In This Article
- What Microsoft Purview Communication Compliance Is
- Why Communication Supervision Became an Examination Issue
- How Communication Compliance Works Inside Microsoft 365
- What Banks, Credit Unions, and Mortgage Companies Need to Capture
- The Off-Channel Gap: Personal Devices and Consumer Apps
- What Communication Compliance Requires: Licensing and Setup
- How ABT Stands This Up for Financial Institutions
- Frequently Asked Questions
Your loan officers, tellers, member-service reps, and wealth advisers now run most of their day inside Microsoft Teams and Outlook. They chat, they meet, they message a borrower back in seconds. That speed is a genuine productivity win. It is also a recordkeeping and supervision obligation, because every one of those messages is a business communication your examiners can ask to see.
Microsoft Purview Communication Compliance is the Microsoft 365 tool built for exactly that obligation. It watches the communication channels your people actually use, flags the messages that carry compliance or conduct risk, and gives a designated reviewer a private, auditable way to act on them. For a bank, credit union, or mortgage company, it turns a growing supervision headache into a managed, reportable process.
This guide explains what Communication Compliance does, why regulators have made communications supervision a first-order examination priority, and what it takes to stand it up correctly in a financial institution's Microsoft 365 tenant.
What Microsoft Purview Communication Compliance Is
Microsoft Purview Communication Compliance is an insider-risk solution that helps an organization detect, capture, and act on inappropriate or non-compliant messages before they become a data-security or compliance incident. It evaluates text and image-based messages across the channels your workforce uses, including Microsoft Teams chats, Exchange Online email, Microsoft 365 Copilot interactions, Viva Engage, and third-party sources such as WhatsApp and Instant Bloomberg brought in through connectors.
The engine is machine-learning classifiers plus keyword matching. Instead of a compliance officer manually reading a sample of thousands of messages, Communication Compliance surfaces only the ones that match a policy, then routes them to a named reviewer. That reviewer, working from the Microsoft Purview portal, can escalate a message, notify the sender, or remove an inappropriate message from Teams. Microsoft built the tool privacy-first: usernames are pseudonymized by default, access is role-based, and every review action is logged.
Why This Matters for Financial Institutions
Supervision of employee communications is not optional for regulated firms. Microsoft explicitly positions Communication Compliance to help organizations detect regulatory-compliance violations, naming the SEC and FINRA, and ships a built-in "Detect financial regulatory compliance" policy template. That template carries built-in classifiers aimed at financial-services conduct risks such as customer complaints, money laundering, and market manipulation, so a compliance team can start from a financial-services baseline rather than building policy from scratch.
Why Communication Supervision Became an Examination Issue
The short answer is enforcement. Over the last few years, regulators stopped treating messy communication records as a paperwork problem and started treating them as a supervision failure worth hundreds of millions of dollars. The Securities and Exchange Commission's "off-channel communications" campaign is the clearest signal, and it is the bellwether the entire financial-services industry now watches.
It began in December 2021, when the SEC charged J.P. Morgan Securities a $125 million civil penalty for widespread failures to preserve business communications that employees had sent over personal devices and unapproved messaging apps. That opening case set the template. The sweep then widened across the industry.
Read the pattern rather than the individual dollar figures. Regulators now expect a firm to capture the communications where business actually happens, retain them, and supervise them, and they are willing to penalize a firm even when there is no underlying fraud, purely for the recordkeeping and supervision gap itself.
Broadly, SEC Rule 17a-4 requires broker-dealers to preserve records of their business communications, including electronic ones, and produce them on request. FINRA Rule 3110 separately requires a firm to maintain a system to supervise those communications. This is a plain-language summary of the requirements, not a verbatim quotation.
Banks, credit unions, and mortgage companies are not all SEC registrants, and it would be wrong to imply that a community credit union will be fined by the SEC. But many financial institutions run brokerage, trust, or wealth-management affiliates that are directly in scope, and the rest face parallel expectations from their own examiners. The FFIEC framework for banks, the NCUA for credit unions, and the Consumer Financial Protection Bureau and state regulators for mortgage companies all expect a firm to preserve and supervise the communications tied to consumer relationships and regulated activity. The tooling that answers all of these obligations is the same.
