Financial Services

Why Microsoft Now for Financial Services

In 2026, financial services firms face several challenges related to regulation, technology, and competition. These issues have changed the conversation around platforms.

The modernization of SEC Rule 17a-4 has played a key role in this shift. This rule:

• Started in June 2023
• Will be fully enforced by 2024
• Replaced WORM-only electronic recordkeeping with audit-trail-based records

For the first time, Microsoft 365 and Microsoft Purview can now function as a primary recordkeeping system.

Additionally, the NYDFS 23 NYCRR 500 (Cybersecurity Regulation) amendments, effective November 2023, introduced specific requirements for:

• CISO governance
• MFA (Multi-Factor Authentication)
• Encryption
• Vendor risk management
• Incident reporting
• CISO certifications

These requirements support the use of Microsoft 365 E5, Defender XDR, Sentinel, and Purview. Additionally, several regulations have raised the expectations for documentation and control in regulated financial institutions:

• Federal Reserve System SR Letter 23-4 on cyber incident notification
• SEC cyber incident disclosure rules (Item 1.05 of Form 8-K effective December 2023)
• FFIEC IT Examination Handbook updates
• Office of the Comptroller of the Currency's Heightened Standards

Generative AI is changing the productivity landscape in financial services. Key areas that benefit from Microsoft 365 Copilot include:

• Investment research
• Deal team support
• Wealth advisor briefing
• Claims adjudication
• Fraud investigation
• AML transaction analysis
• Customer service

To ensure success, firms must implement Copilot within a control framework that considers FINRA, SEC, and NYDFS regulations. Delaying deployment can create a productivity gap compared to competitors.

Deploying without proper governance can lead to risks, including:

• Supervision issues
• Regulatory challenges
• Reputational damage

The Engagement Operating Model approach offers a solution. This includes:

• Establishing clear governance structures
• Ensuring compliance with regulations
• Mitigating risks effectively

• Assessing the firm's regulatory posture
• Architecting specific solutions
• Building with phase gates
• Validating against supervisor expectations
• Deploying with documented controls
• Running with continuous monitoring

EPC Group's financial services practice is founded on a strong approach. It is led by Errin O'Connor, a former Lead Architect at the Federal Reserve Bank of New York. The firm has successfully completed Microsoft engagements for:

• Financial institutions
• Investment firms
• Insurance companies

• Banking
• Insurance
• Investment Management

• Regional banks
• Broker-dealers
• Registered Investment Advisors (RIAs)
• Asset managers
• Hedge funds
• Life and Property & Casualty (P&C) insurance carriers
• Federally-regulated entities, including federal credit unions, GSEs, and federal reserve member banks

The combination of Microsoft platform expertise and regulatory experience sets us apart.

M365 Copilot for FINRA + SEC + NYDFS

Microsoft 365 Copilot for financial services needs a control framework that covers three main regulatory areas:

• SEC for investment advisers, broker-dealers, and investment companies.
• FINRA for broker-dealer member firms.
• State regulators such as NYDFS, California DFPI, and Texas DoB for state-chartered entities.

The EPC Group Copilot governance framework for financial services addresses each of these areas.

SEC 17a-4 + FINRA 4511 books-and-records. Microsoft Purview Audit Premium captures Copilot prompts and responses. It keeps this data for 10 years to comply with the rules of 17a-4 and 4511.

Additionally, Microsoft 365 Purview retention policies ensure that data cannot be deleted.

The audit log can be exported in a tamper-evident format. This format is appropriate for SEC and FINRA examinations.

FINRA Rule 3110 supervision. Microsoft Purview Communication Compliance policies monitor Copilot interactions for key supervisory issues. These include:

• Suitability concerns
• MNPI references
• Insider information
• Manipulation patterns
• Customer complaint language
• Gift and entertainment thresholds

Reviewers receive prioritized queues. Documented supervisory procedures align with Copilot's interface as part of the firm's Written Supervisory Procedures (WSPs).

