Control 3.5: FINRA Rule 2210 Compliance for Copilot-Drafted Communications
Control ID: 3.5 Pillar: Compliance & Audit Regulatory Reference: FINRA 2210 (Communications with the Public), FINRA Regulatory Notice 24-09 (AI in Communications), SEC Marketing Rule (206(4)-1), Investment Advisers Act Section 206 Last Verified: 2026-02-17 Governance Levels: Baseline / Recommended / Regulated
Objective
Establish controls that help organizations meet FINRA Rule 2210 content standards when registered representatives and other associated persons use Microsoft 365 Copilot to draft, revise, or assist with customer-facing communications, including pre-review requirements, supervisory approval workflows, and content quality gates.
Why This Matters for FSI
FINRA Rule 2210 governs all communications with the public by FINRA member firms, requiring that such communications be fair, balanced, and not misleading. The rule classifies communications into three categories -- retail communications, correspondence, and institutional communications -- each with specific approval and supervisory requirements.
When Copilot drafts a client email about investment performance, generates marketing copy for a fund, or assists with a response to a customer inquiry, the resulting communication must meet every standard of Rule 2210 as if a human had authored it independently. FINRA Regulatory Notice 24-09 explicitly addresses this, reminding firms that their obligations regarding communications apply "regardless of whether the communication was drafted by a person, generated by AI, or developed using some combination of the two."
The risk is significant: Copilot may generate language that sounds authoritative and polished but contains promissory statements, omits material risks, presents unbalanced views of investment products, or includes fabricated performance data. Without pre-use review controls and supervisory approval workflows, firms may distribute non-compliant customer communications at a scale and speed that traditional supervisory systems cannot catch.
Enforcement Precedent: SEC v. Delphia Inc. and Global Predictions Inc. (March 2024)
The SEC charged Delphia Inc. and Global Predictions Inc. with making false and misleading statements about their purported use of artificial intelligence in investment processes. Both firms settled, paying combined penalties of $400,000. This enforcement action established that marketing AI capabilities in financial services — including AI-assisted communications and AI-driven analysis — carries specific regulatory liability under the antifraud provisions of the Investment Advisers Act Section 206 when claims about AI use are materially misleading or unsubstantiated.
This enforcement action has direct implications for how firms communicate about their use of Microsoft 365 Copilot. When Copilot assists in drafting communications that describe the firm's AI tools — for example, a client newsletter explaining how "our AI-powered analysis identifies opportunities" — those descriptions must be accurate, balanced, and not misleading per FINRA Rule 2210(d)(1)(A). The Delphia precedent demonstrates that regulators actively enforce against "AI washing" — overstating AI capabilities or misrepresenting how AI contributes to investment processes in client-facing materials. Firms using Copilot to draft any content about their AI capabilities must apply the same content standards as any other material fact disclosure.
Control Description
This control addresses the specific requirements of FINRA Rule 2210 as they apply to Copilot-drafted communications, including communication classification, content standards, pre-use approval requirements, supervisory review workflows, and recordkeeping obligations.
FINRA 2210 Communication Categories and Copilot Implications
| Category | Definition | Copilot Risk | Supervisory Requirement |
|---|---|---|---|
| Retail communication | Any written (including electronic) communication distributed or made available to more than 25 retail investors within any 30-calendar-day period | Highest risk -- Copilot may generate marketing content, social media posts, or mass emails at scale | Registered principal approval before the earlier of first use or filing with FINRA (Rule 2210(b)(1)), subject to the rule's limited exceptions |
| Correspondence | Any written (including electronic) communication distributed or made available to 25 or fewer retail investors within any 30-calendar-day period | High risk -- Copilot may draft individualized client emails with investment recommendations | Review under the firm's Rule 3110 supervisory procedures (post-use review is permitted; the firm may require pre-use review) |
| Institutional communication | Any written (including electronic) communication distributed or made available exclusively to institutional investors | Moderate risk -- Copilot may generate research or analysis for institutional clients | Supervisory system required; principal pre-approval not required unless firm policy mandates it |
Content Standards for Copilot-Drafted Communications
FINRA Rule 2210 requires that all communications:
- Be fair and balanced: Communications must present a balanced picture including risks, not just potential benefits. Copilot-drafted content frequently emphasizes positive aspects.
- Not be misleading: No statement can omit material facts or present information in a way that creates a false impression. Copilot may omit required disclosures or risk factors.
- Include required disclosures: Specific types of communications require specific disclosures (e.g., past performance disclosures, fee disclosures). Copilot does not automatically include firm-required disclosures.
- Not predict or project performance: Communications may not predict or project future investment performance, apart from the narrow exceptions the rule itself carves out (for example, hypothetical illustrations of mathematical principles). Copilot may generate predictive language based on training data patterns.
- Present fair comparisons: Any comparisons must be fair and balanced. Copilot may generate comparisons using incomplete or outdated data.
- Not use promissory language: Communications may not guarantee outcomes or use promissory language. Copilot may generate phrases like "guaranteed to grow" or "risk-free returns."
Copilot-Specific Failure Modes
| Failure Mode | Description | Example |
|---|---|---|
| Hallucinated performance data | Copilot generates fabricated performance numbers | "This fund has returned 12% annually over the past decade" (when no such data was provided) |
| Missing risk disclosures | Copilot describes investment benefits without risks | "This strategy offers excellent growth potential" (without "past performance does not guarantee future results") |
| Promissory language | Copilot uses definitive outcome language | "Your investment will grow over time" instead of "investments may fluctuate in value" |
| Unauthorized product claims | Copilot describes product features not supported by prospectus | "This fund provides guaranteed income" for a non-guaranteed product |
| Stale or incorrect data | Copilot references outdated fund data or market conditions | Performance figures from Copilot's training data rather than current prospectus |
| Missing mandatory disclosures | Copilot omits firm-required disclaimers | Client email without required brokerage disclosures |
| AI washing in communications | Copilot drafts overstatements about the firm's AI capabilities | "Our AI systems guarantee superior market timing" — violates FINRA 2210(d)(1)(A) and the Investment Advisers Act Section 206 antifraud provisions |
Copilot Surface Coverage
| Copilot Surface | 2210 Applicability | Control Mechanism |
|---|---|---|
| Outlook Copilot | High -- emails to clients are correspondence or retail communications | Communication Compliance post-send review; Exchange Online mail flow rule (moderated delivery) to hold retail communications for principal approval before delivery |
| Teams Copilot | High -- Teams messages to external clients are communications | Communication Compliance monitoring; external sharing controls |
| Word Copilot | High -- documents drafted for client distribution | Sensitivity labels requiring approval before external sharing |
| PowerPoint Copilot | High -- presentation decks for client meetings | Sensitivity labels; supervisory review before presentation |
| Microsoft 365 Copilot Chat | Low -- Copilot Chat is internal; becomes applicable if content is copied to client communications | User training on Copilot output review before client use |
| Excel Copilot | Moderate -- analyses shared with clients | Data validation before sharing; supervisory review for client deliverables |
| Copilot Pages | Moderate -- if shared externally | External sharing controls; supervisory review requirement |
Regulatory Framework
FINRA Regulatory Notice 24-09
FINRA Regulatory Notice 24-09 directly addresses the use of AI tools in member firm communications. Key expectations include:
- Firms must establish written supervisory procedures that specifically address AI-generated communications
- The principal approval requirement for retail communications applies regardless of whether AI assisted in drafting
- Firms must have a reasonable basis for any claims or recommendations in Copilot-drafted communications, even if the firm did not originate the language
- Firms must train associated persons on the limitations of AI tools and the firm's policies for using them in client communications
The FINRA 2026 Annual Risk Monitoring and Examination Priorities Letter is expected to maintain and expand the focus on AI-generated communications that was introduced in FINRA Regulatory Notice 24-09. Institutions should prepare for increased examination scrutiny of Copilot-assisted communications, with particular attention to whether supervisory systems adequately address AI-generated content velocity and quality controls. Firms that have built robust Communication Compliance programs aligned to Notice 24-09 will be better positioned to demonstrate supervisory effectiveness when this enhanced scrutiny arrives.
Pre-Review vs. Post-Review
FINRA 2210 requires pre-use principal approval for retail communications, subject to the exceptions in Rule 2210(b)(1) for certain previously approved or filed material. For correspondence (25 or fewer retail investors), the rule permits post-use review under the firm's Rule 3110 procedures, but firms may choose to implement pre-use review for Copilot-drafted correspondence as a risk mitigation measure. The decision, and the mechanism used to enforce it, should be documented in the firm's written supervisory procedures.
Social Media and Copilot
If registered representatives use Copilot to draft social media content (LinkedIn posts, tweets), such content may constitute retail communications under FINRA 2210 if it is distributed to more than 25 retail investors. Firms should extend Copilot communication controls to social media authoring workflows.
Advertising and Marketing Materials
Copilot-drafted advertising and marketing materials are subject to FINRA's filing requirements with the Advertising Regulation Department in the same way as human-drafted materials. Retail communications in the categories the rule enumerates (for example, those concerning registered investment companies) must be filed within 10 business days of first use; new member firms, and communications subject to Rule 2210(c)(2), must be filed at least 10 business days before first use. Copilot assistance does not change which category a communication falls into.
Governance Levels
Baseline
- Document FINRA 2210 requirements in the firm's Copilot usage policies
- Include 2210 content standards in Copilot user training materials (see Control 1.12)
- Configure Communication Compliance policies with keyword detection for promissory language, performance predictions, and missing disclosure patterns (see Control 3.4)
- Establish a requirement that all Copilot-drafted retail communications receive principal pre-approval before distribution
- Maintain a record of all principal approvals for Copilot-drafted retail communications
Recommended
- Implement a supervisory approval workflow for Copilot-drafted correspondence to clients
- Deploy trainable classifiers tuned to detect FINRA 2210 violations in Copilot-drafted content
- Create a library of firm-approved Copilot prompts for common client communication scenarios (e.g., account review summaries, market commentary, product descriptions)
- Establish a "Copilot output review checklist" for registered representatives to use before sending Copilot-drafted client communications
- Configure DLP policies that detect investment-product terms and, as a rule exception, the firm's required disclosure text, so that client-bound documents lacking the disclosure text are blocked from external sharing
- Conduct monthly sampling of Copilot-drafted client communications for 2210 compliance
- Track and report Copilot-related 2210 violations separately from human-authored violations
Regulated
- Implement mandatory pre-send supervisory review for all Copilot-drafted client communications by registered representatives
- Deploy automated content scanning for FINRA 2210 violations with real-time feedback before send
- Create separate communication compliance policies for each 2210 communication category (retail, correspondence, institutional)
- Maintain a searchable archive of all Copilot-drafted client communications with supervisory disposition records
- Conduct quarterly 2210 compliance testing per FINRA 3120 with specific focus on Copilot-drafted communications
- Implement Copilot prompt guardrails that automatically inject firm-required disclosures into client communication drafts
- Report Copilot-related 2210 findings to senior management and the compliance committee quarterly
- Prepare examination-ready documentation demonstrating the firm's Copilot-specific 2210 compliance program
Setup & Configuration
Step 1: Configure Communication Compliance for 2210
- Navigate to the Microsoft Purview portal
- Go to Communication compliance > Policies
- Create a policy:
  - Name: FSI-FINRA2210-CopilotComms
  - Description: Monitors Copilot-assisted client communications for FINRA 2210 compliance
  - Supervised users: All registered representatives and associated persons with Copilot licenses
  - Reviewers: Registered principals designated as supervisory reviewers
  - Locations: Exchange Online (outbound), Microsoft Teams (external); optionally the Microsoft 365 Copilot location, which captures prompts and responses so reviewers can see the draft as Copilot produced it
  - Direction: Outbound
  - Conditions: Keyword dictionaries for promissory language, performance predictions, and unauthorized claims (see Step 2), referenced through a custom sensitive information type
- Note the limit of this control: Communication Compliance captures a copy of a message after it is sent and routes it to the reviewer queue. It does not hold or block delivery. Use it for post-use review of correspondence and for the detection metrics in Step 5; the pre-use hold for retail communications is provided by the mail flow rule in Step 3.
Step 2: Create FINRA 2210-Specific Keyword Dictionaries
Promissory / Performance Prediction Terms:
guaranteed returns
guaranteed income
guaranteed growth
risk-free investment
risk-free returns
cannot lose money
sure to increase
will definitely grow
certain to appreciate
no possibility of loss
always outperforms
never loses value
predicted return
expected return of [number]%
projected growth of [number]%
The last two entries are patterns, not literal keywords: a keyword dictionary matches text literally, so "[number]" will never match. Implement them as a custom sensitive information type with a regular expression (for example, expected return of \d{1,3}(\.\d+)?\s?%) or as a pattern condition in the mail flow rule in Step 3.
AI Washing / Capability Misrepresentation Terms:
Configure policies to flag outbound communications that contain unsubstantiated AI capability claims, consistent with the SEC v. Delphia enforcement precedent and FINRA Rule 2210(d)(1)(A):
our AI guarantees
AI-powered returns
AI ensures superior
our algorithms always
AI eliminates risk
AI-driven certainty
proven AI superiority
Missing Disclosure Indicators:
Configure policies to flag outbound emails to external recipients that discuss investment products but do not contain the required disclosure language. In Communication Compliance, pair a "Message contains any of these words" condition on product terms (fund, ETF, annuity, portfolio, prospectus) with a "Message contains none of these words" condition on the disclosure phrases; in a mail flow rule, use the product terms as the condition and the disclosure phrases as the exception. Phrases to treat as disclosure present:
- "Past performance" (indicating performance disclosure is present)
- "Not FDIC insured" (for applicable products)
- "May lose value" (risk acknowledgment)
Step 3: Establish Supervisory Approval Workflow
For firms requiring pre-send approval of Copilot-drafted retail communications:
- Create a Microsoft 365 Group (or mail-enabled security group) for Copilot Communication Supervisors, and a group containing the supervised registered representatives
- Configure an Exchange Online mail flow (transport) rule with the "Forward the message for approval to" action (moderated delivery). This is the mechanism that actually holds the message: Purview Communication Compliance only captures a copy after the message is sent, and a Power Automate flow cannot intercept outbound mail in transit
  - Conditions: sender is a member of the registered representative group; recipient is outside the organization; subject or body matches the promissory or projection patterns, or mentions an investment product without the required disclosure text (use the rule's exception for the disclosure phrases)
  - Action: forward the message for approval to the designated principals
  - Approval: the principal approves or rejects from the approval request, adding a comment on rejection; record the rationale in the supervisory file, because the approval request itself is not a long-term record
  - On approval: the message is released for delivery
  - On rejection: the message is not delivered and the sender receives the moderator's comments. Approval requests that are not actioned expire (two days in Exchange Online), so set and monitor a review turnaround
- For documents (Word, PowerPoint, Excel deliverables) there is no mail transport to hold, so route them through a SharePoint library with a Power Automate approval flow before external sharing is permitted
- Document the workflow in the firm's written supervisory procedures
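The mail flow rules described in Step 3, as an added example that is not part of the original control text or a Microsoft-supplied script. It assumes an active Connect-ExchangeOnline session with an Exchange administrator role; the group address, principal mailboxes, domain and product terms are constructed placeholders.

```powershell
# Added example: Exchange Online mail flow rules that hold outbound client mail from supervised
# representatives for principal approval before delivery (moderated delivery).
# Assumes Connect-ExchangeOnline has been run. All addresses below are constructed.

$RepGroup   = 'FSI-RegisteredReps@contoso.example'                      # supervised reps (mail-enabled group)
$Principals = @('principal1@contoso.example', 'principal2@contoso.example')  # designated moderators, listed individually

$PromissoryPatterns = @(
    'guaranteed (returns|income|growth)',
    'risk-free (investment|returns)',
    'cannot lose money', 'will definitely grow', 'never loses value',
    '(expected|predicted|projected) (return|growth) of \d{1,3}(\.\d+)?\s?%',
    'our AI guarantees', 'AI eliminates risk', 'AI-driven certainty'
)
$ProductWords    = @('fund', 'ETF', 'annuity', 'portfolio', 'prospectus')
$DisclosureWords = @('Past performance', 'may lose value', 'Not FDIC insured')

# Rule 1: promissory or projection language sent outside the organization -> hold for principal approval.
New-TransportRule -Name 'FSI-FINRA2210-Hold-Promissory' `
    -Comments 'FINRA 2210 pre-use principal review of Copilot-drafted client mail (Control 3.5, Step 3)' `
    -FromMemberOf $RepGroup `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $PromissoryPatterns `
    -ModerateMessageByUser $Principals `
    -StopRuleProcessing $true `
    -Mode Enforce -Priority 0

# Rule 2: an investment product is discussed and none of the disclosure phrases appear -> hold.
# The exception is what expresses "does not contain"; a transport rule condition alone cannot.
New-TransportRule -Name 'FSI-FINRA2210-Hold-MissingDisclosure' `
    -Comments 'Investment product mentioned externally without required disclosure language' `
    -FromMemberOf $RepGroup `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords $ProductWords `
    -ExceptIfSubjectOrBodyContainsWords $DisclosureWords `
    -ModerateMessageByUser $Principals `
    -Mode Enforce -Priority 1

# Verification Criteria #9: confirm both rules are enabled and enforced, and review their predicates.
Get-TransportRule | Where-Object Name -like 'FSI-FINRA2210-Hold-*' |
    Select-Object Name, State, Mode, Priority, FromMemberOf, SentToScope, ModerateMessageByUser
```

Pilot with -Mode Audit (or AuditAndNotify) first: matches are logged in message trace and the rule report without holding mail, which is how the pattern list gets tuned before principals start receiving approval requests. The body conditions do not inspect attachments; a Copilot-drafted Word or PowerPoint file sent as an attachment needs the parallel AttachmentContainsWords or AttachmentMatchesPatterns conditions. If institutional recipients should bypass the hold, add an ExceptIfRecipientDomainIs list for their domains rather than loosening the patterns.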
Step 4: Create Firm-Approved Prompt Library
Develop a library of vetted prompts for common client communication scenarios:
| Scenario | Approved Prompt Template | Required Disclosures |
|---|---|---|
| Account review summary | "Summarize the key points from this account review for the client. Include standard risk disclosures." | Performance disclaimer, risk acknowledgment |
| Market commentary | "Draft a market commentary based on this research. Do not make predictions about future performance." | Forward-looking statement disclaimer |
| Product description | "Describe this product using only information from the attached prospectus. Include all risk factors." | Prospectus reference, risk factors |
| Complaint response | "Draft a response to this client complaint. Be empathetic and factual. Do not make promises about outcomes." | Complaint acknowledgment, escalation information |
Step 5: Configure Reporting and Tracking
- Create a Communication Compliance dashboard widget for FINRA 2210-specific metrics
- Track:
- Volume of Copilot-drafted client communications reviewed
- 2210 violation detection rate for Copilot-drafted vs. human-authored communications
- Types of violations detected (promissory language, missing disclosures, performance predictions, AI washing claims)
- Time-to-review for flagged communications
- Recidivism rate by individual registered representative
Verification Criteria
| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | Send a test Copilot-drafted email with promissory language to an external recipient | Message is flagged by Communication Compliance policy | Baseline |
| 2 | Verify that written supervisory procedures address Copilot-drafted communications | WSPs include specific section on AI-assisted communications | Baseline |
| 3 | Verify principal pre-approval workflow for retail communications | Test retail communication is held (moderated) and routed to a principal before distribution | Baseline |
| 4 | Test firm-approved prompt library availability | Registered representatives can access approved prompts for common client communication scenarios | Recommended |
| 5 | Review monthly sampling results | Documented sample of Copilot-drafted client communications with 2210 compliance assessment | Recommended |
| 6 | Verify trainable classifier detection | Classifier correctly flags Copilot-drafted communications with 2210 violations | Regulated |
| 7 | Run quarterly FINRA 3120 testing | Testing records demonstrate effectiveness of Copilot communication compliance program | Regulated |
| 8 | Verify examination-ready documentation | Evidence package demonstrates complete 2210 compliance program for Copilot communications | Regulated |
| 9 | Test pre-send review workflow end-to-end | Copilot-drafted communication is held, reviewed, approved/rejected, with full audit trail | Regulated |
| 10 | Verify Copilot-specific violation tracking | Dashboard separately reports Copilot-related vs. human-authored 2210 violations | Regulated |
Additional Resources
- FINRA Rule 2210 (Communications with the Public)
- FINRA Regulatory Notice 24-09 (AI and Communications)
- FINRA Communications with the Public FAQ
- SEC Marketing Rule (206(4)-1)
- SEC v. Delphia Inc. and Global Predictions Inc. (March 2024)
- Microsoft Purview Communication Compliance
- Control 3.4 -- Communication Compliance Monitoring
- Control 3.6 -- Supervision and Oversight
Related Controls: 3.4 Communication Compliance, 3.6 Supervision and Oversight, 1.12 Training and Awareness
FSI Copilot Governance Framework v1.2.1 - March 2026