Control 1.10: Communication Compliance Monitoring
Control ID: 1.10
Pillar: Security
Regulatory Reference: FINRA Rule 4511, FINRA Rule 3110(b), FINRA 25-07, SEC Rule 17a-3, SEC Rule 17a-4(b)(4), SEC Reg S-P, GLBA 501(b)
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Detect and review policy-relevant content in agent-assisted interactions, including user prompts and agent responses. This control supports supervision and review objectives for financial services by monitoring for regulatory violations, inappropriate content, and potential conduct risks.
Why This Matters for FSI
- FINRA Rule 4511 / Rule 3110(b): Supervision of AI-assisted communications; firms must retain and review AI agent interactions. FINRA Rule 3110 requires written supervisory procedures reasonably designed for the firm's business.
- FINRA Notice 25-07 (and Notice 24-09): Reinforces that firms are responsible for communications regardless of whether they are AI-generated. Note: FINRA Notice 24-09 explicitly states it does not create new legal or regulatory requirements; the existing supervision and recordkeeping rules apply.
- SEC Rule 17a-3 / 17a-4(b)(4): Retention and review of customer communications; 2022 amendments allow an audit-trail alternative to WORM for electronic records. The durable books-and-records obligation is met via Exchange/Teams retention and records management (see Control 1.9), not by Communication Compliance Policy Match Preservation alone.
- SEC Regulation S-P: Customer information safeguards apply to NPI surfaced through agent interactions.
- GLBA 501(b): Protecting customer NPI in agent interactions.
- MNPI Detection: Identifying potential insider trading communications.
- OCC 2011-12 / Fed SR 11-7: Model risk management applies to AI classifiers (trainable classifiers, AI-powered detection) used in Communication Compliance policies.
What Communication Compliance is — and is not
Communication Compliance is the supervisory review plane for content in messages and AI interactions. It is distinct from:
- Insider Risk Management (Control 1.12) — user-behavior risk scoring
- eDiscovery (Control 1.19) — legal hold and case collection
- DLP (Control 1.5) — preventive blocking at egress
- Records retention (Control 1.9) — durable books-and-records obligation under SEC 17a-4 / FINRA 4511
Communication Compliance retains copies of matched content for review under Policy Match Preservation; it does not by itself satisfy the durable retention obligation.
Automation Available
See the FINRA Supervision Workflow in FSI-AgentGov-Solutions for an automated supervision queue for AI agent outputs that supports FINRA Rule 3110 compliance.
Control Description
| Capability | Description |
|---|---|
| Inappropriate content detection | Detect harassment, threats, discrimination in agent interactions |
| Regulatory violation monitoring | Identify unsuitable recommendations, MNPI indicators |
| Sensitive data protection | Detect customer data in agent responses |
| AI classifiers | Machine learning detection for complex scenarios |
| Review workflow | Triage, escalation, and remediation workflow |
Monitored Channels and AI Locations
Communication Compliance policies operate across the channels and locations Microsoft Learn currently documents. To monitor Microsoft 365 Copilot and Copilot Chat, use the dedicated template "Detect Microsoft 365 Copilot and Microsoft 365 Copilot Chat interactions", which configures Prompt Shields and Protected material classifiers.
| Location group | Examples | Notes |
|---|---|---|
| Exchange Online | User mailboxes (internal and outbound) | Reviewers must have Exchange Online mailboxes |
| Microsoft Teams | Chats, channels (excluding shared with external) | Teams chat matches may take up to 48 hours to process per Learn |
| Viva Engage | Public communities | |
| Microsoft Copilot experiences | Microsoft 365 Copilot, Copilot Chat | Use the dedicated Copilot template |
| Enterprise AI apps | Copilot Studio agents, Security Copilot, Fabric Copilot, etc. | Pay-as-you-go billing required for non-M365 AI data per Learn |
| Other AI apps | Approved third-party generative AI (e.g., ChatGPT Enterprise, Gemini for Workspace via connectors) | Pay-as-you-go billing required for non-M365 AI data |
| Third-party sources | Bloomberg, Slack, etc. via supported connectors | Connector availability varies; verify per tenant |
Pay-as-you-go billing required for non-M365 AI
Detection of inappropriate or risky interactions for non-Microsoft 365 AI data — including connected generative AI apps and Copilot Studio in some configurations — requires pay-as-you-go billing to be enabled per Microsoft Learn. Plan and document this with your billing owner before scoping a policy to those locations.
Processing windows are not real-time
Per current Microsoft Learn, Teams chat matches may take up to 48 hours to surface in the review queue, and Exchange email/attachment matches about 24 hours. Non-Microsoft sources often take 24–48 hours. Do not design supervisory procedures around real-time alert expectations the product does not document.
Key Configuration Points
- Enable Unified Audit Log first. Microsoft Learn marks this as a required step; Communication Compliance relies on the audit log for alert generation and reviewer-action logging.
- Verify the privacy default. Pseudonymization of usernames is on by default in Communication Compliance. Document the opt-out audit trail (admin, justification, date) before any reviewer is opted in to investigator capability.
- Assign role groups using the canonical Learn names: Communication Compliance (catch-all), Communication Compliance Admins, Communication Compliance Analysts, Communication Compliance Investigators, Communication Compliance Viewers. Reviewers must also be assigned at the per-policy level and must have Exchange Online mailboxes.
- Use the built-in template "Detect Microsoft 365 Copilot and Microsoft 365 Copilot Chat interactions" as the starting point for AI monitoring; this template configures Prompt Shields and Protected material classifiers and is the canonical Copilot scope.
- Use "Detect inappropriate text" (Exchange + Teams + Viva Engage) for harassment / threats / discrimination scenarios. Note that "Detect inappropriate content" is locked to Teams + Viva Engage with Hate / Violence / Sexual / Self-harm classifiers; it does not support Exchange or Copilot locations.
- Use "Detect financial regulatory compliance" (Regulatory compliance template) for FINRA-specific scenarios. This template defaults to a 10% review percentage; FSI customers supervising registered representatives typically need 100%; tune the review percentage explicitly and document the basis.
- Use Custom policy when template-locked locations / direction / conditions do not fit the use case.
- Configure OCR via the policy condition checkbox (it is not a tenant-level toggle). OCR processing typically takes about an hour to take effect per Learn.
- Document each policy's Reviewers, Locations, Conditions, Review percentage, Direction, and Policy Match Preservation setting as part of the supervisory design record.
- Plan administrative units to scope reviewer/investigator permissions by region or business unit. Per Learn this is the documented mechanism for HR-only vs. Compliance-only vs. Legal-only scoping in multi-affiliate FSI organizations.
- For non-Microsoft 365 AI / Enterprise AI / Other AI app coverage, enable pay-as-you-go billing before scoping a policy to those locations.
Records retention vs Policy Match Preservation
Policy Match Preservation retains a copy of matched content for review while the policy is in place. As of June 1, 2025 the options are 1 month / 6 months / 1 year / 7 years (default 1 year). It is not the records retention mechanism for SEC 17a-4(b)(4) / FINRA 4511 — durable books-and-records retention is met via Exchange Online retention, Teams retention, and records management (see Control 1.9). Set Policy Match Preservation per supervisory needs and document records retention separately.
PowerShell and Communication Compliance — what is and is not supported
Per Microsoft Learn (communication-compliance-policies): PowerShell is not supported for creating and managing Communication Compliance policies. Policy CRUD is portal-only.
The supervisory review cmdlet family (*-SupervisoryReviewPolicyV2, *-SupervisoryReviewRule, Get-SupervisoryReviewActivity) does run in Security & Compliance PowerShell (IPPS) and is used for evidence collection and supervisory review CRUD. Do not assume Connect-ExchangeOnline is the right shell — it is not. Use Connect-IPPSSession.
Sovereign Cloud Availability
Verify per tenant before assuming a feature is at parity. Communication Compliance is currently available in tenants hosted in geographical regions and countries supported by Azure service dependencies; specific classifiers and connectors vary by cloud.
| Capability | Commercial | GCC | GCC High | DoD |
|---|---|---|---|---|
| Communication Compliance core (Exchange / Teams / Viva Engage) | GA | GA | GA | GA |
| Microsoft 365 Copilot / Copilot Chat detection template | GA | Verify staged availability | Verify staged availability | Verify staged availability |
| Enterprise / Other AI apps coverage (PAYG required) | Verify staged availability | Verify | Verify | Verify |
| Inappropriate content (Hate / Violence / Sexual / Self-harm) classifiers | GA | GA | Verify model parity | Verify model parity |
| OCR for images | GA (PAYG) | Verify | Verify | Verify |
| Administrative Units (preview / GA per Learn) | Per Learn | Per Learn | Per Learn | Per Learn |
Portal endpoints:
- Commercial: https://purview.microsoft.com
- GCC: https://compliance.microsoft.com (transitioning to purview.microsoft.com)
- GCC High / DoD: https://purview.microsoft.us
PowerShell endpoints (IPPS / Security & Compliance): see Control 1.5 sovereign cloud subsection for canonical Connect-IPPSSession parameters; Communication Compliance supervisory review cmdlets share the same connection model.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Baseline templates (Inappropriate text + Inappropriate content); weekly sampling at template default | Minimal regulatory exposure |
| Zone 2 (Team) | Add Regulatory compliance template; daily review cadence; documented compensating-control plan if any policy is paused | Shared accountability |
| Zone 3 (Enterprise) | Add Copilot interactions template; review percentage tuned for FINRA-supervised populations (often 100%); pseudonymization opt-out audited; admin-unit scoping for reviewers | Maximum regulatory protection |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Communication Compliance (catch-all role group) | Legacy "do everything" group; restrict assignment in production tenants |
| Communication Compliance Admins | Policy configuration and management |
| Communication Compliance Analysts | Alert triage and review (per-policy reviewer assignment also required) |
| Communication Compliance Investigators | Investigation, remediation, opt-in to view unmasked content (audited) |
| Communication Compliance Viewers | Read-only access to dashboards and reports |
| Legal / Compliance Officer | Reportability decisions, regulatory-routing, legal-hold escalation |
| Privacy Officer | Pseudonymization opt-out approvals; admin-unit scoping decisions |
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit evidence for communications |
| 1.9 - Data Retention | Retention of communications |
| 1.13 - Sensitive Information Types | SITs for detection |
| 2.12 - Supervision | Supervision requirements (FINRA Supervision Workflow) |
| 1.12 - Insider Risk | Insider risk correlation |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Unified Audit Log enabled — Get-AdminAuditLogConfig returns UnifiedAuditLogIngestionEnabled : True (or per Defender portal Audit search)
- License entitlement reconciled — in-scope users hold a qualifying SKU per current Microsoft Purview Suite / Microsoft 365 E5 / E5 Compliance guidance
- Pseudonymization — Settings → Privacy confirms default pseudonymization is on; any opt-out has a documented justification
- Reviewer prerequisites — each per-policy reviewer is an individual user with an Exchange Online mailbox; per-policy reviewer assignment is verified
- Template + scope inventory — Get-SupervisoryReviewPolicyV2 (IPPS) returns the expected policies with the correct templates, scopes, and review percentages
- Deterministic activation test — a named test sender with a UTC-stamped policy-relevant message produces a Pending entry in the review queue after the documented processing window (Teams up to 48h, Exchange ~24h)
- Audit pipeline — Search-UnifiedAuditLog (paged with -SessionId + -SessionCommand ReturnLargeSet) returns rows for SupervisionRuleMatch, SupervisionPolicyCreated/Updated/Deleted, and SupervisoryReviewTag operations within the test window
- Policy Match Preservation — explicit setting per policy is documented (not assumed default); separate records retention is in place per Control 1.9
- Admin units / scoping — reviewer/investigator permissions are scoped per region or business unit using administrative units where applicable
- PAYG billing enabled for any policy that includes Enterprise / Other AI apps locations
- Sovereign cloud parity — for GCC / GCC High / DoD tenants, capability gaps are recorded as compensating-control notes rather than asserted as functioning
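The evidence-collection sequence that the PowerShell section and the Verification Criteria above describe, written out as an added example (not Microsoft's or the FSI-AgentGov project's own script). It assumes the ExchangeOnlineManagement module is installed, that the account holds an audit-log role in Exchange Online plus a Communication Compliance role group, and that the window and output directory parameters are placeholders to be set per tenant.

```powershell
# Added example: collect Communication Compliance verification evidence for one
# UTC test window. Assumptions: ExchangeOnlineManagement module installed; the
# account holds View-Only Audit Logs (or Audit Logs) in Exchange Online and a
# Communication Compliance role group; $OutDir and the window are placeholders.
param(
    [datetime]$WindowStart = (Get-Date).ToUniversalTime().AddDays(-7),
    [datetime]$WindowEnd   = (Get-Date).ToUniversalTime(),
    [string]$OutDir        = ".\cc-evidence"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Audit-log prerequisite and audit-pipeline evidence: these cmdlets run in
#    Exchange Online PowerShell (Connect-ExchangeOnline), not in IPPS.
Connect-ExchangeOnline -ShowBanner:$false
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    throw "Unified Audit Log ingestion is disabled; Communication Compliance alerts and reviewer actions are not being logged."
}

# Operations named in the Verification Criteria. Page with one fixed SessionId
# and ReturnLargeSet; each call returns the next block of up to 5000 rows.
$ops = @('SupervisionRuleMatch', 'SupervisionPolicyCreated', 'SupervisionPolicyUpdated',
         'SupervisionPolicyDeleted', 'SupervisoryReviewTag')
$sessionId = "cc-evidence-$([guid]::NewGuid())"
$rows = New-Object System.Collections.Generic.List[object]
do {
    $page = Search-UnifiedAuditLog -StartDate $WindowStart -EndDate $WindowEnd `
        -Operations $ops -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $rows.AddRange(@($page)) }
} while ($page -and @($page).Count -eq 5000)

# Raw rows (AuditData is the JSON payload) go to the evidence folder; the
# per-operation count is the quick check that each pipeline stage emitted rows.
$rows | Select-Object CreationDate, Operations, UserIds, RecordType, AuditData |
    Export-Csv -Path (Join-Path $OutDir 'audit-rows.csv') -NoTypeInformation
$rows | Group-Object Operations | Select-Object Name, Count | Format-Table -AutoSize

# 2. Policy inventory: the supervisory review cmdlets only run in Security &
#    Compliance PowerShell, so a second session via Connect-IPPSSession is needed.
Connect-IPPSSession
Get-SupervisoryReviewPolicyV2 |
    Export-Csv -Path (Join-Path $OutDir 'policy-inventory.csv') -NoTypeInformation

# Disconnect-ExchangeOnline closes both the Exchange Online and the IPPS session.
Disconnect-ExchangeOnline -Confirm:$false
```

Compare the exported policy inventory against the documented per-policy design record (reviewers, locations, review percentage, Policy Match Preservation) rather than treating the export itself as proof of correct scope.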
Regulatory Requirements
FINRA Rule 2210 - Communications with the Public
AI-generated customer communications must meet Rule 2210 content standards. Per FINRA Notice 24-09 FAQ D.8, "Firms are responsible for their communications, regardless of whether they are generated by a human or AI technology."
Communication Classification:
- Retail Communication (>25 retail investors in 30 days): Pre-use principal approval required
- Correspondence (≤25 retail investors in 30 days): Post-use review acceptable
- Institutional: Internal procedures apply
The FINRA 2026 Annual Regulatory Oversight Report emphasizes that firms must configure AI agents to route communications through appropriate review workflows based on classification.
FINRA 2026 Annual Regulatory Oversight Report
The FINRA 2026 Annual Regulatory Oversight Report continues to emphasize supervision of AI-generated communications and Rule 2210 classification. Configure agents and policies to route communications through the appropriate supervisory workflow per the firm's written supervisory procedures.
Additional Resources
- Microsoft Learn: Communication Compliance Overview
- Microsoft Learn: Plan for Communication Compliance
- Microsoft Learn: Configure Communication Compliance
- Microsoft Learn: Create Communication Compliance Policies
- Microsoft Learn: Communication Compliance Channels
- Microsoft Learn: Investigate and Remediate Alerts
- Microsoft Learn: Communication Compliance Permissions
- Microsoft Learn: New-SupervisoryReviewPolicyV2
- Microsoft Learn: New-SupervisoryReviewRule
- Microsoft Learn: Get-SupervisoryReviewActivity
- Microsoft Learn: Connect to Security & Compliance PowerShell
- Microsoft Learn: Trainable Classifiers
- FINRA Rule 2210
- FINRA Rule 3110
- FINRA Notice 24-09
- FINRA Notice 25-07
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current