Control 3.11: Record Keeping and Books-and-Records Compliance (SEC 17a-3/4, FINRA 4511)
Control ID: 3.11
Pillar: Compliance & Audit
Regulatory Reference: SEC Rule 17a-3 (Records to Be Made), SEC Rule 17a-4 (Records to Be Preserved), FINRA Rule 4511 (General Requirements)
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish comprehensive record-keeping practices for Microsoft 365 Copilot interactions that help meet SEC Rules 17a-3 and 17a-4 books-and-records requirements and FINRA Rule 4511 general record-keeping obligations, including record creation, retention period compliance, WORM storage requirements, metadata preservation, and chain-of-custody documentation. Address the SEC 17a-4(f)(2)(ii)(A) audit-trail alternative to WORM storage and the mobile Copilot access recordkeeping risk emerging from the regulatory emphasis on capturing all business communications across all channels.
Why This Matters for FSI
The books-and-records rules are among the most fundamental regulatory requirements in the securities industry. SEC Rule 17a-3 specifies what records broker-dealers must create and maintain. SEC Rule 17a-4 specifies how long those records must be preserved and in what format. FINRA Rule 4511 requires members to make and preserve books and records as FINRA rules, the Securities Exchange Act, and applicable regulations require.
When M365 Copilot is used in the daily operations of a broker-dealer or investment adviser, the interactions and outputs become part of the firm's books and records. A Copilot-drafted trade confirmation, a Copilot-assisted compliance review, a Copilot-generated client summary, or a Copilot-assisted financial analysis all potentially constitute records that must be created, preserved, and made available for regulatory examination.
The Recordkeeping Modernization Challenge: WORM, Audit Trails, and the Off-Channel Enforcement Era
The intersection of SEC 17a-4's technical storage requirements, the SEC and CFTC's sustained enforcement campaign against off-channel communications, and the emergence of mobile AI interactions creates a unified recordkeeping governance challenge that institutions must address comprehensively.
SEC Rule 17a-4 imposes specific technical requirements for electronic storage, including the requirement that records be preserved in a non-rewriteable, non-erasable format -- commonly referred to as WORM (Write Once, Read Many) storage. But Rule 17a-4(f)(2)(ii)(A) provides an alternative: an audit-trail alternative where records need not be stored in non-rewriteable format if the broker-dealer maintains an audit trail of all modifications, deletions, and access events for the record throughout its retention period. For Copilot content governed through Microsoft Purview, this alternative may offer a practical compliance path for firms that cannot or choose not to implement full third-party WORM archival -- provided the Purview audit infrastructure is configured to capture the required events.
The urgency of comprehensive recordkeeping governance is underscored by the off-channel enforcement wave that has defined regulatory action since 2021. The SEC and CFTC have imposed over $2 billion in fines on financial institutions for failing to preserve business communications conducted on unapproved channels -- personal devices, unauthorized messaging apps, and non-firm email. This enforcement campaign, sometimes called the "off-channel" or "WhatsApp" enforcement, establishes beyond doubt that regulators expect ALL business communications to be captured, regardless of the channel used. The channel does not determine the record-keeping obligation; the business purpose of the communication does.
This enforcement context frames the mobile Copilot risk directly. M365 Copilot is accessible via mobile Microsoft 365 apps -- Teams, Outlook, and Word mobile -- and mobile interactions generate the same audit events and are subject to the same retention obligations as desktop interactions, provided the mobile device is managed (Microsoft Intune MDM/MAM) and uses the official Microsoft 365 apps. The risk emerges when users access Copilot through unmanaged mobile browsers or personal devices: those interactions may fall outside the firm's retention infrastructure in the same way that personal-device messaging has generated regulatory liability in the off-channel enforcement cases.
The thread connecting these three areas -- the audit-trail alternative to WORM, the off-channel enforcement imperative, and the mobile Copilot access risk -- is the same underlying principle: recordkeeping obligations attach to the content and its business purpose, not to the storage medium or access channel. M365 Copilot, deployed with proper Purview governance and Conditional Access device requirements, actually helps institutions satisfy this principle by keeping AI-assisted interactions within the governed communication perimeter. Copilot without those controls creates the same off-channel gap that has generated billions in regulatory penalties.
Failure to maintain adequate books and records is among the most frequently cited deficiencies in FINRA and SEC examinations. Adding Copilot to the workflow without updating record-keeping practices creates material examination risk.
Control Description
This control provides comprehensive guidance on record keeping for all Copilot-generated and Copilot-assisted content, organized around the regulatory framework of SEC 17a-3 (record creation), SEC 17a-4 (record preservation), and FINRA 4511 (general requirements).
SEC 17a-3 Record Creation Requirements and Copilot
| 17a-3 Record Type | Copilot Relevance | Record Source |
|---|---|---|
| (a)(1) Blotters/ledgers | Copilot-assisted trade documentation | Exchange, SharePoint |
| (a)(2) General ledger | Copilot-assisted accounting entries | Excel, SharePoint |
| (a)(6) Memoranda of orders | Copilot-drafted order documentation | Exchange, SharePoint |
| (a)(7) Records of account | Copilot-assisted account documentation | SharePoint, Exchange |
| (a)(9) Written communications | Copilot-drafted client and internal communications | Exchange, Teams |
| (a)(10) Associated person records | Copilot-generated compliance documentation | SharePoint |
| (a)(17) Communications (retail/correspondence/institutional) | All Copilot-assisted communications | Exchange, Teams |
| (a)(25) Written supervisory procedures | Copilot-related WSP addendum | SharePoint |
SEC 17a-4 Retention Requirements
| Record Category | Retention Period | WORM Required | Copilot Content Examples |
|---|---|---|---|
| 17a-4(a) General business records (blotters, ledgers, financial statements) | 6 years (first 2 in accessible place) | Yes | Copilot-generated financial summaries, Copilot-assisted ledger entries |
| 17a-4(b)(1) Account records | 6 years after account closure | Yes | Copilot-assisted account documentation |
| 17a-4(b)(4) Business communications | 3 years (first 2 in accessible place) | Yes | Copilot-drafted emails, Teams messages, Microsoft 365 Copilot Chat history |
| 17a-4(b)(7) Written supervisory procedures | 3 years after superseded | Yes | WSP Copilot addendum versions |
| 17a-4(b)(8) Complaints | 4 years | Yes | Copilot-assisted complaint responses |
WORM Storage and the Audit-Trail Alternative
SEC Rule 17a-4(f) requires that electronically stored records be:
- Non-rewriteable and non-erasable (WORM compliance)
- Preserved exclusively in a non-rewriteable, non-erasable format for the required retention period
- Automatically verified for quality, accuracy, and completeness of recording
- Serialized with original and duplicate units having time-date serial counts
- Indexed and readily accessible
- Auditable by an independent party
Audit-trail alternative (Rule 17a-4(f)(2)(ii)(A)): As an alternative to non-rewriteable storage, a broker-dealer may instead preserve records in a manner that maintains an audit trail of all modifications, deletions, and access events throughout the record's retention period. This audit-trail alternative does not require WORM-formatted storage but imposes a comprehensive audit logging requirement: every access, modification, or deletion attempt must be recorded and preserved for the full retention period.
For Copilot content in Microsoft Purview, the audit-trail alternative may be satisfied through:
- Microsoft Purview retention labels with regulatory record declaration -- prevents modification and deletion (any attempt is blocked and logged)
- Preservation Lock on the retention policy -- makes the retention policy itself immutable, ensuring the governance framework cannot be dismantled
- Purview audit log -- captures access events, label applications, and policy actions throughout the retention period
Firms pursuing the audit-trail alternative should document their compliance approach and confirm with their 17a-4 compliance counsel that the Purview audit configuration meets the rule's requirements before relying on this path. Third-party WORM archival remains the clearest path to 17a-4(f) compliance for firms with active SEC examination risk.
For Copilot content distributed across M365 workloads, the full compliance options are:
- Option A: Retention labels with regulatory record declaration + Preservation Lock (audit-trail alternative path)
- Option B: Third-party WORM archival (Bloomberg Vault, Smarsh, Global Relay) with complete data connector coverage
Metadata Preservation
Records must include sufficient metadata to establish context, authenticity, and chain of custody:
| Metadata Element | Purpose | Copilot Source |
|---|---|---|
| Timestamp | When the record was created | Exchange/Teams/SharePoint creation timestamp |
| Author | Who created or sent the record | User identity (UPN) |
| Copilot indicator | Whether AI assisted in creating the record | CopilotInteraction audit event correlation |
| Recipients | Who received the communication | Exchange/Teams recipient metadata |
| Content hash | Integrity verification | Document/message hash for tamper detection |
| Sensitivity label | Classification of the record | Purview sensitivity label metadata |
| Retention label | Record category and retention period | Purview retention label metadata |
| Source references | What grounding data Copilot used | CopilotInteraction AccessedResources field |
Chain of Custody
For records that may be produced in regulatory examinations or litigation:
```text
Record Created (Copilot-assisted)
        |
        v
Audit Event Logged (CopilotInteraction)
        |
        v
Retention Policy Applied (Purview)
        |
        v
WORM Archive Created (Option B) OR Audit Trail Preserved (Option A: Rule 17a-4(f)(2)(ii)(A))
        |
        v
Integrity Verified (hash check)
        |
        v
Examination Production (eDiscovery export)
        |
        v
Chain-of-Custody Documentation
```
Copilot Surface Coverage
| Copilot Surface | Record Type | 17a-3/4 Category | WORM Required |
|---|---|---|---|
| Outlook Copilot | Business correspondence | 17a-4(b)(4) | Yes -- 3 years |
| Teams Copilot | Business communications (chat/meeting) | 17a-4(b)(4) | Yes -- 3 years |
| Microsoft 365 Copilot Chat | Business communications | 17a-4(b)(4) | Yes -- 3 years |
| Word Copilot | Business documents (varies by content) | 17a-4(a) or (b) depending on content | Yes -- 3-6 years |
| Excel Copilot | Financial records, analyses | 17a-4(a) if financial | Yes -- 6 years |
| PowerPoint Copilot | Client presentations, reports | 17a-4(b)(4) if client-facing | Yes -- 3 years |
| Copilot Pages | Collaborative business records | 17a-4(b)(4) or (a) depending on content | Yes -- 3-6 years |
| Mobile Copilot (managed device) | Same as desktop surface accessed | Same as above | Yes -- same as desktop |
| Mobile Copilot (unmanaged device) | Records may not be captured | At risk -- outside retention scope | Governance gap |
Governance Levels
Baseline
- Inventory all Copilot content locations and map them to 17a-3/4 record categories, including mobile access channels — key 17a-3 record types affected by Copilot: customer account records (Copilot-drafted account summaries, suitability notes), order tickets/blotter (Copilot-assisted trade order documentation), trade confirmations (Copilot-formatted confirmation drafts), written customer communications (any Copilot-drafted email via Outlook Copilot), agreements (Copilot-drafted advisory agreements), and supervisory records (Copilot-assisted supervisory review notes)
- Configure retention policies for minimum 3-year retention across all Copilot content locations (see Control 3.2) — align to 17a-3/4 minimum periods: customer account records 6 years, order tickets 6 years, written customer communications 3 years, trade confirmations 3 years, supervision records 3 years, partnership/corporate records life of firm + 3 years
- Document Copilot record-keeping procedures in the firm's compliance manual
- Verify that CopilotInteraction audit events are captured and retained (see Control 3.1 — audit logging infrastructure)
- Include Copilot records in the firm's books-and-records index
- Establish basic procedures for producing Copilot records in response to regulatory requests
- Require mobile Copilot access only through managed Microsoft 365 apps (Teams, Outlook, Word mobile) deployed via Intune MDM/MAM
Recommended
- Implement differentiated retention based on record category (3 years for communications, 6 years for financial records) — see 17a-3/4 retention period table above
- Deploy retention labels with regulatory record declaration for high-value Copilot records
- Configure Preservation Lock on retention policies governing regulated records — once enabled, the policy cannot be deleted and the retention period cannot be shortened (⚠️ this action is irreversible); enable via Purview > Retention policies > [policy] > Lock policy; this supports 17a-4(f) WORM requirements per SEC no-action letters
- Configure auto-apply retention labels for Copilot-generated financial documents
- Establish metadata preservation standards for Copilot records
- Implement chain-of-custody documentation for Copilot record productions
- Conduct quarterly record-keeping audits to verify retention policy coverage and compliance
- Test record retrieval and production workflows for examination readiness
- Deploy Conditional Access policies restricting Copilot access to managed devices or compliant applications — this is the primary control preventing the off-channel gap for mobile Copilot (see Control 2.3 for Conditional Access configuration)
- Document the compliance path selected for 17a-4(f) (audit-trail alternative via Purview, or third-party WORM archival) with supporting rationale
- Address SEC off-channel enforcement trends — the SEC has assessed $2+ billion in off-channel communication fines since 2021; Copilot-drafted messages sent via unapproved channels remain subject to off-channel enforcement, while Copilot-assisted drafts sent via monitored M365 channels are not themselves off-channel communications; configure a DLP policy blocking Copilot access to off-channel conversation content and IRM monitoring for Copilot queries about off-channel topics
Regulated
- Implement WORM-compliant storage for Copilot records per SEC Rule 17a-4(f) — either via Option A (audit-trail alternative: Purview regulatory record labels + Preservation Lock with documented compliance analysis per Rule 17a-4(f)(2)(ii)(A)), or Option B (third-party WORM archival with vendor attestation)
- For Option A (audit-trail alternative per 17a-4(f)(2)(ii)(A)): leverage SharePoint Preservation Hold Library — provides audit trail of record creation and immutability when combined with retention hold; the system must automatically verify recording quality/accuracy, serialize and time-date stamp records, and support download to a readable format
- For Option B (third-party WORM archival): evaluate providers such as Global Relay, Smarsh, or Veritas Enterprise Vault — these ingest Teams/Exchange Copilot content via journaling or EWS and provide SEC-compliant WORM storage with vendor attestation
- Obtain or verify SEC Rule 17a-4(f) attestation from archival storage vendor (if pursuing Option B)
- Implement MDM-enforced device compliance requirements for all mobile Copilot access — Intune device compliance policies + app protection policies + periodic mobile audit log review
- Implement automated record classification for Copilot content using trainable classifiers
- Establish real-time record integrity monitoring with hash verification
- Maintain pre-built examination response packages organized by record category — align to 17a-3/4 record types: customer account records (6 yr), order tickets (6 yr), customer communications (3 yr), trade confirmations (3 yr), supervision records (3 yr)
- Conduct annual SEC 17a-4 compliance assessment for Copilot records with documented results, including review of whether the audit-trail alternative configuration satisfies Rule 17a-4(f)(2)(ii)(A) requirements
- Implement independent audit of record-keeping completeness and integrity
- Document compensating controls for any identified record-keeping gaps, including mobile access gaps
Setup & Configuration
Step 1: Map Copilot Records to 17a-3/4 Categories
- Create a Copilot record classification matrix:
| Copilot Activity | Record Category | 17a-3 Reference | 17a-4 Retention | Location |
|---|---|---|---|---|
| Client email drafting | Business correspondence | 17a-3(a)(17) | 3 years | Exchange |
| Financial analysis | Financial records | 17a-3(a)(2) | 6 years | SharePoint/OneDrive |
| Trade documentation | Order memoranda | 17a-3(a)(6) | 6 years | SharePoint |
| Client proposals | Business correspondence | 17a-3(a)(17) | 3 years | SharePoint/OneDrive |
| Compliance review | Compliance records | 17a-3(a)(25) | 3 years after superseded | SharePoint |
| Meeting summaries | Business communications | 17a-3(a)(9) | 3 years | Teams/Exchange |
| Copilot Chat interactions | Business communications | 17a-3(a)(9) | 3 years | Exchange |
| Mobile Copilot interactions (managed) | Same as above by content | Same as above | Same as above | Via managed app |
- Document the matrix in the firm's record-keeping schedule
- Review and update the matrix quarterly as Copilot usage patterns evolve
Step 2: Configure Retention Policies (See Control 3.2 for Detailed Steps)
- Create retention policies covering all Copilot content locations:
- Exchange: 3-year minimum (6-year for financial correspondence)
- SharePoint: 6-year minimum for financial record sites
- OneDrive: 3-year minimum (6-year for financial documents)
- Teams: 3-year minimum
- For regulated environments, configure 6-year retention across all locations
Step 3: Implement WORM Storage or Audit-Trail Alternative
Option A: Microsoft Purview Audit-Trail Alternative (Rule 17a-4(f)(2)(ii)(A))
- Create retention labels with "Mark items as a regulatory record" enabled in Purview Records Management
- Apply to Copilot-generated content in regulated categories (these labels prevent modification and deletion, and log all access attempts)
- Enable Preservation Lock on the retention policy to make the policy itself immutable
- Verify that the Purview audit log captures access events, modification attempts, and deletion blocks for the labeled items throughout the retention period
- Document the compliance approach in writing: confirm with 17a-4 compliance counsel that the Purview audit configuration meets Rule 17a-4(f)(2)(ii)(A) requirements
Option B: Third-Party WORM Archival
- Select a SEC 17a-4(f)-compliant archival solution (e.g., Bloomberg Vault, Smarsh, Global Relay)
- Configure data connectors to export Copilot content to the archival system:
- Exchange connector for email and Copilot Chat content
- Teams connector for Teams messages and meeting content
- SharePoint/OneDrive connector for document content
- Verify WORM storage attestation from the archival vendor
- Configure retention periods in the archival system to match 17a-4 requirements
Step 4: Configure Mobile Copilot Access Controls
Mobile Copilot access through unmanaged devices creates the same off-channel record-keeping gap that has generated billions in regulatory penalties in the off-channel enforcement cases. Implement the following:
- Deploy Conditional Access policies requiring managed device or compliant application for M365 Copilot access (see Control 2.3 for detailed Conditional Access configuration)
- Configure Intune App Protection Policies (MAM) for Microsoft 365 mobile apps that include Copilot functionality:
- Require PIN for app access
- Block copy/paste of corporate content to personal apps
- Block screen capture
- Wipe corporate data on unenrollment
- Verify that mobile Copilot interactions via managed apps are captured by existing retention policies:
- Teams mobile: covered by Teams retention policy if using official Teams app
- Outlook mobile: covered by Exchange retention policy
- Word/Excel/PowerPoint mobile: covered by SharePoint/OneDrive retention policy
- Test retention coverage by generating a Copilot interaction via mobile (managed app) and verifying it appears in the Purview audit log and is subject to the retention policy
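To confirm that a test interaction from a managed mobile app actually landed in the unified audit log (the last bullet above, and the Baseline CopilotInteraction check), the following added PowerShell example, which is not part of this control, queries the log for one user and summarises the events by host application. It assumes an existing Connect-ExchangeOnline session and that CopilotEventData carries an AppHost property naming the host app; the user principal name in the usage comment is a placeholder.

```powershell
# Added example (not from the control text). Assumes Connect-ExchangeOnline has
# already been run with an account holding the View-Only Audit Logs role.
# CopilotEventData.AppHost is assumed to be the field naming the host app.

function Get-CopilotInteractionCoverage {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $LookbackHours = 24
    )
    $end   = Get-Date
    $start = $end.AddHours(-$LookbackHours)
    # A fresh session id lets Search-UnifiedAuditLog page through large result sets
    $sessionId = "copilot-coverage-" + [guid]::NewGuid().ToString()
    $events = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType CopilotInteraction -UserIds $UserPrincipalName `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $events += $page }
    } while ($page -and @($page).Count -eq 5000)

    # Flatten each event's AuditData JSON into the fields a retention reviewer needs
    $rows = foreach ($e in $events) {
        $data = $e.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationTime  = $e.CreationDate
            AppHost       = $data.CopilotEventData.AppHost            # assumed field
            ResourceCount = @($data.CopilotEventData.AccessedResources).Count
            Identity      = $e.Identity
        }
    }

    # Per-host counts show at a glance whether Teams/Outlook/Office mobile usage is captured
    $byHost = $rows | Group-Object -Property AppHost |
        Select-Object @{ n = 'AppHost'; e = { $_.Name } }, Count

    [pscustomobject]@{
        User        = $UserPrincipalName
        Window      = "$($start.ToString('u')) to $($end.ToString('u'))"
        TotalEvents = @($rows).Count
        ByAppHost   = $byHost
        Events      = $rows
    }
}

# Usage: run a Copilot prompt from the managed Teams mobile app, allow time for
# audit ingestion (events do not appear instantly), then check the user's window.
# $r = Get-CopilotInteractionCoverage -UserPrincipalName 'user@contoso.example' -LookbackHours 6
# $r.ByAppHost
# if ($r.TotalEvents -eq 0) { Write-Warning 'No CopilotInteraction events captured for this user in the window' }
```

A zero count after a known test interaction is the signal to treat that access path as an off-channel gap until the cause (unmanaged browser, personal device, audit configuration) is found.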
Step 5: Establish Metadata Preservation
- Verify that retention policies preserve original metadata (creation date, author, recipients)
- Configure audit log retention to maintain CopilotInteraction event metadata for the record retention period
- Implement hash-based integrity verification for archived Copilot records:
```powershell
# Example: Generate SHA-256 hash for exported record integrity verification
$hash = Get-FileHash -Path "ExportedRecord.eml" -Algorithm SHA256
"Record: ExportedRecord.eml | Hash: $($hash.Hash) | Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" | Out-File -FilePath "ChainOfCustody.log" -Append
```
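The single-file hash above is the building block; for an examination production a firm needs the hash log for a whole export folder and a re-check before the records leave the firm. The following added PowerShell example, which is not part of this control, does both: it appends one row per exported file to a CSV custody log, then re-hashes the folder and flags missing, altered and unlogged files, recording the verification itself in the same log. Folder names, the matter identifier and the log location are assumptions.

```powershell
# Added example (not from the control text). Builds an append-only CSV custody
# log for an eDiscovery export folder and re-verifies it before production.
# Keep the log outside the export folder so it is never hashed as a record.

function Get-RelativeRecordPath {
    param([string] $Root, [string] $FullName)
    $FullName.Substring($Root.Length).TrimStart('\', '/')
}

function New-ChainOfCustodyLog {
    param(
        [Parameter(Mandatory)] [string] $ExportPath,  # folder produced by the eDiscovery export
        [Parameter(Mandatory)] [string] $LogPath,     # custody log: appended to, never rewritten
        [Parameter(Mandatory)] [string] $MatterId,    # FINRA 8210 / SEC request identifier
        [string] $Custodian = "$env:USERDOMAIN\$env:USERNAME"
    )
    $root  = (Resolve-Path -Path $ExportPath).Path
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $entries = @(Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Timestamp = $stamp
            MatterId  = $MatterId
            Action    = 'Exported'
            Record    = Get-RelativeRecordPath -Root $root -FullName $_.FullName
            SizeBytes = $_.Length
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Custodian = $Custodian
            Note      = ''
        }
    })
    $entries | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $entries
}

function Test-ChainOfCustody {
    param(
        [Parameter(Mandatory)] [string] $ExportPath,
        [Parameter(Mandatory)] [string] $LogPath,
        [Parameter(Mandatory)] [string] $MatterId,
        [string] $Custodian = "$env:USERDOMAIN\$env:USERNAME"
    )
    $root   = (Resolve-Path -Path $ExportPath).Path
    $logged = @(Import-Csv -Path $LogPath |
        Where-Object { $_.MatterId -eq $MatterId -and $_.Action -eq 'Exported' })
    $findings = @()
    foreach ($e in $logged) {
        $full = Join-Path -Path $root -ChildPath $e.Record
        if (-not (Test-Path -LiteralPath $full)) {
            $status = 'MISSING'        # logged at export time but gone from the folder
        } elseif ((Get-FileHash -Path $full -Algorithm SHA256).Hash -ne $e.Sha256) {
            $status = 'HASH_MISMATCH'  # content changed since export
        } else {
            $status = 'OK'
        }
        $findings += [pscustomobject]@{ Record = $e.Record; Status = $status }
    }
    # Files present now but never logged are a custody gap too: nothing ties them to the export
    $onDisk = @(Get-ChildItem -Path $root -File -Recurse |
        ForEach-Object { Get-RelativeRecordPath -Root $root -FullName $_.FullName })
    foreach ($u in ($onDisk | Where-Object { $_ -notin $logged.Record })) {
        $findings += [pscustomobject]@{ Record = $u; Status = 'UNLOGGED' }
    }
    $bad = @($findings | Where-Object Status -ne 'OK')
    # Record the verification itself so the log shows who checked, when, and the outcome
    [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        MatterId  = $MatterId
        Action    = 'Verified'
        Record    = '*'
        SizeBytes = ''
        Sha256    = ''
        Custodian = $Custodian
        Note      = "$($findings.Count) checked, $($bad.Count) exceptions"
    } | Export-Csv -Path $LogPath -NoTypeInformation -Append
    [pscustomobject]@{ Passed = ($bad.Count -eq 0); Findings = $findings }
}

# Usage (paths and matter id are illustrative):
# New-ChainOfCustodyLog -ExportPath 'C:\Exports\8210-0042' -LogPath 'C:\Custody\ChainOfCustody.csv' -MatterId '8210-0042'
# (Test-ChainOfCustody -ExportPath 'C:\Exports\8210-0042' -LogPath 'C:\Custody\ChainOfCustody.csv' -MatterId '8210-0042').Findings
```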
Step 6: Create Examination Response Procedures
- Document standard procedures for responding to FINRA 8210 and SEC examination requests for Copilot records:
- Identify the record categories requested
- Determine Copilot content locations for each category
- Run eDiscovery searches (see Control 3.3)
- Export records in examiner-requested format
- Generate chain-of-custody documentation
- Verify export completeness and integrity
- Create pre-built eDiscovery search queries for common examination request patterns
- Establish response time targets:
- Initial acknowledgment: 2 business days
- Preliminary production: 10 business days
- Complete production: 30 business days (or as specified by examiner)
Financial Sector Considerations
SEC Rule 17a-4(f) Compliance Challenges for Copilot
Meeting the WORM requirement for Copilot content presents unique challenges:
- Distributed storage: Copilot content is stored across multiple M365 workloads, each with different storage and retention mechanisms
- Dynamic content: Copilot Pages and collaborative documents may be modified after initial creation, raising questions about which version constitutes the "record"
- Metadata completeness: Standard M365 metadata may not include all elements required for 17a-4 compliance (e.g., Copilot-specific indicators)
- Attestation requirements: SEC Rule 17a-4(f)(3) requires a representation from the storage media vendor (or third-party provider) that the storage meets WORM requirements; the audit-trail alternative path under Rule 17a-4(f)(2)(ii)(A) requires comprehensive audit trail coverage rather than a vendor attestation
Firms should work with their 17a-4 compliance vendor to confirm that all Copilot content locations are covered by the selected compliance approach (WORM attestation or audit-trail alternative).
Record-Keeping Examination Findings
Common SEC and FINRA examination findings related to books and records that are amplified by Copilot:
- Incomplete record retention: Not all communication channels are covered by retention policies (e.g., missing Copilot Chat coverage, unmanaged mobile access)
- Inadequate indexing: Records are retained but not readily retrievable or searchable
- Missing metadata: Records lack sufficient contextual information to establish authenticity and purpose
- WORM gaps: Electronic records are not stored in non-rewriteable format for the required period
- Inconsistent retention: Different retention periods applied to similar record types across workloads
- Mobile access gaps: Copilot interactions via unmanaged mobile devices not captured by retention policies
FINRA Rule 4511 General Requirements
FINRA Rule 4511 requires that members:
- Make and preserve books and records as required under FINRA rules, the SEA, and applicable SEA rules
- Preserve records in a format and media that comply with SEC Rule 17a-4
- Produce records promptly upon request by FINRA
- Notify FINRA of the location of records and any changes to record storage arrangements
Firms must include Copilot record storage locations (including the compliance approach for 17a-4(f)) in their FINRA record-keeping notifications.
Record-Keeping for Departed Representatives
When a registered representative departs the firm, their Copilot records must be preserved for the full retention period. This requires:
- Converting the representative's mailbox to a shared or inactive mailbox before deletion
- Ensuring OneDrive content is reassigned before the OneDrive deletion timer expires
- Verifying all Teams content is preserved through retention policies
- Documenting the departed representative's Copilot record locations in the departure checklist
Verification Criteria
| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | Verify Copilot record classification matrix exists | Matrix maps all Copilot content types to 17a-3/4 categories, including mobile access paths | Baseline |
| 2 | Confirm retention policies cover all Copilot content locations | No Copilot content location (including managed mobile) is outside retention policy scope | Baseline |
| 3 | Test record retrieval for examination response | Copilot records are retrievable and exportable within target timeframes | Baseline |
| 4 | Verify mobile Copilot requires managed device | Conditional Access or MDM policy restricts Copilot mobile access to managed/compliant devices | Recommended |
| 5 | Verify differentiated retention periods | 3-year and 6-year retention applied correctly by record category | Recommended |
| 6 | Verify 17a-4(f) compliance approach is documented | Option A (audit-trail alternative per Rule 17a-4(f)(2)(ii)(A)) or Option B (WORM vendor attestation) is selected and documented | Recommended |
| 7 | Test retention label regulatory record functionality | Content marked as regulatory record cannot be deleted or modified; attempts are logged | Recommended |
| 8 | Verify metadata preservation | Exported records include timestamp, author, recipients, and Copilot indicator | Recommended |
| 9 | Verify WORM storage compliance or audit-trail alternative | Records are stored per the selected 17a-4(f) compliance path with appropriate documentation | Regulated |
| 10 | Verify Preservation Lock on retention policies | Retention policies cannot be modified or deleted by any administrator | Regulated |
| 11 | Test chain-of-custody documentation | Complete chain-of-custody log generated for mock examination production | Regulated |
| 12 | Verify MDM device compliance for mobile Copilot | Intune device compliance + app protection policies enforced; mobile audit log review documented | Regulated |
| 13 | Run annual 17a-4 compliance assessment | Assessment documents compliance status for all Copilot record categories and the audit-trail alternative (if applicable) | Regulated |
Additional Resources
- SEC Rule 17a-3 (Records to Be Made)
- SEC Rule 17a-4 (Records to Be Preserved)
- FINRA Rule 4511 (General Requirements)
- SEC Amendments to 17a-4 (2022)
- Microsoft Purview Regulatory Record Labels
- Preservation Lock for retention policies
- Control 3.1 -- Copilot Interaction Audit Logging
- Control 3.2 -- Data Retention Policies
- Control 3.3 -- eDiscovery for Copilot-Generated Content
Related Controls: 3.1 Copilot Audit Logging, 3.2 Data Retention Policies, 3.3 eDiscovery for Copilot Content
FSI Copilot Governance Framework v1.2.1 - March 2026