AI assistant — not human

FINRA + SEC Microsoft Copilot Controls Checklist (2026)
The 38-control buyer's checklist for FINRA-regulated broker-dealers + SEC-registered RIAs deploying Microsoft 365 Copilot. SEC 17a-4, FINRA Rule 4511, Reg BI, NIST CSF mapping. Built from financial services Copilot rollouts.
The 38-control buyer's checklist for FINRA-regulated broker-dealers + SEC-registered RIAs deploying Microsoft 365 Copilot. SEC 17a-4, FINRA Rule 4511, Reg BI, NIST CSF mapping. Built from financial services Copilot rollouts.

The 38-control checklist for FINRA-regulated broker-dealers + SEC-registered investment advisers (RIAs) deploying Microsoft 365 Copilot. Use as a procurement + readiness gating tool.
Scope reminder. This checklist applies to Microsoft 365 tenants where Copilot may be exposed to MNPI (material non-public information), client trading data, suitability records, communications with retail customers, or other FINRA/SEC-regulated content. Coordinate with your compliance officer + outside counsel.
FINRA + SEC Microsoft Copilot deployment requires controls across 8 families: communications surveillance (FINRA Rule 3110), books and records (SEC 17a-4 + FINRA 4511), supervision (FINRA 3110), customer best interest (Reg BI for broker-dealers; fiduciary duty for RIAs), cybersecurity (Reg S-P + Reg SCI), records retention (6-7 years), MNPI handling, and AML/KYC.
Family 1: Communications Surveillance (FINRA Rule 3110, 3120) — 6 controls
Family 2: Books and Records (SEC 17a-4 + FINRA Rule 4511) — 6 controls
Family 3: Supervision Framework (FINRA Rule 3110) — 5 controls
Family 4: Best Interest / Fiduciary (Reg BI for BDs; Investment Advisers Act for RIAs) — 4 controls
Family 5: Cybersecurity (Reg S-P + Reg SCI for SROs) — 6 controls
Family 6: MNPI Handling — 4 controls
Family 7: AML / KYC / Suspicious Activity (BSA + FinCEN) — 4 controls
Family 8: Governance + Vendor Management — 3 controls
Broker-Dealer (Reg BI): Customer-specific best interest standard. Disclosure of material conflicts. Reasonable basis for recommendation. Compliance with Form CRS.
Investment Adviser (Advisers Act): Fiduciary duty of care + loyalty. Mid-contract disclosure obligations. Form ADV updates.
Both: Copilot recommendations cannot be the SOLE basis for customer-facing recommendation. Human-in-the-loop required.
| Capability | E5 + Copilot | M365 E7 |
|---|---|---|
| Microsoft 365 Copilot | Add-on ($30/user/mo) | Bundled |
| Communication Compliance | E5 included | E7 included |
| Information Barriers | E5 included | E7 included |
| Purview Audit Premium | E5 included | E7 included |
| Microsoft Agent 365 | Add-on $45/user/mo | Bundled |
| Per user/month | $90+ | $99 ($84.15 CSP promo through Dec 31 2026) |
E7 wins for any broker-dealer or RIA running 200+ Copilot licenses (Agent 365 governance becomes operational at scale).
Phase 1 (Weeks 1-4): Foundation — Identity (C22), Audit Premium (C7), Communication Compliance policy authoring (C1-5).
Phase 2 (Weeks 5-12): Data Classification — sensitivity label taxonomy + MNPI controls (C28-31) + Information Barriers (C24).
Phase 3 (Weeks 13-20): Supervision Framework — WSP update (C13), designated principal (C14), branch office training (C16).
Phase 4 (Weeks 21-26): Validation — quarterly tuning (C6), penetration test (C26), CCO attestation (C15).
Total: 26 weeks (6 months) to fully-controlled state. Pilot can begin at end of Phase 1.
Use this 38-control checklist as a procurement + readiness gate before Copilot rollout. Map each control to a named owner. EPC Group ships a tailored version of this checklist with every financial services Copilot governance engagement.
Q: Is Microsoft 365 Copilot FINRA-compliant out of the box?
A: No. Microsoft provides the platform + audit + Communication Compliance capabilities. Customer must configure + supervise per FINRA + SEC requirements.
Q: How long until Copilot is FINRA-safe to roll out?
A: 12-16 weeks for pilot with disciplined execution; 24-26 weeks for enterprise rollout with EPC Group support.
Q: What about Microsoft Copilot Studio agents in BD/RIA environments?
A: Each agent must go through vendor management + governance review. Treat as a third-party AI system. Document agent purpose, data path, retention, supervision.
Q: Does Copilot replace human supervision under FINRA Rule 3110?
A: No. Copilot is a tool. Supervision remains a human registered principal responsibility. Document the supervision-Copilot interaction model.
Q: What about state-registered investment advisers?
A: Apply state-specific overlays (e.g., NY BitLicense, California SB 327 IoT, etc) on top of this federal baseline.
Q: Why EPC Group?
A: 29 years Microsoft + financial services consulting. Errin O'Connor previously held a Lead Architect role at the Federal Reserve Bank of New York. Microsoft Solutions Partner with all six designations. See /reviews.
Founder & Chief AI Architect
Microsoft Press bestselling author with 29 years of enterprise consulting experience.
View Full Profile"Silent AI" ended January 1, 2026, when ISO generative-AI exclusions (CG 40 47/48) went live. Here is what six insurance carriers told me they now require before they will renew AI-touching coverage — and the four court cases driving it.
AI GovernanceA CIO board-prep framework for Build 2026 with the 5 strategic decisions that must land in Q3-Q4 2026: platform standardization, Agent 365, governance posture, compute budget, ROI measurement.
AI GovernanceCompliance risk assessment for Fabric migration after Build 2026: HIPAA controls, SOC 2 audit scope expansion, FedRAMP authorization gaps, EU AI Act implications, and the 14 controls regulated enterprises must add.
Our team of experts can help you implement enterprise-grade ai governance solutions tailored to your organization's needs.