
Control 1.10: Communication Compliance Monitoring

Overview

Control ID: 1.10
Control Name: Communication Compliance Monitoring
Regulatory Reference: FINRA 4511, SEC Rule 17a-3, GLBA 501(b), FINRA Regulatory Notice 25-07
Setup Time: 2-3 hours (initial); ongoing policy tuning


Purpose

Communication Compliance helps detect and review policy-relevant content in in-scope communications, including agent-assisted interactions (for example, user prompts and agent responses occurring in monitored Microsoft 365 workloads). This control is intended to support supervision and review objectives for U.S.-regulated financial services use cases; it does not, by itself, guarantee regulatory compliance.

For U.S. financial services, communication compliance monitoring commonly supports:

  • FINRA 4511/25-07: Supervision of AI-assisted communications
  • SEC Rule 17a-3: Retention and review of customer communications
  • GLBA 501(b): Protecting customer NPI in agent interactions
  • Investment Recommendations: Monitoring for suitability violations
  • MNPI Detection: Identifying potential insider trading communications
  • Conduct Risk: Detecting inappropriate agent behavior

Prerequisites

Primary Owner Admin Role: Purview Communication Compliance Roles
Supporting Roles: None

Required Licenses

  • Microsoft 365 E5 OR Microsoft 365 E5 Compliance
  • Communication Compliance add-on (if not in E5)

Required Permissions

  • Communication Compliance Admin (full configuration)
  • Communication Compliance Analyst (review alerts)
  • Communication Compliance Investigator (investigate issues)
  • Communication Compliance Viewer (read-only access)

Dependencies

  • Control 1.7 (Audit Logging): Audit infrastructure to evidence policy lifecycle and review actions (e.g., policy create/update, role assignment changes, alert dispositions, and investigation actions)
  • Control 1.9 (Data Retention): Retention of communications
  • Control 1.13 (SITs): Sensitive information types for detection

Pre-Setup Checklist

  • [ ] Compliance reviewers identified and trained
  • [ ] Detection scenarios defined (harassment, regulatory violations, etc.)
  • [ ] Reviewer coverage model defined (hours of coverage, SLAs, backups, segregation of duties)
  • [ ] Escalation procedures documented (HR/Legal/Compliance, severity levels, and decision authority)
  • [ ] Agent interaction channels identified and validated as in-scope locations (e.g., Teams, Exchange, Copilot for Microsoft 365)
  • [ ] Legal/compliance review of monitoring scope, notice/consent, and retention requirements completed (U.S. only)
  • [ ] Evidence repository location defined for exports, screenshots, and runbooks

Governance Levels

Baseline (Level 1)

Implement basic communication compliance policy for agent interactions; monitor for policy violations.

Advanced policies with AI-driven detection; integrate with compliance review workflow.

Regulated/High-Risk (Level 4)

Comprehensive monitoring with real-time alerts; mandatory retention and audit trail.


Setup & Configuration

Step 1: Assign Communication Compliance Roles

Portal Path: Microsoft Purview Compliance Portal → Permissions → Microsoft Purview solutions

  1. Navigate to Purview Compliance Portal
  2. Go to Permissions → Microsoft Purview solutions → Roles
  3. Assign roles:

| Role | Purpose | Assign To |
| --- | --- | --- |
| Communication Compliance Admin | Full policy management | Compliance team leads |
| Communication Compliance Analyst | Review and triage alerts | Compliance analysts |
| Communication Compliance Investigator | Investigate and remediate | Senior compliance |
| Communication Compliance Viewer | Read-only access | Audit team |

Evidence to capture (recommended):

  • Screenshot or export of role group membership (date/time visible)
  • Approval record for role assignments (ticket/change record)
  • Mapping of named individuals to responsibilities (review/triage/investigate)

Step 2: Create Communication Compliance Policies

Portal Path: Purview → Communication compliance → Policies → + Create policy

Policy 1: Agent Inappropriate Content Detection

  1. Navigate to Communication compliance → Policies
  2. Click + Create policy
  3. Template: Detect inappropriate content
  4. Policy name: FSI-Agent-InappropriateContent
  5. Users and groups:
    • Select users who interact with agents OR
    • Select mailboxes/Teams where agent conversations occur
  6. Locations:
    • ✅ Teams chat (if agents use Teams)
    • ✅ Copilot for Microsoft 365 (if available)
    • ✅ Exchange email (for email-based agents)
    • ✅ Other supported locations used for agent interactions in your tenant (select only those you actually use)
  7. Conditions:
    • ✅ Detect threats and harassment
    • ✅ Detect discrimination
    • ✅ Detect profanity
  8. Review frequency: Ongoing monitoring
  9. Reviewers: Assign compliance analysts
  10. Click Create policy

Reviewer and escalation setup (recommended):

  • Configure at least two reviewers per policy (primary + backup)
  • Document review SLAs and escalation triggers (for example: high severity within 4 hours; medium within 1 business day)
  • Define segregation of duties (policy admins should not be the only reviewers, where feasible)

Policy 2: Financial Regulatory Violations

  1. Click + Create policy
  2. Template: Custom policy
  3. Policy name: FSI-Agent-RegulatoryViolations
  4. Users: All users with agent access
  5. Locations: All applicable channels
  6. Conditions - Sensitive information:
    • ✅ Custom SIT: MNPI Indicators
    • ✅ Custom SIT: Unsuitable Investment Recommendations
    • ✅ Financial data patterns
  7. Conditions - Keywords:
    "guaranteed return", "risk free", "can't lose"
    "inside information", "before announcement"
    "don't tell anyone", "keep this quiet"
    "hot tip", "sure thing"

  8. Direction: Inbound and outbound
  9. Reviewers: Compliance (primary) + Legal (escalation/consult)
  10. Click Create policy

Policy 3: Customer Data Protection

  1. Click + Create policy
  2. Template: Detect sensitive information
  3. Policy name: FSI-Agent-CustomerDataProtection
  4. Users: All agent users
  5. Conditions - Sensitive information types:
    • ✅ Credit card numbers
    • ✅ Social Security numbers
    • ✅ Bank account numbers
    • ✅ Custom: Customer account numbers
  6. Threshold: Start with low for initial tuning, then adjust based on false positives/negatives and documented risk acceptance
  7. Direction: Outbound (agent responses)
  8. Reviewers: Data protection team
  9. Click Create policy

Policy 4: Conflict of Interest Detection

  1. Click + Create policy
  2. Template: Custom policy
  3. Policy name: FSI-Agent-ConflictOfInterest
  4. Conditions - Keywords:
    "my personal account", "trade for myself"
    "front running", "before the client"
    "proprietary trading", "house account"
    
  5. Reviewers: Compliance + Ethics
  6. Click Create policy

Policy evidence to capture (recommended):

  • Screenshot(s) of each policy’s scope (users/groups), locations, conditions, and reviewers
  • Export of policy list showing enabled/disabled state
  • Change record for initial deployment and any subsequent tuning

Step 3: Configure Detection Classifiers

Portal Path: Purview → Communication compliance → Settings → Classifiers

Enable AI-powered classifiers:

  1. Go to Settings → Classifiers
  2. Enable relevant trainable classifiers:
    • ✅ Threats
    • ✅ Harassment
    • ✅ Discrimination
    • ✅ Adult content
    • ✅ Profanity
    • ✅ Regulatory collusion (if available)
    • ✅ Gifts & entertainment (if available)

Note: Availability of specific classifiers varies by licensing and service updates; only enable and rely on classifiers you can verify as available in your tenant.

Step 4: Set Up Optical Character Recognition (OCR)

Portal Path: Purview → Communication compliance → Settings → OCR

For detecting sensitive content in images shared via agents:

  1. Go to Settings → OCR
  2. Enable OCR for communication compliance
  3. Configure:
    • ✅ Process images in Teams
    • ✅ Process attachments
    • ✅ Apply SIT detection to OCR text

Step 5: Configure Alert Settings

Portal Path: Purview → Communication compliance → Settings → Priority user groups

  1. Create priority groups for high-risk users:
    • Group 1: Registered representatives
    • Group 2: Investment advisers
    • Group 3: Executives
    • Group 4: IT administrators with agent access
  2. Configure alert routing:
    • High severity → Immediate email + Teams notification
    • Medium severity → Daily digest
    • Low severity → Weekly review queue

Evidence to capture (recommended):

  • Screenshot(s) of priority user groups and membership sources
  • Screenshot(s) or documentation of alert routing/notification settings
  • Named on-call rotation for high-severity alerts (if used)

Step 6: Create Review Workflow

Portal Path: Purview → Communication compliance → Alerts

Configure review process:

  1. Navigate to Alerts tab
  2. For each policy, configure:
    • Initial review: Analyst triage (24 hours)
    • Escalation: Investigator (if confirmed)
    • Remediation options:
      • Resolve (no violation)
      • Escalate to HR/Legal
      • Remediation required
      • Regulatory reporting consideration (as determined by Legal/Compliance; do not automate)
  3. Document workflow:

    Alert Generated → Analyst Review (24h)
                   ↓
    Confirmed Violation?
    ├── No → Resolve + Document
    └── Yes → Escalate to Investigator
               ↓
         Investigation (48h)
               ↓
         Remediation Action
         ├── Training required
         ├── Disciplinary action
         ├── System change
         └── Regulatory reporting consideration
    

Case management minimums (recommended):

  • Require a disposition and rationale for every alert (including “no violation”)
  • Require evidence attachment or reference (message excerpt, policy match reason, classifier hit)
  • Record timestamps for triage, escalation, and closure to demonstrate SLA adherence
  • Use a consistent severity taxonomy and escalation criteria across policies
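
The recorded timestamps and dispositions only demonstrate SLA adherence if they are checked. The following is an added example, not part of the original control: it audits case records against the 24-hour triage and 48-hour investigation targets in the workflow above. The CSV column names and the four records are constructed for illustration; map them to whatever your case-tracking export provides.

```powershell
# Constructed sample case records (not real alerts). Column names are assumptions.
$Csv = @'
AlertId,Policy,Generated,Triaged,Escalated,Closed,Disposition,Rationale
A-001,FSI-Agent-RegulatoryViolations,2025-12-01T09:00:00Z,2025-12-01T15:30:00Z,2025-12-01T16:00:00Z,2025-12-03T10:00:00Z,Remediation required,Keyword match confirmed by investigator
A-002,FSI-Agent-InappropriateContent,2025-12-01T09:00:00Z,2025-12-02T11:00:00Z,,2025-12-02T11:05:00Z,Resolve (no violation),Quoted text from a news article
A-003,FSI-Agent-CustomerDataProtection,2025-12-02T08:00:00Z,2025-12-02T09:00:00Z,2025-12-02T09:30:00Z,2025-12-05T09:30:00Z,Escalate to HR/Legal,
A-004,FSI-Agent-ConflictOfInterest,2025-12-03T08:00:00Z,,,,,
'@

# SLA targets taken from the review workflow: triage 24h, investigation 48h
$TriageSla        = [timespan]::FromHours(24)
$InvestigationSla = [timespan]::FromHours(48)

# Fixed evaluation time so the sample is reproducible; use [datetimeoffset]::UtcNow in practice
$AsOf = [datetimeoffset]::Parse('2025-12-05T12:00:00Z', [cultureinfo]::InvariantCulture)

function ConvertTo-Timestamp([string]$Value) {
    # Empty cells mean the step has not happened yet
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    [datetimeoffset]::Parse($Value, [cultureinfo]::InvariantCulture)
}

$Findings = foreach ($c in ($Csv | ConvertFrom-Csv)) {
    $generated = ConvertTo-Timestamp $c.Generated
    $triaged   = ConvertTo-Timestamp $c.Triaged
    $escalated = ConvertTo-Timestamp $c.Escalated
    $closed    = ConvertTo-Timestamp $c.Closed
    $issues    = @()

    # Open items are measured against $AsOf so overdue work shows up before closure
    $triageEnd = if ($null -ne $triaged) { $triaged } else { $AsOf }
    if (($triageEnd - $generated) -gt $TriageSla) { $issues += 'Triage exceeded 24h' }

    if ($null -ne $escalated) {
        $investigationEnd = if ($null -ne $closed) { $closed } else { $AsOf }
        if (($investigationEnd - $escalated) -gt $InvestigationSla) { $issues += 'Investigation exceeded 48h' }
    }

    # Every closed alert needs a disposition and a rationale, including "no violation"
    if ($null -ne $closed) {
        if ([string]::IsNullOrWhiteSpace($c.Disposition)) { $issues += 'Closed without disposition' }
        if ([string]::IsNullOrWhiteSpace($c.Rationale))   { $issues += 'Closed without rationale' }
    }

    [PSCustomObject]@{
        AlertId = $c.AlertId
        Policy  = $c.Policy
        Status  = if ($null -ne $closed) { 'Closed' } else { 'Open' }
        Issues  = $issues -join '; '
    }
}

# Only records with at least one finding need reviewer follow-up
$Findings | Where-Object Issues | Format-Table -AutoSize -Wrap
```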


PowerShell Configuration

# Communication Compliance Configuration
# Requires: Security & Compliance PowerShell

# Connect to Security & Compliance Center
Connect-IPPSSession

# ===== GET CURRENT POLICIES =====

Get-SupervisoryReviewPolicyV2 | Select-Object Name, Enabled, ReviewerEmail |
    Format-Table -AutoSize

# ===== CREATE COMMUNICATION COMPLIANCE POLICIES =====

# Note: Communication Compliance has limited PowerShell support
# Most configuration is done via the portal

# Get compliance role groups
Get-RoleGroup | Where-Object { $_.Name -like "*Communication*" } |
    Select-Object Name, Members | Format-List

# ===== ADD MEMBERS TO ROLE GROUPS =====

# Add analyst to Communication Compliance Analysts
Add-RoleGroupMember -Identity "Communication Compliance Analysts" `
    -Member "compliance-analyst@contoso.com"

# Add investigator
Add-RoleGroupMember -Identity "Communication Compliance Investigators" `
    -Member "compliance-investigator@contoso.com"

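# ===== AUDIT LOG SEARCH FOR AGENT COMMUNICATIONS =====

# Search-UnifiedAuditLog runs in Exchange Online PowerShell, not in the
# Security & Compliance session opened above, so connect to it here
Connect-ExchangeOnline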

$StartDate = (Get-Date).AddDays(-7)
$EndDate = Get-Date

# Search for Copilot interactions
$CopilotComms = Search-UnifiedAuditLog `
    -StartDate $StartDate `
    -EndDate $EndDate `
    -RecordType CopilotInteraction `
    -ResultSize 5000

Write-Host "Copilot interactions found: $($CopilotComms.Count)" -ForegroundColor Yellow

# Parse for review
$CommAnalysis = $CopilotComms | ForEach-Object {
    $AuditData = $_.AuditData | ConvertFrom-Json

    [PSCustomObject]@{
        Date = $_.CreationDate
        User = $_.UserIds
        Operation = $AuditData.Operation
        AppName = $AuditData.AppName
        # Additional fields based on schema
    }
}

# Export for compliance review
$CommAnalysis | Export-Csv "C:\Governance\CopilotComms-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Evidence tip: export the raw audit results too (immutable copy)
$CopilotComms | Export-Csv "C:\Governance\CopilotComms-Raw-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# ===== CHECK SENSITIVE INFO TYPE MATCHES =====

# Get SITs used in policies
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -like "*Financial*" -or $_.Name -like "*Account*" } |
    Select-Object Name, Publisher | Format-Table

# ===== GENERATE COMPLIANCE REPORT =====

$Policies = Get-SupervisoryReviewPolicyV2

# PSCustomObject keeps the properties in declaration order for Format-List
$Report = [PSCustomObject]@{
    TotalPolicies = $Policies.Count
    EnabledPolicies = ($Policies | Where-Object { $_.Enabled }).Count
    CopilotInteractions = $CopilotComms.Count
    ReportPeriod = "$StartDate to $EndDate"
    ReportDate = Get-Date
}

Write-Host "`n=== COMMUNICATION COMPLIANCE SUMMARY ===" -ForegroundColor Cyan
$Report | Format-List

Financial Sector Considerations

Regulatory Alignment

| Regulation | Communication Compliance Requirement |
| --- | --- |
| FINRA 4511 | Retain and supervise business communications |
| FINRA 25-07 | Supervise AI-assisted communications |
| SEC 17a-3/4 | Retain customer communications |
| FINRA 3110 | Supervisory review of communications |
| FINRA 2210 | Communications with the public |
| Reg BI | Best interest documentation |

Caution (U.S. only): Map these requirements to your firm’s specific obligations, products, and supervisory procedures. This control provides technical monitoring and review workflows; it does not replace written supervisory procedures (WSPs) or legal determination of reportability.

Detection Scenarios for FSI

| Scenario | Keywords/Patterns | Priority |
| --- | --- | --- |
| Unsuitable Recommendations | "guaranteed", "risk-free", "can't lose" | Critical |
| MNPI Indicators | "before announcement", "inside information" | Critical |
| Churning Indicators | "trade more", "increase activity" | High |
| Conflicts of Interest | "my account", "personal trades" | High |
| Customer Complaints | "complaint", "dispute", "unhappy" | Medium |
| Regulatory Inquiries | "SEC", "FINRA", "subpoena" | High |
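
Short keywords such as "SEC" or "my account" are easy to over-match or under-match, so it helps to dry-run a list before it goes into a policy. The following is an added example, not part of the original control: it tests the keywords from the table above against constructed messages labelled benign or violating. The matching (case-insensitive, whole phrase, hyphen and space treated alike, typographic apostrophes folded) is an assumption made for this local check and is not a description of how Purview matches keywords.

```powershell
# Scenarios, keywords and priorities copied from the Detection Scenarios table
$Scenarios = @(
    [PSCustomObject]@{ Name = 'Unsuitable Recommendations'; Priority = 'Critical'; Keywords = @('guaranteed', 'risk-free', "can't lose") }
    [PSCustomObject]@{ Name = 'MNPI Indicators';            Priority = 'Critical'; Keywords = @('before announcement', 'inside information') }
    [PSCustomObject]@{ Name = 'Churning Indicators';        Priority = 'High';     Keywords = @('trade more', 'increase activity') }
    [PSCustomObject]@{ Name = 'Conflicts of Interest';      Priority = 'High';     Keywords = @('my account', 'personal trades') }
    [PSCustomObject]@{ Name = 'Customer Complaints';        Priority = 'Medium';   Keywords = @('complaint', 'dispute', 'unhappy') }
    [PSCustomObject]@{ Name = 'Regulatory Inquiries';       Priority = 'High';     Keywords = @('SEC', 'FINRA', 'subpoena') }
)

# Constructed test messages with the label a reviewer would expect
$apos = [char]0x2019   # typographic apostrophe, as produced by many mobile keyboards
$Samples = @(
    [PSCustomObject]@{ Expect = 'Violation'; Text = "This fund is guaranteed, you can${apos}t lose." }
    [PSCustomObject]@{ Expect = 'Violation'; Text = 'The product is basically risk free.' }
    [PSCustomObject]@{ Expect = 'Benign';    Text = 'Give me a second to pull up the statement.' }
    [PSCustomObject]@{ Expect = 'Benign';    Text = 'Can you update the mailing address on my account?' }
    [PSCustomObject]@{ Expect = 'Violation'; Text = 'Buy now, this is inside information.' }
)

function Get-KeywordPattern([string]$Keyword) {
    # Whole-phrase match: "SEC" must not fire inside "second";
    # "risk-free" and "risk free" are treated as the same phrase
    $parts = $Keyword -split '[\s-]+' | ForEach-Object { [regex]::Escape($_) }
    '(?<!\w)' + ($parts -join '[\s-]+') + '(?!\w)'
}

function Test-Message([string]$Text) {
    # Fold typographic apostrophes so "can’t" and "can't" compare equal
    $normalized = $Text -replace '[\u2018\u2019]', "'"
    foreach ($s in $Scenarios) {
        $hits = @($s.Keywords | Where-Object { $normalized -match (Get-KeywordPattern $_) })
        if ($hits.Count -gt 0) {
            [PSCustomObject]@{ Scenario = $s.Name; Priority = $s.Priority; Keywords = $hits -join ', ' }
        }
    }
}

$Results = foreach ($m in $Samples) {
    $found = @(Test-Message $m.Text)
    $outcome = 'OK'
    if ($found.Count -gt 0 -and $m.Expect -eq 'Benign')    { $outcome = 'False positive' }
    if ($found.Count -eq 0 -and $m.Expect -eq 'Violation') { $outcome = 'Missed' }
    [PSCustomObject]@{
        Expect    = $m.Expect
        Outcome   = $outcome
        Scenarios = $found.Scenario -join '; '
        Keywords  = $found.Keywords -join '; '
        Text      = $m.Text
    }
}

$Results | Format-Table -AutoSize -Wrap
```

Rows marked "False positive" or "Missed" point at keywords that need an exclusion, more context, or a spelling variant before the list is deployed.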

Zone-Specific Configuration

Zone 1 (Personal Productivity)

Monitoring: Basic (harassment, threats)
Review Frequency: Weekly sampling
Escalation: HR only
Retention: 1 year
OCR: Optional

Zone 2 (Team Collaboration)

Monitoring: Standard (inappropriate + regulatory)
Review Frequency: Daily
Escalation: Compliance + HR
Retention: 3 years
OCR: Enabled

Zone 3 (Enterprise Managed)

Monitoring: Comprehensive (all scenarios)
Review Frequency: Real-time for high-risk
Escalation: Compliance + Legal + Regulators
Retention: 7 years
OCR: Required
AI Classifiers: All enabled

FSI Policy Matrix

Policy Tier 1 Tier 2 Tier 3
Inappropriate Content
Regulatory Violations
Customer Data Protection
Conflict of Interest ⚠️ Sampling
MNPI Detection ⚠️ Sampling
Suitability Monitoring

FSI Configuration Example: Wealth Management

Scenario: A wealth management firm deploys a financial planning agent that provides investment guidance.

Communication Compliance Configuration:

Policy 1: Suitability Monitoring
├── Scope: All agent conversations
├── Detection:
│   ├── Keywords: "guarantee", "promise", "sure thing"
│   ├── SITs: Investment amounts, account numbers
│   └── AI Classifiers: Financial recommendations
├── Review: Within 24 hours
├── Escalation: Compliance supervisor
└── Retention: 7 years

Policy 2: MNPI Detection
├── Scope: Research and trading agents
├── Detection:
│   ├── Keywords: "before earnings", "insider", "quiet"
│   ├── Entity: Company names on restricted list
│   └── Time correlation: Trading activity
├── Review: Immediate
├── Escalation: Legal + Compliance
└── Action: Suspend agent access pending review

Policy 3: Customer Complaint Detection
├── Scope: Customer service agents
├── Detection:
│   ├── Keywords: "complaint", "escalate", "supervisor"
│   ├── Sentiment: Negative/angry
│   └── AI: Dissatisfaction classifier
├── Review: 4 hours
├── Escalation: Service management
└── Action: Log for FINRA 4530 reporting

Policy 4: Gifts and Entertainment
├── Scope: All business agents
├── Detection:
│   ├── Keywords: "dinner", "tickets", "gift"
│   ├── Amounts: Over threshold ($100)
│   └── Entities: Vendor/client names
├── Review: Daily
├── Escalation: Ethics officer
└── Action: Pre-clearance reminder


Verification & Testing

Verification Steps

  1. Confirm Policies Active:
    • Purview → Communication compliance → Policies
    • EXPECTED: All FSI policies listed and enabled
  2. Test Detection:
    • Send test message matching policy conditions
    • EXPECTED: Alert generated within SLA
  3. Verify Reviewer Access:
    • Log in as analyst, check alert queue
    • EXPECTED: Pending alerts visible
  4. Test Escalation:
    • Escalate test alert
    • EXPECTED: Escalation notification sent
  5. Validate Audit Evidence (Dependency: Control 1.7):
    • Confirm audit events exist for (a) policy creation/updates, (b) role assignment changes, and (c) reviewer actions/dispositions
    • EXPECTED: Unified audit log returns relevant events for the test period and can be exported
  6. Validate Retention (Dependency: Control 1.9):
    • Confirm in-scope communications are retained per your retention configuration
    • EXPECTED: Content is retained and discoverable per policy and legal hold requirements

Verification Evidence

  • [ ] Screenshot(s): Policy configurations (scope, locations, conditions, reviewers, enabled state)
  • [ ] Export: Policy list and alert statistics by policy (date-stamped)
  • [ ] Documentation: Reviewer assignments, SLAs, escalation matrix, and segregation-of-duties rationale
  • [ ] Screenshot(s): Classifier enablement (only those available in-tenant)
  • [ ] Audit log export (Control 1.7): Queries + raw results evidencing policy/admin/reviewer actions
  • [ ] Sample case record(s): Disposition rationale, timestamps, and evidence attachment/reference
  • [ ] Report: Periodic compliance summary (weekly/monthly) with metrics and tuning outcomes

Troubleshooting & Validation

Issue: Policy Not Detecting Violations

Symptoms: Known violations not generating alerts

Solutions:

  1. Verify policy is enabled
  2. Check user scope includes target users
  3. Verify location scope (Teams, email, etc.)
  4. Review keyword/SIT configuration
  5. Check classifier is enabled and trained (if using a trainable classifier)
  6. Validate the message type is supported for monitoring in your tenant/licensing
  7. Verify audit logs show the underlying activity (Dependency: Control 1.7)

Issue: Too Many False Positives

Symptoms: High volume of non-violation alerts

Solutions:

  1. Tune keyword lists (add exclusions)
  2. Adjust sensitivity thresholds
  3. Review and refine classifiers
  4. Add context conditions
  5. Sample-based review instead of 100%

Evidence tip: Track tuning changes with a change record and compare alert volumes before/after (retain exports).

Issue: Reviewers Not Receiving Alerts

Symptoms: Alerts stuck in queue

Solutions:

  1. Verify reviewer role assignments
  2. Check email notifications configured
  3. Verify reviewer mailbox is active
  4. Review routing rules
  5. Check for Teams notification issues
  6. Confirm the reviewer can access Purview and the Communication compliance solution UI

Issue: Copilot Conversations Not Captured

Symptoms: Agent interactions not appearing

Solutions:

  1. Verify Copilot location is selected in policy
  2. Check licensing for Copilot capture
  3. Review audit log for Copilot events
  4. Verify agent is integrated with monitored channel
  5. Validate that the interaction type you expect is supported and being logged in your tenant
  6. If needed, open a Microsoft support ticket with timestamps and example user IDs (avoid sharing sensitive content)

Additional Resources


| Control | Relationship |
| --- | --- |
| Control 1.7 | Audit evidence for communications |
| Control 1.9 | Retention of communications |
| Control 1.13 | SITs for detection |
| Control 2.12 | Supervision requirements |
| Control 1.12 | Insider risk correlation |

Support & Questions

For implementation support or questions about this control, contact:

  • Compliance Team: Policy configuration and review
  • Legal: Escalation procedures and regulatory reporting
  • HR: Conduct violations and remediation
  • AI Governance Lead: Agent-specific monitoring requirements

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification