Skip to content

Control 3.4: Communication Compliance Monitoring

Control ID: 3.4 Pillar: Compliance & Audit Regulatory Reference: FINRA 3110 (Supervision), FINRA 2210 (Communications with the Public), SEC Regulation Best Interest (Reg BI) Last Verified: 2026-02-17 Governance Levels: Baseline / Recommended / Regulated

Objective

Deploy Microsoft Purview Communication Compliance policies that monitor Copilot-assisted communications for regulatory violations, inappropriate content, and supervisory review triggers, providing systematic oversight of AI-generated and AI-assisted messages across all M365 communication channels.

Why This Matters for FSI

Copilot fundamentally changes the nature of business communications in financial services. When a registered representative uses Copilot to draft a client email about investment recommendations, when an analyst uses Copilot to generate a research summary shared with clients, or when a broker uses Copilot to respond to customer complaints, the resulting communications carry the same regulatory obligations as purely human-authored content -- but are generated at significantly higher speed and volume.

FINRA Rule 3110(a) requires member firms to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and FINRA rules. Integrating Communication Compliance with Insider Risk Management creates an automated escalation pathway that strengthens the supervisory system by connecting surveillance findings to risk scoring in real time. FINRA Rule 2210 imposes specific content standards on communications with the public, requiring that content be fair, balanced, and not misleading. SEC Regulation Best Interest requires that broker-dealers act in the best interest of retail customers when making recommendations.

Communication Compliance in Microsoft Purview provides the mechanism to apply supervisory review, content scanning, and policy enforcement to Copilot-assisted communications at scale. Without these controls, firms may be unable to demonstrate that they maintain reasonable supervisory systems over AI-assisted communications.

Control Description

This control covers the configuration of Communication Compliance policies that target Copilot-assisted communications, including policy design, keyword detection, trainable classifiers, review workflows, escalation procedures, and integration with Insider Risk Management (IRM).

Expanded Coverage Scope

Communication Compliance now monitors AI interactions across Microsoft 365 Copilot, Microsoft Security Copilot, Microsoft Fabric Copilot, and Copilot Studio custom agents. For Microsoft 365 Copilot and Copilot Chat deployments covered by this framework, configure Communication Compliance policies as follows. Configuration guidance for Security Copilot, Fabric Copilot, and Copilot Studio is outside the scope of this framework -- those surfaces are noted here for awareness only.

Communication Compliance Policy Types for Copilot

Policy Type Purpose Copilot Relevance
Regulatory compliance Detect communications that may violate regulations Catches Copilot-drafted messages with promissory language, performance assurances, or misleading claims
Conflict of interest Detect potential conflicts in communications Identifies when Copilot drafts referencing internal holdings, material nonpublic information (MNPI), or conflicted recommendations
Inappropriate content Detect offensive or unprofessional language Catches Copilot-generated content that could be considered unfair, deceptive, or abusive (UDAAP)
Custom policy Detect organization-specific concerns Catches Copilot-generated content with firm-specific prohibited terms, unauthorized product mentions, or non-approved disclosures

Detection Methods

Method Description Best For
Keyword dictionaries Lists of specific terms that trigger review Prohibited terms, product names not approved for marketing, competitor names
Regular expressions Pattern matching for structured data Account numbers, SSNs, or other sensitive data in Copilot-generated messages
Trainable classifiers ML models trained on communication patterns Detecting tone, sentiment, promissory language, or misleading claims
Built-in classifiers Microsoft-provided classifiers Threat, harassment, discrimination, regulatory compliance patterns
Sensitive information types Predefined data patterns PII, financial data, or other SIT patterns in Copilot-drafted communications

Review Workflow Architecture

Copilot-Assisted Communication Sent
          |
          v
Communication Compliance Policy Scan
          |
    +-----+-----+
    |             |
  No Match     Match
    |             |
  (Pass)     Queue for Review
                  |
                  v
         Reviewer Dashboard
          |             |
      Compliant    Non-Compliant
          |             |
       Resolve      Escalate
                        |
                  +-----+-----+
                  |           |
            Remediate    Regulatory
              Action      Report
                  |
                  v
         IRM Risk Indicator
         (if IRM integration enabled)

Copilot Surface Coverage

Copilot Surface Monitored Policy Location Notes
Outlook Copilot Yes Exchange Online Copilot-drafted and revised emails are scanned as standard Exchange messages
Teams Copilot Yes Teams Copilot-assisted chat messages and channel posts are scanned
Microsoft 365 Copilot Chat Partial Exchange Online Copilot Chat messages stored in Exchange are scannable; review coverage depends on retention configuration
Word Copilot No (direct) N/A Documents generated by Word Copilot are not directly scanned by Communication Compliance; use DLP for document content scanning
Copilot Pages Partial OneDrive Shared Copilot Pages may be scanned when shared as links in monitored channels
Security Copilot / Fabric Copilot / Copilot Studio Awareness only N/A Coverage exists for these surfaces; configuration guidance is outside scope of this framework

