Control 4.3: Copilot in Teams Phone and Queues Governance

Control ID: 4.3
Pillar: Operations & Monitoring
Regulatory Reference: FINRA Rule 3110 (Supervision), FINRA Rule 4511 (Books and Records), GLBA 501(b), FFIEC IT Examination Handbook
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish governance controls for Microsoft 365 Copilot in Teams Phone (call summarization, voicemail transcription) and Teams Queues (agent assist, real-time suggestions) to support compliance with call recording governance requirements, supervisory review obligations, and customer data protection standards in financial services environments.

Why This Matters for FSI

Financial services organizations conduct a significant volume of customer interactions over the phone -- account inquiries, trade instructions, advisory consultations, complaints, and service requests. When Copilot is enabled for Teams Phone and Queues, it generates AI-produced call summaries, voicemail transcriptions, and real-time agent assistance that may constitute business records subject to regulatory retention requirements.

FINRA Rule 4511 requires broker-dealers to preserve records of business communications, which can include telephone communications when they relate to the firm's business. FINRA Rule 3110 requires supervisory systems that reasonably cover the firm's communication channels. When Copilot generates summaries of customer calls, those summaries become part of the firm's communication record and may require supervisory review.

For banking institutions, GLBA 501(b) requires administrative, technical, and physical safeguards for customer information. Phone conversations with customers routinely involve sensitive financial data -- account numbers, Social Security numbers, transaction details -- that Copilot will process during summarization. The FFIEC expects institutions to maintain appropriate controls over technology that processes customer data.

Copilot in Queues presents additional considerations for contact center operations. Real-time agent assistance surfaces information from organizational knowledge bases, which may include restricted or confidential content. Without appropriate controls, agents could receive suggestions based on information they are not authorized to access.

Disclaimer

This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.

Control Description

Copilot in Teams Phone

Copilot in Teams Phone provides the following capabilities that require governance:

| Feature | Description | Governance Concern |
|---|---|---|
| Call Summarization | AI-generated summary after call completion | Retention, accuracy, supervisory review |
| Voicemail Transcription | AI transcription of voicemail messages | Retention, accuracy, privacy |
| Real-time Suggestions | In-call prompts and information surfacing | Data access scope, information barriers |
| Action Item Extraction | Tasks derived from call conversations | Record accuracy, attribution |
| Sentiment Analysis | Assessment of call tone and customer satisfaction | Privacy, bias, fair treatment |

Copilot in Queues

Copilot in Teams Queues provides contact center capabilities:

| Feature | Description | Governance Concern |
|---|---|---|
| Agent Assist | Real-time knowledge base suggestions during calls | Data access boundaries, accuracy |
| Call Wrap-up | Automated post-call summary and categorization | Record completeness, retention |
| Queue Analytics | AI-driven insights on call patterns and agent performance | Privacy, manager access limits |
| Customer Context | Pre-call information surfacing from CRM and M365 data | Data minimization, need-to-know |
| Suggested Responses | Recommended answers based on knowledge base content | Regulatory accuracy, disclaimer requirements |

Call Recording Governance

When Copilot processes phone calls, the underlying recording and transcription infrastructure must be governed:

  • Recording Consent: Many jurisdictions require notification or consent for call recording; Copilot processing implies recording
  • Recording Storage: Call recordings and transcriptions are stored in Exchange Online and OneDrive
  • Recording Access: Only authorized personnel should access call recordings and Copilot summaries
  • Recording Retention: Retention periods must align with regulatory requirements

Supervisory Review of Call Summaries

For FINRA-regulated firms, Copilot-generated call summaries that document trade instructions, investment recommendations, or customer complaints should be subject to supervisory review:

  • Call summaries should be captured in the firm's supervisory review system
  • Reviewers should compare AI-generated summaries against actual recordings for accuracy sampling
  • Supervisory review SLAs should account for the volume of Copilot-generated call summaries

Copilot Surface Coverage

| Surface | Coverage | Notes |
|---|---|---|
| Teams Phone - Inbound PSTN | Full | Call summary and voicemail transcription |
| Teams Phone - Outbound PSTN | Full | Call summary post-call |
| Teams Phone - VoIP | Full | Same capabilities as PSTN |
| Teams Queues - Voice | Full | Agent assist, wrap-up, analytics |
| Teams Queues - Chat | Partial | Text-based agent assist from knowledge base |
| Teams Phone - Voicemail | Full | Transcription and summarization |
| Teams Phone - Call Transfer | Partial | Summary may be incomplete for transferred calls |

Governance Levels

Baseline

  • Define which user groups have Copilot enabled for Teams Phone via calling policies — Copilot provides real-time transcription during PSTN and VoIP calls and AI-generated call summaries. Configure via Teams Admin Center > Voice > Calling policies:

    Set-CsTeamsCallingPolicy -Identity "FSI-Calling-Compliant" `
      -AllowCloudRecordingForCalls $true `
      -AllowTranscriptionForCalling $true `
      -LiveCaptionsEnabledType "DisabledUserOverride"
    
  • Configure call recording policies to align with regulatory and jurisdictional consent requirements — Portal: Teams Admin Center > Voice > Compliance recording policies

  • Verify that retention policies cover all call content storage locations: recordings in OneDrive/SharePoint, transcripts alongside recordings, and Copilot-generated call summaries in the user's Exchange mailbox
  • Document the data flow for Copilot-processed call content (where stored, who can access, how long retained) — call summaries are stored in Exchange Online (Teams call history); recordings stored in OneDrive/SharePoint
  • Confirm that call recording consent notifications are active for all jurisdictions where the firm operates
  • Restrict access to Copilot call summaries to the call participants and their supervisors
  • Verify Call Queue Copilot configuration — Set-CsCallQueue has no direct Copilot parameters; Copilot access for queue agents is governed by each agent's CsTeamsCallingPolicy assignment. Portal: Teams Admin Center > Voice > Call queues
  • Confirm auto-attendant scope — auto-attendants have no direct Copilot generative AI integration; Copilot assists human agents handling calls transferred from auto-attendants
  • Implement supervisory review procedures for Copilot call summaries involving regulated activities
  • Configure information barriers to prevent Copilot in Queues from surfacing restricted content to agents
  • Establish accuracy sampling procedures — compare Copilot call summaries to actual recordings quarterly
  • Create retention labels specific to call recordings and summaries with appropriate retention periods — broker-dealers: 3-year minimum per SEC Rule 17a-4; extend to 7 years for supervisor-reviewed calls per FINRA Rule 4511
  • Monitor Copilot Teams Phone usage through admin reports to identify adoption patterns — verify calling policy enforcement:

    Get-CsTeamsCallingPolicy -Identity "FSI-Calling-Compliant" |
      Select-Object AllowCloudRecordingForCalls, AllowTranscriptionForCalling, LiveCaptionsEnabledType

  • Train agents and supervisors on the limitations of AI-generated call summaries
  • Integrate certified compliance recording providers (e.g., NICE, Verint) via Teams Bot/Graph API to capture Copilot call summaries alongside native recordings — Portal: Teams Admin Center > Voice > Compliance recording policies
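
The calling-policy verification and the queue-agent policy dependency described in the list above can be checked together. The following is an added example, not part of the framework's own tooling: it compares a policy object against the three settings this control configures and lists queue agents who are not on the approved policy. The sample objects are constructed, and the roster field names (Queue, UserPrincipalName, CallingPolicy) are assumptions for illustration.

```powershell
# Added example: sample objects below are constructed, not tenant output.
$Expected = [ordered]@{                      # values this control sets on the policy
    AllowCloudRecordingForCalls  = $true
    AllowTranscriptionForCalling = $true
    LiveCaptionsEnabledType      = 'DisabledUserOverride'
}

function Test-CallingPolicyBaseline {
    param([Parameter(Mandatory)] $Policy,
          [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected)
    foreach ($name in $Expected.Keys) {
        $actual = $Policy.$name
        # Compare as strings so $true matches "True" and a missing property counts as drift.
        if ("$actual" -ne "$($Expected[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

function Get-AgentOffPolicy {
    param([Parameter(Mandatory)] [object[]] $Agent,
          [Parameter(Mandatory)] [string] $ApprovedPolicy)
    # An empty CallingPolicy means no explicit assignment, so the agent inherits Global.
    $Agent | Where-Object { $_.CallingPolicy -ne $ApprovedPolicy } |
        Select-Object Queue, UserPrincipalName,
            @{ n = 'EffectivePolicy'; e = { if ($_.CallingPolicy) { $_.CallingPolicy } else { 'Global' } } }
}

# Constructed stand-in for Get-CsTeamsCallingPolicy output, with one drifted setting.
$policy = [pscustomobject]@{
    AllowCloudRecordingForCalls  = $true
    AllowTranscriptionForCalling = $false
    LiveCaptionsEnabledType      = 'DisabledUserOverride'
}
# Constructed queue roster; the field names are hypothetical.
$agents = @(
    [pscustomobject]@{ Queue = 'Retail-Service'; UserPrincipalName = 'agent1@contoso.example'; CallingPolicy = 'FSI-Calling-Compliant' }
    [pscustomobject]@{ Queue = 'Retail-Service'; UserPrincipalName = 'agent2@contoso.example'; CallingPolicy = $null }
    [pscustomobject]@{ Queue = 'Brokerage-Desk'; UserPrincipalName = 'agent3@contoso.example'; CallingPolicy = 'AllowCalling' }
)

$drift     = @(Test-CallingPolicyBaseline -Policy $policy -Expected $Expected)
$offPolicy = @(Get-AgentOffPolicy -Agent $agents -ApprovedPolicy 'FSI-Calling-Compliant')
$drift     | Format-Table -AutoSize
$offPolicy | Format-Table -AutoSize
if ($drift.Count -or $offPolicy.Count) { Write-Warning 'Calling policy baseline check failed' }
```

With the constructed data the check reports one drifted setting (AllowTranscriptionForCalling) and two agents outside the approved policy, one of them inheriting Global.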

Regulated

  • Integrate Copilot call summaries into the firm's communication surveillance platform
  • Implement automated flagging of call summaries containing trade instructions, complaints, or MNPI keywords
  • Configure WORM-compliant storage for call recordings and transcripts subject to SEC Rule 17a-4
  • Conduct quarterly audits comparing Copilot call summaries to actual call content for accuracy validation
  • Require dual-channel recording (separate from Copilot) for compliance-critical call lines — verify that certified compliance recording providers capture Copilot-generated summaries alongside native recordings
  • Implement real-time compliance monitoring for Copilot agent assist suggestions in regulated scenarios
  • Maintain detailed audit trail of all access to call recordings and Copilot summaries
  • Apply SEC Rule 17a-4 retention (3 years readily accessible, 6 years total) for broker-dealer call records; 7-year retention for supervisor-reviewed calls per FINRA examination expectations

Setup & Configuration

Step 1: Configure Teams Phone Copilot Policies

In Teams Admin Center > Voice > Calling Policies:

  1. Create or modify calling policies to control Copilot availability:
       • Enable Copilot call summarization for licensed users
       • Configure voicemail transcription settings
       • Set call recording policies per regulatory requirements
  2. Assign policies to user groups based on role and regulatory exposure

Step 2: Configure Call Recording and Compliance

  1. Recording Policy: Teams Admin Center > Voice > Call Recording
       • Enable compliance recording for regulated users
       • Configure recording storage location
       • Set notification and consent requirements per jurisdiction
  2. Compliance Recording Integration:
       • For firms using third-party compliance recording (e.g., Verint, NICE), verify that Copilot summaries are captured alongside native recordings
       • Document any gaps between Copilot processing and compliance recording

Step 3: Configure Retention for Call Content

In Microsoft Purview > Data Lifecycle Management:

  1. Create retention policies covering:
       • Teams call recordings (stored in OneDrive)
       • Call transcripts (stored in Exchange Online)
       • Copilot call summaries (stored in Exchange Online)
       • Voicemail transcriptions (stored in Exchange Online)
  2. Set retention periods:
       • Broker-dealers: minimum 3 years readily accessible, 6 years total (SEC 17a-4)
       • Banks: per institution retention schedule and FFIEC guidance
       • All: align with organization-wide records retention schedule

Step 4: Configure Queues Agent Assist

In Teams Admin Center > Voice > Queues:

  1. Configure knowledge base sources for Copilot agent assist
  2. Verify that knowledge base content is appropriately classified and access-controlled
  3. Test that information barriers prevent cross-wall content from surfacing to restricted agents
  4. Configure agent assist response templates to include required disclaimers

Step 5: Configure Supervisory Review

For FINRA-regulated firms:

  1. In Microsoft Purview > Communication Compliance, extend policies to capture call summaries
  2. Define keywords and conditions that trigger supervisory review for call content
  3. Assign supervisory reviewers with appropriate authority
  4. Document review SLAs and escalation procedures
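
The keyword-triggered review in Step 5, and the automated flagging of trade instructions, complaints and MNPI keywords listed under the Regulated level, can be prototyped offline before the conditions are built into a Communication Compliance policy. This is an added example, not the framework's or Microsoft's code: the patterns, the per-category SLA hours and the summary field names (CallId, Text, EndedUtc) are assumptions, and the summaries are constructed.

```powershell
# Added example. The patterns are illustrative placeholders, not a vetted surveillance lexicon.
$Rules = [ordered]@{
    TradeInstruction = '\b(buy|sell|liquidate|limit order|market order|wire transfer)\b'
    Complaint        = '\b(complaint|complained|dissatisfied|unauthorized|dispute[ds]?)\b'
    MNPI             = '\b(non-?public|insider|unannounced|pending (merger|acquisition))\b'
}
# Hypothetical review SLA in hours per category; the shortest matching SLA wins.
$SlaHours = @{ TradeInstruction = 24; Complaint = 48; MNPI = 4 }

function Get-SummaryReviewFlag {
    param([Parameter(Mandatory)] [object[]] $Summary,
          [Parameter(Mandatory)] [System.Collections.IDictionary] $Rule,
          [Parameter(Mandatory)] [hashtable] $SlaHours)
    foreach ($s in $Summary) {
        $hits = @(foreach ($cat in $Rule.Keys) {
            $m = [regex]::Matches($s.Text, $Rule[$cat], 'IgnoreCase')
            if ($m.Count -gt 0) {
                $terms = $m | ForEach-Object { $_.Value.ToLowerInvariant() } | Sort-Object -Unique
                [pscustomobject]@{ Category = $cat; Terms = $terms -join ', ' }
            }
        })
        if ($hits.Count -eq 0) { continue }   # nothing regulated mentioned: no review item
        $sla = ($hits.Category | ForEach-Object { $SlaHours[$_] } | Measure-Object -Minimum).Minimum
        [pscustomobject]@{
            CallId      = $s.CallId
            Categories  = $hits.Category -join ', '
            Terms       = $hits.Terms -join '; '
            ReviewDueBy = $s.EndedUtc.AddHours($sla)
        }
    }
}

# Constructed sample summaries (not Copilot output).
$summaries = @(
    [pscustomobject]@{ CallId = 'C-001'; EndedUtc = [datetimeoffset]'2026-01-12T14:05:00Z'
        Text = 'Client asked to sell 200 shares using a limit order and confirmed by phone.' }
    [pscustomobject]@{ CallId = 'C-002'; EndedUtc = [datetimeoffset]'2026-01-12T15:30:00Z'
        Text = 'Caller is dissatisfied with an unauthorized fee and filed a complaint.' }
    [pscustomobject]@{ CallId = 'C-003'; EndedUtc = [datetimeoffset]'2026-01-12T16:10:00Z'
        Text = 'Routine address change; no account activity discussed.' }
)
Get-SummaryReviewFlag -Summary $summaries -Rule $Rules -SlaHours $SlaHours | Format-List
```

C-001 and C-002 are queued with their matched terms and a review deadline, while C-003 produces no review item. Keyword matching of this kind only selects summaries for a human reviewer; it does not replace the accuracy sampling against recordings described earlier.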

Financial Sector Considerations

Broker-Dealers: Telephone communications related to the firm's securities business are subject to recordkeeping requirements. Copilot call summaries that document trade instructions, recommendations, or customer complaints should be treated as business records. Firms should evaluate whether Copilot summaries satisfy or supplement existing call recording obligations, and should not rely solely on AI-generated summaries as the official record.

Wealth Management: Advisory calls with high-net-worth clients frequently involve sensitive portfolio discussions. Copilot summaries of these calls should be reviewed for accuracy before being stored as part of the client record. Inaccurate AI summaries could create liability if they mischaracterize investment advice or client instructions.

Banking Contact Centers: Banks processing customer service calls through Teams Queues must verify that Copilot agent assist does not surface information that violates need-to-know principles. Customer data from one account should not be surfaced during a call about a different customer's account.

Insurance Contact Centers: Claims-related phone calls processed by Copilot may generate summaries that become part of the claims file. State insurance regulators may review these records during market conduct examinations. Verify that summaries accurately reflect the conversation and include appropriate caveats about AI generation.

Call Consent Requirements: Financial institutions operate across multiple jurisdictions with varying call recording consent laws. Some states require all-party consent for recording. Since Copilot processing requires transcription (which implies recording), firms must verify that consent notifications cover AI processing in addition to traditional recording.

Verification Criteria

| # | Verification Step | Expected Result |
|---|---|---|
| 1 | Review Teams calling policies for Copilot settings | Copilot enabled only for approved user groups |
| 2 | Verify call recording consent notifications | Notifications active and compliant with applicable jurisdictions |
| 3 | Confirm retention policies cover all call content types | Recordings, transcripts, summaries, and voicemails under retention |
| 4 | Test information barriers in Queues agent assist | Restricted content is not surfaced to barriered agents |
| 5 | Search eDiscovery for Copilot call summaries | Call summaries are discoverable and searchable |
| 6 | Review supervisory review queue for call summaries (Regulated) | Flagged call summaries appear in review queue within SLA |
| 7 | Verify accuracy sampling results from most recent quarter | Sampling completed and documented with findings |
| 8 | Confirm compliance recording integration captures Copilot artifacts | Third-party recording platform captures or references Copilot content |


FSI Copilot Governance Framework v1.2.1 - March 2026