Control 3.9: AI Disclosure, Transparency, and SEC Marketing Rule
Control ID: 3.9 Pillar: Compliance & Audit Regulatory Reference: SEC Marketing Rule (Rule 206(4)-1), SEC Regulation Best Interest (Reg BI), State AI Disclosure Laws, SEC Risk Alerts on AI Marketing Claims Last Verified: 2026-02-17 Governance Levels: Baseline / Recommended / Regulated
Objective
Establish AI disclosure and transparency controls that address regulatory requirements for informing customers and investors about the use of Microsoft 365 Copilot in financial services activities, support compliance with the SEC Marketing Rule's prohibitions against misleading AI claims ("AI washing"), and help meet emerging state AI disclosure requirements.
Why This Matters for FSI
The SEC has taken an increasingly active stance on AI disclosure and transparency in the financial services industry. The SEC Marketing Rule (Rule 206(4)-1), effective November 2022, prohibits investment advisers from making untrue statements of material fact or omitting material facts in marketing materials. The SEC has explicitly extended this prohibition to claims about AI capabilities, issuing enforcement actions against firms that overstated or misrepresented their use of AI in investment management.
When a financial institution deploys M365 Copilot, several disclosure and transparency obligations arise:
- Customer disclosure: Customers may have a right to know when AI assists in generating communications, recommendations, or analyses they receive. Several states have enacted or proposed laws requiring disclosure of AI-generated content.
- Marketing integrity: Firms must not overstate Copilot's role or capabilities in marketing materials. Claiming that Copilot "powers" investment decisions when it merely assists with drafting communications is misleading.
- Regulatory transparency: Regulators expect institutions to be transparent about their use of AI tools, including in regulatory filings, examination responses, and compliance documentation.
- Investor relations: Public companies face proxy disclosure considerations about AI deployment and governance.
The SEC has specifically targeted "AI washing" -- the practice of exaggerating or misrepresenting AI capabilities to attract investors or clients. In 2024, the SEC settled enforcement actions against investment advisers for making misleading claims about AI in their marketing materials. These actions establish clear precedent that AI-related marketing claims are subject to the same standards as all other marketing claims.
Control Description
This control covers AI disclosure requirements, anti-AI-washing controls, transparency policies for Copilot usage, and compliance with the SEC Marketing Rule and emerging state AI disclosure laws.
AI Disclosure Framework
| Disclosure Type | Audience | Requirement | Copilot Application |
|---|---|---|---|
| Customer disclosure | Retail and institutional clients | Inform when AI assists in service delivery | Disclose Copilot assistance in client communications, reports, and recommendations |
| Marketing disclosure | Prospective clients, investors | Accurate representation of AI capabilities | Marketing materials must not overstate Copilot's role in investment management or financial analysis |
| Regulatory disclosure | FINRA, SEC, OCC, other regulators | Transparent reporting of AI usage | Include Copilot in regulatory filings, examination responses, and compliance program documentation |
| Internal disclosure | Employees, associated persons | Clear policies on AI tool usage | All users must understand what Copilot does and does not do |
| Vendor disclosure | Clients, regulators | Transparency about third-party AI | Disclose that Copilot is a Microsoft vendor service, not a proprietary AI system |
SEC Marketing Rule Compliance for Copilot
The SEC Marketing Rule prohibits:
| Prohibition | Copilot Risk | Control |
|---|---|---|
| Untrue statements of material fact | Claiming Copilot performs functions it cannot (e.g., "AI-driven investment analysis") | Marketing review for AI-related claims accuracy |
| Omission of material facts | Failing to disclose Copilot's limitations when describing AI capabilities | Required disclosure of AI limitations in marketing |
| Misleading statements | Implying Copilot makes investment decisions when it only assists with communication | Clear distinction between AI assistance and AI decision-making |
| Testimonials/endorsements | Using AI-generated testimonials or endorsements | Prohibition on Copilot-generated testimonials |
| Third-party ratings | Misrepresenting AI ratings or assessments | Accuracy verification for any AI-related ratings referenced |
Anti-AI-Washing Controls
| Control | Purpose | Implementation |
|---|---|---|
| Marketing review for AI claims | Prevent misleading AI-related marketing | All marketing materials referencing AI or Copilot undergo compliance review |
| Approved AI terminology | Standardize how Copilot is described | Create a glossary of approved terms and prohibited terms for describing Copilot |
| Capability accuracy verification | Verify marketing claims match actual capabilities | Cross-reference marketing claims against documented Copilot capabilities |
| Competitive positioning review | Prevent misleading AI comparisons | Review any competitive positioning involving AI capabilities |
| Social media monitoring | Detect unauthorized AI claims by associated persons | Monitor social media for AI-related claims about firm capabilities |
Approved vs. Prohibited AI Terminology
| Context | Approved Language | Prohibited Language |
|---|---|---|
| Describing Copilot's role | "AI-assisted communication drafting" | "AI-powered investment management" |
| Describing capabilities | "Copilot helps draft and organize information" | "Our AI analyzes markets and identifies opportunities" |
| Client communications | "This communication was prepared with AI writing assistance" | [No disclosure of AI involvement] |
| Marketing materials | "We use AI tools to improve operational efficiency" | "Our proprietary AI drives investment returns" |
| Investment process | "AI tools assist our team with research and analysis" | "AI makes our investment decisions" |
State AI Disclosure Laws
Several states have enacted or proposed AI disclosure requirements relevant to financial services:
| Jurisdiction | Requirement | Copilot Relevance |
|---|---|---|
| Colorado AI Act | Disclosure when AI makes or substantially contributes to consequential decisions | Copilot-assisted lending, insurance, or advisory decisions |
| Illinois AI Video Interview Act | Disclosure when AI analyzes video interviews | Copilot-assisted HR activities for FSI firms |
| California (proposed) | Transparency requirements for AI-generated content | Copilot-generated client communications |
| NYC Local Law 144 | Bias audits for AI in employment decisions | Copilot-assisted HR and employment activities |
| Various state privacy laws | Opt-out rights for profiling and automated decision-making | Copilot-assisted customer profiling |
Firms should monitor evolving state AI legislation and update disclosure practices as requirements emerge.
