Control 1.12: Training and Awareness Program
Control ID: 1.12
Pillar: Readiness & Assessment
Regulatory Reference: FINRA Rule 3110, FFIEC IT Handbook (Information Security Booklet), Interagency AI Guidance (2023), GLBA 501(b)
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Develop and deliver a role-based training and awareness program for all Microsoft 365 Copilot users that covers responsible AI use, data sensitivity awareness, prompt hygiene, regulatory boundaries, and institution-specific Copilot policies. This control supports compliance with regulatory expectations that supervised persons understand the tools they use in their work and the compliance obligations that apply to AI-generated content in financial services.
Why This Matters for FSI
- FINRA Rule 3110 (Supervision): Requires broker-dealers to establish and maintain a system of supervision, including written procedures, for supervised persons' activities. This extends to ensuring that supervised persons who use Copilot understand how AI-generated content fits within supervisory requirements and communication compliance obligations.
- FFIEC IT Handbook (Information Security): Expects financial institutions to maintain security awareness training programs that address new technologies and their associated risks. Copilot introduces novel risks (AI hallucination, prompt injection, data surfacing) that must be addressed through training.
- Interagency AI Guidance (2023): Calls for institutions to maintain appropriate governance frameworks that include employee training on responsible AI use. Training should address AI limitations, appropriate reliance, and escalation procedures.
- GLBA 501(b): Information security programs required under GLBA must include employee training and management. Copilot-specific training supports the institution's information security training obligations.
- SOX 302/404: Personnel involved in financial reporting processes must understand how Copilot-generated content affects internal controls. Training supports control awareness for financial reporting personnel.
Control Description
Training Program Structure
The training program should be structured in layers, with each layer building on the previous:
| Layer | Content | Audience | Duration | Delivery |
|---|---|---|---|---|
| Foundation | What Copilot is, how it works, data handling basics, responsible AI principles | All Copilot users | 30-45 minutes | E-learning module |
| Regulatory Awareness | FSI-specific regulations, compliance obligations, supervisory requirements | All FSI Copilot users | 20-30 minutes | E-learning module |
| Role-Specific | Role-specific use cases, risks, and compliance requirements | By role (see below) | 30-60 minutes | Role-based sessions |
| Hands-On Practice | Guided exercises using Copilot with governance controls in context | All Copilot users | 60-90 minutes | Workshop |
| Annual Refresher | Updates on Copilot features, policy changes, regulatory developments | All Copilot users | 20-30 minutes | E-learning module |
Role-Based Training Modules
| Role | Training Focus | Key Topics |
|---|---|---|
| Executives / Board Members | Strategic oversight, governance responsibilities, risk awareness | Copilot governance overview, board-level reporting, risk acceptance decisions, regulatory expectations for AI oversight |
| Compliance Officers | Monitoring, supervision, policy enforcement | DSPM for AI monitoring, Activity Explorer, communication compliance with Copilot, supervisory review of AI-generated content |
| IT Administrators | Technical configuration, governance controls, monitoring | Copilot admin settings, sensitivity labels, DLP configuration, audit logging, incident response for AI events |
| Information Security | Security controls, threat landscape, incident response | Prompt injection risks, data leakage scenarios, Copilot security architecture, security monitoring |
| End Users (General) | Daily usage, responsible AI, data awareness | Prompt best practices, output verification, sensitivity label awareness, when not to use Copilot, escalation procedures |
| Client-Facing Roles | Client communication compliance, supervisory requirements | FINRA 2210 implications, reviewing AI-drafted client communications, disclosure requirements, SEC Reg BI considerations |
| Financial Reporting | SOX implications, data accuracy, financial controls | Verifying AI-generated financial content, maintaining audit trails, SOX control awareness |
| Trading / Capital Markets | Information barrier awareness, MNPI protection | Copilot behavior within information barriers, preventing MNPI leakage, trade-related content restrictions |
| Wealth Management / Advisory | Client data protection, suitability, fiduciary considerations | Client data handling, Copilot and fiduciary obligations, personalized communication review |
| Risk Management | AI risk assessment, model risk, vendor risk | Copilot risk taxonomy, model risk considerations, vendor risk monitoring |
Core Training Topics
1. Responsible AI Use
| Topic | Key Points |
|---|---|
| AI limitations | Copilot can hallucinate (generate plausible but incorrect information); outputs must be verified |
| Human-in-the-loop | Users are responsible for reviewing and validating all Copilot outputs before use |
| Appropriate reliance | Copilot is an assistant -- critical decisions require human judgment |
| Bias awareness | AI outputs may reflect biases present in training data or grounding content |
| Transparency | Disclose AI-generated content where required by policy or regulation |
2. Data Sensitivity Awareness
| Topic | Key Points |
|---|---|
| Permission awareness | Copilot can access everything the user can access -- understand your permission scope |
| Sensitivity labels | Understand what sensitivity labels mean and how they affect Copilot behavior |
| NPI and PII recognition | Recognize customer financial information that requires special handling |
| Cross-workload surfacing | Copilot can combine information from email, Teams, SharePoint, and OneDrive in a single response |
| Content in responses | Copilot responses may contain regulated data -- treat responses with the same sensitivity as source material |
3. Prompt Hygiene
| Topic | Key Points |
|---|---|
| Effective prompting | Write clear, specific prompts for better and more relevant results |
| Avoid sensitive data in prompts | Do not include customer SSNs, account numbers, or other sensitive data directly in prompts when unnecessary |
| Prompt injection awareness | Understand that malicious content in documents could attempt to manipulate Copilot (basic awareness) |
| Context management | Understand that Copilot maintains conversation context -- sensitive information from earlier in a conversation persists |
| Oversharing in prompts | Do not reference content you should not be accessing, even if Copilot surfaces it |
4. Regulatory Boundaries
| Topic | Key Points |
|---|---|
| FINRA 2210 (Communications) | Copilot-drafted client communications must undergo the same supervisory review as human-drafted communications |
| Information barriers | Do not use Copilot to circumvent information barriers (Chinese walls) |
| Record retention | Copilot-generated business communications are subject to the same retention requirements as other business records |
| Supervisory review | AI-generated content in regulated workflows must be reviewed per supervisory procedures |
| Prohibited uses | Identify scenarios where Copilot use is prohibited by institution policy (e.g., generating regulatory filings without review, creating client trade recommendations without advisor oversight) |
Training Completion Tracking
| Tracking Element | Requirement | Tool |
|---|---|---|
| Module completion | Track completion of each training module per user | LMS (Learning Management System) |
| Assessment scores | Require passing score on knowledge assessments | LMS built-in assessments |
| Certification date | Record date of training completion for compliance reporting | LMS certification records |
| Expiration | Set annual expiration requiring refresher training | LMS auto-expiration |
| Reporting | Generate compliance reports showing completion rates by department and role | LMS reporting |
Training Completion as License Gate
| Governance Level | Training Requirement Before License Assignment |
|---|---|
| Baseline | Foundation module completed |
| Recommended | Foundation + Regulatory Awareness modules completed |
| Regulated | Foundation + Regulatory Awareness + Role-Specific module completed with passing assessment score |
Copilot Surface Coverage
Training should address responsible use across all Copilot surfaces:
| Copilot Surface | Training Focus | Key Guidance |
|---|---|---|
| Microsoft 365 Copilot Chat | Primary training surface | Most comprehensive guidance -- covers all data access, prompting, and response handling |
| Word Copilot | Content generation | Review all generated content before sharing; apply sensitivity labels to generated documents |
| Excel Copilot | Data analysis | Validate AI-generated analyses against source data; do not rely on Copilot for financial calculations without verification |
| PowerPoint Copilot | Presentation creation | Review for accuracy and compliance before presenting to clients or regulators |
| Outlook Copilot | Email drafting | Apply supervisory review requirements to AI-drafted emails; verify recipient appropriateness |
| Teams Copilot | Meeting and chat | Understand meeting transcript privacy; be aware of information barrier considerations |
| SharePoint / OneDrive | Content discovery | Understand that Copilot surfaces content based on permissions -- report any unexpected content surfacing |
| Copilot Pages | Collaborative content | Apply sharing governance; understand that Pages content may be visible to collaborators |
| Loop Copilot | Collaborative editing | Apply same review standards to AI-generated Loop content |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Develop Foundation training module covering Copilot basics, responsible AI, and data sensitivity. Require completion before Copilot license assignment. Track completion rates. Establish annual refresher cadence. | Minimum training to support informed and responsible Copilot use with basic completion tracking. |
| Recommended | All Baseline requirements plus: develop Regulatory Awareness module covering FSI-specific requirements. Develop role-specific modules for at least client-facing, compliance, and admin roles. Include knowledge assessments with passing score requirements. Integrate training completion into license assignment workflow. Track completion rates by department and role. Conduct hands-on workshops for each deployment phase. | Comprehensive role-based training that addresses FSI-specific regulatory requirements with knowledge verification. |
| Regulated | All Recommended requirements plus: develop role-specific modules for all identified roles (executives, trading, wealth management, risk, audit). Include scenario-based assessments testing regulatory knowledge in Copilot context. Require manager attestation of training completion before license assignment. Integrate training records into compliance reporting. Conduct annual training effectiveness review. Maintain training program documentation in regulatory examination file. Include training metrics in board-level governance reporting. | Examination-ready training program with comprehensive role coverage, verified knowledge, and documented effectiveness supporting regulatory compliance obligations. |
Setup & Configuration
Step 1: Select Training Delivery Mechanism
Evaluate and select a training delivery mechanism:
| Option | Pros | Cons |
|---|---|---|
| Microsoft Viva Learning | Integrated with M365, familiar interface, assignment tracking | May require additional configuration for custom content |
| Third-party LMS | Feature-rich, advanced reporting, compliance-focused | Additional cost, integration effort |
| SharePoint-based | No additional cost, fully customizable | Limited tracking capabilities, manual reporting |
| Blended approach | Combines LMS modules with live workshops | Higher development and delivery effort |
Step 2: Develop Training Content
Create training modules using the structure outlined above:
- Foundation module (e-learning, 30-45 minutes)
- Regulatory Awareness module (e-learning, 20-30 minutes)
- Role-specific modules (e-learning or instructor-led, 30-60 minutes each)
- Hands-on workshop materials (facilitator guide + exercises)
- Annual refresher module (e-learning, 20-30 minutes)
- Knowledge assessment questions per module
Step 3: Establish Assessment and Certification
Configure assessment and certification requirements:
- Define passing score (80% recommended for Regulated level)
- Create question banks for randomized assessments
- Set certification validity period (annual renewal)
- Configure expiration notifications
Step 4: Integrate with License Assignment
Create workflow connection between training completion and Copilot license assignment:
- Training completion triggers eligibility for license assignment
- Automated or manual verification before license is assigned
- Non-completion prevents license assignment (Recommended and Regulated levels)
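The license-gate rules in the "Training Completion as License Gate" table, the passing-score and annual-expiration requirements from Step 3, and the completion-rate reporting required under Training Completion Tracking can be enforced by a small evaluation routine that a license-assignment workflow consults before assigning a Copilot license. The code below is an added example, not tooling from the FSI Copilot Governance Framework or from Microsoft; the record layout (user, module, completion date, score), the sample users and departments, and the choice to check assessment scores only at the Regulated level are assumptions made for illustration, and a real LMS export would be mapped into the `Completion` records first.

```python
"""Training-completion license gate for Microsoft 365 Copilot (added example).

Evaluates LMS completion records against the per-governance-level training
requirements and returns an eligibility decision with reasons that a
license-assignment workflow can act on (assign, or hold and escalate).
Record fields, sample data and department names are constructed for the
example; they are not the framework's own format.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

FOUNDATION = "Foundation"
REGULATORY = "Regulatory Awareness"
ROLE_SPECIFIC = "Role-Specific"

# Modules required before license assignment, per governance level (gate table).
REQUIRED_MODULES = {
    "Baseline": [FOUNDATION],
    "Recommended": [FOUNDATION, REGULATORY],
    "Regulated": [FOUNDATION, REGULATORY, ROLE_SPECIFIC],
}
PASSING_SCORE = 80              # percent; the control recommends 80% for Regulated
VALIDITY = timedelta(days=365)  # annual certification expiry (Step 3)


@dataclass
class Completion:
    user: str
    module: str
    completed_on: date
    score: Optional[int] = None  # percent; None if no assessment was recorded


@dataclass
class Decision:
    user: str
    eligible: bool
    reasons: list = field(default_factory=list)  # why the license is held


def evaluate(user: str, level: str, records: list, as_of: date) -> Decision:
    """Decide whether `user` may receive a Copilot license at `level` on `as_of`."""
    if level not in REQUIRED_MODULES:
        raise ValueError(f"unknown governance level: {level}")
    # Keep only the most recent record per module (a retaken module supersedes).
    latest = {}
    for r in records:
        if r.user == user and (r.module not in latest or r.completed_on > latest[r.module].completed_on):
            latest[r.module] = r
    decision = Decision(user=user, eligible=True)
    for module in REQUIRED_MODULES[level]:
        rec = latest.get(module)
        if rec is None:
            decision.eligible = False
            decision.reasons.append(f"{module}: not completed")
        elif as_of - rec.completed_on > VALIDITY:
            decision.eligible = False
            decision.reasons.append(f"{module}: expired (completed {rec.completed_on})")
        elif level == "Regulated" and (rec.score is None or rec.score < PASSING_SCORE):
            # Assumption: Regulated requires a passing assessment on every required module.
            decision.eligible = False
            decision.reasons.append(f"{module}: no passing assessment score ({rec.score})")
    return decision


def completion_report(users: list, level: str, records: list, as_of: date) -> dict:
    """Percentage of users per department who are license-eligible at `level`."""
    by_dept = {}
    for u in users:
        total, ok = by_dept.get(u["department"], (0, 0))
        eligible = evaluate(u["user"], level, records, as_of).eligible
        by_dept[u["department"]] = (total + 1, ok + (1 if eligible else 0))
    return {dept: round(100 * ok / total) for dept, (total, ok) in by_dept.items()}


# Constructed sample LMS records and user directory (not real data).
AS_OF = date(2026, 3, 1)
RECORDS = [
    Completion("alice", FOUNDATION, date(2026, 1, 10), 92),
    Completion("alice", REGULATORY, date(2026, 1, 12), 88),
    Completion("alice", ROLE_SPECIFIC, date(2026, 1, 20), 85),
    Completion("bob", FOUNDATION, date(2025, 1, 15), 90),      # older than a year: expired
    Completion("bob", REGULATORY, date(2026, 2, 1), 95),
    Completion("carol", FOUNDATION, date(2026, 2, 3), 70),     # completed, but below 80%
    Completion("carol", REGULATORY, date(2026, 2, 4), 81),
    Completion("carol", ROLE_SPECIFIC, date(2026, 2, 5), 72),  # below passing score
]
USERS = [
    {"user": "alice", "department": "Wealth Management"},
    {"user": "bob", "department": "Wealth Management"},
    {"user": "carol", "department": "Trading"},
]

if __name__ == "__main__":
    for u in USERS:
        d = evaluate(u["user"], "Regulated", RECORDS, AS_OF)
        print(u["user"], "eligible" if d.eligible else "HOLD", d.reasons)
    print(completion_report(USERS, "Regulated", RECORDS, AS_OF))
```

In this sample, carol passes the Baseline gate (Foundation completed and current) but is held at the Regulated level because two of her assessment scores fall below 80%, and bob is held at every level because his Foundation certification is older than a year; the reasons list is what the Step 5 manager-escalation follow-up would be fed. The department report is the "completion rates by department" figure from the tracking table, computed against the same rules the gate applies so the two cannot drift apart.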
Step 5: Launch and Monitor
Execute training program aligned with deployment phases:
- Assign Foundation module to all target users 2-4 weeks before deployment phase
- Assign role-specific modules to relevant roles
- Monitor completion rates daily during deployment phases
- Follow up with non-completers through manager escalation
- Conduct hands-on workshops per deployment phase
Financial Sector Considerations
- FINRA CE Integration: For registered representatives, consider integrating Copilot awareness content into continuing education (CE) programs or firm element training requirements under FINRA Rule 1240.
- Annual Compliance Training Alignment: Many financial institutions conduct annual compliance training programs. Integrate Copilot awareness and refresher content into existing annual training rather than adding standalone sessions that contribute to training fatigue.
- Regulatory Examination Evidence: Maintain training completion records in a format that can be readily produced during regulatory examinations. FINRA and SEC examiners may request evidence of AI-related training for supervised persons.
- Client-Facing Disclosure: Train client-facing personnel on any disclosure requirements the institution has adopted regarding AI-assisted content creation. Some institutions require disclosure that AI tools were used in preparing client communications.
- Multi-Language Considerations: Financial institutions with diverse workforces may need to provide training materials in multiple languages to support accessibility requirements.
- Training for Contractors and Temps: Temporary and contract employees who receive Copilot access must complete the same training requirements. Include this population in training program planning.
- Incident Reporting Training: Include clear guidance on how users should report Copilot-related incidents (unexpected data surfacing, concerning outputs, potential compliance issues) as part of the training program.
Verification Criteria
- Foundation training module has been developed covering Copilot basics, responsible AI, and data sensitivity
- Training is required before Copilot license assignment at the appropriate level per governance tier
- Training completion rates are tracked and reported by department and role
- Regulatory Awareness module has been developed covering FSI-specific requirements (Recommended and Regulated levels)
- Role-specific training modules have been developed for at least client-facing, compliance, and admin roles (Recommended and Regulated levels)
- Knowledge assessments are included with defined passing scores (Recommended and Regulated levels)
- Annual refresher training cadence is established with expiration and renewal process
- Hands-on workshops have been conducted for each deployment phase (Recommended and Regulated levels)
- Training records are maintained in a format suitable for regulatory examination (Regulated level)
- Training program effectiveness is reviewed annually with documented findings and improvements (Regulated level)
Additional Resources
FSI Copilot Governance Framework v1.2.1 - March 2026