Why Copilot in FSI Requires a Different Governance Posture
Microsoft 365 Copilot in financial services requires a different governance template than commercial deployments. FSI Copilot must meet three key supervisory regimes:
- SEC for investment advisers, broker-dealers, and investment companies
- FINRA for member firms
- State regulators such as NYDFS, California DFPI, and Texas DoB for state-chartered entities
Additionally, it must comply with:
- NAIC for insurance
- CFPB for consumer financial products
- OCC for national banks
- Federal Reserve for state member banks and holding companies
This creates a complex regulatory landscape.
EPC Group's FSI Copilot governance framework connects regulatory requirements with Microsoft 365 capabilities. It offers deployment evidence and documentation that is ready for auditors.
This framework is based on 47 controls designed specifically for the financial services industry (FSI) and is organized into the following control domains:
- Identity + Access
- Data Protection
- Information Barriers
- Audit + Communication Compliance
- eDiscovery + Legal Hold
- Incident Response
- Insider Risk
- Vendor + BAA Management
FINRA Rule 3110 Supervisory Framework
FINRA Rule 3110 supervision for Copilot requires Communication Compliance to scan prompts and responses for several key issues:
- Suitability concerns: Customer-specific recommendations without documented suitability analysis.
- MNPI references: mentions in conversations or document drafts.
- Insider information leakage.
- Manipulation patterns: Spoofing and layering language.
- Customer complaint language.
- Gift and entertainment thresholds.
- FINRA Rule 2210 violations: Fair-and-balanced issues in customer-facing drafts.
Reviewer queues focus on high-risk interactions. Supervisory procedures are documented and align with the firm’s Written Supervisory Procedures (WSPs).
Annual supervisory testing and reporting are integrated with the firm’s compliance and risk reporting schedule.
SEC 17a-4 + FINRA 4511 Books-and-Records
SEC Rule 17a-4 modernization began in June 2023, replacing WORM-only electronic recordkeeping with audit-trail-based records.
Interactions with Microsoft 365 Copilot are recorded in Microsoft Purview Audit Premium.
This solution includes:
- A 10-year retention period
- Configuration to meet 17a-4 requirements
- Compliance with 4511 requirements
Additionally, Microsoft 365 Purview retention policies prevent deletion. The audit log can be exported in a tamper-evident format, which is suitable for SEC and FINRA examination.
Before 2026, many companies relied on third-party recordkeeping vendors like Smarsh, Global Relay, and Mimecast. With the 17a-4 modernization, Microsoft 365 Purview can now act as the main recordkeeping system. This change simplifies both supervisory and IT processes.
EPC Group provides the necessary documentation to support this transition with every FSI Copilot deployment.
Information Barriers for Ethical Walls
FSI Information Barriers applied to Copilot enforce ethical walls beyond the standard Teams + SharePoint scope:
- Research vs Investment Banking (Section 15D / Regulation AC) — research analysts cannot use Copilot to access IB content; IB cannot use Copilot to surface research
- Broker-Dealer vs RIA — for dual-registrants, IB policies prevent fiduciary RIA data from being surfaced in BD-context Copilot queries
- Trading Desk vs Back Office — Copilot cannot bridge front-to-back office content access
- Audit firm independence (for Big 4 + national accounting) — audit-side Copilot cannot surface advisory-side content
- Lateral partner moves — lateral employees cannot use Copilot to access prior-firm content
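As an added illustration (not EPC Group's or Microsoft's own script), the Research vs Investment Banking wall above configured with Security & Compliance PowerShell; the segment names, the Department attribute values and the sample user principal names are assumptions.

```powershell
# Added example: ethical wall between Research and Investment Banking using
# Microsoft Purview Information Barriers (Security & Compliance PowerShell).
# Assumptions (not from the page): users carry Department = 'Research' or
# 'Investment Banking' in Entra ID; the UPNs below are constructed samples.
Connect-IPPSSession

# 1. Define the segments. A user may belong to at most one segment, so the
#    two filters must be mutually exclusive.
New-OrganizationSegment -Name "Research" `
    -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name "InvestmentBanking" `
    -UserGroupFilter "Department -eq 'Investment Banking'"

# 2. Block in both directions. One policy only blocks one side; the wall
#    holds (including for Copilot grounding) only when each side blocks the other.
New-InformationBarrierPolicy -Name "Research-Blocks-IB" `
    -AssignedSegment "Research" -SegmentsBlocked "InvestmentBanking" -State Inactive
New-InformationBarrierPolicy -Name "IB-Blocks-Research" `
    -AssignedSegment "InvestmentBanking" -SegmentsBlocked "Research" -State Inactive

# 3. Activate, then start applying. Application runs as a background job
#    and can take a while on a large tenant.
Set-InformationBarrierPolicy -Identity "Research-Blocks-IB" -State Active
Set-InformationBarrierPolicy -Identity "IB-Blocks-Research" -State Active
Start-InformationBarrierPoliciesApplication

# 4. Evidence for the audit file: application status, plus the segment
#    assignment and block status for a sample analyst/banker pair.
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierRecipientStatus `
    -Identity "analyst@contoso.onmicrosoft.com" `
    -Identity2 "banker@contoso.onmicrosoft.com"
```

Re-run step 4 after each policy change and retain the output; it is the record an examiner will ask for when testing the wall.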
High-Value Copilot Use Cases for FSI
Investment research. Research analyst Copilot for company analysis, financial modeling, peer comparison, and industry research synthesis, with Restricted SharePoint Search and Information Barriers enforcing MNPI and research-only content boundaries.
Deal team support. M&A advisor Copilot for due diligence document review, pitch deck drafting, financial model annotation, market sizing, comparable transactions research.
Wealth advisor briefing. Pre-meeting client briefing generation pulling from CRM + portfolio + interaction history + market commentary. Communication Compliance scanning for suitability + UDAAP + fiduciary concerns.
Claims adjudication. Insurance adjuster Copilot for claim review, fraud pattern detection, settlement letter drafting, customer correspondence with compliance review.
AML investigation. AML analyst Copilot for case review, transaction pattern analysis, SAR drafting (with Communication Compliance preventing accidental disclosure to subjects).
Customer service. First-line customer service Copilot Studio agents for account inquiries, simple troubleshooting, fee explanations. Escalation to human agents for advisory + complex issues.
Engagement Investment
- Foundation ($175K-$350K, 12-20 weeks): Single-workload Copilot governance pilot — 47-control framework + IB design + Communication Compliance + WSP update + pilot rollout
- Enterprise ($400K-$900K, 24-36 weeks): Multi-workload + EOM full lifecycle + Managed Microsoft Support transition
- Platform ($900K-$3M, 40-60 weeks): Enterprise + Microsoft Cloud for Financial Services + Fabric platform + Center of Excellence + multi-entity federation
License costs are separate. Microsoft 365 Copilot is $30 per user per month, in addition to E3 at $36 per user or E5 at $57 per user.
For Financial Services Industry (FSI), E5 is usually necessary. This is due to its embedded compliance and security features.
FAQ
Can broker-dealers and RIAs use Microsoft 365 Copilot under FINRA + SEC supervision?
Yes — with appropriate governance configuration. Microsoft 365 Copilot interactions (prompts + responses) are captured in Microsoft Purview Audit Premium with 10-year retention configured to satisfy SEC 17a-4 + FINRA Rule 4511 books-and-records. Microsoft Purview Communication Compliance scans Copilot for FINRA Rule 3110 supervisory red flags (suitability, MNPI, insider information, manipulation patterns). Customer-facing Copilot output is gated by Communication Compliance + DLP for FINRA Rule 2210 fair-and-balanced standards. EPC Group ships a tailored FINRA + SEC controls checklist with every FSI Copilot engagement.
How do you prevent MNPI exposure through Copilot?
MNPI Copilot controls: (1) Restricted SharePoint Search prevents Copilot from indexing MNPI-flagged sites; (2) Microsoft Purview Information Protection sensitivity labels with Customer Key + Double Key Encryption for the highest-sensitivity MNPI; (3) DLP for Copilot prevents MNPI exposure across prompts + responses + agents; (4) Information Barriers ensure research analysts cannot use Copilot to access investment banking content (and vice versa); (5) Insider Risk Management policies monitor for MNPI exfiltration patterns including Copilot-generated content.
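Control (1) above, Restricted SharePoint Search, as an added example that is not EPC Group's or Microsoft's own script: it works as an allow list, so MNPI-flagged sites are kept off the list rather than named in it. The admin URL and site URLs are assumptions.

```powershell
# Added example: Restricted SharePoint Search (SharePoint Online Management Shell).
# When enabled, org-wide search and Copilot grounding see only allow-listed sites
# (at most 100); everything else, including MNPI sites, stays out of scope for
# Copilot even if the user has direct access to it.
# Assumption (not from the page): tenant and site URLs below are constructed.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Turn restricted mode on. Until the allow list is populated, Copilot and
#    tenant-wide search return results from no SharePoint sites at all.
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# 2. Allow only the sites reviewed and cleared for Copilot grounding.
#    Deal-room and MNPI sites are deliberately absent from this list.
Add-SPOTenantRestrictedSearchAllowedList -SitesList @(
    "https://contoso.sharepoint.com/sites/PublishedResearch",
    "https://contoso.sharepoint.com/sites/CompliancePolicies"
)

# 3. Evidence for the audit file: current mode and the exact allow list.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList
```

Treat additions to the allow list as a change-controlled event: each new site should carry a documented MNPI review before it is added.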
How does Copilot for Power BI affect financial services analytics governance?
Copilot for Power BI enables natural-language queries against semantic models. Governance considerations: (1) RLS + OLS enforced through Copilot — users only get answers from data they're authorized to see; (2) Restricted SharePoint Search prevents Copilot from indexing MNPI Power BI workspaces; (3) Audit log captures every Copilot query + response for SEC 17a-4; (4) Information Barriers prevent cross-departmental queries that would violate ethical walls. EPC Group ships Copilot for Power BI alongside the broader Power BI for FSI deployment.
What is the FINRA Rule 3110 supervisory framework for Copilot?
FINRA Rule 3110 requires firms to establish + maintain supervisory procedures reasonably designed to achieve compliance with applicable securities laws. For Copilot, the supervisory framework includes: (1) Pre-deployment risk assessment + Written Supervisory Procedures (WSPs) update; (2) Communication Compliance reviewer queues with prioritized scoring; (3) Pre-use review for customer-facing Copilot output (Rule 2210); (4) Documented supervisory procedures with named supervisors; (5) Annual supervisory testing + reporting. EPC Group ships the WSP updates + Communication Compliance configuration in every FSI Copilot deployment.
What about NYDFS Cybersecurity Regulation compliance?
NYDFS 23 NYCRR 500 amendments (effective November 2023) added explicit cybersecurity requirements that map to Microsoft 365 Copilot deployment: Section 500.7 Access Privileges → Entra ID + Conditional Access; Section 500.12 MFA → Entra MFA with phishing-resistant (FIDO2) for privileged users; Section 500.14 Training + Monitoring → Sentinel UEBA + Defender Attack Simulation Training; Section 500.15 Encryption → Customer Key + DKE for highest-sensitivity Copilot content; Section 500.16 Incident Response → Sentinel SOAR runbooks with documented IR plan integration. Annual CISO certification supported.
Can federally-regulated banks deploy Copilot in GCC High?
Yes. Microsoft 365 Copilot is available in GCC + GCC High with FedRAMP-aligned posture. For Federal Reserve System member banks, GSEs (Fannie Mae, Freddie Mac), federal credit unions (NCUA-supervised), and OCC-supervised national banks subject to federal supervision, GCC + GCC High provide the appropriate sovereign-tenant posture. Errin O'Connor previously held a Lead Architect role at the Federal Reserve Bank of New York; EPC Group has shipped GCC + GCC High deployments for federally-regulated financial entities.
What does Copilot engagement cost for a financial services firm?
Foundation ($175K-$350K, 12-20 weeks): single-workload Copilot governance pilot — 47-control framework adapted for FSI + Information Barrier design + Communication Compliance configuration + WSP update + pilot rollout. Enterprise ($400K-$900K, 24-36 weeks): multi-workload + EOM full lifecycle + Managed Microsoft Support. Platform ($900K-$3M, 40-60 weeks): Enterprise + Microsoft Cloud for Financial Services + Fabric platform + Center of Excellence + multi-entity federation. License costs separate — M365 Copilot is $30/user/mo on top of E3/E5.
Schedule Copilot for FSI Discovery
FRBNY pedigree. Tailored FINRA + SEC + NYDFS Copilot governance.
