# Control 3.3: Compliance and Regulatory Reporting

- Control ID: 3.3
- Pillar: Reporting
- Regulatory Reference: FINRA 4511, SEC 17a-3/4, SOX 302/404, GLBA 501(b), OCC 2011-12
- Last UI Verified: January 2026
- Governance Levels: Baseline / Recommended / Regulated
- Last Verified: 2026-02-03
## Objective
Establish a comprehensive framework for generating, distributing, and archiving compliance reports that demonstrate AI agent governance adherence to financial services regulations. This control helps organizations produce evidence of compliance during examinations and audits.
## Why This Matters for FSI
- FINRA 4511: Requires books and records documentation for all agent activities and governance decisions
- SEC 17a-3/4: Customer interaction records must be preserved in accessible, retrievable format
- SOX 302/404: Management certifications and internal control documentation require quarterly attestation
- GLBA 501(b): Safeguard effectiveness must be documented and reviewed annually
- OCC 2011-12: Third-party oversight and vendor compliance requires documented reporting
## Control Description
This control establishes automated and manual processes for compliance reporting across the AI agent governance framework. It integrates with Microsoft Compliance Manager for assessment tracking, SharePoint for document archiving, and Power BI for executive dashboards.
| Capability | Description |
|---|---|
| Control Status Reporting | Weekly/monthly reports showing compliance by pillar |
| Regulatory Alignment | Mapping of controls to specific regulatory requirements |
| Examination Packages | Pre-built document bundles for FINRA, SEC, OCC exams |
| Executive Dashboards | Real-time compliance score visibility for leadership |
| Automated Distribution | Scheduled reports with approval workflows |
### Microsoft Compliance Manager AI Assessments
Microsoft Compliance Manager includes 320+ regulatory framework templates with four premium templates specifically for AI governance:
| Template | Focus | FSI Application |
|---|---|---|
| EU AI Act | Risk classification, conformity assessment | EU operations, cross-border agents |
| NIST AI RMF | AI risk management lifecycle | Model risk alignment (OCC 2011-12) |
| ISO/IEC 42001 | AI management system | Enterprise AI governance framework |
| ISO/IEC 23894 | AI risk management | Risk assessment methodology |
#### Premium Assessment Templates
AI regulatory templates require Compliance Manager premium assessment add-on or E5 Compliance licensing. Standard E3/E5 licenses include limited assessment templates.
### Microsoft Foundry Integration
For organizations using Microsoft Foundry for agent development, automated compliance evaluations are available:
| Capability | Description | FSI Use Case |
|---|---|---|
| Built-in Evaluators | Groundedness, coherence, fluency scoring | Automated QA for agent responses |
| Custom Evaluators | Organization-specific compliance rules | Regulatory disclosure checking |
| Evaluation Pipelines | Automated testing workflows | CI/CD compliance gates |
### AI-Powered Regulatory Intelligence (GA January 2026)
Compliance Manager now includes AI-powered regulatory template generation:
- Automatically suggests control mappings based on organizational profile
- Generates custom assessments from regulatory text input
- Identifies gaps between current controls and regulatory requirements
## Key Configuration Points
- Configure Microsoft Compliance Manager assessments for FINRA, SEC, SOX, and GLBA
- Create SharePoint document library structure for report archiving with 7-year retention
- Build Power Automate flows for automated weekly/monthly/quarterly report generation
- Establish Power BI dashboard with compliance scores by pillar
- Define distribution matrix with approval workflows for executive reports
- Integrate regulatory examination calendar for deadline tracking
- Complete AI regulatory impact assessments for new agent deployments
## Automation Available
See Compliance Dashboard in FSI-AgentGov-Solutions for aggregated compliance reporting across all 71 framework controls with zone-based filtering, trend analysis, and exception tracking.
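The two computations behind the reporting described above, a compliance score by pillar with zone-based filtering and a retention check against the 7-year period cited for FINRA 4511 / SEC 17a-4, as an added Python example. This is not the framework's Compliance Dashboard or any other FSI-AgentGov-Solutions code: the status weighting, the placeholder pillar names "Security" and "Operations", the control records, archive file names and dates are all constructed for the example, and the report date is pinned to 2026-02-03 so the output is reproducible.

```python
"""Added example, not part of the FSI-AgentGov framework or its Compliance
Dashboard: aggregate control status into compliance scores by pillar (with
zone-based filtering) and check archived reports against the 7-year retention
period the control cites for FINRA 4511 / SEC 17a-4. All control records,
pillar names other than "Reporting", file names and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Weighting of statuses is an assumption of this example, not a framework rule.
STATUS_WEIGHT = {"Implemented": 1.0, "Partial": 0.5, "Not Implemented": 0.0}
RETENTION_YEARS = 7          # retention period named in the control
AS_OF = date(2026, 2, 3)     # report date, pinned so results are reproducible


@dataclass(frozen=True)
class ControlStatus:
    control_id: str
    pillar: str
    zone: int                      # 1 = Personal, 2 = Team, 3 = Enterprise
    status: str                    # key of STATUS_WEIGHT
    evidence_date: Optional[date]  # None = no evidence archived yet


# Constructed sample data; "Security" and "Operations" are placeholder pillars.
SAMPLE_CONTROLS = [
    ControlStatus("1.7", "Security", 3, "Implemented", date(2026, 1, 15)),
    ControlStatus("2.13", "Operations", 2, "Partial", date(2025, 12, 1)),
    ControlStatus("3.1", "Reporting", 3, "Implemented", date(2026, 1, 20)),
    ControlStatus("3.2", "Reporting", 2, "Not Implemented", None),
    ControlStatus("3.3", "Reporting", 3, "Partial", date(2026, 1, 28)),
]
# Constructed archive index: report file name -> date it was archived.
SAMPLE_ARCHIVES = {
    "2019-01-status.pdf": date(2019, 1, 7),
    "2024-02-status.pdf": date(2024, 2, 29),
    "2026-01-status.pdf": date(2026, 1, 5),
}


def score_by_pillar(records, zone=None):
    """Return {pillar: percent compliant}; zone=None means all zones."""
    buckets: Dict[str, List[float]] = {}
    for r in records:
        if zone is not None and r.zone != zone:
            continue
        if r.status not in STATUS_WEIGHT:
            raise ValueError(f"{r.control_id}: unknown status {r.status!r}")
        buckets.setdefault(r.pillar, []).append(STATUS_WEIGHT[r.status])
    return {p: round(100 * sum(w) / len(w), 1) for p, w in buckets.items()}


def missing_evidence(records, zone=None):
    """Control IDs with no archived evidence; these block an exam package."""
    return [r.control_id for r in records
            if (zone is None or r.zone == zone) and r.evidence_date is None]


def retention_until(archived):
    """Earliest date a report may be disposed of under 7-year retention."""
    try:
        return archived.replace(year=archived.year + RETENTION_YEARS)
    except ValueError:  # archived on 29 Feb and the target year is not a leap year
        return archived.replace(year=archived.year + RETENTION_YEARS, day=28)


def disposition_eligible(archives, as_of):
    """Reports whose retention period has fully elapsed as of `as_of`."""
    return sorted(n for n, d in archives.items() if retention_until(d) < as_of)


def status_report(records, archives, as_of, zone=None):
    """Assemble the weekly control-status report as plain data, ready to be
    written to the SharePoint library or fed to a dashboard."""
    return {
        "as_of": as_of.isoformat(),
        "zone": zone,
        "scores": score_by_pillar(records, zone),
        "missing_evidence": missing_evidence(records, zone),
        "disposition_eligible": disposition_eligible(archives, as_of),
        "retain_until": {n: retention_until(d).isoformat()
                         for n, d in archives.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(status_report(SAMPLE_CONTROLS, SAMPLE_ARCHIVES, AS_OF), indent=2))
```

Two points worth noting in the design: the retention check computes an earliest disposition date rather than deleting anything, so the output is a review list for the SharePoint Site Owner, and controls with no archived evidence are surfaced as exceptions in the same report because an examination package cannot be compiled without them.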
## AI Regulatory Impact Assessment
Before deploying Zone 2/3 agents, complete an AI regulatory impact assessment to identify applicable regulations and control requirements:
| Assessment Area | Key Questions | Regulatory Drivers |
|---|---|---|
| Customer Interaction | Does the agent communicate directly with customers? | FINRA 3110 (Supervision), SEC Reg BI, CFPB UDAAP |
| Investment Recommendations | Does the agent provide investment advice or recommendations? | FINRA 2111, SEC Reg BI, IAA |
| Credit Decisions | Does the agent influence credit, lending, or insurance decisions? | ECOA, FCRA, State AI Laws |
| Transaction Processing | Does the agent process or authorize financial transactions? | FINRA 4511, SEC 17a-4, CFTC 1.31 |
| Data Access | What customer data does the agent access? | GLBA 501(b), SOX 302/404 |
| AML/KYC | Does the agent support AML, KYC, or fraud detection? | BSA, FinCEN, OFAC |
Impact Assessment Template:

```text
Agent Name: ____________________
Governance Zone: [ ] Zone 1 [ ] Zone 2 [ ] Zone 3
Assessment Date: ____________________
Assessed By: ____________________

Customer-Facing: [ ] Yes [ ] No
  If Yes: FINRA 3110 supervision and disclosure required

Regulatory Impact Categories (check all that apply):
  [ ] Investment/Trading (FINRA 2111, Reg BI)
  [ ] Recordkeeping (FINRA 4511, SEC 17a-4)
  [ ] Supervision (FINRA 3110)
  [ ] Consumer Protection (CFPB UDAAP)
  [ ] Fair Lending (ECOA, FCRA)
  [ ] AML/BSA Compliance
  [ ] Model Risk (OCC 2011-12, SR 11-7)

Required Controls: ____________________
Compliance Officer Sign-Off: ____________________
```
## AML/KYC/OFAC Considerations
AI agents may interact with anti-money laundering (AML), Know Your Customer (KYC), or sanctions screening processes. The AI Regulatory Impact Assessment should include:
Assessment Questions:

- Will the agent process customer identification information?
- Will the agent support transaction monitoring workflows?
- Does the agent have access to sanctions screening results or watchlists?
- Will the agent influence decisions about suspicious activity reporting?
Regulatory Reference: 31 U.S.C. 5318, 31 CFR Chapter X (FinCEN regulations)
Incident Notification Requirements:
If the impact assessment identifies customer data access or security incident risk, document applicable notification deadlines:
- SEC Regulation S-P (effective December 3, 2025): 30-day notification requirement for unauthorized access to customer information (see Control 3.4 for full details)
- GLBA: Notification timelines vary by incident type and entity obligations
- Map specific requirements during incident workflow design
Scope Note: Comprehensive AML/KYC agent governance is outside the current framework scope. Organizations deploying agents in these areas should reference FinCEN guidance and conduct specialized risk assessments.
## Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Summary metrics only; Team Lead approval | Low-risk personal use requires minimal reporting |
| Zone 2 (Team) | Department-level detail; Department Head approval | Shared agents need documented compliance |
| Zone 3 (Enterprise) | Full compliance detail; CCO/CAO approval for distribution | Customer-facing agents require comprehensive audit trail |
## Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Compliance Officer | Configure assessments, approve reports, regulatory liaison |
| Power Platform Admin | Set up automation flows, maintain SharePoint structure |
| AI Governance Lead | Define report requirements, review control mappings |
| SharePoint Site Owner | Manage archive permissions, retention policies |
## Related Controls
| Control | Relationship |
|---|---|
| 3.1 - Agent Inventory | Provides agent data for compliance reports |
| 3.2 - Usage Analytics | Supplies usage metrics for reports |
| 1.7 - Audit Logging | Source of audit evidence for examination packages |
| 2.13 - Documentation | Archives reports per retention requirements |
## Implementation Playbooks

### Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
## Verification Criteria
Confirm control effectiveness by verifying:
- Weekly control status reports generate automatically and archive to SharePoint
- Monthly executive dashboard reflects accurate compliance scores by pillar
- Quarterly audit packages compile all required evidence documents
- Examination packages contain regulator-specific document sets (FINRA, SEC, OCC)
- Reports retained for 7 years per FINRA 4511 and SEC 17a-4 requirements
- Executive sign-off workflow captures CCO/CAO approval before distribution
## Additional Resources
- Microsoft Purview Compliance Manager
- Compliance Manager Assessments
- Power BI for Compliance Reporting
- SharePoint Records Management
- Power Automate Scheduled Flows
## Microsoft Audit Reporting Tools
For enhanced Copilot/AI reporting beyond native M365 Admin Center capabilities, see:
- Microsoft Audit Reporting Tools Playbook - AI-in-One Dashboard and PAX (Portable Audit eXporter) for enterprise-scale analytics
## Implementation Note
Organizations should verify that their implementation meets their specific regulatory obligations. This control supports compliance efforts but requires proper configuration and ongoing validation.
Updated: January 2026 | Version: v1.2 | UI Verification Status: Current