How Communication Compliance Works Inside Microsoft 365
Communication Compliance runs as a native part of your Microsoft 365 tenant, so there is no separate archive product to bolt on and no messages leaving Microsoft's compliance boundary. A compliance administrator creates a policy that answers four questions: whose communications to check, which channels to include, what to look for, and who reviews the matches.
The channels available today cover where financial-services work actually happens:
- Microsoft Teams chats and channels, including detection inside meeting transcripts.
- Exchange Online email across all mailboxes in the organization.
- Microsoft 365 Copilot prompts and responses, so AI interactions are supervised alongside human ones.
- Viva Engage community conversations and private messages.
- Third-party sources such as WhatsApp, Bloomberg chat, and other platforms, imported through connectors.
Once a policy runs, machine-learning classifiers score every in-scope message. When a message matches, it appears in the reviewer's queue with the surrounding context. The reviewer, who must sit in a dedicated Communication Compliance role and is opted in by an administrator, can resolve the alert, escalate it, tag it, notify the user, or remove the message. Dashboards track pending and resolved matches, and a compliance team can export a full activity log to answer an examiner's request. The result is a defensible, repeatable supervision process instead of a spreadsheet and a promise.
The point is not to read everyone's messages. The point is to prove, on demand, that your firm has a system that catches the ones that matter.
What Banks, Credit Unions, and Mortgage Companies Need to Capture
The financial-services value of Communication Compliance is that it maps to the conduct risks examiners actually probe. A generic harassment filter is table stakes. What sets a regulated firm apart is supervising the communications where money, advice, and consumer protection intersect. That looks different in each corner of the industry.
Mortgage companies live in the borrower conversation. Loan officers text and message applicants constantly, and those exchanges touch fair-lending, steering, fee disclosure, and complaint-handling rules under Regulation Z, RESPA, and the broader prohibition on unfair, deceptive, or abusive acts and practices. A Communication Compliance policy can flag customer-complaint language and unauthorized disclosures in Teams and Outlook so a compliance officer sees them in days, not during a Consumer Financial Protection Bureau examination. Our guide on bridging IT and compliance in the mortgage industry with Microsoft solutions goes deeper on that overlap.
Credit unions field member communications across service, lending, and, increasingly, investment programs offered through a credit-union service organization. Communication Compliance supervises member-facing channels for complaint patterns and conduct issues, and it pairs naturally with the member-data protections that Microsoft Purview sensitivity labels provide for nonpublic personal information.
Banks carry the widest surface. A community bank may run a trust department, a wealth arm, and a treasury desk, some of which are directly in FINRA and SEC scope, alongside BSA and anti-money-laundering monitoring that already depends on reviewing communications for suspicious activity. Communication Compliance and insider risk management together give a bank a single lens on both conduct in messages and risky activity by users.
The takeaway
Supervision and retention are two halves of one obligation. Communication Compliance is the supervision half, catching the risky message. Retention and archiving keep the record. Read how the record side works in our guide to Microsoft 365 data retention for financial institutions, and treat the two as a pair.
The Off-Channel Gap: Personal Devices and Consumer Apps
Here is the failure mode that produced billions in penalties, and it is deceptively ordinary. An employee finds the approved channel slow, so they move the conversation to a personal cell phone, a text thread, or a consumer messaging app. The business gets done. The record never enters a system anyone can search, retain, or supervise. When the examiner asks for it, the firm cannot produce it, and the gap itself is the violation.
A loan officer switches a borrower conversation to personal text because it is faster, and later promises a rate concession that never reaches the file.
The institution has no record to supervise or produce. A complaint or exam turns a convenience into an unsupervised, undocumented commitment the firm must defend blind.
Communication Compliance addresses this from two directions. First, by making the approved channels genuinely usable, Microsoft Teams and Outlook, it removes the excuse to go off-channel in the first place. When the sanctioned tools are the fast tools, people stay on them. Second, for the platforms employees still reach for, Communication Compliance ingests third-party sources through connectors, so a WhatsApp or Bloomberg conversation can be pulled into the same supervision and review workflow rather than living in a blind spot. The strategy is to shrink the off-channel surface and to capture what remains.
