO attestation (C15).

Total: 26 weeks (6 months) to fully-controlled state. Pilot can begin at end of Phase 1.

Bottom Line

Use this 38-control checklist as a procurement + readiness gate before Copilot rollout. Map each control to a named owner. EPC Group ships a tailored version of this checklist with every financial services Copilot governance engagement.

Frequently Asked Questions

Q: Is Microsoft 365 Copilot FINRA-compliant out of the box?
A: No. Microsoft provides the platform + audit + Communication Compliance capabilities. Customer must configure + supervise per FINRA + SEC requirements.

Q: How long until Copilot is FINRA-safe to roll out?
A: 12-16 weeks for pilot with disciplined execution; 24-26 weeks for enterprise rollout with EPC Group support.

Q: What about Microsoft Copilot Studio agents in BD/RIA environments?
A: Each agent must go through vendor management + governance review. Treat as a third-party AI system. Document agent purpose, data path, retention, supervision.

Q: Does Copilot replace human supervision under FINRA Rule 3110?
A: No. Copilot is a tool. Supervision remains a human registered principal responsibility. Document the supervision-Copilot interaction model.

Q: What about state-registered investment advisers?
A: Apply state-specific overlays (e.g., NY BitLicense, California SB 327 IoT, etc.) on top of this federal baseline.

Q: Why EPC Group?
A: 29 years Microsoft + financial services consulting. Errin O'Connor previously held a Lead Architect role at the Federal Reserve Bank of New York. Microsoft Solutions Partner with all six designations. See /reviews.

Next Steps

  • Schedule a FINRA/SEC Copilot Discovery: /contact
  • Productized readiness assessment: /services/microsoft-365-copilot-readiness-assessment
  • Ongoing engagement: /services/copilot-governance-consulting
  • Call (888) 381-9725

Errin O'Connor

CEO & Chief AI Architect

Microsoft Press bestselling author with 29 years of enterprise consulting experience.
