In This Article
- The encryption rule examiners actually enforce
- Who the mandate covers: the bank, credit union, and mortgage split
- What Microsoft 365 already encrypts by default
- The gap between default encryption and an examiner-ready posture
- The Microsoft 365 controls that close the gap
- Customer-managed keys for your crown jewels
- Frequently Asked Questions
Your loan officers send borrowers tax returns, pay stubs, and closing disclosures every hour of the business day. Your members and customers expect that data to move quickly and arrive without friction. Microsoft 365 lets your team do exactly that, and it encrypts a great deal of that data automatically. So when an examiner asks how you protect customer information by encryption, it is tempting to answer that Microsoft handles it.
That answer is half right, and the half that is missing is the half examiners check. Microsoft 365 encrypts data on its disks and across the wire by default. It does not, by default, guarantee that the content of an email leaving your tenant stays encrypted and bound to the right recipient, or that a sensitive file shared in Teams stays protected after someone downloads it. That difference is the difference between a control you can describe and a control you can prove.
This guide walks through what Microsoft 365 encrypts on its own, where the gap sits, and the specific Microsoft controls that turn default encryption into the documented, examiner-ready posture that the FTC Safeguards Rule and the banking agencies expect. It is written for the people who get the exam findings: the IT directors, security leads, and compliance officers at credit unions, banks, and mortgage companies.
The encryption rule examiners actually enforce
For non-bank financial institutions, the encryption requirement is not a best practice or a framework suggestion. It is a categorical line in the FTC Safeguards Rule, and it has been enforceable since June 9, 2023, the compliance deadline for the rule's revised provisions. The text is short and specific.
Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest.
Read it closely, because two details decide whether your posture holds up. First, the requirement is for data both in transit over external networks and at rest. Not one or the other. An institution that encrypts its servers but lets sensitive email content travel unprotected has covered half the rule. Second, there is exactly one exception. If your institution determines that encryption is infeasible for a particular system, the rule allows you to substitute effective alternative compensating controls, but only when those controls are reviewed and approved by your Qualified Individual, the person the rule makes accountable for your information security program.
That exception is the honest nuance, and it is the one examiners apply in practice. There is no informal waiver. If encryption is off somewhere, an examiner expects to see a documented infeasibility determination, a documented compensating control, and the Qualified Individual's documented approval. "Microsoft encrypts it" is not that documentation.
Why this matters for financial institutions
The encryption requirement is one of nine elements the Safeguards Rule requires in a written information security program. Encryption is the element most often misread as "already handled by the cloud," which is precisely why it surfaces as a finding. The fix is rarely buying new technology. For most institutions on Microsoft 365, the controls already exist in the license tier they own. They are simply not configured, applied, or documented yet.
If you want the full picture of how the Safeguards Rule maps onto a Microsoft 365 tenant, our companion guide on the FTC Safeguards Rule for mortgage companies using Microsoft 365 walks the rule element by element. Encryption is one piece of a larger program, and the program is what the exam grades.
Who the mandate covers: the bank, credit union, and mortgage split
Here is where a lot of well-meaning compliance copy goes wrong, and where getting it right earns you credibility. The FTC Safeguards Rule does not apply to every financial institution. It applies to non-bank financial institutions under the Federal Trade Commission's jurisdiction. That includes independent mortgage lenders and brokers, auto dealers that arrange financing, and similar non-depository lenders. It does not cover banks or federally insured credit unions.
Banks and credit unions are not off the hook for encryption. They sit under a parallel regime: the information security standards that implement Section 501(b) of the Gramm-Leach-Bliley Act, written as the Interagency Guidelines Establishing Information Security Standards. Each prudential regulator publishes its own version of those guidelines.
Non-bank mortgage companies
Governed by the FTC Safeguards Rule, 16 CFR Part 314. The encryption requirement at 314.4(c)(3) is categorical: encrypt customer information in transit over external networks and at rest, unless infeasibility plus Qualified-Individual-approved compensating controls apply.
Banks and credit unions
Governed by the GLBA Section 501(b) Interagency Guidelines. The OCC publishes them at 12 CFR Part 30, Appendix B; the FDIC at 12 CFR Part 364, Appendix B; the Federal Reserve in its own appendices; and the NCUA at 12 CFR Part 748, Appendix A. These are risk-based, and they expressly expect encryption.