Communication Compliance is part of the Microsoft Purview suite inside Microsoft 365. Because ABT manages your Microsoft 365 tenant as a Tier-1 Microsoft Cloud Solution Provider, the supervision policy, the reviewer roles, the retention that backs it, and the Microsoft Entra ID access controls around it all live in one governed environment rather than a patchwork of add-on vendors.
What Communication Compliance Requires: Licensing and Setup
Communication Compliance is an E5-tier capability. A user whose communications are covered by a policy needs Microsoft 365 E5, Office 365 E5, or the Microsoft Purview Suite (formerly Microsoft 365 E5 Compliance). It is not included in Microsoft 365 E3, and for an institution running on E3 or Business Premium that is often the first surprise. It does not have to mean relicensing every user to full E5, though. The Microsoft Purview Suite is available as an add-on, so most institutions can reach the capability without a wholesale migration. The honest move is to price it both ways before a project starts, rather than stall a rollout after.
Setup is not only technical. The privacy-by-design controls, pseudonymized names, role-based access, and audit logging, matter because employee-communication supervision touches employment and privacy law. Getting the roles, scoping, and notice right is as important as getting the classifiers right, which is where an experienced partner earns its keep.
How ABT Stands This Up for Financial Institutions
Access Business Technologies is the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, and we manage the Microsoft 365 tenants of more than 750 banks, credit unions, and mortgage companies. Communication Compliance is not a standalone product we resell. It is one capability inside the Microsoft 365 environment we already manage under our Guardian operating model, which means the supervision policy sits alongside the identity, data-protection, and retention controls that surround it.
In practice, that means we confirm the licensing math before it becomes a blocker, configure the financial regulatory template to your institution's products, set the reviewer roles so compliance and IT stay properly separated, connect the off-channel sources your people actually use, and align supervision with the retention and data loss prevention policies already in your tenant. You get a defensible, examiner-ready supervision process, and one partner who manages the whole Microsoft 365 environment it lives in.
Turn communication supervision from a gap into a managed process
ABT configures Microsoft Purview Communication Compliance inside the Microsoft 365 tenant we already manage for banks, credit unions, and mortgage companies. Talk to an ABT expert about closing your off-channel gap before your next exam.
Frequently Asked Questions
Microsoft Purview Communication Compliance is an insider-risk solution in Microsoft 365 that helps organizations detect, capture, and act on inappropriate or non-compliant messages across Microsoft Teams, Exchange Online email, Microsoft 365 Copilot, Viva Engage, and third-party sources. It uses machine-learning classifiers to surface only policy matches for a designated reviewer, and it is built privacy-first with pseudonymized usernames and role-based access.
Yes. Firms with brokerage, trust, or wealth affiliates are directly subject to SEC and FINRA recordkeeping and supervision rules, and the rest face parallel expectations from the FFIEC, the NCUA, and the Consumer Financial Protection Bureau to preserve and supervise communications tied to consumer relationships and regulated activity. The same Microsoft Purview toolset addresses all of these obligations.
Communication Compliance is an E5-tier capability. Any user whose communications are covered by a policy needs Microsoft 365 E5, Office 365 E5, or the Microsoft Purview Suite (formerly Microsoft 365 E5 Compliance). It is not included in Microsoft 365 E3, so institutions on E3 should plan the licensing before scoping a policy.
Off-channel communications are business messages sent on unapproved tools such as personal devices, text threads, or consumer messaging apps, where the firm cannot capture, retain, or supervise them. By the SEC's account, its off-channel enforcement sweep has since December 2021 reached dozens of firms and more than $2 billion in combined penalties, with specific actions including $1.1 billion across 16 firms in September 2022 and roughly $390 million across 26 firms in August 2024. Regulators penalize the recordkeeping and supervision gap itself, even absent any underlying fraud.
Communication Compliance is built privacy-first. Usernames are pseudonymized by default, access is controlled by dedicated role groups, investigators are opted in by an administrator, and every review action is captured in an audit log. This separation lets a firm meet supervision obligations while limiting who can see identifiable content and keeping a defensible record of how reviews were handled.
Data loss prevention stops sensitive information from leaving the organization, while Communication Compliance supervises the content and conduct of messages for regulatory and policy violations. They are complementary Microsoft Purview capabilities: DLP guards the data, Communication Compliance watches the conversation, and retention preserves both. Financial institutions typically deploy all three together in one Microsoft 365 tenant.