FINRA Rule 2210 communications with the public. Customer-facing Copilot outputs include any content sent to clients. These outputs are managed by Communication Compliance and DLP. They undergo a review process to ensure they meet fair and balanced standards.

Records are kept according to rules 2210 and 4511.

Information Barriers. Microsoft 365 Information Barriers create ethical walls between different sectors. These include:

• Research and investment banking (Section 15D / Regulation AC)
• Broker-dealer and RIA
• Trading desk and back office

Information Barrier policies apply to Teams chat, SharePoint sites, OneDrive sharing, and Copilot content access. EPC Group's Copilot governance design includes the IB segmentation as a primary deliverable.

MNPI handling. Restricted SharePoint Search prevents Copilot from displaying MNPI sites in search results. Sensitivity labels from Microsoft Purview Information Protection classify MNPI content. These labels utilize Customer Key encryption to manage tenant-controlled keys.

DLP for Copilot helps prevent MNPI exposure in:

• Prompts
• Responses
• Agents

The full checklist is documented at /blog/finra-sec-microsoft-copilot-controls-checklist-2026.

Microsoft Fabric for Risk + Finance + Surveillance

Microsoft Fabric replaces the disconnected systems of Teradata, Oracle, Hadoop, Snowflake, and Databricks in financial services. EPC Group has effectively migrated banks, asset managers, and insurance carriers to Fabric. Below are some key use cases:

• Improved data integration and management.
• Enhanced analytics for better decision-making.
• Streamlined operations across financial institutions.

• Data integration and management
• Advanced analytics and reporting
• Real-time data processing

Portfolio risk aggregation. We provide position-level, counterparty-level, and market-data-level aggregation across various asset classes. These include:

• Equities
• Fixed income
• Derivatives
• FX
• Commodities
• Structured products

We offer real-time analytics for intraday risk. Our services include a Lakehouse for end-of-day risk, stress testing, and scenario analysis. We also use Power BI semantic models for:

• Data visualization
• Interactive reporting
• Enhanced decision-making

• Data visualization
• Interactive reporting
• Advanced analytics

• Risk committee reporting
• Regulatory submissions, including Basel III risk-weighted asset reporting
• CCAR / DFAST stress testing
• ICAAP for European entities

Trade surveillance. This process involves collecting trade, order, market data, and communication into Fabric Real-Time Analytics and Lakehouse. We use custom KQL and Spark analytics to find patterns such as:

• Unusual trading activity
• Market manipulation
• Insider trading

• Unusual trading activity
• Market manipulation
• Insider trading

• Spoofing
• Layering
• Front-running
• Wash trading
• Insider trading

Our system integrates with NICE Actimize and NASDAQ SMARTS, along with custom rule sets. It is documented as the surveillance system of record for the firm's WSPs.

Regulatory reporting. We provide a consolidated regulatory reporting platform for:

• FINRA OATS / CAT (Consolidated Audit Trail)
• MiFID II / MiFIR
• SFTR
• EMIR
• FRTB (Fundamental Review of the Trading Book)
• LIBOR transition tracking

Fabric Warehouse serves as the regulatory-grade store of record. It ensures audit-quality lineage through Microsoft Purview.

Counterparty exposure + credit risk. We aggregate counterparty-level exposure across various products, entities, and jurisdictions. This includes:

• Margining and collateral management
• Pre-trade and post-trade credit risk
• Default risk modeling (PD, LGD, EAD) using Fabric Notebooks and Azure ML

AML transaction monitoring. This process includes collecting transaction, customer, counterparty, and sanctions data. We use custom rule sets and machine-learning models to identify suspicious activity.

Furthermore, we integrate case management with operational AML platforms. This integration is recorded as the AML data layer for the firm's BSA / AML program.

Power BI for Risk + P&L + Regulatory Dashboards

Power BI is the leading analytics and reporting tool for financial services. EPC Group has delivered Power BI Premium, Embedded, and Fabric capacity deployments to:

• Banks
• Broker-dealers
• Asset managers
• Hedge funds
• Insurance carriers

We focus on creating effective dashboard patterns for these sectors.

