New compliance assessment builds financial services confidence in Microsoft 365 Copilot
Brokerage firms and other financial institutions using Microsoft 365 Copilot with their most important data and systems can now rest assured that their innovations can readily meet the latest compliance requirements from the United States Securities and Exchange Commission (SEC).
Under new SEC rules, many financial services firms must keep detailed records of transactions and communications to protect investors and help prevent fraud. These firms need to know that the products and services they employ are capable of meeting the stringent requirements of the regulation.
To make this easier for Microsoft customers, we have partnered with records management consulting firm Cohasset Associates to produce an expanded assessment of Microsoft 365 services, including Microsoft Copilot and Microsoft Loop. This report, released December 2024, gives firms clarity that they can innovate broadly with the new generative AI capabilities of Copilot and explore the unique collaborative workspace capabilities of Microsoft Loop, while also remaining confident of their ability to ensure compliance.
What the new SEC rules require
In a nutshell, SEC Rules 17a-4 and 18a-6 impose new requirements on recordkeeping that will impact many firms. These rules apply to brokers, dealers, and members of national securities exchanges, and they require that certain types of records be preserved for certain amounts of time to facilitate regulatory examinations and compliance checks. Additionally, SEC Rule 18a-6 is tailored to security-based swap entities, and specifically targets records related to security-based swap transactions.
The primary goal of all these rules is to protect investors and maintain the integrity of financial markets by ensuring that all transactions are properly documented and can be reviewed if necessary. The regulation includes requirements for the following:
- Recordkeeping: Firms must keep records of all their transactions, including trade confirmations, account statements, and communications with clients.
- Retention periods: The rule specifies how long these records must be kept. For example, some records need to be retained for at least six years, with the first two years’ records being easily accessible.
- Accessibility: The records must be stored in a way that they can be quickly accessed if needed for audits or investigations. This helps regulatory bodies check for compliance and investigate any potential issues.
Helping ensure compliance through an independent assessment from Cohasset Associates
When the SEC revised Rules 17a-4 and 18a-6 in October 2022 to keep pace with rapid technological advances, Microsoft enlisted Cohasset Associates to produce an independent assessment of its compliance capabilities. Released in October 2023, that report ensured that SharePoint, OneDrive, Microsoft Teams, Exchange, and Viva Engage met the new requirements for recording, storing, and managing electronic records in a non-rewriteable, non-erasable format.
The latest Cohasset Associates assessment is an update to their earlier report, and it includes detailed evaluations and recommendations for how to implement and configure controls within Copilot and Microsoft Loop to ensure compliance.
In addition to SEC Rules 17a-4 and 18a-6, the assessment also applies to Financial Industry Regulatory Authority (FINRA) Rule 4511 and Commodity Futures Trading Commission (CFTC) Rule 1.31, which also pertain to the maintenance and preservation of records.
Easier and more efficient compliance with Microsoft Cloud for Financial Services
Helping firms reduce the friction of meeting compliance requirements while embracing new opportunities through technology is a core tenet of Microsoft Cloud for Financial Services.
We exist to help capital markets firms, banks, insurers, and others harness the benefits of cloud and AI technologies with a fit-for-purpose cloud platform, off-the-shelf accelerators, a broadly aligned partner ecosystem, and comprehensive investments to promote compliance and transparency. Microsoft Cloud for Financial Services also helps keep customers up to date on various compliance regimes, regulatory requirements, and security controls. And we provide capabilities to help companies implement the most current, efficient, and effective IT risk management strategies.
We offer a range of solutions to help financial services firms ensure compliance with regulations worldwide, including those from the SEC. Among these, Microsoft Purview Compliance Manager helps firms assess their compliance posture and manage compliance activities, with pre-built assessments for various regulations, including SEC rules, and insights for improved compliance. Also, to help ensure the compliant preservation of electronic records, immutable storage for Azure Blob Storage, together with Preservation Lock, which restricts changes to retention policies and retention label policies, can help firms meet the immutable storage requirements, ensuring records cannot be altered or deleted.
Discover more
To help financial institutions quickly embrace cloud and AI technologies, Microsoft is committed to ensuring that our services remain compliant with all major regulations worldwide. To learn more about how we empower firms to unlock business value and deepen customer relationships in the era of AI:
- Learn about the SEC rules and in-scope Microsoft cloud platforms and services at Microsoft Learn.
- Download the updated Cohasset Assessment for Office 365 on the Microsoft Service Trust Portal (for Microsoft cloud services customers or through a free trial).
- To connect with subject-matter experts to assist risk and compliance teams with accelerating cloud and AI adoption, see Compliance Program for Microsoft Cloud.
- For compliance-related documentation and related resources, see the Microsoft Compliance page.