The risk-based framing matters, but it does not soften the encryption expectation. The NCUA's Appendix A, the "Guidelines for Safeguarding Member Information," names the control directly as one of the measures a credit union should consider.
Encryption of electronic member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.
So the practical answer is the same across all three institution types, arrived at through two different doors. A mortgage company faces a categorical mandate. A bank or credit union faces a risk-based guideline that expressly expects encryption in transit and in storage. In both cases, an examiner will ask the same question: show me how customer or member information is encrypted, and show me where you decided it was not. The Microsoft 365 controls that answer that question are identical regardless of which door you came through.
What Microsoft 365 already encrypts by default
Start with the good news, because it is real and your institution is not starting from zero. Microsoft 365 encrypts customer data at rest by default. It uses BitLocker for volume-level disk encryption in Microsoft's data centers, Distributed Key Manager for key management, and additional service-level encryption across Exchange Online, SharePoint, OneDrive, and Teams files. The cryptography relies on FIPS 140-2 validated modules. By default, the keys are Microsoft-managed.
Data in transit is encrypted too. Microsoft 365 uses Transport Layer Security by default, and Exchange Online negotiates TLS 1.2 for mail transport. When your staff opens Outlook, when a file syncs to OneDrive, when one Microsoft server talks to another, that traffic is protected in transit.
The honest baseline
Microsoft 365 encrypts your data at rest with BitLocker and in transit with TLS, automatically, before you configure anything. The disks are encrypted. The connections are encrypted. What default encryption does not do is guarantee that the content of data leaving your tenant stays encrypted and bound to the intended recipient. That is a different control, and it is the one your exam is checking.
This is the point where a lot of vendor messaging overreaches in one of two directions. Some claim Microsoft 365 is fully encrypted end to end, which is not accurate and will not survive an auditor's follow-up question. Others claim Microsoft 365 email is not encrypted, which is equally wrong and needlessly alarming. Neither framing is useful. The accurate framing is narrower and more important: default encryption protects data at rest on Microsoft's infrastructure and protects connections in transit, and there is a specific category of risk that default encryption alone does not close.
The gap between default encryption and an examiner-ready posture
The gap lives at the moment data leaves your tenant. TLS protects the connection between two servers. It does not protect the message content once the message lands, and it does not control what happens to that content afterward. When Exchange Online delivers email to a non-Microsoft server, the transport is only as protected as the receiving server allows. External mail transport is frequently opportunistic, meaning it uses TLS when the receiving server supports it and falls back when it does not, unless you enforce otherwise.
So consider what actually happens to a borrower's data on a normal day.
A loan officer emails a borrower their closing disclosure as a PDF attachment. The borrower replies, downloads the file, forwards it to their spouse, and saves it to a personal cloud drive.
TLS protected the hop from Exchange Online to the borrower's mail server, if that server accepted TLS. After the message arrived, the content was a plain attachment. Nothing in the default configuration encrypted the content itself or controlled the forward and the download.
Now add the threat reality. The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68 percent of breaches. Stolen credentials and phishing remain among the top breach actions year over year. This is the part that reframes the encryption conversation. At-rest encryption is transparent to anyone who is logged in: BitLocker protects the disk from physical theft, but it does nothing to limit what a user can see once they have authenticated. So the at-rest layer alone does not narrow who can reach a given file, and it does not follow the data when that file leaves the tenant. Those are the two exposures content-level controls are built to address.
At-rest disk encryption protects your data from a stolen hard drive. It does not narrow who can open a sensitive file, and it does not follow the file out the door. Content-level encryption with access control does both.
Sensitivity labels and message encryption are not a cure for a compromised account that already has rights to a file. What they do is limit access to specific identities, so the population that can open a labeled document is small and deliberate rather than everyone in the tenant, and they keep the encryption and permissions attached to the content after it is sent or downloaded. That is why the examiner-grade control is not "is the disk encrypted." It is "is the sensitive content encrypted, scoped to the right people, and able to travel safely outside the tenant, and can you prove it." Closing that gap is a configuration exercise, and the tools to do it are already in Microsoft 365.
Not sure whether your outbound email is actually content-encrypted?
ABT configures and documents the Microsoft 365 encryption controls examiners check.
The Microsoft 365 controls that close the gap
Three Microsoft 365 controls turn default encryption into a content-level, recipient-bound, examiner-ready posture. None of them require a new platform. They require configuration, rollout, and documentation in the tenant you already run.
