ABT Blog

Regulatory Compliance and Your Microsoft 365 Environment: What Financial Institutions Must Configure

Written by Justin Kirsch | Sun, Mar 08, 2026

Financial regulators penalized over 100 firms $3.5 billion since 2021 for one recurring failure: off-channel communications that institutions could not produce when examiners asked. The SEC, CFTC, and FINRA collected another $600 million in FY2024 alone, and these enforcement actions are accelerating, not slowing down. The common thread across every penalty is the same: data that should have been retained, monitored, and producible was not. For banks regulated by the OCC and FDIC, credit unions supervised by the NCUA, and mortgage companies answering to the CFPB, the technology platform where most of that data lives is Microsoft 365.

The regulatory landscape shifted again in 2025. The CFPB's workforce dropped from 1,700 to roughly 200 staff, but the compliance obligations written into Regulation E, Regulation Z, Regulation B, and the Gramm-Leach-Bliley Act remain federal law. State attorneys general have already begun stepping into the enforcement vacuum, filing their own actions under state consumer protection statutes. The NCUA's 2026 supervisory priorities explicitly shifted toward risk-based supervision, meaning your M365 configuration is now direct evidence of IT governance maturity during examinations. There is no regulatory pause. There is only a shift in who is checking your work.

Most financial institutions already run Microsoft 365. The question is whether your tenant is configured to meet the specific data handling, retention, and access control requirements that your particular regulator actually checks during an examination. This article maps those requirements to concrete M365 admin center configurations, organized by the compliance capabilities that matter across every financial institution charter type.

$3.5B: total penalties levied against 100+ financial firms since 2021 for off-channel communications failures. The SEC, CFTC, and FINRA collected $600 million in FY2024 alone. Regulators are not guessing — they are auditing your electronic records retention.
Source: SEC, CFTC, and FINRA enforcement actions, 2021-2024

How Your Microsoft 365 Configuration Impacts Regulatory Compliance

Regulatory compliance at a financial institution is not an abstract concept that lives in policy binders. It translates directly into how your Microsoft 365 tenant handles four categories of data that every examiner — whether from the OCC, FDIC, NCUA, CFPB, or state regulators — will scrutinize:

  • Consumer and member personally identifiable information (PII): Social Security numbers, account numbers, loan application data, credit reports, and income documentation flowing through Exchange Online, SharePoint, OneDrive, and Teams. For banks, this includes deposit account records. For credit unions, member share and loan records. For mortgage companies, borrower files spanning the entire origination lifecycle.
  • Regulated transaction and disclosure records: Account statements, Loan Estimates, Closing Disclosures, adverse action notices, error resolution documentation, and fee disclosures that must be retained for specific periods with provable audit trails under Reg E, Reg Z, Reg B, and the Bank Secrecy Act.
  • Communication records: Customer-facing emails, internal processing discussions, compliance review threads, and any electronic communication related to a consumer's account or transaction. Off-channel communication enforcement has become the single largest fine category in financial services.
  • Access and activity logs: Records of who accessed consumer data, when, from what device, and what they did with it. The FFIEC examination procedures explicitly require institutions to demonstrate access controls and audit trail capabilities.

If your M365 tenant runs on default retention settings, has no DLP policies scoped to financial data types, and uses basic audit logging without extended retention, you have gaps in all four categories. Default M365 configurations were designed for general business use. They were not designed for OCC-regulated national banks, FDIC-supervised state banks, NCUA-examined credit unions, or CFPB-monitored mortgage originators.

The Enforcement Landscape Is Shifting, Not Shrinking

The CFPB's staffing reduction does not reduce your compliance obligations. Regulation E (electronic fund transfers), Regulation Z (truth in lending), Regulation B (equal credit), and the Gramm-Leach-Bliley Act are federal statutes that remain enforceable regardless of agency headcount. Meanwhile, NCUA's 2026 supervisory priorities shifted to risk-based supervision, where your M365 data retention and DLP configurations become direct evidence of IT governance maturity. State AGs in New York, California, and Illinois have already filed enforcement actions in areas where federal agencies have pulled back. Your M365 tenant is auditable from multiple directions simultaneously.

48hrs from assessment start to actionable compliance gap report

Compliance Starts with Measurement

Your M365 configuration is only as strong as your last review. ABT evaluates Conditional Access, MFA, retention policies, sensitivity labels, and DLP configurations against the regulatory benchmarks for your charter type.

Regulatory Data Retention Requirements Mapped to M365

Financial institution data has specific retention periods defined across multiple regulatory frameworks. Banks must satisfy OCC and FDIC examination procedures. Credit unions answer to NCUA Part 749 and the FFIEC IT Examination Handbook. Mortgage companies must comply with Regulation Z, Regulation X, and Regulation B under CFPB oversight. Broker-dealers face the strictest timeline: SEC Rule 17a-4 and FINRA Rule 4511 require six-year retention of electronic communications. Your Microsoft 365 retention policies must align with the longest applicable period for each data type — and M365 defaults fall far short.

Every regulatory requirement has a matching M365 capability — the gap is in configuration, not tooling.

30-90 days: default Microsoft 365 retention for emails and audit logs. Regulators require 2 to 6 years: Reg E mandates 2 years, Reg Z requires 2-5 years, Reg B requires 25 months, and SEC/FINRA require 6 years. The gap between what M365 provides by default and what your examiner expects is measured in years, not days.
Source: Microsoft 365 documentation; CFPB Regulations E, Z, B; SEC Rule 17a-4; FINRA Rule 4511

Retention Requirements by Record Type and Regulator

Record Type                      | Minimum Retention          | Regulation / Authority               | Applies To
---------------------------------|----------------------------|--------------------------------------|--------------------------------------
Electronic Fund Transfer Records | 2 years                    | Reg E, 12 CFR 1005.13                | Banks, Credit Unions
Closing Disclosures              | 5 years after consummation | Reg Z, 12 CFR 1026.25(c)(1)(ii)      | Mortgage Companies
HUD-1/Settlement Records         | 5 years after settlement   | Reg X, 12 CFR 1024.10(e)             | Mortgage Companies
Credit Application Records       | 25 months                  | Reg B, 12 CFR 1002.12(b)             | All Financial Institutions
BSA/AML Records                  | 5 years                    | 31 CFR 1010.430                      | Banks, Credit Unions
Electronic Communications        | 6 years                    | SEC Rule 17a-4; FINRA Rule 4511      | Broker-Dealers, Dual-Registered FIs
LO Compensation Records          | 3 years after payment      | Reg Z, 12 CFR 1026.25(c)(2)          | Mortgage Companies
Suspicious Activity Reports      | 5 years from filing        | 31 CFR 1020.320(d)                   | Banks, Credit Unions
General TILA Compliance          | 2 years after disclosure   | Reg Z, 12 CFR 1026.25(a)             | All Consumer Lenders

M365 Configuration: Retention Policies

In the Microsoft Purview compliance portal, navigate to Solutions > Data Lifecycle Management > Retention Policies. Create policies that cover each data type above:

  • Exchange Online retention: Set a minimum retention policy aligned to your longest regulatory requirement. For banks and credit unions, BSA/AML records require 5 years. For mortgage companies, closing disclosures require 5 years. For institutions with broker-dealer operations, SEC/FINRA requires 6 years. Use adaptive scopes to target specific distribution groups (e.g., "Compliance," "Lending," "Operations," "BSA Officer") rather than applying a blanket policy to all mailboxes.
  • SharePoint/OneDrive retention: Apply retention labels to document libraries containing regulated records — loan files, account documentation, BSA/AML reports, and compliance correspondence. Use auto-apply retention labels based on sensitive information types to catch documents saved outside designated libraries.
  • Teams retention: If your staff uses Teams channels or chats for customer-related discussions, those conversations are subject to the same retention requirements as email. This is the exact scenario that triggered billions in off-channel communication penalties. Configure Teams retention to match your Exchange retention period.

The critical mistake is leaving M365 at its default retention settings. Default Exchange Online retention is 14 days for deleted items, with no long-term retention policy. That means a loan officer who deletes an email confirming a rate lock, or a BSA analyst who removes a suspicious activity draft, loses it in two weeks. An examiner asking for that record two years later will not accept "it was deleted" as an answer.
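The same retention configuration expressed in Security & Compliance PowerShell, as an added example that is not from the article or from ABT. The distribution group names, the SharePoint site URL, and the broker-dealer flag are placeholders to replace with your own tenant's objects.

```powershell
# Added example (not from the original article or ABT). Assumes distribution groups
# "Lending", "Compliance" and "BSA Officer" and the site URL below exist in your tenant.
Connect-IPPSSession

# Regulators count in years; retention rules count in days. Adding two days covers
# the leap days that fall inside any 5- or 6-year span.
$fiveYears = 5 * 365 + 2   # BSA/AML, Closing Disclosures, HUD-1 records
$sixYears  = 6 * 365 + 2   # SEC 17a-4 / FINRA 4511 electronic communications

$hasBrokerDealerOps = $false   # set $true if dual-registered; 6 years then governs
$retentionDays = if ($hasBrokerDealerOps) { $sixYears } else { $fiveYears }

# 1. Exchange Online + SharePoint/OneDrive, scoped to the groups that handle regulated
#    records rather than a blanket policy over every mailbox.
New-RetentionCompliancePolicy -Name "FI-Regulated-Records" `
    -ExchangeLocation "Lending", "Compliance", "BSA Officer" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/BSA-AML" `
    -OneDriveLocation All -Enabled $true

# "Keep" retains for the period and then deletes nothing, so final disposition is a
# records-management decision, never an automatic purge.
New-RetentionComplianceRule -Name "Keep-Regulated-Records" -Policy "FI-Regulated-Records" `
    -RetentionDuration $retentionDays -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays

# 2. Teams chats and channel messages need their own policy; Purview does not let
#    Teams locations share a policy with Exchange or SharePoint locations.
New-RetentionCompliancePolicy -Name "FI-Teams-Regulated" `
    -TeamsChannelLocation All -TeamsChatLocation All -Enabled $true
New-RetentionComplianceRule -Name "Keep-Teams-Regulated" -Policy "FI-Teams-Regulated" `
    -RetentionDuration $retentionDays -RetentionComplianceAction Keep

# 3. Verify: each policy should report a successful distribution, and each rule's
#    duration must be at least the longest period in the retention table.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
Get-RetentionComplianceRule |
    Select-Object Name, Policy, RetentionDuration, RetentionComplianceAction
```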

DLP Policies for Consumer Financial Data

Data Loss Prevention policies in Microsoft Purview stop consumer financial data from leaving your organization through unauthorized channels. For regulatory compliance, you need DLP rules that address the data types specific to your institution's operations — deposit accounts at banks, member share data at credit unions, and borrower files at mortgage companies.

M365 Configuration: DLP Policy Setup

Navigate to Microsoft Purview > Data Loss Prevention > Policies > Create Policy. Start with the "U.S. Financial Data" template and customize it for your institution type:

  • Sensitive information types to detect: Social Security numbers, U.S. bank account numbers, credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and driver's license numbers. Banks and credit unions should add custom sensitive information types for internal account numbers and routing numbers. Mortgage companies should add loan numbers and NMLS IDs if they use standardized formats.
  • Locations to monitor: Exchange Online, SharePoint Online, OneDrive for Business, Teams chat and channel messages, and Endpoint (for organizations using Microsoft 365 E5 or the compliance add-on).
  • Policy actions: Block external sharing of documents containing three or more sensitive information types. Show policy tips to users when they attempt to share files containing consumer PII outside the organization. Require business justification for sharing that overrides the policy. Generate incident reports for the compliance team.

Financial Institution DLP Rules by Charter Type

Beyond the standard financial data template, configure rules for these institution-specific scenarios:

  • Account and loan data in email: Block emails containing combinations of SSN + account number + financial amounts from being sent to external recipients without encryption. Customers sending data to your institution is expected. Your staff forwarding it to a personal email account is the exact behavior that triggers regulatory findings.
  • Regulated documents as attachments: Flag outbound emails with PDF attachments matching naming conventions for disclosures, account statements, or examination-related documents unless the recipient domain is on your approved list (core banking platform, eSign vendor, title company, or regulatory agency).
  • Teams external sharing: If your organization allows guest access in Teams, block sharing of files from channels tagged with sensitivity labels like "Consumer PII," "Member Data," or "Borrower Data" with external guests. This is especially critical for credit unions using Teams for committee communications that may reference member account details.
  • BSA/AML document controls (banks and credit unions): Apply strict DLP rules to SAR drafts, CTR documentation, and beneficial ownership records. These documents should never leave the organization via email or external sharing. Configure DLP to block and notify the BSA officer of any attempt.
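The DLP policy setup and the charter-specific rules above, written as Security & Compliance PowerShell; this is an added example, not code from the article or ABT. The compliance and BSA officer mailboxes, the approved recipient domains, and the attachment-name patterns are placeholders to replace with your institution's own.

```powershell
# Added example (not from the original article or ABT). Placeholders below are
# constructed for illustration and must be replaced with your own values.
Connect-IPPSSession

$complianceMailbox = "compliance@contoso.example"      # placeholder
$bsaOfficer        = "bsa-officer@contoso.example"     # placeholder
$approvedDomains   = @("corebanking.example", "esign-vendor.example", "title-co.example")

# One policy covering every workload consumer data travels through. Start in test
# mode with notifications so policy tips appear but nothing is blocked until the
# match reports have been reviewed; change -Mode to Enable once tuned.
New-DlpCompliancePolicy -Name "FI-Consumer-Financial-Data" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -TeamsLocation All -Mode TestWithNotifications

# Rule 1: SSN + bank account number leaving the organization (the "account and loan
# data in email" scenario). The And group requires both types to be present, so a
# customer's SSN alone in a reply to that customer does not trip the rule.
$ssnPlusAccount = @{
    operator = "And"
    groups   = @(@{
        operator       = "And"
        name           = "SSN and account number"
        sensitivetypes = @(
            @{ name = "U.S. Social Security Number (SSN)"; mincount = "1" },
            @{ name = "U.S. Bank Account Number";          mincount = "1" }
        )
    })
}
New-DlpComplianceRule -Name "Block-SSN-plus-Account-External" `
    -Policy "FI-Consumer-Financial-Data" `
    -ContentContainsSensitiveInformation $ssnPlusAccount `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This content contains consumer PII and cannot be shared outside the institution." `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $complianceMailbox -IncidentReportContent All

# Rule 2: regulated disclosures and statements as outbound PDF attachments, flagged
# (reported, not blocked) unless the recipient domain is on the approved list.
# The name pattern is a placeholder for your own file-naming convention.
New-DlpComplianceRule -Name "Flag-Disclosure-Attachments-External" `
    -Policy "FI-Consumer-Financial-Data" `
    -DocumentNameMatchesPatterns "Closing[ _-]?Disclosure|Loan[ _-]?Estimate|Account[ _-]?Statement" `
    -ContentExtensionMatchesWords "pdf" `
    -AccessScope NotInOrganization `
    -ExceptIfRecipientDomainIs $approvedDomains `
    -GenerateIncidentReport $complianceMailbox -IncidentReportContent All

# Rule 3: BSA/AML documents never leave. No override is offered, and the BSA officer
# is notified on every attempt. Pattern is again a placeholder for your naming scheme.
New-DlpComplianceRule -Name "Block-BSA-AML-Documents" `
    -Policy "FI-Consumer-Financial-Data" `
    -DocumentNameMatchesPatterns "SAR[ _-]|CTR[ _-]|Beneficial[ _-]?Ownership" `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All -NotifyAllowOverride None `
    -GenerateIncidentReport $bsaOfficer, $complianceMailbox -IncidentReportContent All
```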

1,700 → 200: CFPB staff reduction in 2025. But Reg E, Reg Z, Reg B, and the Gramm-Leach-Bliley Act remain federal law. State AGs in New York, California, and Illinois are already stepping into the enforcement vacuum. Your compliance obligations did not shrink — your enforcement surface expanded.
Source: Reuters, state AG enforcement filings, 2025-2026

eDiscovery and Legal Hold for Regulatory Examinations

When a regulator requests specific records — whether it is the OCC asking a national bank for BSA documentation, the NCUA examining a credit union's lending practices, the FDIC reviewing a state bank's consumer complaint handling, or the CFPB requesting mortgage origination files — you need to produce them. Microsoft 365's eDiscovery tools are built for this. The problem is that most financial institutions have never configured them.

M365 Configuration: eDiscovery Setup

In the Microsoft Purview compliance portal, navigate to Solutions > eDiscovery. Microsoft 365 offers two tiers:

  • eDiscovery (Standard): Available with E3 licensing. Allows content searches across Exchange mailboxes, SharePoint sites, and OneDrive accounts. Supports legal holds on specific mailboxes and sites. This is sufficient for most regulatory examination responses at community banks, credit unions, and mortgage companies.
  • eDiscovery (Premium): Available with E5 licensing or the E5 Compliance add-on. Adds custodian management, legal hold notifications, advanced analytics (near-duplicate detection, email threading), and review sets. Worth the investment for institutions that face frequent examination requests, consent orders, or litigation holds.

Pre-Examination Preparation

Do not wait for an examination notice to set up eDiscovery. Configure it now:

  • Assign eDiscovery Manager roles: Designate at least two people (typically your compliance officer and IT administrator) as eDiscovery Managers in Microsoft Purview. This role is required to create cases, run searches, and export content.
  • Create standing search templates: Build saved searches that cover your institution's regulated content locations. For banks: commercial lending mailboxes, BSA/AML SharePoint sites, deposit operations folders. For credit unions: member services mailboxes, lending department sites, supervisory committee folders. For mortgage companies: loan processing mailboxes, compliance sites, borrower data folders. When an examiner requests records, clone the template and add the specific search terms.
  • Test your search results: Run a test search quarterly. If the search returns zero results for a customer or member you know has records, your content locations are misconfigured or your retention policies deleted the records prematurely.

Legal Hold During Active Examinations

When you receive an examination notification from your regulator, immediately place legal holds on all relevant content locations. In eDiscovery (Standard), this means placing mailboxes and sites on hold within a case. In eDiscovery (Premium), you can use the custodian management workflow to issue hold notifications and track custodian acknowledgments.

Legal holds override retention policies. If your 5-year retention policy would otherwise delete a document that is subject to a legal hold, the hold wins. The document is preserved until the hold is released. This is by design, and it is the safety net that prevents accidental destruction of evidence during an active examination or enforcement action.
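The pre-examination preparation steps and the examination-time legal hold above, as an added Security & Compliance PowerShell example (not from the article or ABT). The manager accounts, distribution groups, site URLs, case names, and the member name used for the quarterly test search are placeholders.

```powershell
# Added example (not from the original article or ABT). All names and URLs below are
# constructed placeholders for your own tenant objects.
Connect-IPPSSession

# 1. At least two eDiscovery Managers: compliance officer plus IT administrator.
foreach ($m in "compliance.officer@contoso.example", "it.admin@contoso.example") {
    Add-RoleGroupMember -Identity "eDiscovery Manager" -Member $m
}

# 2. A standing case that carries the reusable search template over regulated locations.
$template = New-ComplianceCase -Name "Standing - Regulated Records Template"
New-ComplianceSearch -Name "Template - Lending and BSA locations" -Case $template.Name `
    -ExchangeLocation "Lending", "Compliance" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/BSA-AML", "https://contoso.sharepoint.com/sites/Lending"

# 3. Quarterly test: clone the template with a known member's name and confirm the
#    search returns items. Zero results means a misconfigured location or a retention
#    policy that already purged the records.
function Test-RegulatedRecordSearch {
    param([string]$KnownMemberName, [string]$CaseName)
    $name = "Test $(Get-Date -Format yyyy-MM-dd) - $KnownMemberName"
    New-ComplianceSearch -Name $name -Case $CaseName `
        -ExchangeLocation "Lending", "Compliance" `
        -SharePointLocation "https://contoso.sharepoint.com/sites/Lending" `
        -ContentMatchQuery "`"$KnownMemberName`"" | Out-Null
    Start-ComplianceSearch -Identity $name
    do {
        Start-Sleep -Seconds 10
        $search = Get-ComplianceSearch -Identity $name
    } while ($search.Status -ne "Completed")
    if ($search.Items -eq 0) {
        Write-Warning "No records for $KnownMemberName : check content locations and retention policies"
    }
    return $search.Items
}
Test-RegulatedRecordSearch -KnownMemberName "Jane Q. Member" -CaseName $template.Name

# 4. On an examination notice: hold every relevant location inside a dedicated case.
#    The hold overrides retention-policy deletion until the hold is released.
$exam = New-ComplianceCase -Name "2026 Regulatory Examination"
New-CaseHoldPolicy -Name "Hold - 2026 Examination" -Case $exam.Name `
    -ExchangeLocation "Lending", "Compliance", "BSA Officer" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/Lending" -Enabled $true
# No ContentMatchQuery: everything in the listed locations is held.
New-CaseHoldRule -Name "Hold all content" -Policy "Hold - 2026 Examination"
```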

"Examiners will evaluate the quality of an institution's information technology governance and risk management as a key component of overall safety and soundness."

FFIEC Information Technology Examination Handbook, 2024

Email Archiving and Communication Compliance

Financial institutions generate a high volume of regulated email. Customer account inquiries at banks, member loan requests at credit unions, borrower communications at mortgage companies, internal underwriting discussions, compliance reviews, and BSA/AML correspondence all flow through Exchange Online. Every one of these messages is potentially discoverable in a regulatory examination — and since 2021, off-channel communication failures have generated more enforcement penalties than any other single compliance category in financial services.

M365 Configuration: Archive and Journaling

  • In-Place Archive: Enable archive mailboxes for all users who handle regulated data. Navigate to Exchange admin center > Mailboxes > select user > Manage mailbox archive > Enable. Archive mailboxes provide unlimited storage (with E3/E5 licensing) and ensure emails that are moved out of the primary mailbox are still retained and searchable.
  • Auto-expanding archive: For high-volume mailboxes (lending officers, BSA analysts, compliance staff, customer service), enable auto-expanding archiving. This prevents the archive mailbox from hitting its 100 GB limit and automatically provisions additional storage.
  • Journaling (if required): Institutions subject to SEC/FINRA recordkeeping requirements, or those under consent orders with specific documentation mandates, may need a tamper-proof copy of every email. Microsoft 365 supports journal rules that send a copy of every message matching specific criteria to a journal mailbox or third-party archiving service.
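The archive and journaling items above, as an added Exchange Online PowerShell example (not from the article or ABT). The distribution group names and the journaling address at the archive vendor are placeholders.

```powershell
# Added example (not from the original article or ABT). Group names and the journal
# address are constructed placeholders.
Connect-ExchangeOnline

# 1. Archive mailboxes for everyone in the regulated-data groups. Members already
#    archived are skipped; non-mailbox members (contacts, nested groups) are ignored.
$regulatedGroups = "Lending", "Compliance", "BSA"
$members = $regulatedGroups |
    ForEach-Object { Get-DistributionGroupMember -Identity $_ -ResultSize Unlimited } |
    Sort-Object PrimarySmtpAddress -Unique

foreach ($m in $members) {
    $mbx = Get-Mailbox -Identity "$($m.PrimarySmtpAddress)" -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }
    if ($mbx.ArchiveStatus -ne "Active") {
        Enable-Mailbox -Identity $mbx.PrimarySmtpAddress -Archive | Out-Null
    }
    # Auto-expanding archive so high-volume roles never hit the 100 GB archive ceiling.
    if (-not $mbx.AutoExpandingArchiveEnabled) {
        Enable-Mailbox -Identity $mbx.PrimarySmtpAddress -AutoExpandingArchive | Out-Null
    }
}

# 2. Journaling (SEC/FINRA or consent-order institutions): a copy of every message
#    involving the Lending group goes to the archiving service, independent of what
#    the user later deletes. Scope Global covers internal and external messages.
New-JournalRule -Name "Journal regulated communications" `
    -JournalEmailAddress "journal@archive-vendor.example" `
    -Recipient "Lending@contoso.example" -Scope Global -Enabled $true

# 3. Report for the compliance file: who handles regulated data but still has no archive?
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne "Active" } |
    Select-Object DisplayName, PrimarySmtpAddress, ArchiveStatus
```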

Communication Compliance Policies

Microsoft Purview Communication Compliance monitors email and Teams messages for policy violations. For financial institutions, useful detections include:

  • Unauthorized rate or account disclosures: Flag messages where staff share rate information, account terms, or fee structures through personal email accounts or unapproved channels. This is the exact behavior pattern behind billions in off-channel communication fines.
  • Regulatory complaint indicators: Detect messages containing phrases like "regulatory complaint," "examination," "consent order," "attorney general," or "class action" to route them to compliance for review and documentation.
  • Fair lending and UDAP language: Monitor for language patterns that could indicate fair lending violations, steering, or unfair, deceptive, or abusive acts or practices in customer-facing communications across all institution types.

Audit Trail and Access Logging

Regulatory examiners — regardless of agency — expect to see who accessed consumer data, when, and what actions they took. The FFIEC IT Examination Handbook makes this explicit for banks and credit unions. The CFPB examination procedures require it for mortgage companies. Microsoft 365's Unified Audit Log captures this information, but only if you configure it correctly and retain the logs long enough.

These compliance gaps appear across banks, credit unions, and mortgage companies in nearly every M365 tenant ABT audits.

M365 Configuration: Audit Log Settings

  • Verify audit logging is enabled: Navigate to Microsoft Purview > Audit. For E3 tenants, audit logs are retained for 90 days by default. For E5 tenants, the default extends to one year. Neither default meets the multi-year retention requirements that banks (BSA: 5 years), credit unions (NCUA: 5 years), and mortgage companies (Reg Z: 5 years) face.
  • Extend audit log retention: With E5 or the E5 Compliance add-on, create audit log retention policies that retain specific activity types for up to 10 years. At minimum, configure retention matching your longest regulatory period for: user login events, file access and sharing events in SharePoint/OneDrive, mailbox access events, and admin activity logs.
  • Enable mailbox auditing for all users: Mailbox auditing is enabled by default in Microsoft 365, but verify it has not been disabled for specific mailboxes. Navigate to Exchange admin center > Mailboxes > select user > Manage mailbox auditing. Ensure "Owner," "Delegate," and "Admin" actions are all logged.
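The three audit settings above, verified and applied from PowerShell; this is an added example, not code from the article or ABT. It assumes Audit (Premium) licensing for the retention policies (E5 or the E5 Compliance add-on), and the policy names and priorities are constructed.

```powershell
# Added example (not from the original article or ABT). Needs both the Exchange Online
# and Security & Compliance modules; policy names/priorities are constructed.
Connect-ExchangeOnline
Connect-IPPSSession

# 1. Prove audit ingestion is on at the org level. It is on by default, but an admin
#    can turn it off, and examiners will ask you to show the setting.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Audit log retention policies, one per activity family the examiner asks about.
#    RetentionDuration only takes fixed values; TenYears is the only option beyond
#    twelve months, so it is what a five-year regulatory period maps to.
$auditPolicies = @(
    @{ Name = "Audit - Sign-in events";      RecordTypes = @("AzureActiveDirectoryStsLogon");                      Priority = 10 },
    @{ Name = "Audit - File access/sharing"; RecordTypes = @("SharePointFileOperation", "SharePointSharingOperation"); Priority = 20 },
    @{ Name = "Audit - Mailbox access";      RecordTypes = @("ExchangeItem", "ExchangeItemGroup", "ExchangeItemAggregated"); Priority = 30 },
    @{ Name = "Audit - Admin activity";      RecordTypes = @("ExchangeAdmin", "AzureActiveDirectory", "SecurityComplianceCenterEOPCmdlet"); Priority = 40 }
)
$existing = Get-UnifiedAuditLogRetentionPolicy
foreach ($p in $auditPolicies) {
    if ($existing | Where-Object Name -eq $p.Name) { continue }
    New-UnifiedAuditLogRetentionPolicy -Name $p.Name -RecordTypes $p.RecordTypes `
        -RetentionDuration TenYears -Priority $p.Priority `
        -Description "Regulatory audit trail retention"
}

# 3. Mailbox auditing: re-enable it wherever it was switched off and make sure the
#    Owner, Delegate and Admin action sets are populated.
$ownerActions    = "MailboxLogin", "HardDelete", "SoftDelete", "MoveToDeletedItems", "Update", "Create"
$delegateActions = "SendAs", "SendOnBehalf", "HardDelete", "SoftDelete", "MoveToDeletedItems", "Update", "Create"
$adminActions    = "SendAs", "SendOnBehalf", "HardDelete", "SoftDelete", "MoveToDeletedItems", "Update", "Create"
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled -or $_.AuditOwner -notcontains "HardDelete" } |
    ForEach-Object {
        Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true `
            -AuditOwner @{Add = $ownerActions} `
            -AuditDelegate @{Add = $delegateActions} `
            -AuditAdmin @{Add = $adminActions}
    }

# 4. The question the examiner will actually ask: can you still see activity from
#    18 months ago? Query a 30-day window ending 17 months back.
$end   = (Get-Date).AddMonths(-17)
$start = $end.AddDays(-30)
$proof = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeItem -ResultSize 5
if (-not $proof) {
    Write-Warning "No audit records from 17-18 months ago: retention does not yet cover that period"
}
```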

What Examiners Actually Ask For

During regulatory examinations focused on data handling and information security, examiners across all agencies typically request:

  • Records of who accessed a specific customer's or member's account data and when
  • Evidence that former employees' access was revoked upon termination
  • Logs showing failed login attempts or access from unusual locations
  • Proof that sensitive data was not shared externally without authorization
  • Documentation of admin changes to security policies, retention settings, or DLP configurations
  • Evidence of periodic access reviews and recertification (FFIEC requirement for banks and credit unions)

If your audit log retention is 90 days and the examiner asks about activity from 18 months ago, you have nothing to show. That gap becomes a finding. At a community bank, it becomes an MRA. At a credit union, it shows up on the NCUA's next risk-focused examination. At a mortgage company, it gives the CFPB or state AG documented grounds for enforcement.

Common Compliance Gaps We Find in Financial Institution M365 Tenants

After configuring Microsoft 365 environments for over 750 financial institutions since 1999, these are the compliance gaps that appear most frequently across banks, credit unions, and mortgage companies. Each one is a configuration problem, not a licensing limitation.

  • No retention policies beyond M365 defaults. The single most common gap across all institution types. Regulated data gets deleted on standard retention schedules that have nothing to do with BSA, Reg E, Reg Z, or FFIEC requirements. Emails containing account records, loan documentation, or compliance correspondence disappear after 14 days in the deleted items folder. Fix: Create retention policies aligned with the table in the Data Retention section above, scoped to your institution's regulatory requirements.
  • DLP policies not scoped to financial data types. Many institutions have DLP policies that detect credit card numbers but nothing else. Account data containing SSN + account number + balance flows freely to personal email accounts. Fix: Deploy the institution-specific DLP rules described in the DLP section, including BSA/AML document controls for banks and credit unions.
  • No eDiscovery cases or role assignments. When an examination notice arrives, nobody in the organization has the permissions to search for and export the requested records. This creates delays that examiners interpret as lack of preparedness. Fix: Assign eDiscovery Manager roles and build standing search templates before you need them.
  • Audit logging at default retention. E3 tenants lose audit logs after 90 days. Even E5 tenants lose them after one year unless custom retention policies are configured. When an examiner asks about data access from 18 months ago, the institution has nothing to produce. Fix: Create audit log retention policies that match your longest regulatory retention period.
  • Archive mailboxes not enabled. Staff delete old emails to manage mailbox size. Those emails are gone permanently after the deleted items retention period expires. Fix: Enable archive mailboxes for all users who handle regulated data — lending, operations, compliance, BSA, and customer or member service.
  • No sensitivity labels on regulated documents. Loan files, account records, BSA reports, and consumer disclosures are stored alongside general business documents with no classification. This makes DLP policies less effective and eDiscovery searches less precise. Fix: Create sensitivity labels for "Consumer PII," "Regulated Records," "BSA/AML," and "Examination Materials" and train staff to apply them.
  • Legacy authentication still enabled. Older mail clients and third-party applications using basic authentication bypass Conditional Access policies, meaning access to consumer data cannot be controlled or audited properly. Fix: Block legacy authentication in Conditional Access and migrate all clients to modern authentication.
  • No communication compliance monitoring. Staff use personal devices, text messages, or unauthorized messaging platforms for customer-related discussions, and the institution has no technical control to detect it. Since 2021, this has been the most expensive compliance failure in financial services. Fix: Deploy Microsoft Purview Communication Compliance and enforce an electronic communications policy that covers all channels.
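For the legacy authentication gap in the list above, the Conditional Access policy that closes it, as an added Microsoft Graph PowerShell example (not from the article or ABT). The break-glass account object ID is a placeholder, and the policy is created in report-only mode so the sign-in log can be reviewed before it is enforced.

```powershell
# Added example (not from the original article or ABT). The object ID is a placeholder
# for your emergency-access account; review sign-ins before switching state to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# 1. Who is still signing in with legacy (basic) authentication? Anything other than
#    a browser or a modern desktop/mobile app is a client Conditional Access cannot govern.
$modernClients = "Browser", "Mobile Apps and Desktop clients"
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -notin $modernClients } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 2. Block the legacy client categories for all users and all apps, excluding the
#    break-glass account so a policy mistake cannot lock administrators out.
$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"   # placeholder
$policy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy categories
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassObjectId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```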

Get Your Security Grade

ABT's assessment evaluates your M365 tenant against the specific regulatory benchmarks for your institution type — OCC, FDIC, NCUA, or CFPB. See exactly where your retention policies, DLP rules, and audit logging stand before your next examination.


Talk to a Financial Services Security Architect

Every financial institution charter has different compliance requirements. Our team has configured M365 for community banks, credit unions, and mortgage companies since 1999 — we know what your specific examiner expects to see.


Frequently Asked Questions

Microsoft 365 E3 provides the baseline tools for regulatory compliance at financial institutions: retention policies, basic eDiscovery, DLP policies, and 90-day audit log retention. Microsoft 365 E5 or the E5 Compliance add-on extends audit log retention to 10 years, adds eDiscovery Premium with custodian management and analytics, and provides advanced DLP capabilities including endpoint DLP. Most banks, credit unions, and mortgage companies with active regulatory examination exposure should be on E5 or E3 plus the compliance add-on to meet multi-year retention requirements.

Retention periods vary by record type and regulator. For banks and credit unions, BSA/AML records require five years, electronic fund transfer records under Regulation E require two years, and credit application records under Regulation B require 25 months. For mortgage companies, closing disclosures must be retained for five years under Regulation Z, and HUD-1 settlement records require five years under Regulation X. Institutions with broker-dealer operations face the longest requirement: six years under SEC Rule 17a-4 and FINRA Rule 4511. Many financial institutions apply a blanket seven-year retention policy to simplify compliance across all record types and regulators.

Financial institutions should configure DLP policies that detect and block unauthorized sharing of Social Security numbers, bank account numbers, credit card numbers, and Individual Taxpayer Identification Numbers across Exchange Online, SharePoint, OneDrive, and Teams. Banks and credit unions should add custom sensitive information types for internal account numbers, routing numbers, and BSA/AML document patterns. Mortgage companies should add loan numbers and NMLS IDs. Configure rules that block external sharing of documents containing three or more sensitive information types, show policy tips to users, require business justification for overrides, and generate incident reports for the compliance team.

Before an examination, assign eDiscovery Manager roles to your compliance officer and IT administrator in Microsoft Purview. Create standing search templates that cover your institution's regulated content locations: lending mailboxes, compliance SharePoint sites, BSA/AML document libraries, and customer or member data folders. When an examination notification arrives, immediately place legal holds on all relevant content locations to override retention policies and prevent accidental deletion. Test your eDiscovery searches quarterly by searching for known customer or member records to verify your content locations and retention policies are correctly configured.

The FFIEC IT Examination Handbook requires banks and credit unions to maintain audit trails showing who accessed consumer data, when, from what device, and what actions they took. The CFPB examination procedures require the same for mortgage companies. Microsoft 365 E3 retains audit logs for 90 days by default, which is insufficient for any regulated financial institution. E5 licensing or the E5 Compliance add-on extends default retention to one year and allows custom audit log retention policies up to 10 years. At minimum, configure five-year retention for user login events, file access and sharing events, mailbox access events, and admin activity logs. Verify mailbox auditing is enabled for all users with Owner, Delegate, and Admin actions logged.

The NCUA's 2026 supervisory priorities shifted toward risk-based supervision, meaning examiners evaluate IT governance maturity rather than simply checking compliance boxes. In practice, this means your Microsoft 365 configuration serves as direct evidence of whether your credit union takes data protection seriously. Examiners will look for properly configured retention policies aligned with regulatory requirements, active DLP policies covering member data, eDiscovery readiness for examination responses, extended audit log retention beyond defaults, and documented evidence of periodic security configuration reviews. Credit unions that can demonstrate these configurations during examinations will receive faster, smoother exam cycles. Those that cannot will face heightened scrutiny and potential enforcement actions.

Next Steps

Start with the retention policy table. Find your institution type, identify the longest retention requirement from your primary regulator, and compare it to what your M365 tenant currently has configured. If you find gaps — and most financial institutions do — the configuration steps in each section above will close them. If you are not sure what your current configuration looks like, that is the first problem to solve.

  • Assess your current M365 compliance posture. ABT offers a free Microsoft 365 Security Assessment that evaluates your tenant configuration against regulatory compliance benchmarks for your specific institution type, including data retention requirements, DLP policy coverage, audit log configuration, and eDiscovery readiness.
  • Talk to a financial services IT specialist. Schedule a conversation with our team to review your compliance configuration against OCC, FDIC, NCUA, or CFPB examination procedures, identify gaps, and build an action plan before your next examination.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has configured Microsoft 365 environments for regulated financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps banks, credit unions, and mortgage companies build compliant M365 configurations that satisfy examiners and protect customer data.