Control 3.4: Communication Compliance Monitoring

Control ID: 3.4
Pillar: Compliance & Audit
Regulatory Reference: FINRA 3110 (Supervision), FINRA 2210 (Communications with the Public), SEC Regulation Best Interest (Reg BI)
Last Verified: 2026-05-25
Governance Levels: Baseline / Recommended / Regulated


Objective

Deploy Microsoft Purview Communication Compliance policies that monitor Copilot-assisted communications for regulatory violations, inappropriate content, and supervisory review triggers, providing systematic oversight of AI-generated and AI-assisted messages across all M365 communication channels.

Why This Matters for FSI

Copilot fundamentally changes the nature of business communications in financial services. When a registered representative uses Copilot to draft a client email about investment recommendations, when an analyst uses Copilot to generate a research summary shared with clients, or when a broker uses Copilot to respond to customer complaints, the resulting communications carry the same regulatory obligations as purely human-authored content -- but are generated at significantly higher speed and volume.

FINRA Rule 3110(a) requires member firms to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and FINRA rules. FINRA Rule 2210 imposes specific content standards on communications with the public, requiring that content be fair, balanced, and not misleading. SEC Regulation Best Interest requires that broker-dealers act in the best interest of retail customers when making recommendations. Integrating Communication Compliance with Insider Risk Management creates an automated escalation pathway that strengthens the supervisory system by connecting surveillance findings to risk scoring in real time.

Communication Compliance in Microsoft Purview provides the mechanism to apply supervisory review, content scanning, and policy enforcement to Copilot-assisted communications at scale. Without these controls, firms may be unable to demonstrate that they maintain reasonable supervisory systems over AI-assisted communications.

Control Description

This control covers the configuration of Communication Compliance policies that target Copilot-assisted communications, including policy design, keyword detection, trainable classifiers, review workflows, escalation procedures, and integration with Insider Risk Management (IRM).

Expanded Coverage Scope

Communication Compliance now monitors AI interactions across Microsoft 365 Copilot, Microsoft Security Copilot, Microsoft Fabric Copilot, and Copilot Studio custom agents. For Microsoft 365 Copilot and Copilot Chat deployments covered by this framework, configure Communication Compliance policies as follows. Configuration guidance for Security Copilot, Fabric Copilot, and Copilot Studio is outside the scope of this framework -- those surfaces are noted here for awareness only.

Recent Enhancements (April 2026)

Content preview in IRM alerts: Communication Compliance alerts that feed into Insider Risk Management (IRM) now support content preview directly within the alert interface. Investigators can preview the flagged content inline without navigating away from the alert queue, streamlining the investigation workflow and reducing the time from alert to disposition. Organizations should verify that preview access is restricted to authorized investigators per the firm's information barrier and need-to-know policies.

Case creation without content: Investigators can now create Communication Compliance investigation cases without attaching the flagged content at case creation time. This supports workflows where the compliance team needs to initiate tracking, assign ownership, or begin documentation before full content review — useful for firms with multi-stage investigation procedures or where preliminary case assessment is handled by a separate triage team.

Pay-as-you-go model for AI-driven indicators: Certain AI-driven communication compliance indicators — particularly those covering non-Microsoft 365 AI applications — now operate under a pay-as-you-go billing model. Microsoft 365 Copilot communication compliance indicators remain included with E5 or E5 Compliance licensing at no additional charge. Organizations should review their billing configuration to understand which indicators incur PAYG charges, particularly if monitoring third-party AI tools alongside Microsoft 365 Copilot.

Multicloud communication compliance coverage: Communication Compliance coverage has expanded to include stronger multicloud monitoring across Azure, Microsoft Fabric, and third-party platforms. For FSI organizations using Azure-based AI services or Fabric data pipelines alongside Microsoft 365 Copilot, this broader coverage helps address supervisory obligations across the full AI ecosystem. Organizations should verify that multicloud policies align with their existing FINRA Rule 3110 supervisory procedures and document any platforms not yet covered.

Built-In Copilot Interactions Policy Template

Microsoft Purview Communication Compliance includes a built-in Detect Microsoft 365 Copilot interactions policy template that pre-configures monitoring for Copilot-assisted communications. This template provides a faster path to baseline coverage than building a custom policy from scratch.

| Template Feature | Description |
| --- | --- |
| Pre-configured scope | Targets Microsoft 365 Copilot interactions across Exchange, Teams, and Copilot Chat |
| Built-in classifiers | Enables Microsoft-provided classifiers for regulatory compliance, protected material, and prompt injection patterns |
| Reviewer assignment | Requires designation of at least one reviewer at creation time |
| Portal-only setup | Configured entirely through the Microsoft Purview portal — no PowerShell required |

To create a policy from this template:

  1. Navigate to Microsoft Purview portal > Communication compliance > Policies
  2. Select + Create policy > Detect Microsoft 365 Copilot interactions
  3. Configure the supervised user scope (recommended: all Copilot-licensed users for Baseline; registered representatives and advisors for targeted deployments)
  4. Assign reviewers (minimum two for redundancy)
  5. Review the pre-selected classifiers and add any firm-specific keyword dictionaries
  6. Enable the policy and monitor the dashboard for initial results

FSI organizations should use this template as a Baseline starting point and layer firm-specific keyword dictionaries and trainable classifiers on top for Recommended and Regulated tiers.

Prompt Shields and Protected Material Detection

Microsoft Purview now integrates Prompt Shields and protected material classifiers as detection signals within Communication Compliance. These capabilities help identify Copilot interactions where a user may have attempted prompt injection or where Copilot-generated output may contain protected material (copyrighted content, proprietary data, or third-party intellectual property).

| Capability | Description | FSI Governance Value |
| --- | --- | --- |
| Prompt Shields | Detects patterns consistent with prompt injection attempts — where a user tries to override Copilot's system instructions or safety guardrails | Supports FINRA Rule 3110 supervisory obligations by flagging attempts to circumvent AI safety controls; provides evidence of control effectiveness |
| Protected material classifier | Identifies Copilot-generated output that may contain protected or copyrighted material | Helps address intellectual property risk and supports compliance with content-origin obligations in client-facing communications |

These classifiers generate alerts in the Communication Compliance review queue alongside traditional keyword and trainable classifier matches. Organizations should:

  • Enable Prompt Shields and protected material classifiers in Communication Compliance policies covering Copilot interactions
  • Include Prompt Shield alerts in the firm's incident response workflow, as repeated prompt injection attempts by a user may warrant enhanced supervision or Copilot access review
  • Document protected material detections as part of the firm's content governance and intellectual property risk management processes

Communication Compliance Policy Types for Copilot

| Policy Type | Purpose | Copilot Relevance |
| --- | --- | --- |
| Regulatory compliance | Detect communications that may violate regulations | Catches Copilot-drafted messages with promissory language, performance assurances, or misleading claims |
| Conflict of interest | Detect potential conflicts in communications | Identifies Copilot drafts that reference internal holdings, material nonpublic information (MNPI), or conflicted recommendations |
| Inappropriate content | Detect offensive or unprofessional language | Catches Copilot-generated content that could be considered unfair, deceptive, or abusive (UDAAP) |
| Custom policy | Detect organization-specific concerns | Catches Copilot-generated content with firm-specific prohibited terms, unauthorized product mentions, or non-approved disclosures |

Detection Methods

| Method | Description | Best For |
| --- | --- | --- |
| Keyword dictionaries | Lists of specific terms that trigger review | Prohibited terms, product names not approved for marketing, competitor names |
| Regular expressions | Pattern matching for structured data | Account numbers, SSNs, or other sensitive data in Copilot-generated messages |
| Trainable classifiers | ML models trained on communication patterns | Detecting tone, sentiment, promissory language, or misleading claims |
| Built-in classifiers | Microsoft-provided classifiers | Threat, harassment, discrimination, regulatory compliance patterns |
| Sensitive information types | Predefined data patterns | PII, financial data, or other SIT patterns in Copilot-drafted communications |

Review Workflow Architecture

Copilot-Assisted Communication Sent
          |
          v
Communication Compliance Policy Scan
          |
    +-----+-----+
    |             |
  No Match     Match
    |             |
  (Pass)     Queue for Review
                  |
                  v
         Reviewer Dashboard
          |             |
      Compliant    Non-Compliant
          |             |
       Resolve      Escalate
                        |
                  +-----+-----+
                  |           |
            Remediate    Regulatory
              Action      Report
                  |
                  v
         IRM Risk Indicator
         (if IRM integration enabled)

Copilot Surface Coverage

| Copilot Surface | Monitored | Policy Location | Notes |
| --- | --- | --- | --- |
| Outlook Copilot | Yes | Exchange Online | Copilot-drafted and revised emails are scanned as standard Exchange messages |
| Teams Copilot | Yes | Teams | Copilot-assisted chat messages and channel posts are scanned |
| Microsoft 365 Copilot Chat | Partial | Exchange Online | Copilot Chat messages stored in Exchange are scannable; review coverage depends on retention configuration |
| Word Copilot | No (direct) | N/A | Documents generated by Word Copilot are not directly scanned by Communication Compliance; use DLP for document content scanning |
| Copilot Pages | Partial | OneDrive | Shared Copilot Pages may be scanned when shared as links in monitored channels |
| Copilot Notebooks | Partial | OneDrive | Shared Copilot Notebooks may be scanned when shared as links in monitored channels |
| Security Copilot / Fabric Copilot / Copilot Studio | Awareness only | N/A | Coverage exists for these surfaces; configuration guidance is outside the scope of this framework |

Coverage Gap Mitigation

Communication Compliance primarily monitors Exchange and Teams channels. For Copilot surfaces not directly monitored (Word, Excel, PowerPoint), implement compensating controls:

  • DLP policies (Pillar 2) to scan document content for prohibited terms
  • Sensitivity labels with content marking for Copilot-generated documents
  • Supervisory review procedures for Copilot-generated documents before external sharing (see Control 3.6)

IRM Integration

Communication Compliance as an IRM Risk Indicator

Communication Compliance policy violations now generate risk indicators that feed into Insider Risk Management (IRM) policies. When a user's Copilot-assisted communications trigger CC alerts -- for example, promissory language in a client email or potential MNPI disclosure in a Teams message -- those indicators contribute to the user's insider risk score in IRM.

This creates a cross-pillar governance loop: Pillar 3 (Communication Compliance monitoring, this control) feeds directly into Pillar 2 (insider risk detection, Control 2.10). A registered representative whose Copilot-drafted communications repeatedly trigger CC policy matches may surface as an elevated insider risk, prompting enhanced supervision without requiring manual correlation between compliance and security teams.

FINRA Rule 3110(a) requires that supervisory systems be reasonably designed -- integrating CC with IRM fulfills this requirement by automating the escalation of communication compliance signals into the firm's broader risk management framework.

Enabling IRM Integration

To configure the CC-to-IRM integration:

  1. Navigate to Microsoft Purview > Communication compliance > Settings
  2. Select Insider Risk Management integration
  3. Toggle Enable insider risk indicators from Communication Compliance to On
  4. Select which CC policy violation types should generate IRM risk indicators (recommended: all high-severity violation types)
  5. Save settings

Once enabled, CC policy matches begin generating risk indicator events in IRM. Review the IRM dashboard (Control 2.10) to confirm indicators are flowing within 24 hours of enabling.

Governance Levels

Baseline

  • Create at least one Communication Compliance policy targeting Exchange and Teams locations
  • Configure keyword detection for high-priority prohibited terms (e.g., "guaranteed returns," "risk-free," "no downside")
  • Assign at least two qualified reviewers (to avoid single-point-of-failure in review)
  • Establish a review SLA of 48 hours for flagged communications
  • Document the communication compliance program in the firm's written supervisory procedures
  • Operate CC policies without IRM integration (IRM integration is not yet required at Baseline)

Recommended

  • Create separate policies for each communication type: regulatory compliance, conflict of interest, and custom firm-specific policies
  • Deploy trainable classifiers for detecting promissory language, performance assurances, and misleading claims in Copilot-drafted messages
  • Reduce review SLA to 24 hours for flagged communications
  • Configure automated escalation for unreviewed items exceeding SLA
  • Integrate Communication Compliance alerts with the firm's compliance case management system
  • Enable IRM integration for high-risk CC policies -- CC violations from policies covering registered representatives and high-risk communication scenarios should generate IRM risk indicators
  • Implement reviewer rotation and workload balancing
  • Conduct monthly policy effectiveness reviews with false positive/negative analysis
  • Create dashboards for communication compliance metrics (volume scanned, matches found, review outcomes)

Regulated

  • Deploy comprehensive policy coverage across all FINRA-regulated communication types
  • Implement pre-send review for Copilot-drafted communications by registered representatives to high-risk clients (see Control 3.5)
  • Configure real-time alerting for critical regulatory violations (e.g., promissory language to retail clients)
  • Implement supervisory review sampling rates aligned with FINRA 3110 examination expectations (minimum 10% of outbound Copilot-assisted communications)
  • Establish quarterly testing of Communication Compliance policy effectiveness per FINRA 3120
  • Enable IRM integration for all CC policies with automated escalation workflows -- all CC policy violations generate IRM risk indicators; automated escalation workflows trigger when IRM risk scores exceed defined thresholds
  • Maintain detailed review logs with documented rationale for each disposition (compliant, non-compliant, escalated)
  • Configure policy analytics to identify patterns in Copilot-generated communication violations
  • Implement automated reporting of Communication Compliance metrics to senior management and the compliance committee

Setup & Configuration

Step 1: Create Regulatory Compliance Policy

  1. Navigate to Microsoft Purview portal
  2. Go to Communication compliance > Policies
  3. Click + Create policy > Custom policy
  4. Configure:
    • Name: FSI-CopilotComms-RegulatoryCompliance
    • Description: Monitors Copilot-assisted communications for regulatory compliance violations
    • Supervised users: All Copilot-licensed users (or targeted groups: registered representatives, advisors)
    • Reviewers: Compliance supervisors (minimum 2)
    • Locations: Exchange Online, Microsoft Teams
    • Direction: Outbound and internal
    • Conditions: Configure keyword dictionaries (see below) and built-in regulatory compliance classifier

Step 2: Configure Keyword Dictionaries

Create keyword dictionaries for common FSI regulatory concerns:

Promissory Language Dictionary:

guaranteed returns
risk-free
no risk
cannot lose
sure thing
certain profit
guaranteed income
guaranteed performance
promise you will
zero risk

Unauthorized Product References Dictionary:

[Add firm-specific unauthorized product names]
[Add competitor product names not approved for comparison]
[Add unregistered securities terms]

MNPI Indicators Dictionary:

not yet announced
confidential deal
pending acquisition
insider information
before the market knows
unreleased earnings
pre-announcement

Step 3: Configure Trainable Classifiers

  1. In the policy conditions, add Trainable classifiers
  2. Select or create classifiers for:
    • Regulatory compliance (built-in) -- detects potential regulatory violations
    • Customer complaints (custom) -- detects complaint language that triggers FINRA 4530 reporting
    • Investment recommendations (custom) -- detects suitability/best interest language requiring supervisory review

Step 4: Enable IRM Integration

  1. Go to Communication compliance > Settings > Insider Risk Management integration
  2. Enable insider risk indicators from Communication Compliance
  3. Select which violation types generate IRM risk indicators (start with high-severity regulatory compliance and MNPI violations)
  4. Verify in the IRM dashboard (Control 2.10) that CC indicators are flowing within 24 hours

Step 5: Configure Review Workflow

  1. In Communication compliance > Settings:
    • Enable Email notifications for reviewers when new items are queued
    • Set Escalation rules for items not reviewed within SLA
    • Configure Power Automate integration for automated case creation in external systems
  2. Train reviewers on:
    • How to identify Copilot-assisted communications in the review queue
    • Firm-specific regulatory requirements for each communication type
    • Escalation procedures for confirmed violations

Step 6: Enable Policy and Monitor

  1. Enable the policy and monitor the dashboard for initial results
  2. Expect a tuning period of 2-4 weeks to refine keywords and reduce false positives
  3. Document false positive patterns and adjust detection thresholds
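The detection and review pipeline described in Detection Methods, Step 2 and Step 5, as an added Python illustration that is not part of this framework or of Microsoft Purview: it scans constructed Copilot-drafted messages against the Step 2 keyword dictionaries and an SSN-shaped regex standing in for a sensitive information type, queues matches, flags pending items past the Baseline (48 h) or Recommended (24 h) review SLA, and computes the false-positive rate that verification step 6 asks for. Message bodies, senders and the clock are constructed; the `<redacted>` marker is a placeholder.

```python
# Added illustration of the Control 3.4 review workflow (not Purview code); all data constructed.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Keyword dictionaries taken from Step 2 of the control.
DICTIONARIES = {
    "Promissory Language": [
        "guaranteed returns", "risk-free", "no risk", "cannot lose", "sure thing",
        "certain profit", "guaranteed income", "guaranteed performance",
        "promise you will", "zero risk",
    ],
    "MNPI Indicators": [
        "not yet announced", "confidential deal", "pending acquisition",
        "insider information", "before the market knows", "unreleased earnings",
        "pre-announcement",
    ],
}
# Regex stand-in for a sensitive information type (US SSN shape), per the Detection Methods table.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SLA_HOURS = {"Baseline": 48, "Recommended": 24}  # review SLAs from Governance Levels

def compile_dictionaries(dicts):
    """One case-insensitive alternation per dictionary; \\b stops 'no risk' firing inside 'no risks'."""
    return {name: re.compile(r"\b(?:" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)
            for name, terms in dicts.items()}

def scan_message(body, patterns):
    """Return (source, matched text) per dictionary hit, plus a SIT hit whose value is never stored."""
    hits = [(name, m.group(0).lower()) for name, pat in patterns.items() for m in pat.finditer(body)]
    if SSN_PATTERN.search(body):
        hits.append(("SIT: SSN pattern", "<redacted>"))
    return hits

@dataclass
class ReviewItem:
    message_id: str
    sender: str
    hits: list
    queued_at: datetime
    disposition: str = ""  # "" = pending; else "compliant", "non-compliant" or "escalated"

def build_review_queue(messages, patterns):
    """'Match' branch of the workflow: messages with hits are queued, the rest pass."""
    return [ReviewItem(m["id"], m["sender"], hits, m["sent_at"])
            for m in messages if (hits := scan_message(m["body"], patterns))]

def overdue_items(queue, now, level="Baseline"):
    """Pending items older than the level's SLA: candidates for the Step 5 escalation rule."""
    limit = timedelta(hours=SLA_HOURS[level])
    return [i for i in queue if not i.disposition and now - i.queued_at > limit]

def false_positive_rate(queue):
    """Share of dispositioned items closed as compliant; verification step 6 expects under 30% once tuned."""
    done = [i for i in queue if i.disposition]
    return sum(i.disposition == "compliant" for i in done) / len(done) if done else 0.0

NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE_MESSAGES = [  # constructed message bodies; senders are placeholders
    {"id": "m1", "sender": "rep1@example.com", "sent_at": NOW - timedelta(hours=60),
     "body": "This fund offers Guaranteed Returns with zero risk for your retirement."},
    {"id": "m2", "sender": "analyst@example.com", "sent_at": NOW - timedelta(hours=5),
     "body": "The pending acquisition is not yet announced, so keep this internal."},
    {"id": "m3", "sender": "rep2@example.com", "sent_at": NOW - timedelta(hours=30),
     "body": "Your account tied to 123-45-6789 has been updated as discussed."},
    {"id": "m4", "sender": "rep3@example.com", "sent_at": NOW - timedelta(hours=1),
     "body": "Markets carry risks; past performance does not guarantee future results."},
]

if __name__ == "__main__":
    queue = build_review_queue(SAMPLE_MESSAGES, compile_dictionaries(DICTIONARIES))
    print([(i.message_id, i.hits) for i in queue])
    print("past Baseline SLA:", [i.message_id for i in overdue_items(queue, NOW)])
```

Message m4 passes because word-boundary matching does not treat "risks" or "guarantee" as dictionary hits, which is the kind of false positive the 2-4 week tuning period in Step 6 is meant to remove.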

Financial Sector Considerations

Copilot-Specific Detection Challenges

Copilot-drafted communications may exhibit different patterns than human-authored messages:

  • Overly confident language: Copilot may generate language that sounds more definitive than intended, potentially triggering promissory language detectors
  • Generic disclaimers: Copilot may include boilerplate disclaimers that are not firm-approved
  • Product descriptions: Copilot may describe products using language from public sources that does not meet the firm's approved marketing standards
  • Hallucinated performance data: Copilot may generate fabricated statistics or performance figures that could mislead clients

Communication compliance policies should be calibrated to detect these Copilot-specific patterns while minimizing false positives from legitimate business communications.

Supervisory Review Integration

Communication Compliance findings should feed directly into the firm's supervisory review program:

  • Flagged communications require documented supervisory disposition
  • Patterns of violations by specific individuals should trigger enhanced supervision (and will surface as IRM risk indicators when IRM integration is enabled)
  • Recurring Copilot-generated violations should trigger Copilot usage review and additional user training
  • Quarterly trend reports should be presented to the compliance committee

FINRA Regulatory Notice 24-09 Alignment

FINRA Regulatory Notice 24-09 specifically addresses member firm obligations regarding AI-generated communications. Communication compliance policies should be calibrated to detect the specific risks identified in this notice, including Copilot-generated content that:

  • Makes predictions about future performance
  • Omits material risks in investment recommendations
  • Contains misleading comparisons or benchmarks
  • Fails to include required disclosures

Verification Criteria

| # | Verification Step | Expected Outcome | Governance Level |
| --- | --- | --- | --- |
| 1 | Send a test message containing promissory language via Outlook Copilot | Message is flagged and appears in reviewer dashboard within 24 hours | Baseline |
| 2 | Verify policy covers both Exchange and Teams locations | Policy location settings include both workloads | Baseline |
| 3 | Confirm reviewer access to Communication Compliance dashboard | Assigned reviewers can access and disposition flagged items | Baseline |
| 4 | Test trainable classifier detection | Classifier correctly flags test messages with regulatory compliance issues | Recommended |
| 5 | Verify escalation workflow | Unreviewed items past SLA trigger escalation notification | Recommended |
| 6 | Run monthly false positive analysis | False positive rate is below 30% (tuned threshold) | Recommended |
| 7 | Verify IRM integration is enabled for high-risk CC policies | IRM Settings > Communication Compliance integration shows enabled status | Recommended |
| 8 | Trigger a CC policy match and verify IRM indicator appears | Within 24 hours of a CC match, a corresponding risk indicator appears in the IRM dashboard for the user | Recommended |
| 9 | Test pre-send review for high-risk communications | Copilot-drafted messages to high-risk clients are held for supervisory approval | Regulated |
| 10 | Verify FINRA 3120 testing documentation | Annual testing records demonstrate communication compliance effectiveness | Regulated |
| 11 | Confirm integration with compliance case management | Flagged items create cases in the firm's compliance system | Recommended |
| 12 | Review communication compliance trend report | Quarterly report shows detection volumes, review outcomes, and Copilot-specific violation patterns | Regulated |

Advisory: Real-Time Voice Conversation Governance

Emerging Surface — Monitor for GA

Microsoft has announced real-time voice conversation capabilities for M365 Copilot (April 2026 roadmap). Voice-based Copilot interactions introduce new communication compliance challenges that organizations should prepare for.

Governance implications for FSI:

  • Record-keeping: Voice interactions between Copilot and users may constitute business communications subject to retention under FINRA Rule 4511(a) and SEC Rule 17a-4. Organizations should verify whether voice transcripts are captured in existing audit and retention pipelines.
  • Supervision: FINRA Rule 3110 supervision requirements may extend to voice-based Copilot interactions, particularly when used in client-facing or advisory contexts. Firms should assess whether current supervisory procedures address this modality.
  • Communication compliance policies: Existing Purview Communication Compliance policies that monitor text-based Copilot interactions may not automatically cover voice transcripts. Organizations should verify policy scope once voice capabilities reach GA.
  • Pre-send review: The pre-send supervisory review workflow documented in this control does not currently apply to voice interactions. Firms should evaluate compensating controls for real-time voice scenarios.

Recommended preparation:

  1. Monitor Microsoft 365 Message Center for voice conversation GA announcements
  2. Assess whether existing communication compliance policies will apply to voice transcripts
  3. Update written supervisory procedures to address voice-based AI interactions
  4. Coordinate with Control 3.5 (FINRA 2210) for voice-specific compliance review requirements

FSI Copilot Governance Framework v1.4.0 - April 2026