Risk committee reporting. Organizations must monitor various types of risks. These include:

• Market risk: VaR, expected shortfall, and stress test results.
• Credit risk: Concentration, sector exposure, and counterparty risk.
• Operational risk: Loss events and scenario analysis.
• Liquidity risk: LCR and NSFR for banks.
• Interest rate risk: IRRBB.
• Capital adequacy: Basel III CET1, Tier 1, and Total Capital ratios.

P&L attribution. P&L decomposition by desk + book + strategy + product + risk factor. Greeks attribution for derivatives portfolios. Realized vs unrealized P&L. Brokerage + commission + financing cost attribution.

Wealth management. Advisor + practice + client + household analytics. AUM growth + net new assets + flow analytics. Pipeline + opportunity tracking. Compliance + suitability monitoring.

Insurance. Loss ratio + combined ratio + expense ratio by line of business. Claims aging + reserve adequacy. Underwriting performance. Reinsurance optimization. Catastrophe modeling integration.

Cybersecurity — NYDFS 23 NYCRR 500 + Reg S-P + GLBA Safeguards

EPC Group's cybersecurity reference architecture for financial services integrates three key Microsoft products: Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Purview. This unified approach aligns with regulatory frameworks.

• NYDFS 23 NYCRR 500 mapping

Section 500.7 Access Privileges. Microsoft Defender for Identity + Entra ID Conditional Access + Privileged Identity Management for just-in-time elevation + access reviews + identity governance.

Section 500.12 Multi-Factor Authentication. Entra ID MFA enforced via Conditional Access for all human + privileged service accounts. FIDO2 phishing-resistant authentication for privileged users. Number-matching enforcement.

Section 500.14 Training + Monitoring. Microsoft Defender for Office 365 attack simulation training. Microsoft Sentinel UEBA for behavioral anomaly detection.

Section 500.15 Encryption. Microsoft Information Protection offers sensitivity labels for nonpublic information. This includes:

• Customer Key and Double Key Encryption when suitable.
• Encryption in transit using TLS 1.3.
• Encryption at rest with either Microsoft-managed or customer-managed keys.

Section 500.16 Incident Response Plan. Microsoft Sentinel SOAR runbooks are aligned with the firm's incident response plan. The system includes:

• 72-hour superintendent notification automation
• SEC Form 8-K Item 1.05 4-business-day notification automation

Section 500.17 Notice to Superintendent. Documented + tested notification workflow integrated with Sentinel + Microsoft 365 Defender.

Reg S-P customer information safeguards: DLP for nonpublic personal information, sensitivity labels for customer data, conditional access policies for customer-data systems, audit log retention for examination support.

Microsoft Cloud for Financial Services — Industry Accelerators

Microsoft Cloud for Financial Services (MCfFS) combines Microsoft 365 + Dynamics 365 + Power Platform + Azure with industry-specific accelerators:

Banking customer onboarding. Our solution offers pre-built workflows for retail banking customer onboarding. This includes:

• KYC document collection
• Identity verification integration
• Fraud screening
• Account opening

This approach replaces fragmented onboarding vendors with a unified Microsoft-native onboarding experience.

Financial advisor workspace. This unified workspace supports advisors with various features, including:

• Client 360
• Opportunity management
• Pipeline management
• Suitability documentation
• Meeting management
• Householding

It integrates with portfolio management, planning, and custody platforms such as Envestnet, Orion, Black Diamond, Tamarac, Charles Schwab, and Fidelity custody.

Claims management (insurance). First Notice of Loss intake, claim triage, adjuster workspace, fraud screening integration, settlement workflow. Replaces legacy claims systems for digital-first carriers.

Customer engagement hub. Multi-channel customer engagement (phone, email, chat, mobile, in-branch / in-agent) with unified customer profile + interaction history + next-best-action.

