Control 3.2: Data Retention Policies for Copilot Interactions
Control ID: 3.2
Pillar: Compliance & Audit
Regulatory Reference: FINRA 4511 (Books and Records), SEC 17a-4 (Preservation of Records), SOX 802 (Criminal Penalties for Altering Documents)
Last Verified: 2026-03-22
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish and enforce data retention policies that preserve Copilot-generated content, Copilot chat history, and Copilot-assisted communications for the retention periods required by financial services regulations, using Microsoft Purview retention policies and retention labels.
Why This Matters for FSI
Financial services regulations mandate that specific types of business records be preserved for defined periods. When Copilot drafts a client email, generates a financial summary, or assists with a compliance review, the resulting content may constitute a business record subject to retention requirements. The challenge with Copilot is that AI-generated and AI-assisted content is distributed across multiple M365 workloads -- Exchange mailboxes, Teams chats, OneDrive files, SharePoint sites, and Copilot Pages -- each with distinct retention behaviors.
SEC Rule 17a-4 requires broker-dealers to preserve business communications for at least 3 years (first 2 years in an accessible place) and certain financial records for 6 years. FINRA Rule 4511 extends this to all books and records required under FINRA rules. SOX Section 802 imposes criminal penalties for knowingly altering, destroying, or concealing records relevant to federal investigations.
Without deliberate retention policies targeting Copilot content locations, firms risk inadvertent destruction of records that regulators expect to be preserved. Microsoft Purview retention policies and retention labels provide the mechanism to enforce these requirements across all Copilot content locations.
Control Description
This control covers the configuration of Microsoft Purview retention policies that address every location where Copilot creates or stores content. It includes retention period determination, policy scoping, retention label design, preservation hold implementation, and the FSI retention matrix.
FSI Retention Matrix for Copilot Content
| Content Type | M365 Location | Record Category | Minimum Retention | Regulatory Basis |
|---|---|---|---|---|
| Microsoft 365 Copilot Chat history | Microsoft Copilot experiences (user mailbox hidden folder) | Business communication | 3 years | FINRA 4511, SEC 17a-4(b)(4) |
| Copilot-drafted emails (sent) | Exchange Online | Business correspondence | 3 years | SEC 17a-4(b)(4) |
| Copilot-drafted emails (client-facing) | Exchange Online | Customer correspondence | 6 years | SEC 17a-4(a) |
| Copilot Pages | SharePoint Embedded user-owned container (retention applied through All SharePoint Sites) | Business record | 3 years | FINRA 4511 |
| Teams meeting recaps (Copilot) | Microsoft Copilot experiences / Teams-Exchange | Business communication | 3 years | FINRA 4511, SEC 17a-4(b)(4) |
| Teams meeting transcripts | Teams / Exchange | Business communication | 3 years | FINRA 4511 |
| Teams chat Copilot interactions | Microsoft Copilot experiences / Teams-Exchange | Business communication | 3 years | FINRA 4511, SEC 17a-4(b)(4) |
| Word/Excel/PowerPoint Copilot drafts | SharePoint / OneDrive | Business record | 6 years (if financial) | SEC 17a-4(a), SOX 802 |
| Copilot-assisted financial analyses | SharePoint / OneDrive | Financial record | 6 years | SEC 17a-3(a)(2), SOX 802 |
| Copilot audit log events | Purview UAL | Audit trail | 6 years | SEC 17a-4(a), FINRA 4511 |
Restructured Retention Locations in Microsoft Purview
Microsoft has reorganized Copilot-related retention locations in Purview. For M365 Copilot governance, the key point is that Copilot interaction history and Copilot Pages storage no longer map to the same retention target.
| Retention Location Category | Included Content | Configuration Path |
|---|---|---|
| Microsoft Copilot experiences | Microsoft 365 Copilot Chat history, Copilot interaction history, meeting recap content, and related Copilot experience records | Purview > Data Lifecycle Management > Retention Policies > Microsoft Copilot experiences |
| All SharePoint Sites | SharePoint Online sites and SharePoint Embedded-backed Copilot Pages / Copilot Notebooks containers | Purview > Data Lifecycle Management > Retention Policies > SharePoint sites |
| Enterprise AI Apps | Copilot Studio agents, Power Platform AI integrations | Purview > Data Lifecycle Management > Retention Policies > Enterprise AI Apps |
| Other AI Apps | Third-party AI tools integrated via Microsoft 365 | Purview > Data Lifecycle Management > Retention Policies > Other AI Apps |
Scope guidance for M365 Copilot deployments: Use Microsoft Copilot experiences to retain Copilot interaction history and use All SharePoint Sites to retain Copilot Pages and Copilot Notebooks because those files are stored in SharePoint Embedded containers.
Retention Policy vs. Retention Label
| Mechanism | Use Case | Behavior |
|---|---|---|
| Retention policy | Blanket retention for all content in a location | Applied automatically to all content; users cannot remove; supports "retain and then delete" or "retain only" |
| Retention label | Targeted retention for specific document types | Applied manually or via auto-labeling; can declare content as a regulatory record; supports disposition review |
For FSI Copilot governance, use retention policies as the baseline to provide coverage for all Copilot content locations, and retention labels for targeted record declaration of high-value regulatory records.
Content Locations for Copilot Data
Understanding where Copilot stores data is critical for comprehensive retention coverage:
- Microsoft Copilot experiences (Purview retention location): Primary location for Copilot Chat history, Copilot interaction data, and meeting recap content
- Exchange Online mailboxes: Copilot Chat history (hidden folder), Copilot-drafted emails, meeting recap summaries
- OneDrive for Business: Copilot-generated files saved to personal OneDrive locations
- SharePoint Online / SharePoint Embedded: Copilot-generated documents stored in team sites plus Copilot Pages and Copilot Notebooks stored in user-owned SharePoint Embedded containers
- Teams channel messages: Copilot summaries posted in channels
- Teams chat messages: Copilot interactions in 1:1 and group chats
- Purview Audit Log: CopilotInteraction events (covered by Control 3.1 retention)
Priority Cleanup for AI-Generated Assets
Microsoft Purview now supports priority cleanup policies that target AI-generated content for earlier disposition review, enabling organizations to reduce storage costs while maintaining regulatory compliance. This capability is particularly relevant for Copilot-generated draft content that users do not finalize — ephemeral drafts that are never sent or saved as formal business records may not warrant the same retention period as finalized content.
Governance considerations for AI-generated drafts:
Priority cleanup allows organizations to configure separate retention treatment for AI-generated content that meets specific criteria. However, FSI organizations must exercise caution in applying shorter retention periods to Copilot-generated content given broad regulatory interpretations of "business records."
| Tier | Priority Cleanup Approach | Rationale |
|---|---|---|
| Baseline | Standard retention (no priority cleanup) | Avoids inadvertent destruction of records; simpler governance |
| Recommended | Priority cleanup for unsent Copilot drafts only | Reduces storage costs for clearly ephemeral content while retaining all sent or saved content |
| Regulated | Retain all Copilot-generated content regardless of draft status | Conservative interpretation of SEC Rule 17a-3(a)(17), which covers "all communications relating to the member's business" — firms under heightened oversight should err toward broader retention |
When configuring priority cleanup at the Recommended tier, scope the cleanup policy narrowly: target only documents in personal OneDrive locations that have never been shared or sent, that have not been modified in 90+ days, and that match Copilot-generated content signatures. Document the scope decisions and the regulatory rationale in the firm's records management schedule.
Threaded Summaries Retention
Copilot-generated meeting summaries and Teams conversation summaries are retained as threaded objects linked to their source content. This threading structure creates a retention consideration that firms must address explicitly in their policies.
The independence principle: Deleting a source message does not delete the Copilot summary, and vice versa. A Teams meeting transcript that is deleted per a normal deletion workflow does not automatically delete the Copilot-generated meeting recap. Similarly, a retention policy that covers meeting transcripts does not automatically extend to the Copilot-generated summary unless the summary's storage location is also covered.
Implications for FSI firms:
- Retention policies must cover both the source content location (e.g., Teams channel messages) and the summary storage location (e.g., Microsoft Copilot experiences) to ensure complete retention of the full interaction record.
- FINRA Rule 4511(c) requires members to preserve books and records in a format and media that comply with applicable regulations. Threaded summaries that capture the substance of a business discussion are books and records for this purpose — they cannot be excluded from the firm's retention inventory.
- When configuring eDiscovery searches, include both Teams message content and the Microsoft Copilot experiences location to ensure threaded summaries are captured in hold and export operations.
- Conduct an annual review of threaded summary retention coverage to verify that policy updates have not created gaps between source content and summary retention.
Copilot Surface Coverage
| Copilot Surface | Content Stored | Retention Location | Policy Type |
|---|---|---|---|
| Microsoft 365 Copilot Chat | Chat history with Copilot | Microsoft Copilot experiences | Copilot experiences retention policy |
| Word Copilot | Generated/revised document content | SharePoint or OneDrive (where doc is saved) | SharePoint/OneDrive retention policy |
| Excel Copilot | Generated formulas, analyses, charts | SharePoint or OneDrive | SharePoint/OneDrive retention policy |
| PowerPoint Copilot | Generated slides, design changes | SharePoint or OneDrive | SharePoint/OneDrive retention policy |
| Outlook Copilot | Drafted/revised emails | Exchange mailbox (Sent Items, Drafts) | Exchange retention policy |
| Teams Copilot | Meeting recaps, chat summaries | Microsoft Copilot experiences / Teams-Exchange | Teams + Copilot experiences retention policy |
| Copilot Pages | Page content, collaborative edits | SharePoint Embedded user-owned container | SharePoint retention policy covering All SharePoint Sites |
Governance Levels
Baseline
- Create retention policies covering all Copilot content locations for a minimum of 3 years — required locations: Exchange Online (Copilot Chat substrate, Outlook drafts), Microsoft Copilot experiences (Copilot interaction history), SharePoint Online / All SharePoint Sites (team-shared files plus SharePoint Embedded containers used by Copilot Pages and Copilot Notebooks), OneDrive for Business (personal files and documents saved there, but not Pages storage), Teams Channel messages, Teams Chat messages, and Microsoft 365 Groups
- Configure via Purview portal: Microsoft Purview portal > Solutions > Data Lifecycle Management > Microsoft 365 > Retention policies > + New retention policy
- Configure a retention policy for the Microsoft Copilot experiences location to capture Copilot Chat history
- Verify Copilot Chat history is included in the Microsoft Copilot experiences retention scope
- Confirm that Copilot Pages and Copilot Notebooks are covered through a retention policy scoped to All SharePoint Sites because the content is stored in SharePoint Embedded containers
- Note: Copilot interactions in Teams are captured under the same `TeamsChatLocation` (1:1, group) and `TeamsChannelLocation` (channels) as standard Teams messages — no separate location parameter is needed specifically for Teams Copilot content
- Note: Copilot-generated content in Word/Excel/PowerPoint is retained wherever the host file is stored (SharePoint or OneDrive) and is covered by those location policies
- Document retention policy assignments in the firm's records management schedule
- Test retention by verifying that deleted Copilot content is recoverable within the retention period
Recommended
- Implement differentiated retention periods based on the FSI retention matrix (3 years for communications, 6 years for financial records)
- Create retention labels for "Regulatory Record -- Financial" (6-year) and "Regulatory Record -- Communication" (3-year)
- Configure auto-apply retention labels using trainable classifiers or keyword queries for Copilot-generated financial documents
- Implement preservation hold policies for users under regulatory investigation or litigation hold
- Use adaptive scopes to target retention policies by department, office, or job title — create via Microsoft Purview > Data Lifecycle Management > Adaptive scopes > + Create scope; available scope types: Users (based on Entra ID attributes → applies to OneDrive + Exchange), SharePoint sites (based on site name, URL, or sensitivity labels), and Microsoft 365 Groups (based on group attributes); limitation: adaptive scopes cannot currently filter within Teams Chat/Channel locations by Copilot-specific attributes — the entire Teams location is included
- Monitor retention policy status and coverage through Purview data lifecycle management reports
- Conduct quarterly retention coverage audits to identify gaps
- Configure priority cleanup for unsent Copilot drafts with appropriate scope controls
- Verify that threaded summary retention covers both source and summary locations
- Confirm PowerShell-based policy creation covers all locations — reference (`-Name` is mandatory; substitute the firm's policy name):

```powershell
New-RetentionCompliancePolicy -Name "<policy-name>" -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsChannelLocation All -TeamsChatLocation All -ModernGroupLocation All
```
Regulated
- Configure WORM-immutable retention for records subject to SEC Rule 17a-4(f) requirements — use `New-RetentionComplianceRule` with `-RetentionComplianceAction KeepAndDelete` to support the immutable retain-then-delete behavior required for WORM compliance
- Enable Preservation Lock on retention policies governing regulated records — once enabled, the policy cannot be deleted and the retention period cannot be shortened; this satisfies the 17a-4(f) WORM requirement per SEC no-action letters (⚠️ this action is irreversible); enable via Purview > Retention policies > [policy] > Lock policy
- Implement regulatory record declaration using retention labels with "Mark items as a regulatory record" enabled
- Establish disposition review workflows for records reaching end of retention period
- Create preservation hold policies that can be activated within 4 hours of a regulatory preservation notice
- Configure retention policies for a minimum of 6 years across all Copilot content locations including Microsoft Copilot experiences — example PowerShell with 7-year FSI standard (create the policy, then attach its rule):

```powershell
New-RetentionCompliancePolicy -Name "FSI-Copilot-7yr-Retention" -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsChannelLocation All -TeamsChatLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Policy "FSI-Copilot-7yr-Retention" -RetentionDuration 2556 -RetentionComplianceAction Keep
```

- Implement cross-workload retention reporting to verify no Copilot content falls outside retention scope
- Document retention policy exceptions and compensating controls for any gaps
- Conduct annual retention policy effectiveness testing with documented results
- Adopt conservative retention posture for all Copilot-generated content per SEC Rule 17a-3(a)(17) interpretation
Setup & Configuration
Step 1: Create Microsoft Copilot Experiences Retention Policy
- Navigate to Microsoft Purview portal
- Go to Data lifecycle management > Microsoft 365 > Retention policies
- Click + New retention policy
- Configure:
  - Name: `FSI-Copilot-Experiences-Retention-3Year`
  - Description: Retains Microsoft Copilot Chat history, meeting recaps, and Copilot interaction content
  - Locations: Select Microsoft Copilot experiences — toggle to On (covers all Copilot interaction history and AI-assisted content)
  - Retention settings: Retain items for 3 years, then do nothing (retain only)
- Click Submit
- For regulated deployments requiring 6-year retention, create a second policy: `FSI-Copilot-Experiences-Retention-6Year` with a 6-year duration
Step 2: Create Exchange Retention Policy (Email + Legacy Copilot Chat Coverage)
- Create a new retention policy:
  - Name: `FSI-Copilot-Exchange-Retention-3Year`
  - Description: Retains Exchange content including Copilot-drafted emails for 3 years
  - Locations: Exchange mailboxes -- include all users (or scoped groups)
  - Retention settings: Retain items for 3 years, then do nothing (retain only)
- Click Submit
Step 3: Create OneDrive Retention Policy (Personal Files and Draft Documents)
- Create a new retention policy:
  - Name: `FSI-Copilot-OneDrive-Retention-3Year`
  - Description: Retains OneDrive content including personal Copilot-generated documents for 3 years
  - Locations: OneDrive accounts -- include all users
  - Retention settings: Retain items for 3 years, then do nothing
- For financial records requiring 6-year retention, create an additional policy or use retention labels
Step 4: Create SharePoint Retention Policy (Includes Copilot Pages / Notebooks)
- Create a new retention policy:
  - Name: `FSI-Copilot-SharePoint-Retention-6Year`
  - Description: Retains SharePoint content including Copilot-generated documents and SharePoint Embedded-backed Copilot Pages / Copilot Notebooks
  - Locations: SharePoint sites -- include All SharePoint Sites (or specific financial record sites where appropriate)
  - Retention settings: Retain items for 6 years, then do nothing
Step 5: Create Teams Retention Policy
- Create a new retention policy:
  - Name: `FSI-Copilot-Teams-Retention-3Year`
  - Description: Retains Teams messages and Copilot meeting recaps for 3 years
  - Locations: Teams channel messages and Teams chats -- include all
  - Retention settings: Retain items for 3 years, then do nothing
Step 6: Create Regulatory Record Retention Labels (Regulated)
- Go to Data lifecycle management > Microsoft 365 > Labels
- Create label:
  - Name: `FSI-Regulatory-Record-Financial-6Yr`
  - Description: Regulatory record -- financial records retained for 6 years per SEC 17a-4
  - Retention: 6 years from date created
  - Mark items as a regulatory record: Yes
  - At end of retention: Trigger a disposition review
- Publish the label to relevant locations and user groups
Step 7: Configure Preservation Hold (As Needed)
For users under litigation hold or regulatory investigation:
```powershell
# Apply preservation hold to a specific user's mailbox
# (Exchange Online PowerShell, Connect-ExchangeOnline; duration is in days)
Set-Mailbox -Identity "user@firm.com" -LitigationHoldEnabled $true -LitigationHoldDuration 2555 -LitigationHoldOwner "compliance@firm.com"
```
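The following script is an added example, not part of the FSI Copilot Governance Framework, that carries Steps 2 through 7 above out in Security & Compliance PowerShell so that the policies are created the same way every time and can be re-run safely. It assumes the ExchangeOnlineManagement module, an account with compliance-admin rights, and the policy and label names used in the steps. Step 1 (the Microsoft Copilot experiences location) is configured in the Purview portal as described above; the page gives no PowerShell location parameter for it, so it is not scripted here. Teams locations are created as their own policy, matching Step 5. The Preservation Lock from the Regulated tier is included but gated behind an explicit switch because it cannot be undone.

```powershell
# Added example (not the framework's own script). Assumes: ExchangeOnlineManagement module,
# compliance-admin account, and the policy/label names from Steps 2-7 of this control.
Connect-IPPSSession   # Security & Compliance PowerShell: retention policies, rules, labels

$daysForYears = @{ 3 = 1095; 6 = 2190 }   # -RetentionDuration is expressed in days

function New-FsiRetainOnlyPolicy {
    # Creates a "retain items for N years, then do nothing" policy for one workload.
    # Idempotent: an existing policy of the same name is left untouched.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Comment,
        [Parameter(Mandatory)][int]$Years,
        [Parameter(Mandatory)][hashtable]$Locations   # splatted into New-RetentionCompliancePolicy
    )
    if (Get-RetentionCompliancePolicy -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Host "Policy '$Name' already exists; skipping"
        return
    }
    New-RetentionCompliancePolicy -Name $Name -Comment $Comment @Locations | Out-Null
    # -RetentionComplianceAction Keep = "retain only": nothing is deleted when the period ends
    New-RetentionComplianceRule -Policy $Name -RetentionDuration $daysForYears[$Years] `
        -RetentionComplianceAction Keep -ExpirationDateOption CreationAgeInDays | Out-Null
    Write-Host "Created '$Name': retain $Years years, then do nothing"
}

# Step 2: Exchange (Copilot-drafted emails, legacy Copilot Chat hidden folder)
New-FsiRetainOnlyPolicy -Name 'FSI-Copilot-Exchange-Retention-3Year' -Years 3 `
    -Comment 'Retains Exchange content including Copilot-drafted emails for 3 years' `
    -Locations @{ ExchangeLocation = 'All' }

# Step 3: OneDrive (personal Copilot-generated documents)
New-FsiRetainOnlyPolicy -Name 'FSI-Copilot-OneDrive-Retention-3Year' -Years 3 `
    -Comment 'Retains OneDrive content including personal Copilot-generated documents for 3 years' `
    -Locations @{ OneDriveLocation = 'All' }

# Step 4: SharePoint, including the SharePoint Embedded containers behind Copilot Pages / Notebooks
New-FsiRetainOnlyPolicy -Name 'FSI-Copilot-SharePoint-Retention-6Year' -Years 6 `
    -Comment 'Retains SharePoint content, Copilot Pages and Copilot Notebooks for 6 years' `
    -Locations @{ SharePointLocation = 'All' }

# Step 5: Teams chats and channel messages; Copilot recaps and summaries ride on the same
# locations. Teams locations are kept in a policy of their own, as in the portal flow.
New-FsiRetainOnlyPolicy -Name 'FSI-Copilot-Teams-Retention-3Year' -Years 3 `
    -Comment 'Retains Teams messages and Copilot meeting recaps for 3 years' `
    -Locations @{ TeamsChannelLocation = 'All'; TeamsChatLocation = 'All' }

# Step 6 (Regulated): regulatory record label, 6 years from creation date.
# Regulatory record labels must be enabled once per tenant before they can be created.
# Disposition reviewers are configured in the portal as described in Step 6.
Set-RegulatoryComplianceUI -Enabled $true
if (-not (Get-ComplianceTag -Identity 'FSI-Regulatory-Record-Financial-6Yr' -ErrorAction SilentlyContinue)) {
    New-ComplianceTag -Name 'FSI-Regulatory-Record-Financial-6Yr' `
        -Comment 'Regulatory record -- financial records retained for 6 years per SEC 17a-4' `
        -RetentionType CreationAgeInDays -RetentionDuration $daysForYears[6] `
        -RetentionAction Keep -IsRecordLabel $true -Regulatory $true | Out-Null
}

# Regulated tier: Preservation Lock on the 6-year SharePoint policy. Irreversible (the policy can
# no longer be deleted or shortened), so it only runs when the switch is deliberately set.
$applyPreservationLock = $false
if ($applyPreservationLock) {
    Set-RetentionCompliancePolicy -Identity 'FSI-Copilot-SharePoint-Retention-6Year' -RestrictiveRetention $true
}

# Step 7 (as needed): litigation hold for a named custodian. This is an Exchange Online
# cmdlet, so it needs the Exchange Online session rather than the compliance session.
Connect-ExchangeOnline
Set-Mailbox -Identity 'user@firm.com' -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555 -LitigationHoldOwner 'compliance@firm.com'
```

Run the script once per tenant after the portal-side Step 1 policy exists; re-running it reports the existing policies and creates only what is missing, which is the behaviour wanted when the records management schedule is updated.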
Financial Sector Considerations
Retention Period Conflicts
When a single piece of Copilot content could be classified under multiple retention categories (e.g., an email is both a "business communication" and a "financial record"), the longest applicable retention period should apply. Microsoft Purview follows the principle that retention wins over deletion when policies conflict.
Departed Employee Records
When employees leave the firm, their Copilot content must remain subject to retention policies. Convert departed user mailboxes to shared mailboxes or inactive mailboxes to maintain retention policy coverage. OneDrive content should be reassigned to a manager or compliance account before the OneDrive deletion timer expires (default 30 days after account deletion). Verify that the Microsoft Copilot experiences retention policy continues to cover departed users' content after account changes.
Merger and Acquisition Considerations
During M&A activities, Copilot content from acquired entities may need to be preserved under the acquiring firm's retention obligations. Plan for cross-tenant retention migration or implement preservation holds before tenant consolidation.
Cost of Long-Term Retention
Retaining 6+ years of Copilot content across all workloads has storage cost implications. Work with Microsoft account teams to understand storage consumption patterns and plan for archive mailbox usage where applicable. The Microsoft Copilot experiences retention location adds storage volume beyond traditional Exchange and SharePoint retention — include this in annual storage capacity planning.
Verification Criteria
| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | List all active retention policies in Purview | Policies covering Microsoft Copilot experiences, Exchange, OneDrive, SharePoint, and Teams are present and enabled | Baseline |
| 2 | Delete a Copilot Chat message and verify recovery | Content is recoverable from the Recoverable Items folder within the retention period | Baseline |
| 3 | Verify Copilot Pages are covered by retention | Copilot Pages appear in eDiscovery search of OneDrive/Copilot experiences content | Baseline |
| 4 | Run a retention policy status report | All policies show "On" status with no distribution errors | Recommended |
| 5 | Verify differentiated retention periods | 3-year policies apply to communications; 6-year policies apply to financial records | Recommended |
| 6 | Test preservation hold activation | Hold is applied and content is preserved within 4 hours of activation | Regulated |
| 7 | Verify regulatory record label immutability | Content with regulatory record label cannot be deleted or modified by users | Regulated |
| 8 | Run cross-workload retention gap analysis | No Copilot content locations fall outside active retention policy scope | Regulated |
| 9 | Verify departed employee content retention | Inactive mailbox and OneDrive content remain subject to retention policies | Recommended |
| 10 | Test disposition review workflow | Records reaching end of retention trigger disposition review for authorized reviewers | Regulated |
| 11 | Verify Microsoft Copilot experiences policy distribution | Copilot experiences retention policy shows DistributionStatus: Success | Baseline |
| 12 | Confirm threaded summary retention coverage | Teams meeting recaps retained independently of source transcript deletion | Recommended |
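The script below is an added example, not part of the framework, that automates verification steps 1, 4, 5, 8, 9 and 11 of the table above as a repeatable gap analysis. It assumes Security & Compliance and Exchange Online PowerShell sessions and the policy names from the Setup steps; the `$expected` table maps each policy to the minimum retention from the FSI retention matrix and should be edited to the firm's own names. Coverage of the Microsoft Copilot experiences location is checked by policy name and distribution status, since that location has no workload property on the policy object that the page identifies.

```powershell
# Added example (not the framework's own script). Assumes: compliance-admin account,
# ExchangeOnlineManagement module, and the policy names used in the Setup steps.
Connect-IPPSSession
Connect-ExchangeOnline

# Minimum retention per policy in days, taken from the FSI retention matrix
$expected = @{
    'FSI-Copilot-Experiences-Retention-3Year' = 1095
    'FSI-Copilot-Exchange-Retention-3Year'    = 1095
    'FSI-Copilot-OneDrive-Retention-3Year'    = 1095
    'FSI-Copilot-SharePoint-Retention-6Year'  = 2190
    'FSI-Copilot-Teams-Retention-3Year'       = 1095
}
# Workload location properties that must each be targeted by at least one enabled policy
$workloads = 'ExchangeLocation', 'OneDriveLocation', 'SharePointLocation',
             'TeamsChannelLocation', 'TeamsChatLocation'

$findings = [System.Collections.Generic.List[string]]::new()
$policies = Get-RetentionCompliancePolicy -DistributionDetail   # populates DistributionStatus

# Verification steps 1, 4, 5 and 11: policy present, enabled, distributed, and long enough
foreach ($name in $expected.Keys) {
    $p = $policies | Where-Object Name -eq $name
    if (-not $p) { $findings.Add("MISSING policy: $name"); continue }
    if (-not $p.Enabled) { $findings.Add("DISABLED policy: $name") }
    if ($p.DistributionStatus -ne 'Success') {
        $findings.Add("DISTRIBUTION $($p.DistributionStatus): $name")
    }
    foreach ($r in Get-RetentionComplianceRule -Policy $name) {
        if ($r.RetentionComplianceAction -eq 'Delete') {
            $findings.Add("DELETE-ONLY rule (nothing retained): $name")
        }
        # 'Unlimited' means retain forever and is never a gap
        if ("$($r.RetentionDuration)" -ne 'Unlimited' -and [int]$r.RetentionDuration -lt $expected[$name]) {
            $findings.Add("SHORT retention $($r.RetentionDuration)d < $($expected[$name])d: $name")
        }
    }
}

# Verification step 8: every workload location is targeted by at least one enabled policy.
# A non-empty location list counts as covered; whether it is 'All' or scoped is printed for review.
foreach ($w in $workloads) {
    $covering = @($policies | Where-Object { $_.Enabled -and @($_.$w).Count -gt 0 })
    if ($covering.Count -eq 0) { $findings.Add("UNCOVERED location: $w") }
    else { Write-Host ("{0,-22} covered by: {1}" -f $w, ($covering.Name -join ', ')) }
}

# Verification step 9: departed employees' inactive mailboxes still carry a hold.
# Retention policies applied to a mailbox show up in InPlaceHolds; litigation hold is separate.
foreach ($m in Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited) {
    if (-not $m.LitigationHoldEnabled -and @($m.InPlaceHolds).Count -eq 0) {
        $findings.Add("INACTIVE mailbox without hold: $($m.PrimarySmtpAddress)")
    }
}

if ($findings.Count -eq 0) { Write-Host 'No retention coverage gaps found' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Schedule the script with the quarterly coverage audit from the Recommended tier and keep its output with the audit record; an empty findings list is the evidence for verification step 8, and each warning line maps directly to a row of the table above.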
Additional Resources
- Learn about retention policies and retention labels
- Create and configure retention policies
- Declare records by using retention labels
- Inactive mailboxes in Exchange Online
- SEC Rule 17a-4 electronic storage requirements
- FINRA Rule 4511
- Control 3.1 -- Copilot Interaction Audit Logging
- Control 3.3 -- eDiscovery for Copilot-Generated Content
- Control 3.11 -- Record Keeping and Books-and-Records Compliance
Related Controls: 3.1 Copilot Audit Logging, 3.11 Record Keeping, 3.3 eDiscovery for Copilot Content
FSI Copilot Governance Framework v1.2.1 - March 2026