
Control 1.10: Communication Compliance Monitoring

Control ID: 1.10
Pillar: Security
Regulatory Reference: FINRA Rule 4511, FINRA Rule 3110(b), FINRA Rule 4530(d), FINRA RN 24-09, SEC Rule 17a-3, SEC Rule 17a-4(b)(4), SEC Reg S-P, GLBA 501(b)
Last UI Verified: May 2026
Governance Levels: Baseline / Recommended / Regulated


Objective

Detect and review policy-relevant content in agent-assisted interactions, including user prompts and agent responses. This control supports supervision and review objectives for financial services by monitoring for regulatory violations, inappropriate content, and potential conduct risks.


Why This Matters for FSI

  • FINRA Rule 4511 / Rule 3110(b): Supervision of AI-assisted communications; firms must retain and review AI agent interactions. FINRA Rule 3110 requires written supervisory procedures reasonably designed for the firm's business.
  • FINRA Rule 4530(d): Firms must report quarterly statistics on written customer complaints. AI-related complaints received in writing, such as allegations that Copilot output was misleading, fabricated, unsuitable, or exposed confidential data, should be captured and routed into that reporting workflow.
  • FINRA RN 24-09 / Rule 3110: Reinforces that firms are responsible for communications regardless of whether they are AI-generated. Note: FINRA Regulatory Notice 24-09 explicitly states it does not create new legal or regulatory requirements; the existing supervision and recordkeeping rules apply.
  • SEC Rule 17a-3 / 17a-4(b)(4): Retention and review of customer communications; 2022 amendments allow an audit-trail alternative to WORM for electronic records. The durable books-and-records obligation is met via Exchange/Teams retention and records management (see Control 1.9), not by Communication Compliance Policy Match Preservation alone.
  • SEC Regulation S-P: Customer information safeguards apply to NPI surfaced through agent interactions.
  • GLBA 501(b): Protecting customer NPI in agent interactions.
  • MNPI Detection: Identifying potential insider trading communications.
  • OCC Bulletin 2026-13 (formerly OCC 2011-12) / Fed SR 26-2 (formerly SR 11-7): Model risk management applies to AI classifiers (trainable classifiers, AI-powered detection) used in Communication Compliance policies.

What Communication Compliance is — and is not

Communication Compliance is the supervisory review plane for content in messages and AI interactions. It is distinct from:

  • Insider Risk Management (Control 1.12) — user-behavior risk scoring
  • eDiscovery (Control 1.19) — legal hold and case collection
  • DLP (Control 1.5) — preventive blocking at egress
  • Records retention (Control 1.9) — durable books-and-records obligation under SEC 17a-4 / FINRA 4511

Communication Compliance retains copies of matched content for review under Policy Match Preservation; it does not by itself satisfy the durable retention obligation.


Automation Available

See FINRA Supervision Workflow in FSI-AgentGov-Solutions for an automated supervision queue for AI agent outputs supporting FINRA Rule 3110 compliance.

Control Description

| Capability | Description |
|---|---|
| Inappropriate content detection | Detect harassment, threats, discrimination in agent interactions |
| Regulatory violation monitoring | Identify unsuitable recommendations, MNPI indicators |
| Customer complaint routing | Detect, tag, and route AI-related written customer complaints for supervisory review and FINRA Rule 4530(d) quarterly statistics |
| Sensitive data protection | Detect customer data in agent responses |
| AI classifiers | Machine learning detection for complex scenarios |
| Review workflow | Triage, escalation, and remediation workflow |

Customer complaint handling (FINRA Rule 4530(d))

Communication Compliance should treat potential written customer complaints about AI-assisted communications as a supervisory-routing scenario, not just a generic policy hit. When a customer alleges in writing that a Copilot or agent response was misleading, fabricated, unsuitable, or exposed confidential data, reviewers should flag the event as a potential complaint, apply a firm-defined AI-complaint tag, and route the item to Compliance for supervisory review and quarterly FINRA Rule 4530(d) reporting.

Each complaint record should carry a durable reference to the underlying AI interaction preserved through Control 1.7's preservation architecture, such as the prompt/response record, conversation ID, message ID, or evidence-manifest reference. That linkage supports reconstruction, retention, escalation, and downstream reporting. Organizations should verify the tagging taxonomy, case-routing workflow, and quarterly complaint-report process align to their written supervisory procedures and complaint-management standards.

Monitored Channels and AI Locations

Communication Compliance policies operate across the channels and locations Microsoft Learn currently documents. To monitor Copilot interactions, use the dedicated template "Detect Microsoft Copilot interactions". Microsoft Learn's policy-template reference documents the Copilot interactions template conditions as Prompt Shields and Protected material classifiers; verify the displayed conditions during policy creation because template details can vary by tenant rollout.

| Location group | Examples | Notes |
|---|---|---|
| Exchange Online | User mailboxes (internal and outbound) | Reviewers must have Exchange Online mailboxes |
| Microsoft Teams | Chats, channels (excluding shared with external) | Teams chat matches may take up to 48 hours to process per Learn |
| Viva Engage | Public communities | |
| Microsoft Copilot experiences | Microsoft 365 Copilot, Copilot Chat, Microsoft Copilot Studio, Security Copilot, Copilot in Fabric | Use the dedicated Detect Microsoft Copilot interactions template for Copilot policy creation |
| Enterprise AI apps | Entra-connected or Purview Data Map-connected generative AI apps, such as ChatGPT Enterprise | Pay-as-you-go billing required for non-M365 AI data per Learn |
| Other AI apps | Browser and network activity for unmanaged AI apps, such as ChatGPT, Google Gemini, and Microsoft Copilot consumer | Pay-as-you-go billing required for non-M365 AI data |
| Third-party sources | Bloomberg, Slack, etc. via supported connectors | Connector availability varies; verify per tenant |

Pay-as-you-go billing required for non-M365 AI

Detection of inappropriate or risky interactions for non-Microsoft 365 AI data — including connected generative AI apps and Copilot Studio in some configurations — requires pay-as-you-go billing to be enabled per Microsoft Learn. Plan and document this with your billing owner before scoping a policy to those locations.

Processing windows are not real-time

Per current Microsoft Learn, Teams chat matches may take up to 48 hours to surface in the review queue, and Exchange email/attachment matches about 24 hours. Non-Microsoft sources often take 24–48 hours. Do not design supervisory procedures around real-time alert expectations the product does not document.


Key Configuration Points

  • Enable Unified Audit Log first. Microsoft Learn marks this as a required step; Communication Compliance relies on the audit log for alert generation and reviewer-action logging.
  • Verify the privacy default. Pseudonymization of usernames is on by default in Communication Compliance. Document the opt-out audit trail (admin, justification, date) before any reviewer is opted in to investigator capability.
  • Assign role groups using the canonical Learn names: Communication Compliance (catch-all), Communication Compliance Admins, Communication Compliance Analysts, Communication Compliance Investigators, Communication Compliance Viewers. Reviewers must also be assigned at the per-policy level and must have Exchange Online mailboxes.
  • Use the built-in template "Detect Microsoft Copilot interactions" as the starting point for Copilot monitoring; Microsoft Learn's policy-template reference documents Prompt Shields and Protected material conditions for the Copilot interactions template, and administrators should verify the displayed conditions before creating the policy.
  • Use "Detect inappropriate text" (Exchange + Teams + Viva Engage) for harassment / threats / discrimination scenarios. Note that "Detect inappropriate content" is locked to Teams + Viva Engage with Hate / Violence / Sexual / Self-harm classifiers; it does not support Exchange or Copilot locations.
  • Use "Detect financial regulatory compliance" (Regulatory compliance template) for FINRA-specific scenarios. This template defaults to a 10% review percentage; FSI customers supervising registered representatives typically need 100%; tune the review percentage explicitly and document the basis.
  • Configure complaint-focused keywords, classifier coverage, or custom dictionaries so written allegations about misleading AI output, fabricated information, unauthorized recommendations, or confidential-data exposure are routed to the Regulatory compliance workflow.
  • Define a firm-standard complaint tag and escalation path for AI-related written complaints, including the case-management reference that links the complaint record to the underlying AI interaction preserved through Control 1.7's preservation architecture.
  • Use Custom policy when template-locked locations / direction / conditions do not fit the use case.
  • Configure OCR via the policy condition checkbox (it is not a tenant-level toggle). OCR processing typically takes about an hour to take effect per Learn.
  • Document each policy's Reviewers, Locations, Conditions, Review percentage, Direction, and Policy Match Preservation setting as part of the supervisory design record.
  • Plan administrative units to scope reviewer/investigator permissions by region or business unit. Per Learn this is the documented mechanism for HR-only vs. Compliance-only vs. Legal-only scoping in multi-affiliate FSI organizations.
  • For Microsoft Copilot experiences beyond Microsoft 365 Copilot data, Enterprise AI apps, or Other AI apps coverage, enable pay-as-you-go billing before scoping a policy to those locations where Microsoft Learn requires it.

Records retention vs Policy Match Preservation

Policy Match Preservation retains a copy of matched content for review while the policy is in place. As of June 1, 2025 the options are 1 month / 6 months / 1 year / 7 years (default 1 year). It is not the records retention mechanism for SEC 17a-4(b)(4) / FINRA 4511 — durable books-and-records retention is met via Exchange Online retention, Teams retention, and records management (see Control 1.9). Set Policy Match Preservation per supervisory needs and document records retention separately.

PowerShell and Communication Compliance — what is and is not supported

Per Microsoft Learn (communication-compliance-policies): PowerShell is not supported for creating and managing Communication Compliance policies. Policy CRUD is portal-only.

The supervisory review cmdlet family (*-SupervisoryReviewPolicyV2, *-SupervisoryReviewRule, Get-SupervisoryReviewActivity) does run in Security & Compliance PowerShell (IPPS) and is used for evidence collection and supervisory review CRUD. Do not assume Connect-ExchangeOnline is the right shell — it is not. Use Connect-IPPSSession.


Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Baseline templates (Inappropriate text + Inappropriate content); weekly sampling at template default; manual complaint log and Compliance escalation for any written AI-related customer complaint | Minimal regulatory exposure; manual complaint handling may be acceptable when customer-facing AI use is limited |
| Zone 2 (Team) | Add Regulatory compliance template; daily review cadence; complaint-related keywords/tags; documented manual feed into quarterly FINRA Rule 4530(d) complaint statistics when customer-facing AI is in scope | Shared accountability and increased supervisory expectations |
| Zone 3 (Enterprise) | Add Detect Microsoft Copilot interactions template; review percentage tuned for FINRA-supervised populations (often 100%); pseudonymization opt-out audited; admin-unit scoping for reviewers; dedicated AI-complaint tag/queue with automated routing to Compliance and the quarterly reporting register | Maximum regulatory protection and formalized complaint-reporting workflow |

Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Communication Compliance (catch-all role group) | Legacy "do everything" group; restrict assignment in production tenants |
| Communication Compliance Admins | Policy configuration and management |
| Communication Compliance Analysts | Alert triage and review (per-policy reviewer assignment also required) |
| Communication Compliance Investigators | Investigation, remediation, complaint tagging, and opt-in to view unmasked content (audited) |
| Communication Compliance Viewers | Read-only access to dashboards and reports |
| Compliance Officer | Reportability decisions, quarterly FINRA Rule 4530(d) complaint-statistics input, and legal-hold / supervisory escalation coordination |
| Purview Records Manager | Validate complaint-to-interaction retention linkage and evidence references against Control 1.7's preservation architecture |
| Privacy Officer | Pseudonymization opt-out approvals; admin-unit scoping decisions |

| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Preservation architecture and audit evidence for complaint-to-interaction linkage |
| 1.9 - Data Retention | Retention of communications and complaint records |
| 1.13 - Sensitive Information Types | SITs for detection |
| 2.12 - Supervision | Supervision requirements (FINRA Supervision Workflow) |
| 3.3 - Compliance and Regulatory Reporting | Quarterly complaint statistics and supervisory reporting outputs |
| 1.12 - Insider Risk | Insider risk correlation |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, troubleshooting, and complaint-routing evidence:

The portal and verification playbooks include complaint-tagging, escalation, retention-linkage, and quarterly FINRA Rule 4530(d) reporting handoff steps for AI-related written customer complaints.


Verification Criteria

Confirm control effectiveness by verifying:

  1. Unified Audit Log enabled — Get-AdminAuditLogConfig returns UnifiedAuditLogIngestionEnabled : True (or per Defender portal Audit search)
  2. License entitlement reconciled — in-scope users hold a qualifying SKU per current Microsoft Purview Suite / Microsoft 365 E5 / E5 Compliance guidance
  3. Pseudonymization — Settings → Privacy confirms default pseudonymization is on; any opt-out has a documented justification
  4. Reviewer prerequisites — each per-policy reviewer is an individual user with an Exchange Online mailbox; per-policy reviewer assignment is verified
  5. Template + scope inventory — Get-SupervisoryReviewPolicyV2 (IPPS) returns the expected policies with the correct templates, scopes, and review percentages
  6. Deterministic activation test — a named test sender with a UTC-stamped policy-relevant message produces a Pending entry in the review queue after the documented processing window (Teams up to 48h, Exchange ~24h)
  7. Audit pipeline — Search-UnifiedAuditLog (paged with -SessionId + -SessionCommand ReturnLargeSet) returns rows for SupervisionRuleMatch, SupervisionPolicyCreated/Updated/Deleted, and SupervisoryReviewTag operations within the test window
  8. Policy Match Preservation — explicit setting per policy is documented (not assumed default); separate records retention is in place per Control 1.9
  9. Admin units / scoping — reviewer/investigator permissions are scoped per region or business unit using administrative units where applicable
  10. PAYG billing enabled for any policy location where Microsoft Learn requires it, including Enterprise AI apps, Other AI apps, and non-Microsoft 365 AI data in Microsoft Copilot experiences
  11. Complaint-handling workflow — complaint-oriented detection and routing are configured for AI-related written customer complaints; the complaint record references the underlying AI interaction preserved through Control 1.7's preservation architecture; and the quarterly FINRA Rule 4530(d) reporting process includes this complaint category
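The PowerShell split described under "PowerShell and Communication Compliance" and verification criteria 1, 5, 6, 7 and 8 above, collected in one evidence run. This is an added example, not code from the FSI-AgentGov project or from Microsoft Learn. It assumes the ExchangeOnlineManagement module is installed, that the account holds the rights needed for Search-UnifiedAuditLog (Exchange Online PowerShell) and for the supervisory review cmdlets (Connect-IPPSSession), and that the sender address, sent timestamp and output folder are placeholders you replace; the SamplingRate property on rule objects is an assumption, which is why the script exports full objects rather than a hand-picked subset.

```powershell
# Added example (not part of the FSI-AgentGov control page or of Microsoft's documentation).
# Collects Control 1.10 verification evidence in one run:
#   criterion 1  Unified Audit Log state          Exchange Online PowerShell
#   criterion 7  audit pipeline rows, paged       Exchange Online PowerShell
#   criterion 6  activation-test correlation      derived from the audit rows
#   criteria 5/8 template + scope inventory       IPPS (Connect-IPPSSession)
#   plus a SHA-256 manifest of every export, usable as the evidence-manifest reference.
# Assumptions: ExchangeOnlineManagement module; audit-search and compliance-admin rights;
# $TestSender and $TestSentUtc are constructed placeholders; SamplingRate is an assumed property name.

param(
    [string]   $TestSender  = 'cc-test-sender@contoso.example',               # placeholder, replace
    [datetime] $TestSentUtc = (Get-Date).ToUniversalTime().AddHours(-49),    # placeholder, replace
    [string]   $EvidenceDir = (Join-Path $PWD ('cc-evidence-' + (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')))
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$windowStart = $TestSentUtc.AddHours(-1)
$windowEnd   = (Get-Date).ToUniversalTime()

# --- Exchange Online PowerShell: the audit cmdlets live here, not in IPPS ---
Connect-ExchangeOnline -ShowBanner:$false

# Criterion 1: UnifiedAuditLogIngestionEnabled must be True.
$auditCfg = Get-AdminAuditLogConfig
$auditCfg | Select-Object UnifiedAuditLogIngestionEnabled |
    Export-Csv -Path (Join-Path $EvidenceDir 'audit-config.csv') -NoTypeInformation
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified Audit Log ingestion is off: no alerts or reviewer-action logs will be produced.'
}

# Criterion 7: page through Search-UnifiedAuditLog with -SessionId + -SessionCommand ReturnLargeSet.
# ResultSize is capped at 5000 per call; the same SessionId keeps returning pages until one comes back empty.
$ops = @('SupervisionRuleMatch', 'SupervisionPolicyCreated', 'SupervisionPolicyUpdated',
         'SupervisionPolicyDeleted', 'SupervisoryReviewTag')
$sessionId = 'cc-evidence-' + [guid]::NewGuid().ToString()
$rows = [System.Collections.Generic.List[object]]::new()
do {
    $page = Search-UnifiedAuditLog -StartDate $windowStart -EndDate $windowEnd -Operations $ops `
                -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $rows.AddRange([object[]]$page) }
} while ($page -and $page.Count -gt 0)
$rows | Select-Object CreationDate, Operations, UserIds, RecordType, AuditData |
    Export-Csv -Path (Join-Path $EvidenceDir 'audit-rows.csv') -NoTypeInformation
$rows | Group-Object Operations | ForEach-Object { '{0,-28} {1,6}' -f $_.Name, $_.Count }

# Criterion 6: did the UTC-stamped test message produce a rule match within the documented window?
# AuditData is the raw JSON payload; matching on the sender string avoids depending on its schema.
$hit = $rows | Where-Object { $_.Operations -eq 'SupervisionRuleMatch' -and $_.AuditData -like "*$TestSender*" }
$elapsedH = [math]::Round(($windowEnd - $TestSentUtc).TotalHours, 1)
if ($hit) {
    "Activation test: SupervisionRuleMatch for $TestSender found after $elapsedH h."
} elseif ($elapsedH -lt 48) {
    "Activation test: no match yet after $elapsedH h; inconclusive until the 48 h Teams window has passed."
} else {
    Write-Warning "Activation test FAILED: no SupervisionRuleMatch for $TestSender after $elapsedH h."
}

# --- IPPS: the supervisory review cmdlets run only under Connect-IPPSSession ---
Connect-IPPSSession

# Criteria 5 and 8: export every policy and rule with all properties, since property names
# vary across tenant rollouts; the full object, not a curated subset, is the evidence.
$policies = Get-SupervisoryReviewPolicyV2
$policies | Select-Object -Property * |
    Export-Csv -Path (Join-Path $EvidenceDir 'policies.csv') -NoTypeInformation
$rules = Get-SupervisoryReviewRule
$rules | Select-Object -Property * |
    Export-Csv -Path (Join-Path $EvidenceDir 'rules.csv') -NoTypeInformation

# Flag rules still below 100% review (the Regulatory compliance template defaults to 10%).
foreach ($rule in $rules) {
    $rate = $rule.PSObject.Properties['SamplingRate']   # assumed property name; skipped if absent
    if ($rate -and [int]$rate.Value -lt 100) {
        Write-Warning ("Rule '{0}' reviews {1}% of matches; confirm this is the documented basis." -f $rule.Name, $rate.Value)
    }
}

# Evidence manifest: SHA-256 of each export, so a complaint record can cite an immutable reference.
$manifest = Get-ChildItem -Path $EvidenceDir -File | ForEach-Object {
    [pscustomobject]@{
        File      = $_.Name
        Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Collected = $windowEnd.ToString('o')
        Window    = '{0} .. {1}' -f $windowStart.ToString('o'), $windowEnd.ToString('o')
    }
}
$manifest | ConvertTo-Json | Set-Content -Path (Join-Path $EvidenceDir 'manifest.json') -Encoding UTF8
Disconnect-ExchangeOnline -Confirm:$false
"Evidence written to $EvidenceDir"
```

Run it after the documented processing window has elapsed (the script reports the activation test as inconclusive, not failed, before 48 hours), and file the manifest alongside the per-policy design record called for under Key Configuration Points. Policy creation and changes stay in the portal; the script only reads.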

Regulatory Requirements

FINRA Rule 2210 - Communications with the Public

AI-generated customer communications must meet Rule 2210 content standards. Per FINRA Regulatory Notice 24-09 FAQ D.8, "Firms are responsible for their communications, regardless of whether they are generated by a human or AI technology."

Communication Classification:

  • Retail Communication (>25 retail investors in 30 days): Pre-use principal approval required
  • Correspondence (≤25 retail investors in 30 days): Post-use review acceptable
  • Institutional: Internal procedures apply

The FINRA 2026 Annual Regulatory Oversight Report emphasizes that firms must configure AI agents to route communications through appropriate review workflows based on classification.

FINRA 2026 Annual Regulatory Oversight Report

The FINRA 2026 Annual Regulatory Oversight Report continues to emphasize supervision of AI-generated communications and Rule 2210 classification. Configure agents and policies to route communications through the appropriate supervisory workflow per the firm's written supervisory procedures.


Additional Resources


Updated: May 2026 | Version: v1.6.2 | UI Verification Status: Current