FedRAMP + Federally-Regulated Entities

For federally-regulated financial entities — Federal Reserve System member banks, GSEs (Fannie Mae, Freddie Mac, Federal Home Loan Banks), federal credit unions (NCUA-supervised), federally-regulated insurance, and OCC-supervised national banks — Microsoft 365 GCC and GCC High provide FedRAMP-aligned posture. EPC Group has shipped GCC + GCC High deployments for federally-regulated financial entities, with Azure workloads deployed within a CAF-aligned Azure landing zone architecture that maps to FFIEC + Federal Reserve supervisory expectations. The Federal Reserve Bank of New York pedigree (Errin O'Connor previously held a Lead Architect role at FRBNY) is reflected in EPC Group's familiarity with Federal Reserve System examination + supervisory expectations.

Engagement Operating Model — Financial Services Application

The 7-phase Engagement Operating Model (Discover → Architect → Plan → Build → Validate → Deploy → Run) — at /engagement-model — applied to financial services:

Discover. We assess your regulatory posture by examining:

• Which regulators are involved
• The examination cycle
• Open MRAs, MRIAs, and supervisory letters

We also evaluate your:

• Current Microsoft tenant
• WSP inventory
• Information Barrier inventory
• Books-and-records system inventory
• AML and sanctions screening platform inventory
• Cybersecurity posture, including NYDFS attestation, FFIEC CAT, and NIST CSF maturity

Architect. We provide governance design for Copilot tailored to your regulatory needs. Our services include:

• Fabric data platform architecture for risk, finance, and surveillance
• Power BI capacity sizing for risk, finance, and wealth management reporting
• Defender and Sentinel SOC architecture
• Information Barrier segmentation design

Plan. The rollout will occur in phases. First, we will implement Copilot for non-customer-facing roles, focusing on:

• Research support
• Internal productivity

Next, we will introduce it for customer-facing roles. This will ensure full Communication Compliance. Finally, we will roll it out to agents.

This process will include change management for:

• Compliance
• Legal
• Supervisory
• Business stakeholders

Build. Tenant configuration, identity + access design, sensitivity label deployment, Communication Compliance policies, Information Barriers, Fabric workspaces + warehouses, Power BI deployment, Sentinel analytics rules + SOAR runbooks.

Validate. Pre-examination readiness review, mock examination, supervisor pre-briefing, control validation against documented WSPs, penetration testing including financial-services-relevant attack patterns (BEC, fraudulent wire patterns, MNPI exfiltration).

Deploy. Production rollout with hypercare. Coordination with WSP supervisor + compliance officer + CISO. Documentation prepared for next examination cycle.

Run. Managed Microsoft Support for ongoing operations. Quarterly compliance + supervisory reviews. Annual NYDFS 23 NYCRR 500 attestation support. Pre-examination preparation cycles.

Engagement Investment

EPC Group financial services engagement tiers:

Foundation ($175K-$350K, 12-20 weeks): This package includes options for:

• Copilot governance
• Fabric risk platform
• Defender + Sentinel implementation
• Information Barrier deployment

It is suitable for a single-line-of-business firm or a focused workload.

Enterprise ($400K-$900K, 24-36 weeks): This option offers a multi-workload deployment along with a complete lifecycle for the Engagement Operating Model. It also includes the transition to Managed Microsoft Support.

This package is suitable for:

• Mid-size banks
• Mid-size broker-dealers
• Mid-size asset managers

Platform ($900K-$3M, 40-60 weeks): This offering includes a complete deployment of Microsoft Cloud for Financial Services. It features the Fabric platform and a Center of Excellence. It also supports multi-entity federation.

This solution is ideal for:

• Large banks
• Government-sponsored enterprises (GSE)
• Large insurance carriers
• Federally-regulated entities

Ongoing operations via /managed-microsoft-support-tiers — 24x7x365 tier appropriate for trading + customer-facing financial services workloads.