Organisations in heavily regulated industries often face compliance roadblocks. Deadlines can vary, data pools continually increase, and internal processes may be outdated -- but addressing these challenges can be simplified. Enhancing information governance is one transformative option to explore, especially for financial services organisations. The industry is subject to stringent regulatory requirements due to the nature of deals in the sector. Those tasked with policy creation, tech investment, and regulatory compliance management should know their options and strategise accordingly.

A Demanding Regulatory Landscape

Financial services organisations are subject to heightened regulatory oversight for digital communications. Understanding requirements around what data to retain, how to retain it, and for how long is business critical. While this effort may seem cumbersome, the first step is knowing which regulations apply and what is expected to sufficiently meet each obligation.

A prime example is Rule 17a-4 of the Securities and Exchange Act. This rule outlines the requirements for retaining and preserving records by broker-dealers and other regulated entities. SEC Rule 17a-4(b)(4) requires that a broker-dealer retain originals of all communications received and copies of all communications sent by the broker-dealer relating to its “business as such” for at least three years – and for the first two years, in an easily accessible place.

Additionally, the 17a-4 includes specific provisions for the use of “worm-compliant” storage (Write Once, Read Many) for certain types of electronic records. The Securities and Exchange Commission (SEC) provided guidance on this topic in 2022, adding an audit-trail alternative to the existing requirement that broker-dealers preserve electronic records exclusively in a non-rewriteable, non-erasable format.  These changes allow the use of modern technology to comply with these rules, eliminating the need to utilise legacy storage that is slow and costly.

Another example that falls under the SEC’s authority is the Commodities Future Trading Commission (CFTC) Rule 15F(g)(1) CFTC SEA 15F(g)(1). This rule is more limited in scope as it relates to commodity future trading activity. It requires that broker-dealers retain all daily trading communications dealing with security-based swaps.

The above examples represent just a few communication-related regulatory obligations the financial services industry faces. The Financial Industry Regulatory Authority (FINRA) notice provisions is another example of regulatory obligations organisations can be subject to. Noncompliant organisations can be subject to fines, reputational harm, and disrupted business operations.

Microsoft Information Governance Solutions

Most organisations expect regulators to increase their communication monitoring in the future, and as a result these organisations have begun to revisit Microsoft’s Purview Platform. As such, it is critical for decision makers at financial services organisations to understand their options, and information governance is foundational to maintaining sound retention and preservation practices. Compliance-driven information governance programs should also highlight the policies around authorised communication channels, as this will help organisations keep track of data they need to archive and reduce the risk of using unmonitored communications.

To remain complaint, financial services organisations should explore Microsoft 365 (M365). While many financial services organisations have already adopted M365 for email, document management, and collaboration, they continue to ingest messages into separate archive solutions. These legacy archives have been in place for 10, 15, or even 20+ years, often storing petabytes of information. They may have capabilities for eDiscovery, legal hold, supervision, and records retention. Organisations are revisiting M365 and planning their roadmap to leverage M365 as their archive system of record to satisfy regulatory obligations.

Repurposing tools already in use for other functions provides significant cost savings and ease of implementation benefits. Microsoft offers the same capabilities of legacy archive solutions including archiving, supervision, eDiscovery, and records management. The financial services industry and regulators recognise that M365 Purview can meet specialised requirements, such as the 17a-4 regulations. 

Key capabilities include:

• Retention and Records Management: M365 has built-in capabilities to allow organisations to manage high-value content and meet regulatory obligations. Applying retention labels and policies provides a baseline governance of data across M365 workloads.
• Microsoft Purview eDiscovery Premium: This solution allows organisations to preserve M365 data in place, collect potentially responsive information, then review and cull that data within the M365 environment. Organisations can reduce the amount of irrelevant but confidential data that leaves their environment and thereby incur saving on future production.
• Legal Hold and In-Place Preservation: There is a built-in communications workflow to send legal hold notifications to custodians and track acknowledgments. Users can also build automation around in-place preservation on scale with Graph APIs or use a UI to manage the process.
• Compliant Archiving: Organisations can retain data to comply with FINRA, SEC, FERC and other requirements.  Features are available to streamline supervision/surveillance compliance obligations by allowing users to review communications and kick off investigations when violations occur.
• Data Loss Prevention (DLP): These capabilities help control sensitive data across Exchange, Teams, SharePoint, OneDrive, and Devices. Having these capabilities in one platform is extremely valuable.  It is crucial to remember that introducing M365 as the archive system of record leads to a variety of documentation updates. An inventory and review of documentation is required to ensure capabilities reflect in organisational policies, procedures, employee onboarding and offboarding activities, and training materials. While this will take some time to get up and running, organisations should see substantial ROI and improved ease of use after implementation.