Coverage Gap Mitigation

Communication Compliance primarily monitors Exchange and Teams channels. For Copilot surfaces not directly monitored (Word, Excel, PowerPoint), implement compensating controls:

  • DLP policies (Pillar 2) to scan document content for prohibited terms
  • Sensitivity labels with content marking for Copilot-generated documents
  • Supervisory review procedures for Copilot-generated documents before external sharing (see Control 3.6)

IRM Integration

Communication Compliance as an IRM Risk Indicator

Communication Compliance policy violations now generate risk indicators that feed into Insider Risk Management (IRM) policies. When a user's Copilot-assisted communications trigger CC alerts -- for example, promissory language in a client email or potential MNPI disclosure in a Teams message -- those indicators contribute to the user's insider risk score in IRM.

This creates a cross-pillar governance loop: Pillar 3 (Communication Compliance monitoring, this control) feeds directly into Pillar 2 (insider risk detection, Control 2.10). A registered representative whose Copilot-drafted communications repeatedly trigger CC policy matches may surface as an elevated insider risk, prompting enhanced supervision without requiring manual correlation between compliance and security teams.

FINRA Rule 3110(a) requires that supervisory systems be reasonably designed -- integrating CC with IRM fulfills this requirement by automating the escalation of communication compliance signals into the firm's broader risk management framework.

Enabling IRM Integration

To configure the CC-to-IRM integration:

  1. Navigate to Microsoft Purview > Communication compliance > Settings
  2. Select Insider Risk Management integration
  3. Toggle Enable insider risk indicators from Communication Compliance to On
  4. Select which CC policy violation types should generate IRM risk indicators (recommended: all high-severity violation types)
  5. Save settings

Once enabled, CC policy matches begin generating risk indicator events in IRM. Review the IRM dashboard (Control 2.10) to confirm indicators are flowing within 24 hours of enabling.

Governance Levels

Baseline

  • Create at least one Communication Compliance policy targeting Exchange and Teams locations
  • Configure keyword detection for high-priority prohibited terms (e.g., "guaranteed returns," "risk-free," "no downside")
  • Assign at least two qualified reviewers (to avoid single-point-of-failure in review)
  • Establish a review SLA of 48 hours for flagged communications
  • Document the communication compliance program in the firm's written supervisory procedures
  • CC policies without IRM integration (IRM integration not yet required at Baseline)
  • Create separate policies for each communication type: regulatory compliance, conflict of interest, and custom firm-specific policies
  • Deploy trainable classifiers for detecting promissory language, performance assurances, and misleading claims in Copilot-drafted messages
  • Reduce review SLA to 24 hours for flagged communications
  • Configure automated escalation for unreviewed items exceeding SLA
  • Integrate Communication Compliance alerts with the firm's compliance case management system
  • Enable IRM integration for high-risk CC policies -- CC violations from policies covering registered representatives and high-risk communication scenarios should generate IRM risk indicators
  • Implement reviewer rotation and workload balancing
  • Conduct monthly policy effectiveness reviews with false positive/negative analysis
  • Create dashboards for communication compliance metrics (volume scanned, matches found, review outcomes)

Regulated

  • Deploy comprehensive policy coverage across all FINRA-regulated communication types
  • Implement pre-send review for Copilot-drafted communications by registered representatives to high-risk clients (see Control 3.5)
  • Configure real-time alerting for critical regulatory violations (e.g., promissory language to retail clients)
  • Implement supervisory review sampling rates aligned with FINRA 3110 examination expectations (minimum 10% of outbound Copilot-assisted communications)
  • Establish quarterly testing of Communication Compliance policy effectiveness per FINRA 3120
  • Enable IRM integration for all CC policies with automated escalation workflows -- all CC policy violations generate IRM risk indicators; automated escalation workflows trigger when IRM risk scores exceed defined thresholds
  • Maintain detailed review logs with documented rationale for each disposition (compliant, non-compliant, escalated)
  • Configure policy analytics to identify patterns in Copilot-generated communication violations
  • Implement automated reporting of Communication Compliance metrics to senior management and the compliance committee

Setup & Configuration

Step 1: Create Regulatory Compliance Policy

  1. Navigate to Microsoft Purview portal
  2. Go to Communication compliance > Policies
  3. Click + Create policy > Custom policy
  4. Configure:
    • Name: FSI-CopilotComms-RegulatoryCompliance
    • Description: Monitors Copilot-assisted communications for regulatory compliance violations
    • Supervised users: All Copilot-licensed users (or targeted groups: registered representatives, advisors)
    • Reviewers: Compliance supervisors (minimum 2)
    • Locations: Exchange Online, Microsoft Teams
    • Direction: Outbound and internal
    • Conditions: Configure keyword dictionaries (see below) and built-in regulatory compliance classifier

Step 2: Configure Keyword Dictionaries

Create keyword dictionaries for common FSI regulatory concerns:

Promissory Language Dictionary:

guaranteed returns
risk-free
no risk
cannot lose
sure thing
certain profit
guaranteed income
guaranteed performance
promise you will
zero risk

Unauthorized Product References Dictionary:

[Add firm-specific unauthorized product names]
[Add competitor product names not approved for comparison]
[Add unregistered securities terms]

MNPI Indicators Dictionary:

not yet announced
confidential deal
pending acquisition
insider information
before the market knows
unreleased earnings
pre-announcement

Step 3: Configure Trainable Classifiers

  1. In the policy conditions, add Trainable classifiers
  2. Select or create classifiers for:
    • Regulatory compliance (built-in) -- detects potential regulatory violations
    • Customer complaints (custom) -- detects complaint language that triggers FINRA 4530 reporting
    • Investment recommendations (custom) -- detects suitability/best interest language requiring supervisory review

Step 4: Enable IRM Integration

  1. Go to Communication compliance > Settings > Insider Risk Management integration
  2. Enable insider risk indicators from Communication Compliance
  3. Select which violation types generate IRM risk indicators (start with high-severity regulatory compliance and MNPI violations)
  4. Verify in the IRM dashboard (Control 2.10) that CC indicators are flowing within 24 hours

Step 5: Configure Review Workflow

  1. In Communication compliance > Settings:
    • Enable Email notifications for reviewers when new items are queued
    • Set Escalation rules for items not reviewed within SLA
    • Configure Power Automate integration for automated case creation in external systems
  2. Train reviewers on:
    • How to identify Copilot-assisted communications in the review queue
    • Firm-specific regulatory requirements for each communication type
    • Escalation procedures for confirmed violations

Step 6: Enable Policy and Monitor

  1. Enable the policy and monitor the dashboard for initial results
  2. Expect a tuning period of 2-4 weeks to refine keywords and reduce false positives
  3. Document false positive patterns and adjust detection thresholds

Financial Sector Considerations

Copilot-Specific Detection Challenges

Copilot-drafted communications may exhibit different patterns than human-authored messages:

  • Overly confident language: Copilot may generate language that sounds more definitive than intended, potentially triggering promissory language detectors
  • Generic disclaimers: Copilot may include boilerplate disclaimers that are not firm-approved
  • Product descriptions: Copilot may describe products using language from public sources that does not meet the firm's approved marketing standards
  • Hallucinated performance data: Copilot may generate fabricated statistics or performance figures that could mislead clients

Communication compliance policies should be calibrated to detect these Copilot-specific patterns while minimizing false positives from legitimate business communications.

Supervisory Review Integration

Communication Compliance findings should feed directly into the firm's supervisory review program:

  • Flagged communications require documented supervisory disposition
  • Patterns of violations by specific individuals should trigger enhanced supervision (and will surface as IRM risk indicators when IRM integration is enabled)
  • Recurring Copilot-generated violations should trigger Copilot usage review and additional user training
  • Quarterly trend reports should be presented to the compliance committee

FINRA Regulatory Notice 24-09 Alignment

FINRA Regulatory Notice 24-09 specifically addresses member firm obligations regarding AI-generated communications. Communication compliance policies should be calibrated to detect the specific risks identified in this notice, including Copilot-generated content that:

  • Makes predictions about future performance
  • Omits material risks in investment recommendations
  • Contains misleading comparisons or benchmarks
  • Fails to include required disclosures

Verification Criteria

# Verification Step Expected Outcome Governance Level
1 Send a test message containing promissory language via Outlook Copilot Message is flagged and appears in reviewer dashboard within 24 hours Baseline
2 Verify policy covers both Exchange and Teams locations Policy location settings include both workloads Baseline
3 Confirm reviewer access to Communication Compliance dashboard Assigned reviewers can access and disposition flagged items Baseline
4 Test trainable classifier detection Classifier correctly flags test messages with regulatory compliance issues Recommended
5 Verify escalation workflow Unreviewed items past SLA trigger escalation notification Recommended
6 Run monthly false positive analysis False positive rate is below 30% (tuned threshold) Recommended
7 Verify IRM integration is enabled for high-risk CC policies IRM Settings > Communication Compliance integration shows enabled status Recommended
8 Trigger a CC policy match and verify IRM indicator appears Within 24 hours of a CC match, a corresponding risk indicator appears in the IRM dashboard for the user Recommended
9 Test pre-send review for high-risk communications Copilot-drafted messages to high-risk clients are held for supervisory approval Regulated
10 Verify FINRA 3120 testing documentation Annual testing records demonstrate communication compliance effectiveness Regulated
11 Confirm integration with compliance case management Flagged items create cases in the firm's compliance system Recommended
12 Review communication compliance trend report Quarterly report shows detection volumes, review outcomes, and Copilot-specific violation patterns Regulated

Additional Resources

FSI Copilot Governance Framework v1.2.1 - March 2026