Corporate communication channels continue to proliferate as a result of hybrid collaboration and engagement with customers across multiple mediums and devices. This has also resulted in regulatory agencies, such as the Securities and Exchange Commission (SEC), shifting their regulatory requirements to include work-related communications on all devices and platforms. With stronger enforcement stances and increases in communication volume across platforms, organizations are finding it difficult to sift through volumes of communications to help meet regulatory compliance requirements. These elevated compliance standards also result in higher fines. For example, in the United States, the SEC imposed $1.8B in fines on Wall Street firms because employees violated communication requirements by discussing business matters using personal devices and text messages.
Across Microsoft Teams, Outlook and apps like Instant Bloomberg, Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory (e.g. SEC or FINRA) and business conduct compliance violations, such as the sharing of sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.
Recently we have rolled out capabilities that help companies better sift through potential communication violations with the right policies, attributes and filters to enable better detection and investigation of policy violations.
Dynamically matching specific user groups to policies
Organizations have various regulatory, legal and business policy requirements for different locations, departments, and roles. To help them meet the varying needs of their organizations, we are pleased to announce adaptive policy scopes are enabled for Communication Compliance policies. Currently available in public preview, adaptive policy scopes enable organizations to dynamically scope Communication Compliance policies to groups of users, using Azure Active Directory attributes and properties to determine inclusion or exclusion from the policies. For example, selecting employee attributes such as “US Employees” would automatically update the policy scope as new users are added to the Azure Active Directory group. This new feature enables organizations to apply user attributes for policies based on geography, role, or other Azure Active Directory attributes without an administrator configuring the group(s). This also means Communication Compliance and Azure Active Directory administrators no longer need to maintain group membership.
Select “Add scopes” and check box next to the group(s) that matches defined attribute(s).
Triage policy matches more efficiently
Organizations receive a large number of unsolicited email blasts, such as bulk newsletters. These communications can generate false positives, making it difficult to investigate and remediate communication compliance policy alerts. To help customers triage communication compliance policy matches more efficiently, we have added a policy condition to exclude email blasts from Communication Compliance policies. Currently available in public preview, the email blasts exclusion setting can be configured at the per-policy level, and customers can define the sensitivity settings.
Check box under “Filter email blasts” to enable the filter.
Helping address regulatory requirements with new classifiers
Communication Compliance takes a privacy by design approach by providing capabilities to help detect potential regulatory violations, including sharing of sensitive or confidential information, across a variety of Microsoft and non-Microsoft communication platforms. To help companies address regulatory compliance requirements, Communication Compliance now offers six new regulatory policy templates. Currently available in public preview, the new Communication Compliance regulatory policy templates include:
- Corporate sabotage: Detects messages that may mention acts to damage or destroy corporate assets or property. This classifier can help customers manage regulatory compliance obligations such as NERC Critical Infrastructure Protection standards or state regulations like Chapter 9.05 RCW in Washington state.
- Gifts & entertainment: Detects messages that may suggest exchanging gifts or entertainment in return for service, which violates regulations related to bribery. This classifier can help customers manage regulatory compliance obligations such as Foreign Corrupt Practices Act, the UK’s Bribery Act, and FINRA Rule 2320.
- Money laundering: Detects signs that may suggest money laundering or engagement in acts to conceal or disguise the origin or destination of proceeds. This classifier can help customers manage regulatory compliance obligations such as the Bank Secrecy Act, the USA Patriot Act, FINRA Rule 3310 and Anti-Money Laundering Act of 2020.
- Stock manipulation: Detects signs of possible stock manipulation, such as recommendations to buy, sell, or hold stocks that may suggest an attempt to manipulate the stock price. This classifier can help customers manage regulatory compliance obligations such as the Securities Exchange Act of 1934, FINRA Rule 2372, and FINRA Rule 5270.
- Unauthorized disclosure: Detects sharing of information explicitly designated as confidential or internal to unauthorized individuals. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 2010 and SEC Rule 10b-5. This classifier can help customers manage regulatory compliance obligations such as the Securities Exchange Act of 1934, FINRA Rule 2372, and FINRA Rule 5270.
- Regulatory collusion: Detects messages that may violate regulatory anti-collusion requirements such as an attempted concealment of sensitive information. This classifier can help customers manage regulatory compliance obligations such as the Sherman Antitrust Act, Securities Exchange Act of 1933, Securities Exchange Act of 1934, Investment Advisers Act of 1940, Federal Trade Commission Act of 1914, and Robinson-Patman Act.
Click the box next to the classifier template you wish to select.
The Communication Compliance features in this blog are available currently in public preview. You can get status updates for those and other Communication Compliance features at Microsoft 365 Roadmap | Microsoft Purview Communication Compliance.
We also are happy to share that there is an easier way for you to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial (an active Microsoft 365 E3 subscription is required as a prerequisite). By enabling the trial in the compliance portal, you can quickly start using all capabilities of Microsoft Purview, including Insider Risk Management, Communication Compliance, Records Management, Audit, eDiscovery, Information Protection, Data Lifecycle Management, Data Loss Prevention, and Compliance Manager.
Visit your Microsoft Purview compliance portal for more details or check out the Microsoft Purview solutions trial (an active Microsoft 365 E3 subscription is required as a prerequisite).
If you are a current Communication Compliance customer and are interested in learning more about how Communication Compliance can help safeguard sensitive information and detect potential regulatory or business conduct violations, check out the resources available on our “Become a Communication Compliance Ninja” resource page.
Liz Willets, Senior Marketing Manager
Christophe Fiessinger, Principal Product Manager