A credit union processor opens a member's tax returns, copies a Social Security number into a spreadsheet, and shares the loan file with an underwriter over Microsoft Teams. That is normal, productive work. It is also the exact moment nonpublic personal information leaves anyone's direct control. Microsoft Purview sensitivity labels for financial institutions exist to make that moment safe: they classify the data, travel with it, and keep the protection attached no matter where the file goes next.
A sensitivity label is a tag that carries rules. Apply a Confidential label to a mortgage file and Microsoft Purview can encrypt it, stamp it with a watermark, and restrict who is allowed to open, edit, print, or forward it. That protection stays with the document when it is emailed, copied to a USB drive, or downloaded from SharePoint. For a bank, a credit union, or a mortgage lender, that is the difference between data you govern and data you only hope stays put.
Here is the part most institutions miss. Under the FTC Safeguards Rule, the duty to notify the FTC is triggered by the unauthorized acquisition of unencrypted customer information. Classify and encrypt that data with a label, and an incident that might otherwise have crossed the reporting threshold may never reach it. Labels are not a compliance checkbox. They are the least expensive control that shrinks breach risk and regulatory exposure at the same time.
What are Microsoft Purview sensitivity labels?
Microsoft Purview sensitivity labels are classification tags that apply persistent protection to documents, emails, and collaboration spaces across Microsoft 365. A label does two jobs at once. First, it classifies content by sensitivity, for example Public, Internal, Confidential, or Highly Confidential. Second, it can enforce protection: encryption that restricts who can access the content and what they can do with it, plus visual markings such as headers, footers, and watermarks.
The important word is persistent. When a label applies encryption, that protection is written into the file itself. Send the file outside the tenant, save it to personal storage, or lose the laptop it lives on, and the file stays locked to the people the label authorized. Sensitivity labels are supported in Word, Excel, PowerPoint, and Outlook on Windows, macOS, iOS, Android, and the web, so the same rules follow a loan officer from a desktop to a phone without extra work.
Labels also pair naturally with the controls a financial institution already relies on. Encryption at the file level complements tenant-wide Microsoft 365 encryption, and the classification a label carries becomes the condition that data loss prevention and governance policies act on later. That layering is the reason Microsoft's own Zero Trust guidance identifies sensitivity labels as the foundation of data protection.
Why this matters for financial institutions
Regulated lenders and depositories handle nonpublic personal information on nearly every transaction: account numbers, Social Security numbers, income documents, appraisals, and card data. Examiners do not just ask whether that data is protected. They ask whether the institution knows where it lives and can prove the controls on it. A sensitivity label answers both questions in a single, auditable artifact that a bank or credit union can point to during a GLBA examination.
How labels support GLBA and NPI protection
The FTC Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act, requires a financial institution to build and maintain a written information security program that protects customer information, meaning any record that contains nonpublic personal information. In practice the rule expects the institution to know where that data lives, control who can reach it, and encrypt customer information at rest and in transit, or apply effective alternative compensating controls that the Qualified Individual reviews and approves.
Sensitivity labels operationalize three of those obligations in one move. The label classifies the data, so the institution can inventory and report where nonpublic personal information sits. The label's encryption restricts access to authorized people. And that same encryption satisfies the protection requirement in a form auditors recognize. Instead of a policy document that describes intent, the institution gets a control that actually enforces itself on the file. Firms already mapping Microsoft 365 to GLBA and OCC expectations should treat labeling as the classification layer the rest of that program stands on.
"You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." (16 CFR 314.3(a))
How auto-labeling classifies NPI automatically
Manual labeling works, but it depends on every employee making the right call on every file, which is not a control an examiner will trust at scale. Auto-labeling closes that gap. Microsoft Purview auto-labeling policies scan content for sensitive information types, then apply the correct label without waiting for a person. A policy can watch for prebuilt patterns such as a U.S. Social Security number, a U.S. bank account number, or a credit card number, and it can use custom patterns and exact data match for the account formats specific to your core system.
This is where classification stops being paperwork and starts being enforcement. The moment a spreadsheet full of member account numbers is created, an auto-labeling policy can stamp it Highly Confidential and encrypt it, before anyone shares it by mistake. Auto-labeling runs inside Office apps as content is created and as a service-side sweep across SharePoint, OneDrive, and Exchange to catch data already at rest.
Licensing is where financial institutions need precision. Manual labeling and label-based encryption are available broadly, including in Microsoft 365 Business Premium. Automatic labeling, the service-side sweep, and the Purview data loss prevention policies that keep labeled files out of Microsoft 365 Copilot generally require Microsoft 365 E5 or the Microsoft Purview add-ons. The table below shows how a practical taxonomy maps to institution data, protection, and the plan tier each capability needs.
| Label | Typical financial institution data | Protection the label applies | Tier for automation |
|---|---|---|---|
| Public | Marketing rate sheets, published disclosures | Classification only, no encryption | Any plan |
| Internal | Internal memos, non-customer operational files | Watermark, blocks anonymous external sharing | Any plan (manual) |
| Confidential | Loan files, underwriting notes, vendor contracts | Encryption, restricted to named groups | E5 for auto-labeling |
| Highly Confidential (NPI) | Account and Social Security numbers, income docs, card data | Strong encryption, no forward or print, Copilot exclusion | E5 or Purview add-on |
That taxonomy is also the foundation for Microsoft 365 data loss prevention. Once content carries a label, a data loss prevention policy can use the label as its condition rather than re-scanning every file, which makes the whole program faster and easier to defend.
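The sketch below is an added example, not Microsoft's or ABT's code: a simplified model of how a pattern-plus-validation sensitive information type drives a label decision against the four-label taxonomy above, and why validation matters for false positives. All function names and the sample rows are hypothetical, and Purview's own detection logic is richer than these two checks.

```python
import re

# Priority order taken from the page's taxonomy table (higher = more sensitive).
PRIORITY = ["Public", "Internal", "Confidential", "Highly Confidential (NPI)"]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

def valid_ssn(area, group, serial):
    """Reject ranges that are never issued as SSNs, to cut false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from random 16-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text):
    """Return the sensitive information types found in text."""
    found = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("card")
    return found

def auto_label(text, current="Internal"):
    """Escalate to the NPI label on any hit; this sketch never downgrades."""
    target = "Highly Confidential (NPI)" if detect(text) else current
    return max(current, target, key=PRIORITY.index)

def inherited_label(source_labels):
    """New content takes the highest-priority label among its sources."""
    return max(source_labels, key=PRIORITY.index)

# Constructed sample rows, not real customer data.
SAMPLES = {
    "loan_notes": "Borrower SSN 123-45-6789, income verified.",
    "ticket": "Case 000-12-3456, core ref 4111 1111 1111 1112.",
    "card_export": "PAN 4111 1111 1111 1111 exp 01/30",
}
```

The `ticket` row is the case to watch when tuning a real policy: it looks like an SSN and a card number to a bare regex, but fails both validity checks and keeps its existing label.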
Protecting Teams, SharePoint, and Copilot with labels
Sensitivity labels do not stop at individual documents. Container labels extend the same classification to Microsoft Teams sites, Microsoft 365 Groups, and SharePoint sites. A container label sets the privacy of the space, controls external user access and sharing, and governs access from unmanaged devices. Those unmanaged-device and authentication controls work in conjunction with Microsoft Entra ID Conditional Access, so a Highly Confidential Teams site can require a compliant device before it opens. Institutions already tuning Conditional Access policies can attach those rules to a label instead of managing them site by site.
Labels are also a key control for turning on Microsoft 365 Copilot safely. Copilot honors label encryption, so it does not surface content a user is not permitted to see, and it displays the sensitivity label of the items it cites. New content Copilot creates inherits the highest-priority label of its sources. On top of that, Purview data loss prevention for Microsoft 365 Copilot, a generally available control, can block files carrying a label such as Highly Confidential from being processed by Copilot. That combination is what lets a lender adopt Purview data loss prevention for Copilot and AI agents without exposing member data to a prompt.
Why labels come first
Sensitivity labels are not one feature among many. They are the classification layer that data loss prevention, container security, and Copilot governance all build on. Deploy labels first, and every downstream control gets simpler, because each one acts on the label instead of re-inspecting the data.
How to deploy labels in a financial institution
A sensitivity label rollout succeeds or fails on sequence. Skip straight to encryption and you will lock people out of files they need. Start with a taxonomy the business understands, prove it on a pilot, then automate. The path below is the one that survives an examination and does not generate a flood of help desk tickets.
1. Agree on four labels mapped to real data, from Public to Highly Confidential for nonpublic personal information.
2. Release labels to a small group for manual use, gather feedback, and confirm encryption does not break sharing.
3. Turn on auto-labeling for sensitive information types so account and Social Security numbers get labeled on creation.
4. Add container labels to Teams and SharePoint, wire Conditional Access, and set Copilot data loss prevention.
This is the work ABT does for financial institutions every day. As the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, ABT manages the Microsoft 365 tenants of more than 750 banks, credit unions, and mortgage companies under the M365 Guardian operating model: designing the label taxonomy against the institution's actual nonpublic personal information, deploying auto-labeling for the sensitive information types that match its core system, connecting container labels to Microsoft Entra ID Conditional Access, and right-sizing licensing so the institution pays for Microsoft 365 E5 and Purview only where auto-labeling and Copilot controls genuinely require it. Classification also feeds the institution's data retention and archiving program, so the same labels that protect a loan file help govern how long it is kept.
See where your nonpublic personal information is exposed
A Microsoft 365 security assessment from ABT shows a financial institution exactly where labeling would close a gap:
- Where nonpublic personal information sits unclassified across Teams, SharePoint, and email
- Which sensitive information types auto-labeling should catch on creation
- Whether your current licensing covers auto-labeling and Copilot data loss prevention
- A prioritized label taxonomy mapped to your GLBA obligations
Frequently Asked Questions
A Microsoft Purview sensitivity label is a classification tag that applies persistent protection to a document, email, or collaboration space in Microsoft 365. It classifies content by sensitivity and can enforce encryption, restrict who can open or edit the content, and add markings such as watermarks. The protection travels with the file wherever it goes.
The FTC Safeguards Rule (16 CFR Part 314) calls for a written information security program that, among other safeguards, has the institution know where customer information lives, control access to it, and encrypt it or apply effective alternative compensating controls. A sensitivity label supports all three at once: it classifies the data so the institution knows where it lives, restricts access to authorized people, and applies encryption in a form examiners recognize as an enforced control rather than a stated intention.
No. Manual sensitivity labeling and label-based encryption are available in lower plans, including Microsoft 365 Business Premium. Microsoft 365 E5 or the Microsoft Purview add-ons are required for automatic labeling, the service-side sweep across SharePoint and Exchange, and the data loss prevention policies that block labeled files from Microsoft 365 Copilot. Matching plan to need is a licensing decision ABT helps institutions right-size.
Yes. Container labels apply a sensitivity label to Microsoft Teams sites, Microsoft 365 Groups, and SharePoint sites. They set the privacy of the space, control external access and sharing, and govern access from unmanaged devices. The unmanaged-device and authentication settings work together with Microsoft Entra ID Conditional Access, so a highly sensitive site can require a compliant device before it opens.
Microsoft 365 Copilot honors sensitivity labels. It will not surface content a user is not permitted to see, it shows the label of the items it cites, and new content it generates inherits the highest-priority label of its sources. Purview data loss prevention for Microsoft 365 Copilot can also block files carrying a specified label from being processed by Copilot, which lets an institution adopt Copilot without exposing labeled nonpublic personal information.
Sensitivity labels classify and protect the content itself, applying encryption and access rules that travel with the file. Data loss prevention watches how content moves and blocks risky actions, such as emailing a labeled file outside the institution. They work best together: the label sets the classification, and data loss prevention uses that label as the condition it enforces, rather than re-scanning every file.