Encrypts outbound email to recipients through the Azure Rights Management service, with rights controls such as Encrypt-Only and Do Not Forward.
Microsoft Purview Message Encryption, the successor to what was branded Office 365 Message Encryption, encrypts the message itself, not just the connection. When that loan officer sends a closing disclosure, the content is encrypted and tied to the intended recipient. With Do Not Forward applied, the borrower can read it but cannot forward it onward. This is the control that turns the email scenario above from "we hope the receiving server used TLS" into "the content was encrypted to the recipient, and we can show the policy that did it."
The second control protects files wherever they go.
Applies encryption and access control that persists with the file wherever it travels, including email, SharePoint, OneDrive, and removable media.
A sensitivity label is a piece of metadata that carries encryption and access rules with the file. Label a tax return "Confidential," and the encryption and permissions travel with the document. If that file is downloaded from Teams, copied to a USB drive, or attached to an email, it stays encrypted and only authorized identities can open it. The protection is bound to the content, not to the location, which is exactly the property the borrower-data scenario was missing. Sensitivity labels work hand in hand with data loss prevention, and our guide on Microsoft 365 data loss prevention for financial services covers how labeling and DLP policies reinforce each other.
The third control hands you the keys.
Lets your institution provide customer-managed root keys, stored in Azure Key Vault, for service encryption across Exchange, SharePoint, OneDrive, and Teams files.
By default, Microsoft manages the encryption keys. Customer Key lets your institution supply and control the root keys instead, stored in your Azure Key Vault. For a board or an examiner asking who holds the keys to member data, "we do, and here is the key vault" is a materially stronger answer than "Microsoft does." Customer Key adds a layer of encryption using your own keys on top of the default service encryption.
A note on terminology that auditors notice
ABT manages your Microsoft 365 tenant. Microsoft owns and runs the underlying infrastructure; as a Tier-1 Microsoft Cloud Solution Provider, ABT configures and operates the encryption posture inside that tenant through delegated administration. The Azure Key Vault that holds your Customer Key root keys lives in your own Azure subscription, which ABT can operate as the partner of record. Precision here is not pedantry. A vendor that says it will host the tenant, rather than manage it, tells an examiner it may not understand its own delegated-admin role, and that makes the examiner wonder what else is imprecise.
Notice the arc across these three controls. Message Encryption protects what your team sends. Sensitivity labels protect what your team stores and shares. Customer Key proves who controls the keys. Together they take the productivity your team already has, keep the data protected as it moves, and produce the governance evidence the exam wants. For the email and file retention side of that evidence, see our guide on Microsoft 365 data retention and email archiving for financial institutions.
Customer-managed keys for your crown jewels
For the most sensitive data an institution holds, there is one more tier of control, and it comes with an honest tradeoff that you should understand before you reach for it.
Double Key Encryption protects data with two keys: one your institution controls, and one stored securely in Microsoft Azure. Both keys are required to view the data, so Microsoft can access only one key and the content stays unavailable to Microsoft alone. Microsoft documents Double Key Encryption as a control that helps meet regulatory requirements including the Gramm-Leach-Bliley Act, and positions it for highly regulated industries such as financial services.
The tradeoff is real and you should not be sold this control without it. Because the Microsoft 365 service cannot decrypt Double Key Encryption content on its own, that content cannot be processed by the cloud services that need to read it. Per Microsoft's own documentation, that list includes Microsoft 365 Copilot, eDiscovery content inspection, content search and indexing, coauthoring in the Office web apps, and mail-flow rules that scan attachments. Double Key Encryption also requires Microsoft 365 E5, or equivalent Purview Information Protection licensing.
Right control, right data tier
Microsoft's own Double Key Encryption guidance, in its section on when an organization should adopt the control, describes most organizational data as nonsensitive (about 80 percent), a sensitive middle tier (about 15 percent), and a highly sensitive "crown jewels" tier (about 5 percent). Double Key Encryption is built for that top 5 percent, where the strictest protection is worth giving up Copilot, search, and coauthoring. For the other 95 percent, sensitivity labels with Microsoft-managed or customer-managed keys give you protection without breaking the productivity tools your team relies on.
