Skip to Content (custom)


Improving Information Governance to Help Financial Services Organizations Remain Compliant

  • Information governance
  • 3 Mins

Organizations in heavily regulated industries often face compliance roadblocks. Deadlines can vary, data pools continually increase, and internal processes may be outdated -- but addressing these challenges can be simplified. Enhancing information governance is one transformative option to explore, especially for financial services organizations. The industry is subject to stringent regulatory requirements due to the nature of deals in the sector. Those tasked with policy creation, tech investment, and regulatory compliance management should know their options and strategize accordingly.

A Demanding Regulatory Landscape

Financial services organizations are subject to heightened regulatory oversight for digital communications. Understanding requirements around what data to retain, how to retain it, and for how long is business critical. While this effort may seem cumbersome, the first step is knowing which regulations apply and what is expected to sufficiently meet each obligation.

A prime example is Rule 17a-4 of the Securities and Exchange Act. This rule outlines the requirements for retaining and preserving records by broker-dealers and other regulated entities. SEC Rule 17a-4(b)(4) requires that a broker-dealer retain originals of all communications received and copies of all communications sent by the broker-dealer relating to its “business as such” for at least three years – and for the first two years, in an easily accessible place.

Additionally, the 17a-4 includes specific provisions for the use of “worm-compliant” storage (Write Once, Read Many) for certain types of electronic records. The Securities and Exchange Commission (SEC) provided guidance on this topic in 2022, adding an audit-trail alternative to the existing requirement that broker-dealers preserve electronic records exclusively in a non-rewriteable, non-erasable format.  These changes allow the use of modern technology to comply with these rules, eliminating the need to utilize legacy storage that is slow and costly.

Another example that falls under the SEC’s authority is the Commodities Future Trading Commission (CFTC) Rule 15F(g)(1) CFTC SEA 15F(g)(1). This rule is more limited in scope as it relates to commodity future trading activity. It requires that broker-dealers retain all daily trading communications dealing with security-based swaps.

The above examples represent just a few communication-related regulatory obligations the financial services industry faces. The Financial Industry Regulatory Authority (FINRA) notice provisions is another example of regulatory obligations organizations can be subject to. Noncompliant organizations can be subject to fines, reputational harm, and disrupted business operations.

Microsoft Information Governance Solutions

Most organizations expect regulators to increase their communication monitoring in the future, and as a result these organizations have begun to revisit Microsoft’s Purview Platform. As such, it is critical for decision makers at financial services organizations to understand their options, and information governance is foundational to maintaining sound retention and preservation practices. Compliance-driven information governance programs should also highlight the policies around authorized communication channels, as this will help organizations keep track of data they need to archive and reduce the risk of using unmonitored communications.

To remain complaint, financial services organizations should explore Microsoft 365 (M365). While many financial services organizations have already adopted M365 for email, document management, and collaboration, they continue to ingest messages into separate archive solutions. These legacy archives have been in place for 10, 15, or even 20+ years, often storing petabytes of information. They may have capabilities for eDiscovery, legal hold, supervision, and records retention. Organizations are revisiting M365 and planning their roadmap to leverage M365 as their archive system of record to satisfy regulatory obligations.

Repurposing tools already in use for other functions provides significant cost savings and ease of implementation benefits. Microsoft offers the same capabilities of legacy archive solutions including archiving, supervision, eDiscovery, and records management. The financial services industry and regulators recognize that M365 Purview can meet specialized requirements, such as the 17a-4 regulations. 

Key capabilities include:

  • Retention and Records Management: M365 has built-in capabilities to allow organizations to manage high-value content and meet regulatory obligations. Applying retention labels and policies provides a baseline governance of data across M365 workloads.
  • Microsoft Purview eDiscovery Premium: This solution allows organizations to preserve M365 data in place, collect potentially responsive information, then review and cull that data within the M365 environment. Organizations can reduce the amount of irrelevant but confidential data that leaves their environment and thereby incur saving on future production.
  • Legal Hold and In-Place Preservation: There is a built-in communications workflow to send legal hold notifications to custodians and track acknowledgments. Users can also build automation around in-place preservation on scale with Graph APIs or use a UI to manage the process.
  • Compliant Archiving: Organizations can retain data to comply with FINRA, SEC, FERC and other requirements.  Features are available to streamline supervision/surveillance compliance obligations by allowing users to review communications and kick off investigations when violations occur.
  • Data Loss Prevention (DLP): These capabilities help control sensitive data across Exchange, Teams, SharePoint, OneDrive, and Devices. Having these capabilities in one platform is extremely valuable.  It is crucial to remember that introducing M365 as the archive system of record leads to a variety of documentation updates. An inventory and review of documentation is required to ensure capabilities reflect in organizational policies, procedures, employee onboarding and offboarding activities, and training materials. While this will take some time to get up and running, organizations should see substantial ROI and improved ease of use after implementation. 

To learn more about Information Governance options to meet regulatory requirements and decrease risk, download our white paper.

The contents of this article are intended to convey general information only and not to provide legal advice or opinions.

Subscribe to Future Blog Posts

Learn more about Epiq's Service offerings
Our Services