Control 3.3: Compliance and Regulatory Reporting
Control ID: 3.3
Pillar: Reporting
Regulatory Reference: FINRA Rule 4511, FINRA Regulatory Notice 25-07 (proposed), SEC 17a-3/4, SEC Regulation S-P (amended), SOX 302/404, GLBA 501(b), OCC 2011-12
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish a comprehensive framework for generating, distributing, and archiving compliance reports that demonstrate AI agent governance adherence to financial services regulations. This control helps organizations produce evidence of compliance during examinations and audits.
Why This Matters for FSI
- FINRA Rule 4511: Books and records preservation requirements apply to AI agent activity logs and governance decisions; helps support records retention obligations
- FINRA Regulatory Notice 25-07 (proposed, comment period closed July 2025): Signals expected real-time supervision and recordkeeping for AI-generated communications and outputs; firms should plan recordkeeping capability now even though final rule text is pending
- SEC 17a-3/4: Customer interaction records, including AI-generated communications, must be preserved in non-rewriteable, non-erasable (WORM) format and remain accessible and retrievable
- SEC Regulation S-P (amended May 2024): Requires written incident response policies and customer notification within 30 days of unauthorized access; staggered compliance dates apply (large covered institutions: December 3, 2025; all others: June 3, 2026)
- SOX 302/404: Quarterly management certifications and annual internal control attestations require contemporaneous evidence of IT general controls covering AI agent infrastructure
- GLBA 501(b): Safeguard effectiveness must be documented and reviewed at least annually
- OCC 2011-12 / Fed SR 11-7: Model risk management programs require documented validation, monitoring, and reporting for AI/ML models used in regulated business decisions
Control Description
This control establishes automated and manual processes for compliance reporting across the AI agent governance framework. It integrates with Microsoft Compliance Manager for assessment tracking, SharePoint for document archiving, and Power BI for executive dashboards.
| Capability | Description |
|---|---|
| Control Status Reporting | Weekly/monthly reports showing compliance by pillar |
| Regulatory Alignment | Mapping of controls to specific regulatory requirements |
| Examination Packages | Pre-built document bundles for FINRA, SEC, OCC exams |
| Executive Dashboards | Real-time compliance score visibility for leadership |
| Automated Distribution | Scheduled reports with approval workflows |
Microsoft Compliance Manager AI Assessments
Microsoft Compliance Manager includes 320+ regulatory framework templates with four premium templates specifically for AI governance:
| Template | Focus | FSI Application |
|---|---|---|
| EU AI Act | Risk classification, conformity assessment | EU operations, cross-border agents |
| NIST AI RMF | AI risk management lifecycle | Model risk alignment (OCC 2011-12) |
| ISO/IEC 42001 | AI management system | Enterprise AI governance framework |
| ISO/IEC 23894 | AI risk management | Risk assessment methodology |
Premium Assessment Template Licensing
Organizations with A5/E5/G5 licensing receive three premium regulatory templates at no additional cost (the AI templates above qualify). Additional premium templates are available a la carte. The free Microsoft Data Protection Baseline is included for all tenants. Verify current entitlements in the Compliance Manager portal before enabling templates.
Microsoft Foundry Integration
For organizations using Microsoft Foundry for agent development, automated compliance evaluations are available:
| Capability | Description | FSI Use Case |
|---|---|---|
| Built-in Evaluators | Groundedness, coherence, fluency scoring | Automated QA for agent responses |
| Custom Evaluators | Organization-specific compliance rules | Regulatory disclosure checking |
| Evaluation Pipelines | Automated testing workflows | CI/CD compliance gates |
AI-Powered Regulatory Templates (GA January 2026)
Compliance Manager now supports AI-assisted conversion of regulatory PDFs into actionable assessment controls:
- Generates draft custom assessments from uploaded regulatory text (e.g., FINRA Notices, state AI laws)
- Suggests control mappings based on organizational profile
- Identifies gaps between current controls and regulatory requirements
FSI caveat: AI-generated mappings require legal/compliance review before use as evidence. Treat output as a drafting aid, not a finished assessment.
Key Configuration Points
- Configure Microsoft Compliance Manager assessments for FINRA, SEC, SOX, and GLBA
- Create SharePoint document library structure for report archiving with 7-year retention
- Build Power Automate flows for automated weekly/monthly/quarterly report generation
- Establish Power BI dashboard with compliance scores by pillar
- Define distribution matrix with approval workflows for executive reports
- Integrate regulatory examination calendar for deadline tracking
- Complete AI regulatory impact assessments for new agent deployments
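A worked configuration for the 7-year archive retention point above, added here as an example and not taken from the project's own PowerShell Setup playbook: it uses the Security & Compliance PowerShell cmdlets to create a record label, publish it only to the archive site, and read the settings back as examination evidence. The site URL, label name and policy name are assumed placeholders.

```powershell
# Added example (not the project's own PowerShell Setup script). Assumes the
# ExchangeOnlineManagement module is installed and the operator holds a
# Records Management role. Site URL, label and policy names are placeholders.
Connect-IPPSSession

$archiveSite = "https://contoso.sharepoint.com/sites/fsi-compliance-archive"  # placeholder
$labelName   = "FSI Compliance Report - 7 Year Record"                       # placeholder
$policyName  = "FSI Compliance Report Archive Retention"                     # placeholder

# 1. Retention label: declare each labelled file a record and keep it for
#    7 years (2555 days) from creation. A record cannot be edited or deleted
#    while the label applies. For an SEC 17a-4 regulatory record the stricter
#    -Regulatory $true variant exists, but it requires the tenant-level
#    regulatory-record setting to be enabled first and cannot be reversed.
New-ComplianceTag -Name $labelName `
    -Comment "Control 3.3 compliance report archive; 7-year retention" `
    -RetentionAction Keep `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true

# 2. Label policy scoped to the archive site only, so the record label is
#    published where reports land and nowhere else.
New-RetentionCompliancePolicy -Name $policyName `
    -SharePointLocation $archiveSite `
    -Enabled $true

New-RetentionComplianceRule -Name "$policyName - publish label" `
    -Policy $policyName `
    -PublishComplianceTag $labelName

# 3. Evidence for the examination package: confirm the label settings and
#    that the policy is scoped to the archive site and has distributed.
Get-ComplianceTag -Identity $labelName |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, SharePointLocation, DistributionStatus
```

Once the policy has distributed, set the label as the default for the archive document library in its SharePoint library settings so every report uploaded by the Power Automate flows is labelled automatically.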
Automation Available
See Compliance Dashboard in FSI-AgentGov-Solutions for aggregated compliance reporting across the framework control catalog with zone-based filtering, trend analysis, and exception tracking.
AI Regulatory Impact Assessment
Before deploying Zone 2/3 agents, complete an AI regulatory impact assessment to identify applicable regulations and control requirements:
| Assessment Area | Key Questions | Regulatory Drivers |
|---|---|---|
| Customer Interaction | Does the agent communicate directly with customers? | FINRA 3110 (Supervision), SEC Reg BI, CFPB UDAAP |
| Investment Recommendations | Does the agent provide investment advice or recommendations? | FINRA 2111, SEC Reg BI, IAA |
| Credit Decisions | Does the agent influence credit, lending, or insurance decisions? | ECOA, FCRA, State AI Laws |
| Transaction Processing | Does the agent process or authorize financial transactions? | FINRA 4511, FINRA 25-07, SEC 17a-4, CFTC 1.31 |
| Data Access | What customer data does the agent access? | GLBA 501(b), SOX 302/404 |
| AML/KYC | Does the agent support AML, KYC, or fraud detection? | BSA, FinCEN, OFAC |
Impact Assessment Template:
Agent Name: ____________________
Governance Zone: [ ] Zone 1 [ ] Zone 2 [ ] Zone 3
Assessment Date: ____________________
Assessed By: ____________________
Customer-Facing: [ ] Yes [ ] No
If Yes: FINRA 3110 supervision and disclosure required
Regulatory Impact Categories (check all that apply):
[ ] Investment/Trading (FINRA 2111, Reg BI)
[ ] Recordkeeping (FINRA 4511, FINRA 25-07, SEC 17a-4)
[ ] Supervision (FINRA 3110)
[ ] Consumer Protection (CFPB UDAAP)
[ ] Fair Lending (ECOA, FCRA)
[ ] AML/BSA Compliance
[ ] Model Risk (OCC 2011-12, SR 11-7)
Required Controls: ____________________
Compliance Officer Sign-Off: ____________________
AML/KYC/OFAC Considerations
AI agents may interact with anti-money laundering (AML), Know Your Customer (KYC), or sanctions screening processes. The AI Regulatory Impact Assessment should include:
Assessment Questions:
- Will the agent process customer identification information?
- Will the agent support transaction monitoring workflows?
- Does the agent have access to sanctions screening results or watchlists?
- Will the agent influence decisions about suspicious activity reporting?
Regulatory Reference: 31 U.S.C. 5318, 31 CFR Chapter X (FinCEN regulations)
Incident Notification Requirements:
If the impact assessment identifies customer data access or security incident risk, document applicable notification deadlines:
- SEC Regulation S-P (amended): 30-day customer notification for unauthorized access to sensitive customer information; compliance dates: December 3, 2025 for large covered institutions, June 3, 2026 for all other covered institutions (see Control 3.4 for incident workflow detail)
- GLBA Safeguards Rule: Notification timelines and content requirements vary by entity type and incident scope; coordinate with legal counsel
- Map specific notification requirements during incident workflow design
Scope Note: Comprehensive AML/KYC agent governance is outside the current framework scope. Organizations deploying agents in these areas should reference FinCEN guidance and conduct specialized risk assessments.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Summary metrics only; Team Lead approval | Low-risk personal use requires minimal reporting |
| Zone 2 (Team) | Department-level detail; Department Head approval | Shared agents need documented compliance |
| Zone 3 (Enterprise) | Full compliance detail; CCO/CAO approval for distribution | Customer-facing agents require comprehensive audit trail |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Purview Compliance Admin | Primary owner — configure Compliance Manager assessments, approve report templates, regulatory liaison |
| Compliance Manager Admin | Maintain assessment templates, improvement actions, and control mappings |
| Power Platform Admin | Configure Power Automate report-generation flows; maintain Dataverse data sources |
| AI Governance Lead | Define report content requirements; review control-to-regulation mappings |
| SharePoint Site Owner | Manage archive site permissions, retention labels, and records library |
| Purview Records Manager | Apply retention/records policies to archived report libraries (7-year SEC 17a-4 retention) |
Related Controls
| Control | Relationship |
|---|---|
| 3.1 - Agent Inventory | Provides agent data for compliance reports |
| 3.2 - Usage Analytics | Supplies usage metrics for reports |
| 1.7 - Audit Logging | Source of audit evidence for examination packages |
| 2.13 - Documentation | Archives reports per retention requirements |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Weekly control status reports generate automatically and archive to SharePoint
- Monthly executive dashboard reflects accurate compliance scores by pillar
- Quarterly audit packages compile all required evidence documents
- Examination packages contain regulator-specific document sets (FINRA, SEC, OCC)
- Reports retained per applicable retention requirements (typically 6+ years under SEC 17a-4(b) for broker-dealer records; verify your firm's retention schedule with legal/compliance)
- Executive sign-off workflow captures CCO/CAO approval before distribution
Additional Resources
- Microsoft Purview Compliance Manager
- Compliance Manager Assessments
- Power BI for Compliance Reporting
- SharePoint Records Management
- Power Automate Scheduled Flows
Microsoft Audit Reporting Tools
For enhanced Copilot/AI reporting beyond native M365 Admin Center capabilities, see:
- Microsoft Audit Reporting Tools Playbook - AI-in-One Dashboard and PAX (Portable Audit eXporter) for enterprise-scale analytics
Implementation Note
Organizations should verify that their implementation meets their specific regulatory obligations. This control supports compliance efforts but requires proper configuration and ongoing validation.
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current