This is precisely where experienced configuration earns its keep. Applying Double Key Encryption to everything would cripple search, eDiscovery, and Copilot across your whole tenant. Applying it to nothing leaves your most sensitive data with the same protection as a routine memo. The work is identifying which data belongs in which tier, applying the right control to each, and documenting the decision so an examiner sees deliberate data classification rather than a blanket setting or an oversight.
The encouraging part of all this is how little of it requires a purchase order. The controls that close the gap are, for most institutions, already paid for.
Every institution we onboard already owns most of these controls. Microsoft Purview Message Encryption, sensitivity labels, and Customer Key live inside the Microsoft 365 license tiers banks, credit unions, and mortgage companies commonly hold. The exam findings come from controls that were never turned on, never rolled out to users, or never documented. ABT manages the tenant, configures the encryption controls to match the institution's data and regulator, and produces the evidence package the examiner asks for. The license is the easy part. The examiner-ready configuration is the work.
Encryption is one layer of a defensible Microsoft 365 program. The identity layer that keeps attackers from authenticating in the first place matters just as much, which is why our guide on phishing-resistant multifactor authentication for financial institutions is a natural next read. And because encryption protects data you still have to be able to recover, pair it with the approach in our guide on Microsoft 365 backup for financial institutions. For banks specifically navigating GLBA and OCC expectations, our deeper guide on Microsoft 365, GLBA, and OCC compliance for community banks ties the encryption control into the broader examination picture.
Make your Microsoft 365 encryption posture examiner-ready
Default BitLocker and TLS are the floor, not the finish line. ABT configures Microsoft Purview Message Encryption, sensitivity labels, and Customer Key in your managed tenant, then documents it for the exam.
Frequently Asked Questions
Yes, in part. Microsoft 365 encrypts customer data at rest by default using BitLocker and service-level encryption across Exchange Online, SharePoint, OneDrive, and Teams, and it encrypts data in transit using TLS, with Exchange Online negotiating TLS 1.2 for mail. What default encryption does not do is guarantee content-level, recipient-bound encryption for data that leaves the tenant, such as email to a borrower or a file downloaded from Teams. Closing that gap requires configuring Microsoft Purview Message Encryption, sensitivity labels, and Customer Key.
Default encryption is a foundation, not a complete answer. The FTC Safeguards Rule at 16 CFR 314.4(c)(3) requires covered non-bank financial institutions to protect customer information by encryption both in transit over external networks and at rest, or to use compensating controls approved by the Qualified Individual where encryption is infeasible. An examiner expects documented evidence of how content is encrypted and where it is not, which means default Microsoft-managed encryption needs to be supplemented with configured controls and a written record. Microsoft 365 provides the controls to satisfy the requirement when they are configured, applied, and documented.
No. The FTC Safeguards Rule applies to non-bank financial institutions under FTC jurisdiction, such as independent mortgage lenders and brokers. Banks and federally insured credit unions are covered instead by the GLBA Section 501(b) Interagency Guidelines, published by the OCC at 12 CFR Part 30 Appendix B, the FDIC at 12 CFR Part 364 Appendix B, the Federal Reserve in its own appendices, and the NCUA at 12 CFR Part 748 Appendix A. Those guidelines are risk-based and expressly expect encryption of customer or member information in transit and in storage, so the practical encryption expectation is the same across credit unions, banks, and mortgage companies.
TLS encrypts the connection between two mail servers while a message is in transit. It does not encrypt the message content once the message arrives, and external mail transport is often opportunistic, meaning it uses TLS only when the receiving server supports it. Microsoft Purview Message Encryption encrypts the message content itself and binds it to the intended recipient, with optional rights controls such as Encrypt-Only and Do Not Forward. For customer information leaving the tenant, message encryption is the control examiners look for, because it protects the content regardless of how the transport behaves.
Double Key Encryption is built for an institution's most sensitive data, roughly the top 5 percent that Microsoft's data-tiering guidance calls the crown jewels. It uses two keys, one held by your institution and one stored in Microsoft Azure, so Microsoft alone cannot decrypt the content. The tradeoff is that Microsoft 365 services cannot process Double Key Encryption content, including Microsoft 365 Copilot, eDiscovery, content search, and coauthoring, and it requires Microsoft 365 E5 or equivalent Purview Information Protection licensing. For the other 95 percent of data, sensitivity labels with Microsoft-managed or customer-managed keys provide strong protection without breaking those productivity tools.