Control 1.10: Communication Compliance Monitoring
- Control ID: 1.10
- Pillar: Security
- Regulatory Reference: FINRA 4511, SEC Rule 17a-3, GLBA 501(b), FINRA Rule 3110
- Last UI Verified: January 2026
- Governance Levels: Baseline / Recommended / Regulated
- Last Verified: 2026-02-03
Objective
Detect and review policy-relevant content in agent-assisted interactions, including user prompts and agent responses. This control supports supervision and review objectives for financial services by monitoring for regulatory violations, inappropriate content, and potential conduct risks.
Why This Matters for FSI
- FINRA 4511/3110: Supervision of AI-assisted communications
- SEC 17a-3: Retention and review of customer communications
- GLBA 501(b): Protecting customer NPI in agent interactions
- FINRA 3110: Supervisory review of communications
- MNPI Detection: Identifying potential insider trading communications
Control Description
| Capability | Description |
|---|---|
| Inappropriate content detection | Detect harassment, threats, discrimination in agent interactions |
| Regulatory violation monitoring | Identify unsuitable recommendations, MNPI indicators |
| Sensitive data protection | Detect customer data in agent responses |
| AI classifiers | Machine learning detection for complex scenarios |
| Review workflow | Triage, escalation, and remediation workflow |
Monitored Copilot and AI Locations
Communication Compliance policies can target specific M365 Copilot locations. Configure policies to include:
| Audit Event Name | Friendly Name | What's Captured |
|---|---|---|
| CopilotInteraction | Microsoft 365 Copilot | User prompts and Copilot responses across M365 apps |
| CopilotForM365Interaction | Copilot for Microsoft 365 | Enterprise Copilot usage (Word, Excel, PowerPoint, Outlook, Teams) |
| AgentInteraction | Copilot Studio Agent | Custom agent prompts, responses, and tool invocations |
| CopilotChat | Copilot Chat | Business Chat / web chat interactions |
| TeamsAIInteraction | Teams AI Features | Copilot in Teams meetings, transcripts, and summaries |
Policy Location Configuration:
When creating Communication Compliance policies, select "Copilot for Microsoft 365" and "Copilot Studio" as monitored locations to capture AI-assisted communications. This enables detection of policy-relevant content in both user prompts and AI responses.
Key Configuration Points
- Assign Communication Compliance roles (Admin, Analyst, Investigator, Viewer)
- Create policies for inappropriate content, regulatory violations, and customer data protection
- Enable AI-powered trainable classifiers for detection
- Configure OCR for image content detection
- Set up priority user groups for high-risk individuals
- Configure alert routing by severity level
- Document review workflow with SLAs and escalation paths
- Configure coverage for Entra-connected AI apps to extend monitoring beyond native M365 Copilot to third-party and custom AI applications registered in Entra ID
- Enable Data Map connector integration to extend Communication Compliance coverage to data sources cataloged in Purview Data Map, supporting detection across the broader data estate
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Basic monitoring (harassment, threats); weekly sampling | Minimal regulatory exposure |
| Zone 2 (Team) | Standard monitoring; daily review; compliance escalation | Shared accountability |
| Zone 3 (Enterprise) | Comprehensive monitoring; real-time alerts; all classifiers | Maximum regulatory protection |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Communication Compliance Admin | Policy configuration and management |
| Communication Compliance Analyst | Alert triage and review |
| Communication Compliance Investigator | Investigation and remediation |
| Legal | Escalation procedures and regulatory reporting |
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit evidence for communications |
| 1.9 - Data Retention | Retention of communications |
| 1.13 - Sensitive Information Types | SITs for detection |
| 2.12 - Supervision | Supervision requirements (FINRA Supervision Workflow) |
| 1.12 - Insider Risk | Insider risk correlation |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- All FSI policies created and enabled
- Test message generates alert within SLA
- Reviewers can access and process alerts
- Escalation workflow functions correctly
- Audit log captures policy and reviewer actions
- Communications retained per retention policy
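As an added verification aid (not part of this control's playbooks), the following Python script checks an exported unified audit log against two of the criteria above: that every audit event name listed under Monitored Copilot and AI Locations has captured evidence, and that a test prompt produced an alert inside the SLA. The one-record-per-line export format, the field names (RecordType, CreationTime, UserId), the alert record name and the sample records are assumptions or constructed for the example.

```python
"""Added verification helper for Control 1.10 (not part of the control catalog).
Reads an exported unified audit log (one AuditData JSON object per line; the
field names RecordType/CreationTime/UserId are assumptions) and checks two
verification criteria: every monitored Copilot location has captured events,
and a test prompt produced a Communication Compliance alert within the SLA."""
import json
from datetime import datetime, timedelta

# Audit event names from the "Monitored Copilot and AI Locations" table.
MONITORED_RECORD_TYPES = {
    "CopilotInteraction", "CopilotForM365Interaction", "AgentInteraction",
    "CopilotChat", "TeamsAIInteraction",
}
# Placeholder name for the alert record; substitute the tenant's actual value.
ALERT_RECORD_TYPE = "CommunicationComplianceAlert"

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """
{"RecordType": "CopilotInteraction", "CreationTime": "2026-02-03T09:00:00", "UserId": "test.user@contoso.example"}
{"RecordType": "AgentInteraction", "CreationTime": "2026-02-03T09:05:00", "UserId": "test.user@contoso.example"}
{"RecordType": "CommunicationComplianceAlert", "CreationTime": "2026-02-03T09:42:00", "UserId": "test.user@contoso.example"}
{"RecordType": "CopilotChat", "CreationTime": "2026-02-03T10:00:00", "UserId": "advisor@contoso.example"}
"""


def parse_export(text):
    """Parse one JSON audit record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(record):
    return datetime.fromisoformat(record["CreationTime"])


def location_coverage(records):
    """Monitored locations (audit event names) with no captured event at all."""
    seen = {r["RecordType"] for r in records}
    return sorted(MONITORED_RECORD_TYPES - seen)


def alert_latency_minutes(records, user):
    """Minutes from the user's first monitored interaction to the first alert
    logged at or after it; None when the interaction or the alert is missing."""
    prompts = [_ts(r) for r in records
               if r["UserId"] == user and r["RecordType"] in MONITORED_RECORD_TYPES]
    if not prompts:
        return None
    alerts = [_ts(r) for r in records
              if r["UserId"] == user and r["RecordType"] == ALERT_RECORD_TYPE
              and _ts(r) >= min(prompts)]
    if not alerts:
        return None
    return (min(alerts) - min(prompts)) / timedelta(minutes=1)


def within_sla(latency_minutes, sla_minutes):
    """True only when an alert exists and arrived inside the SLA window."""
    return latency_minutes is not None and latency_minutes <= sla_minutes
```

On the constructed sample, two locations have no evidence and the test user's alert arrived 42 minutes after the prompt, so the check passes a 60-minute SLA and fails a 30-minute one.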
Regulatory Requirements
FINRA Rule 2210 - Communications with the Public
AI-generated customer communications must meet Rule 2210 content standards. Per FINRA Notice 24-09 FAQ D.8, "Firms are responsible for their communications, regardless of whether they are generated by a human or AI technology."
Communication Classification:
- Retail Communication (>25 retail investors in 30 days): Pre-use principal approval required
- Correspondence (≤25 retail investors in 30 days): Post-use review acceptable
- Institutional: Internal procedures apply
The FINRA 2026 Annual Regulatory Oversight Report emphasizes that firms must configure AI agents to route communications through appropriate review workflows based on classification.
Updated February 2026
FINRA 2026 oversight priorities include examination of AI-generated communications for Rule 2210 compliance and proper classification.
Additional Resources
- Microsoft Learn: Communication Compliance Overview
- Microsoft Learn: Create Communication Compliance Policies
- Microsoft Learn: Investigate and Remediate Alerts
- Microsoft Learn: Trainable Classifiers
- FINRA Rule 2210
- FINRA Notice 24-09
Updated: January 2026 | Version: v1.2 | UI Verification Status: Current