Copilot Surface Coverage
| Copilot Surface | Disclosure Relevance | Control Mechanism |
|---|---|---|
| Outlook Copilot | High -- client communications may require AI disclosure | Email footer disclosure; communication review |
| Word Copilot | High -- client-facing documents may require AI disclosure | Document footer or disclosure section; approval workflow |
| Teams Copilot | Moderate -- external meeting attendees may need disclosure | Meeting participant notification; recap disclaimer |
| Excel Copilot | Moderate -- financial analyses shared externally | Output verification; source attribution |
| PowerPoint Copilot | Moderate -- client presentations | Slide disclaimer; presentation review |
| Microsoft 365 Copilot Chat | Low -- internal use | Internal disclosure not typically required |
| Copilot Pages | Moderate -- if shared externally | Sharing controls; external sharing disclosure |
Governance Levels
Baseline
- Establish an AI disclosure policy that addresses when and how Copilot usage is disclosed to clients
- Review existing marketing materials for AI-related claims and verify accuracy
- Create a list of approved and prohibited AI terminology for use in client communications and marketing
- Prohibit marketing claims that overstate Copilot's role in investment decision-making
- Include AI disclosure requirements in Copilot user training (see Control 1.12)
- Document the firm's AI transparency posture for regulatory examination readiness
Recommended
- Implement a marketing review process for all materials containing AI-related claims
- Deploy email signature or footer templates that disclose AI assistance in client communications
- Create a standard AI disclosure statement for client-facing documents generated with Copilot assistance
- Monitor social media and public communications by associated persons for unauthorized AI claims
- Conduct annual review of AI-related marketing claims for continued accuracy
- Maintain a register of all public-facing AI claims and their supporting evidence
- Develop client FAQ materials explaining the firm's use of Copilot
Regulated
- Implement automated detection of unauthorized AI claims in outbound communications
- Conduct quarterly SEC Marketing Rule compliance reviews for all AI-related marketing materials
- Establish a pre-clearance process for any new marketing materials containing AI references
- Monitor state AI disclosure law developments and maintain a jurisdiction-specific compliance matrix
- Prepare examination-ready documentation of the firm's AI disclosure and anti-AI-washing program
- Implement AI disclosure verification as part of the annual FINRA 3120 supervisory testing
- Commission independent review of AI-related marketing claims for Marketing Rule compliance
- Document competitive intelligence procedures for monitoring industry AI marketing practices
Setup & Configuration
Step 1: Establish AI Disclosure Policy
- Draft an AI Disclosure Policy that addresses:
- When AI/Copilot usage must be disclosed to clients
- How disclosure should be made (email footer, document section, verbal notice)
- Who is responsible for ensuring disclosure compliance
- Consequences for non-disclosure when required
- Exemptions (e.g., purely internal communications)
- Route through compliance, legal, and senior management approval
- Distribute to all associated persons and obtain acknowledgment
Step 2: Create Approved AI Terminology Guide
- Document approved terms for describing Copilot in various contexts:
| Context | Approved Descriptions |
|---|---|
| Internal communications | "Copilot," "AI writing assistant," "AI-assisted drafting" |
| Client communications | "AI writing assistance," "technology-assisted communication" |
| Marketing materials | "AI-assisted operational tools," "AI-enhanced efficiency" |
| Regulatory filings | "Microsoft 365 Copilot," "vendor-provided large language model" |
- Document prohibited terms and claims:
- "AI-powered investment management"
- "Proprietary AI" (when referring to Copilot)
- "AI-driven returns" or "AI-generated alpha"
- Any claim implying AI makes investment decisions autonomously
- Distribute the terminology guide and integrate into compliance training
Step 3: Implement Marketing Review Process
- Update the marketing material review process to include an AI claims review step:
- Trigger: Any marketing material containing references to AI, machine learning, Copilot, or related terms
- Reviewer: Compliance officer with SEC Marketing Rule expertise
- Review criteria: Accuracy, materiality, no misleading statements, proper context
- Approval: Documented approval with compliance sign-off
- Create a Marketing Rule compliance checklist specific to AI claims:
- All AI capability claims are factually accurate
- Limitations of AI tools are appropriately disclosed
- No implication that AI makes autonomous investment decisions
- Distinction between AI assistance and AI decision-making is clear
- No use of prohibited AI terminology
- Client can understand the actual role of AI in service delivery
Step 4: Configure Client Communication Disclosures
- Create email signature/footer templates that include AI disclosure:
Standard AI Disclosure Footer:
NOTICE: This communication may have been prepared with the assistance
of AI-based writing tools. All content has been reviewed and approved
by the sender. This communication should not be relied upon as
investment advice. [Standard firm disclosures follow.]
