
Control 4.2: Copilot in Teams Meetings Governance

Control ID: 4.2
Pillar: Operations & Monitoring
Regulatory Reference: FINRA Rule 3110 (Supervision), FINRA Rule 4511 (Books and Records), SEC Rule 17a-4, SEC Reg S-P
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish governance controls for Microsoft 365 Copilot in Teams meetings — including transcription, recap summaries, meeting notes, and follow-up actions — to support compliance with financial services recordkeeping obligations, supervisory review requirements, and data retention policies for regulated communications.

Why This Matters for FSI

Teams meetings in financial services organizations frequently involve discussions of material non-public information (MNPI), client account details, investment recommendations, trade discussions, and regulatory matters. When Copilot is enabled in Teams meetings, it generates AI-produced artifacts — meeting summaries, action items, and intelligent recaps — that may themselves constitute business records subject to retention requirements.

FINRA Rule 4511 requires member firms to make and preserve books and records as FINRA prescribes, and SEC Rule 17a-4(b)(4) imposes specific retention periods for business communications, requiring preservation of records for three years. Meeting transcripts and Copilot-generated summaries that capture substantive business discussions may fall within the scope of these retention requirements.

FINRA Rule 3110(b)(4) requires firms to establish and maintain a supervisory system, including written supervisory procedures, that is reasonably designed to achieve compliance with applicable securities laws. When Copilot generates meeting summaries that describe investment recommendations or client interactions, those summaries may require supervisory review.

For banking institutions, the FFIEC expects that all technology-generated records are subject to the institution's records management program. Copilot meeting artifacts should be classified, retained, and managed consistently with other business records.

Without proper governance, meeting summaries generated by Copilot could contain inaccurate characterizations of discussions, miss critical context, or persist beyond required retention periods. Conversely, if summaries are not retained when they should be, firms face potential spoliation concerns.

Disclaimer

This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.

Control Description

This control governs the lifecycle of Copilot-generated content in Teams meetings, from creation through retention and eventual disposition.

ACTION REQUIRED: Teams Copilot Default Change — FSI Recordkeeping Impact

Effective March 2026, Microsoft changed the default Copilot in Teams meetings policy from EnabledWithTranscript to Enabled. Under the previous default, Copilot in Teams meetings required active transcription, ensuring that all meeting content processed by Copilot was simultaneously captured as a transcript — a critical component of FSI recordkeeping infrastructure. Under the new Enabled default, Copilot can operate in meetings without transcription, meaning Copilot-generated meeting summaries and action items may exist without a corresponding verbatim transcript record.

For regulated financial institutions, this change creates an immediate recordkeeping compliance gap. SEC Rule 17a-4(b)(4) requires preservation of business communications for three years. FINRA Rule 4511 requires members to preserve books and records as prescribed by FINRA and applicable regulations. FINRA Rule 3110(b)(4) requires supervisory review of communications. Without transcription, Copilot meeting artifacts (summaries, action items) may lack the underlying verbatim record needed to demonstrate the accuracy and completeness of the AI-generated summary.

Remediation: Enforce the EnabledWithTranscript setting via Teams meeting policy to maintain the transcript-coupled behavior:

    Set-CsTeamsMeetingPolicy -Identity "FSI-Regulated-Policy" -CopilotWithoutTranscript Disabled

Apply this policy to all user groups where meeting recordkeeping obligations apply. Verify enforcement with:

    Get-CsTeamsMeetingPolicy -Identity "FSI-Regulated-Policy" | Select-Object CopilotWithoutTranscript

This must return Disabled to confirm that Copilot requires transcription in regulated meetings.

Meeting Transcription Requirements

The EnabledWithTranscript and Enabled policy settings represent fundamentally different compliance postures:

| Setting | How Copilot Operates | Compliance Posture |
|---|---|---|
| EnabledWithTranscript | Copilot only activates when transcription is running. All Copilot-processed meeting content has a corresponding verbatim transcript. | Recordkeeping-safe configuration. Meeting artifacts can be verified against the verbatim record. |
| Enabled | Copilot can activate regardless of transcription status. Copilot-generated artifacts may exist without any underlying transcript. | New Microsoft default (March 2026). Copilot artifacts without transcript cannot be independently verified. |

For regulated financial institutions, EnabledWithTranscript is the only configuration that ensures Copilot-generated meeting summaries and action items can be verified against an underlying verbatim record. Without this coupling, firms cannot demonstrate to regulators the accuracy of AI-generated meeting artifacts, cannot produce verbatim records upon regulatory demand, and may face examination deficiencies for incomplete meeting recordkeeping.

Key configuration points for meeting transcription:

| Setting | Location | FSI Recommendation |
|---|---|---|
| Transcription Policy | Teams Admin Center > Meetings > Meeting Policies | Enable for licensed Copilot users; disable for groups where meeting content should not be processed by AI |
| CopilotWithoutTranscript | Teams meeting policy (PowerShell) | Set to Disabled to enforce EnabledWithTranscript behavior |
| Auto-recording | Teams Admin Center > Meetings > Meeting Policies | Consider enabling for regulated discussions; disable for informal meetings |
| Transcript storage | Exchange Online (user mailbox) and OneDrive | Confirm retention policies apply to both storage locations |
| Who can transcribe | Meeting policy settings | Restrict to organizer and co-organizers in regulated environments |

Copilot Recap Features

When Copilot is enabled in a meeting, it provides several post-meeting capabilities:

  • Intelligent Recap: AI-generated summary of key discussion points
  • Meeting Notes: Structured notes organized by topic
  • Action Items: Tasks extracted from the meeting discussion
  • Follow-up Suggestions: Recommended next steps based on the discussion
  • Topic Segments: Chaptered breakdown of the meeting by discussion topic
  • Speaker Attribution: Identification of who said what during the meeting

Each of these artifacts is stored in the meeting organizer's Exchange Online mailbox and is accessible through Teams Meeting Recap.

All recap features (Intelligent Recap, Meeting Notes, Action Items, Follow-up Suggestions) are available under both EnabledWithTranscript and Enabled policy settings. However, only EnabledWithTranscript requires that the underlying verbatim transcript exists alongside the AI-generated artifacts. For regulatory compliance purposes, the presence of a transcript is what makes Copilot meeting artifacts verifiable and defensible during examinations or litigation.

Opt-In and Opt-Out Controls

| Control | Description | Configuration |
|---|---|---|
| Meeting-level opt-out | Individual meetings can disable Copilot | Meeting organizer toggles Copilot off before meeting starts |
| Participant notification | All participants see a notification when Copilot is active | Automatic — cannot be disabled |
| Sensitivity labels | Meetings with specific sensitivity labels can restrict Copilot | Configure label policies to block Copilot in highly sensitive meetings |
| Policy-level control | Entire user groups can be excluded from meeting Copilot | Teams meeting policy assignment |

Retention and Disposition

Meeting transcripts and Copilot-generated summaries must be covered by the organization's retention policies:

  • Transcripts: Stored in Exchange Online and should be covered by Exchange retention policies
  • Recap Content: Stored alongside the meeting in Exchange Online
  • Recordings: Stored in OneDrive/SharePoint and should be covered by SharePoint retention policies
  • Chat Messages: In-meeting chat is subject to Teams retention policies

Copilot Surface Coverage

| Surface | Coverage | Notes |
|---|---|---|
| Teams Scheduled Meetings | Full | Recap, notes, action items, transcript |
| Teams Channel Meetings | Full | Same as scheduled meetings |
| Teams Meet Now | Partial | Copilot available but recap may be limited without scheduling |
| Teams Webinars | Full | Transcription and Copilot available |
| Teams Town Halls | Partial | Organizer-side Copilot; attendee access varies |
| Teams 1:1 Calls | Partial | Copilot summarization if transcription is enabled |
| Teams Phone (PSTN) | See Control 4.3 | Separate governance under Control 4.3 |

Governance Levels

Baseline

  • Enforce EnabledWithTranscript via Teams meeting policy for all user groups with recordkeeping obligations — override the September 2025 default change (MC1139493) that changed the global default from EnabledWithTranscript to CopilotWithoutTranscript. FSI firms must explicitly set -Copilot "EnabledWithTranscript" on all regulated meeting policies to maintain transcript-coupled Copilot behavior required for record-keeping:

    Set-CsTeamsMeetingPolicy -Identity "FSI-Regulated" `
      -Copilot "EnabledWithTranscript" `
      -AllowTranscription $true
    

    Portal path: Teams Admin Center > Meetings > Meeting policies > [policy name] > Recording & transcription > Copilot

  • Define which user groups have Copilot enabled for Teams meetings via meeting policies — key -Copilot parameter values: Disabled (no Copilot), Enabled (Copilot without transcript requirement), EnabledWithTranscript (Copilot requires active transcription)

  • Configure meeting transcription policies to align with recordkeeping requirements — set -AllowTranscription $true and -LiveCaptionsEnabledType "DisabledUserOverride" on regulated policies
  • Verify that Exchange Online retention policies cover meeting transcripts and recap content; confirm -AllowRecordingStorageOutsideRegion $false for data residency requirements
  • Document the process for meeting organizers to opt out of Copilot for sensitive meetings — disable Copilot entirely for board-level or MNPI discussions:

    Set-CsTeamsMeetingPolicy -Identity "FSI-Board-Meetings" `
      -Copilot "Disabled" -AllowTranscription $false
    
  • Notify all users that Copilot meeting artifacts may be subject to records retention and supervisory review

  • Confirm that participant notification is functioning when Copilot joins a meeting
  • Verify the global policy Copilot default post-September 2025: Get-CsTeamsMeetingPolicy -Identity Global | Select-Object Copilot, AllowTranscription — confirm regulated policies are not relying on the changed default

Recommended

  • Enforce EnabledWithTranscript for all users with Copilot licenses + configure auto-transcription for all scheduled meetings involving client discussions. Set additional meeting policy parameters for full coverage:

    Set-CsTeamsMeetingPolicy -Identity "FSI-Regulated" `
      -Copilot "EnabledWithTranscript" `
      -AllowTranscription $true `
      -AllowMeetingCoach $true `
      -AllowCarbonSummary $true `
      -LiveCaptionsEnabledType "DisabledUserOverride"
    
  • Implement sensitivity labels that automatically restrict Copilot in meetings labeled as "Highly Confidential" or equivalent — Teams Premium supports sensitivity labels for meetings, watermarking, and end-to-end encryption (note: E2EE disables Copilot because transcript is unavailable)

  • Establish supervisory review procedures for Copilot meeting summaries involving regulated discussions
  • Create retention labels specific to Copilot meeting artifacts with retention periods aligned to FINRA Rule 4511 / SEC Rule 17a-4 requirements
  • Monitor Copilot meeting usage through M365 usage reports to identify adoption patterns and compliance gaps — Portal: M365 Admin Center > Reports > Microsoft 365 Copilot usage
  • Configure eDiscovery to include Copilot meeting recap content in legal hold and search scopes
  • Train meeting organizers on when to disable Copilot for discussions involving MNPI, pending transactions, or legal matters

Regulated

  • Enforce EnabledWithTranscript + auto-transcription + auto-recording for all meetings involving regulated activities — verify enforcement across all assigned policies: Get-CsTeamsMeetingPolicy | Select-Object Identity, Copilot, AllowTranscription, AllowCloudRecording
  • Integrate Copilot meeting summaries into the firm's communication surveillance system
  • Implement automated flagging of Copilot meeting summaries that contain keywords related to MNPI, trade instructions, or client complaints
  • Require pre-meeting compliance attestation for meetings where Copilot will be used to discuss regulated topics
  • Conduct quarterly audits of Copilot meeting artifact retention to support compliance with SEC Rule 17a-4 and FINRA Rule 4511
  • Maintain chain-of-custody documentation for Copilot-generated meeting records used in regulatory responses
  • Configure immutable storage (WORM) for meeting transcripts and Copilot summaries subject to SEC Rule 17a-4
  • Deploy Teams Premium sensitivity labels and watermarking for regulated meeting categories to provide visual deterrence and policy-enforced Copilot restrictions
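
The cross-policy verification in the first Regulated bullet, turned into a pass/fail audit. This is an added example, not one of the framework's own scripts: it reads only the properties that bullet selects (Identity, Copilot, AllowTranscription, AllowCloudRecording), and the function name Test-CopilotMeetingPolicy, the -RequireRecording switch and the sample policy rows are constructed for illustration.

```powershell
# Added example: flag meeting policies where Copilot is not transcript-coupled.
function Test-CopilotMeetingPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy,
        # Hypothetical switch: also require recording (Regulated level).
        [switch]$RequireRecording
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        switch ([string]$Policy.Copilot) {
            'Disabled' { }   # Copilot off: no AI artifacts to reconcile
            'EnabledWithTranscript' {
                if ($Policy.AllowTranscription -ne $true) {
                    $findings.Add('Copilot requires a transcript but AllowTranscription is not $true')
                }
                if ($RequireRecording -and $Policy.AllowCloudRecording -ne $true) {
                    $findings.Add('AllowCloudRecording is not $true')
                }
            }
            'Enabled' {
                $findings.Add('Copilot can run without a transcript')
            }
            default {
                $findings.Add("Unrecognised Copilot value '$($Policy.Copilot)'; review manually")
            }
        }
        [pscustomobject]@{
            Identity  = $Policy.Identity
            Copilot   = $Policy.Copilot
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed rows standing in for Get-CsTeamsMeetingPolicy output.
# "FSI-Advisors" is a hypothetical policy name used to show a failure.
$samplePolicies = @(
    [pscustomobject]@{ Identity = 'Global';             Copilot = 'Enabled'
                       AllowTranscription = $true;  AllowCloudRecording = $true }
    [pscustomobject]@{ Identity = 'FSI-Regulated';      Copilot = 'EnabledWithTranscript'
                       AllowTranscription = $true;  AllowCloudRecording = $true }
    [pscustomobject]@{ Identity = 'FSI-Board-Meetings'; Copilot = 'Disabled'
                       AllowTranscription = $false; AllowCloudRecording = $false }
    [pscustomobject]@{ Identity = 'FSI-Advisors';       Copilot = 'EnabledWithTranscript'
                       AllowTranscription = $false; AllowCloudRecording = $true }
)

$report = $samplePolicies | Test-CopilotMeetingPolicy -RequireRecording
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize -Wrap

# Against a tenant (after Connect-MicrosoftTeams):
#   Get-CsTeamsMeetingPolicy | Test-CopilotMeetingPolicy -RequireRecording
```

With the constructed rows, Global and FSI-Advisors are reported as non-compliant; FSI-Regulated and FSI-Board-Meetings pass.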

Setup & Configuration

Step 1: Enforce EnabledWithTranscript Policy (Critical — See ACTION REQUIRED Above)

Run this PowerShell remediation immediately to override Microsoft's March 2026 default change:

    # Connect to Teams
    Import-Module MicrosoftTeams
    Connect-MicrosoftTeams

    # Verify current default policy state
    Get-CsTeamsMeetingPolicy -Identity Global | Select-Object CopilotWithoutTranscript

    # Create or update the FSI-regulated meeting policy
    $policyName = "FSI-Regulated-Policy"
    $existingPolicy = Get-CsTeamsMeetingPolicy -Identity $policyName -ErrorAction SilentlyContinue
    if (-not $existingPolicy) {
        New-CsTeamsMeetingPolicy -Identity $policyName
    }

    # Enforce EnabledWithTranscript: disable Copilot without transcript
    Set-CsTeamsMeetingPolicy -Identity $policyName -CopilotWithoutTranscript Disabled

    # Verify the setting
    Get-CsTeamsMeetingPolicy -Identity $policyName | Select-Object CopilotWithoutTranscript
    # Expected: Disabled

Step 2: Configure Teams Meeting Policies

Navigate to Teams Admin Center > Meetings > Meeting Policies:

  1. Create a policy for Copilot-enabled users:
       • Set Copilot to "Enabled" or "Enabled with transcript"
       • Set Transcription to "On"
       • Set Recording per organizational policy
  2. Create a policy for restricted users (e.g., compliance-sensitive roles):
       • Set Copilot to "Disabled" or "Enabled with transcript only during the meeting"
       • Configure recording requirements per role

Step 3: Configure Retention Policies

In Microsoft Purview > Data Lifecycle Management > Retention Policies:

  1. Create or update a retention policy for Teams meeting messages
  2. Verify that Exchange Online retention policies cover meeting recap storage locations
  3. Set retention periods per regulatory requirements:
       • FINRA 4511 / SEC 17a-4: minimum 3 years readily accessible, 6 years total for broker-dealer records
       • Banking records: per FFIEC and institution-specific requirements
       • General business records: per organizational retention schedule

Step 4: Configure Sensitivity Label Restrictions

In Microsoft Purview > Information Protection > Label Policies:

  1. For labels such as "Highly Confidential - MNPI" or "Restricted - Client Data," configure the label to restrict Copilot access
  2. When a meeting is assigned a restrictive sensitivity label, Copilot features should be blocked
  3. Document which labels restrict Copilot and communicate to meeting organizers

Step 5: Configure Supervisory Review

For FINRA-regulated firms:

  1. In Microsoft Purview > Communication Compliance, create a policy that captures Copilot meeting summaries
  2. Define reviewable content types to include meeting recap artifacts
  3. Assign supervisory reviewers with appropriate registration and authority
  4. Establish review SLAs (e.g., review within 5 business days of meeting)

Financial Sector Considerations

Broker-Dealers: Meeting summaries that capture investment recommendations, trade discussions, or client suitability conversations are likely business records under FINRA Rule 4511. Firms should treat Copilot meeting recaps with the same retention and supervisory rigor as email and chat communications. Supervisory review under FINRA Rule 3110 should extend to AI-generated meeting summaries that describe regulated activities.

Investment Advisers: Meetings discussing client portfolio changes, investment recommendations, or advisory fee structures generate content that may be subject to SEC recordkeeping requirements under the Investment Advisers Act. Copilot summaries of such meetings should be retained as part of the adviser's books and records.

Banking Institutions: Board meetings, committee meetings, and customer interaction meetings that are transcribed and summarized by Copilot generate records that should be classified under the institution's records management program. FDIC and OCC examiners may request these records during examinations.

Cross-Border Considerations: If meetings include participants from jurisdictions with different data protection requirements (e.g., EU-based employees), the transcription and AI processing of meeting content may implicate GDPR or equivalent requirements. Coordinate with data privacy counsel before enabling transcription for cross-border meetings.

MNPI Protection: Meetings discussing material non-public information require heightened controls. Consider disabling Copilot for meetings involving M&A discussions, pending enforcement actions, earnings pre-announcements, or other MNPI topics. Sensitivity labels provide the mechanism to enforce this restriction.

Verification Criteria

| # | Verification Step | Expected Result |
|---|---|---|
| 1 | Run Get-CsTeamsMeetingPolicy -Identity "FSI-Regulated-Policy" \| Select-Object CopilotWithoutTranscript | Returns Disabled — confirming EnabledWithTranscript enforcement |
| 2 | Review Teams meeting policies in Teams Admin Center | Copilot enablement aligns with documented governance decisions; no policy uses the Enabled (without transcript) setting for regulated groups |
| 3 | Verify retention policies cover meeting transcripts and recap content | Retention policies applied to Exchange Online and OneDrive locations |
| 4 | Test Copilot behavior in a meeting with a restrictive sensitivity label | Copilot is blocked or limited per label configuration |
| 5 | Confirm participant notification appears when Copilot is active | All meeting participants see Copilot notification banner |
| 6 | Search eDiscovery for Copilot meeting artifacts | Recap content, transcripts, and notes are discoverable |
| 7 | Review supervisory review queue for meeting summaries (Regulated) | Meeting summaries appear in the communication compliance review queue |
| 8 | Verify opt-out capability for meeting organizers | Organizer can disable Copilot before and during a meeting |
| 9 | Confirm immutable storage for meeting records (Regulated) | WORM-compliant storage configured for applicable records |

FSI Copilot Governance Framework v1.2.1 - March 2026