- Create document disclosure templates for Copilot-assisted deliverables:
Standard Document Disclosure:
Disclosure: Portions of this document were prepared with the assistance
of AI-based productivity tools. All content has been reviewed for
accuracy and approved by [Name, Title]. The analysis and recommendations
herein represent the professional judgment of [firm name], not
AI-generated investment advice.
- Deploy templates through Exchange transport rules, Word templates, or firm document management system
Step 5: Monitor and Enforce
- Configure Communication Compliance policies to flag outbound messages containing unauthorized AI claims
- Create keyword dictionaries for unauthorized AI terminology
- Establish a quarterly review cadence for all public-facing AI claims
- Document enforcement actions for AI disclosure policy violations
Financial Sector Considerations
SEC Enforcement Precedent
The SEC's 2024 enforcement actions against investment advisers for AI washing establish important precedent:
- Firms were charged for claiming to use AI in investment decision-making when the AI was only used for marketing or operational tasks
- Penalties included monetary fines and required corrective disclosures
- The SEC emphasized that firms must have a "reasonable basis" for AI claims in marketing materials
- The SEC examinations division has added AI marketing claims to its examination priority list
Examination Preparedness
SEC and FINRA examiners are increasingly asking about AI usage during routine examinations. Firms should prepare:
- A clear summary of how Copilot is used and how it is not used
- Documentation demonstrating that marketing claims about AI are accurate and not misleading
- Evidence of the AI disclosure policy and its enforcement
- Records of marketing material reviews that include AI claims assessment
- Documentation of any client complaints related to AI or Copilot usage
Institutional vs. Retail Disclosure Obligations
Disclosure obligations may differ based on client type:
- Retail clients: Higher disclosure obligation; clear, plain-language disclosure of AI assistance in communications and recommendations
- Institutional clients: Sophisticated investors may require less disclosure, but material misrepresentations are still prohibited
- Prospects: Marketing materials to prospects must comply with the Marketing Rule regardless of sophistication level
Competitive Considerations
While disclosure is required, firms should balance transparency with competitive positioning:
- Disclose AI usage accurately without creating unnecessary client concern
- Emphasize human oversight and professional judgment as the primary drivers of service quality
- Position AI tools as efficiency enhancers, not replacements for professional expertise
- Avoid language that could create fiduciary risk by overstating AI capabilities
Verification Criteria
| # | Verification Step | Expected Outcome | Governance Level |
|---|---|---|---|
| 1 | Review AI disclosure policy | Policy exists, addresses Copilot, and has been distributed to all associated persons | Baseline |
| 2 | Verify approved terminology guide is published | Guide is accessible and referenced in compliance training | Baseline |
| 3 | Audit marketing materials for AI claims accuracy | All AI claims are factually accurate and not misleading | Baseline |
| 4 | Test email footer disclosure deployment | AI disclosure footer appears on client communications from Copilot-licensed users | Recommended |
| 5 | Verify marketing review process includes AI claims step | Review checklist includes AI-specific review criteria with documented approvals | Recommended |
| 6 | Test unauthorized AI claims detection | Communication Compliance policy flags test message with prohibited AI terminology | Recommended |
| 7 | Review quarterly AI marketing claim audit | Audit is completed with documented findings and remediation | Regulated |
| 8 | Verify state law compliance matrix | Matrix covers all jurisdictions where firm operates with current requirements | Regulated |
| 9 | Review examination-ready documentation package | Complete AI disclosure and anti-AI-washing documentation is assembled | Regulated |
| 10 | Verify independent marketing review | Third-party review of AI-related marketing claims is completed and documented | Regulated |
Additional Resources
- SEC Marketing Rule (Rule 206(4)-1)
- SEC Risk Alert on AI Marketing Claims
- SEC Enforcement Actions on AI Washing (2024)
- SEC Regulation Best Interest
- Colorado AI Act (SB 24-205)
- Microsoft Responsible AI Transparency Report
- Control 3.5 -- FINRA Rule 2210 Compliance
- Control 3.8 -- Model Risk Management
-
Related Controls: 3.7 Regulatory Reporting, 3.8 Model Risk Management, 1.12 Training and Awareness
FSI Copilot Governance Framework v1.2.1 - March 2026