FINRA fined 21 broker-dealers a combined $1.8B in 2024 for electronic communication recordkeeping failures — the largest enforcement action series in FINRA history. The majority of violations involved off-channel communications (WhatsApp, personal email) or inadequate supervision workflows, not Microsoft 365 configuration failures per se. But several enforcement actions included findings related to retention policy gaps in cloud communication platforms. For broker-dealers evaluating or restructuring Microsoft 365 licensing for FINRA and SEC compliance, the right configuration — and the right licensing to enable it — is not optional.
This guide maps the requirements of SEC Rule 17a-4 (17 CFR 240.17a-4), which FINRA Rule 4511 makes binding on member firms, and the supervision duties of FINRA Rule 3110 to specific Microsoft 365 licensing components, with a cost model for typical broker-dealer configurations and the negotiation levers that reduce cost without compromising compliance coverage.
FINRA and SEC Recordkeeping Requirements: The Technical Mandates
Rule 17a-4 is an SEC rule (17 CFR 240.17a-4), not a FINRA rule; FINRA Rule 4511 requires members to preserve their books and records in a format and media that comply with it. Paragraph (f) sets the technical conditions for keeping records electronically. Under the original, WORM-based option the system must preserve records in a non-rewritable, non-erasable format; verify automatically the quality and accuracy of the recording process; serialise the original and any duplicate and time-date each record for its required retention period; and be able to download indexes and records promptly to any medium the SEC or the firm's designated examining authority (FINRA for most broker-dealers) asks for. The firm must also store a duplicate copy separately from the original, maintain an audit system that accounts for the input of records and of any changes to them, and arrange for a designated third party (D3P) that can access and download the records independently of the firm's own staff.
The SEC amended 17a-4 in October 2022 (effective January 2023). The amendments kept the WORM option and added an audit-trail alternative: an electronic recordkeeping system also qualifies if every modification or deletion of a record is captured in a complete, time-stamped audit trail that shows the record before and after the change, who made it and when, and the original can be reproduced. The amendments also allow a designated executive officer (DEO) of the firm to give the access undertaking formerly required of a D3P. Neither option names a product. A cloud retention policy with a lock that prevents deletion or shortening for the retention period is how Microsoft 365 satisfies the WORM option, and it is that configuration, not the subscription, that the rule is concerned with.
Microsoft 365 Capability Mapping to FINRA/SEC Requirements
| SEC 17a-4 / FINRA Requirement | Microsoft 365 Feature | Required Licence | Configuration Required |
|---|---|---|---|
| Non-erasable, non-rewritable storage (17a-4(f)(2)) | Retention policy with Preservation Lock | M365 E3 minimum | Create the retention policy in Purview, then lock it from Security & Compliance PowerShell (Set-RetentionCompliancePolicy -RestrictiveRetention $true); there is no portal switch for the lock |
| Email retention for the full 17a-4 period | Exchange Online Archiving + retention policy | M365 E3 (auto-expanding archive, capped at 1.5 TB per mailbox) | Retain-only policy across all mailboxes for at least the longest applicable period (6 years is the common conservative choice) |
| Separately stored duplicate copy and D3P/DEO access (17a-4(f)(3)) | Microsoft data-centre replication (not tenant-configurable) plus journaling or export to a third-party archive | E3 + third-party archiver (Smarsh, Global Relay) where a D3P is used | Configure a journal rule or data connector to the archiver; file the D3P or DEO undertaking |
| Audit trail of record input and changes | Purview Audit (Standard) | M365 E3 | Confirm unified audit logging is enabled (180-day log retention) |
| Long-term audit log retention | Purview Audit (Premium) | M365 E5 Compliance gives 1-year retention; 10-year retention needs the separate 10-Year Audit Log Retention add-on | Create audit log retention policies |
| Communication supervision / review (FINRA Rule 3110) | Purview Communication Compliance | M365 E5, or the E5 Compliance or E5 Insider Risk Management add-on (~$12/user/month) | Configure supervision policies, detection conditions and reviewers |
| eDiscovery for regulatory examinations | Purview eDiscovery (Standard) | M365 E3 | Assign the eDiscovery Manager role; create cases and holds |
| Custodian-based holds and collections (litigation/exam) | Purview eDiscovery (Premium) | M365 E5 Compliance | Add custodians and apply custodian holds |
| Teams message retention | Teams retention policy (separate from the Exchange policy) | M365 E3 (retention) / E5 Compliance (supervision) | Create a Teams-specific retention policy in Purview and lock it |
Cohasset Assessment: What It Covers and What It Doesn't
Cohasset Associates has assessed Microsoft 365 (Exchange Online specifically) and determined that it meets the requirements of SEC Rule 17a-4(f) when configured with Preservation Lock on Retention Policies. This assessment is frequently cited as comprehensive FINRA/SEC certification — but it has important scope limitations:
- Covered: Exchange Online email archiving with Preservation Lock enabled. The assessment validates the technical controls for non-erasable, non-rewritable storage as required by 17a-4(f).
- Not covered: Microsoft Teams message retention (Teams requires separate configuration and Cohasset has conducted separate assessments for Teams). Cohasset's assessment does not cover third-party communication channels (Bloomberg, ICE Chat, WhatsApp).
- Configuration-dependent: The assessment applies only when Preservation Lock is properly configured on retention policies with the required minimum retention periods. Default Exchange Online settings do NOT satisfy 17a-4 — configuration is mandatory.
The practical implication: a broker-dealer relying on the Cohasset assessment without verifying that Preservation Lock is actually enabled on the relevant policies in its own tenant is not compliant, however many licences it has bought. Licence ownership is necessary; correct configuration is necessary; and even then 17a-4(f) still has obligations the tenant cannot satisfy on its own, such as the separately stored duplicate copy and the D3P or DEO undertaking. Licence ownership alone satisfies none of them.
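The following is an added example, not code from the original page or from Microsoft's documentation, showing the configuration the mapping table describes and the verification this section asks for: it creates retain-only retention policies for Exchange Online mailboxes and for Teams (Teams locations cannot share a policy with Exchange), applies Preservation Lock from Security & Compliance PowerShell, and then lists any policy that is supposed to satisfy 17a-4(f) but is not actually locked. The policy names, the 6-year period and the admin UPN are assumptions; the cmdlets are the standard ones in the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original page). Requires the ExchangeOnlineManagement module
# and a Compliance Administrator (or equivalent) role. Policy names, the 6-year period and
# the admin UPN below are assumptions for illustration.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # assumed tenant admin

$SixYearsInDays = 6 * 365    # Purview retention durations are expressed in days

# --- Exchange Online: every mailbox in the tenant, retain only, never auto-delete ---
New-RetentionCompliancePolicy -Name "SEC17a4-Exchange-6y" -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "SEC17a4-Exchange-6y-Rule" -Policy "SEC17a4-Exchange-6y" `
    -RetentionDuration $SixYearsInDays -RetentionComplianceAction Keep

# --- Teams: chats and channel messages need their own policy ---
New-RetentionCompliancePolicy -Name "SEC17a4-Teams-6y" -TeamsChatLocation All `
    -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule -Name "SEC17a4-Teams-6y-Rule" -Policy "SEC17a4-Teams-6y" `
    -RetentionDuration $SixYearsInDays -RetentionComplianceAction Keep

# --- Preservation Lock. This is irreversible: once locked, the policy cannot be disabled or
# deleted, the retention period can only be lengthened, and locations can only be added.
# The cmdlet prompts for confirmation; run it interactively and read the prompt. ---
foreach ($policy in "SEC17a4-Exchange-6y", "SEC17a4-Teams-6y") {
    Set-RetentionCompliancePolicy -Identity $policy -RestrictiveRetention $true
}

# --- Verification: what to show an examiner. RestrictiveRetention must be True and the
# policy must be enabled and distributed; anything else is not a locked 17a-4 policy. ---
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Name -like "SEC17a4-*" } |
    Select-Object Name, Enabled, RestrictiveRetention, DistributionStatus,
                  ExchangeLocation, TeamsChatLocation, TeamsChannelLocation

$unlocked = Get-RetentionCompliancePolicy |
    Where-Object { $_.Name -like "SEC17a4-*" -and -not $_.RestrictiveRetention }
if ($unlocked) {
    Write-Warning "Policies intended for 17a-4 that are NOT locked: $($unlocked.Name -join ', ')"
}
```

The last query is the check to keep in a periodic compliance script: a policy that exists, is enabled and has the right duration but shows RestrictiveRetention = False is exactly the gap the Cohasset assessment does not cover for you.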
Supervision Requirements: Where E5 Compliance Becomes Mandatory
FINRA Rule 3110 requires broker-dealers to establish and maintain a supervisory system for registered representatives — including electronic communications supervision. The supervision requirement is the primary driver for Purview Communication Compliance in broker-dealer environments.
What Communication Compliance enables for FINRA Rule 3110:
- Policy-based communication review: Detect potentially violative language (investment recommendations, market commentary, customer complaints) across email and Teams using trainable classifiers together with keyword, regex and sensitive-information conditions
- Reviewer assignment and workflow: Route detected communications to compliance reviewers with escalation workflows and documentation
- Sampling supervision: Configure percentage-based random sampling of communications for periodic compliance review
- Escalation and remediation tracking: Document remediation actions for regulatory examination evidence
- Third-party channel integration: Bring Bloomberg, ICE Chat and Refinitiv messages into the tenant through Purview data connectors (Microsoft-native for some sources, partner-built for others) so they fall under the same supervision policies
Without Communication Compliance, FINRA Rule 3110 supervision must be performed through manual review or a third-party platform (Bloomberg Vault, Global Relay, Smarsh). The cost comparison is direct: Communication Compliance through the E5 Compliance add-on at $12/user/month versus Global Relay at approximately $25–$40/user/month for comparable review functionality. At 500 users the Microsoft-native route saves $78,000–$168,000/year, when correctly structured in an EA. One caveat: the third-party price usually includes an archive that can also act as the separately stored duplicate and D3P under 17a-4(f), which the Microsoft add-on does not provide on its own.
Third-Party Communication Channels: The Persistent Gap
The 2024 enforcement actions were overwhelmingly about off-channel communications: WhatsApp, personal email, Signal and similar platforms used for business communications outside approved channels. Microsoft 365 does not capture these communications natively. The broker-dealer must either prohibit off-channel communications (with documented enforcement and attestations), or restrict business messaging to approved apps and capture those: Intune app protection policies can limit which apps handle corporate data on managed devices, but they do not record message content, so capture of an approved messaging app still requires a third-party capture platform.
For the channels broker-dealers commonly use alongside M365:
| Channel | Microsoft Native Capture? | Solution | Additional Licence/Cost |
|---|---|---|---|
| Exchange Online email | Yes | Exchange Online Archiving | Included in E3 |
| Microsoft Teams | Yes | Teams retention + Communication Compliance | E5 Compliance for supervision |
| Bloomberg Terminal Chat | Via connector | Bloomberg Teams integration + Purview data connector | Bloomberg licence + Purview Communication Compliance |
| ICE Chat / Refinitiv Eikon | Via partner connector | Purview data connector built by a partner (Veritas/Globanet, etc.) | Partner connector licence + Communication Compliance |
| Mobile messaging (WhatsApp, SMS, Signal) | No | Third-party mobile capture (TeleMessage, Smarsh, Global Relay) | Third-party platform ($15–$30/user/month) |
| Personal email | No | Policy prohibition + monitoring attestation | Operational controls (no technical capture) |
3-Year Cost Model: FINRA-Compliant Broker-Dealer
Three scenarios for a 500-user broker-dealer (300 registered representatives, 200 support staff):
| Component | Scenario A: E3 + Add-ons | Scenario B: E5 Bundle | Scenario C: E3 + E5 Compliance |
|---|---|---|---|
| Base M365 plan (500 users) | E3 $216,000/year | E5 $342,000/year | E3 $216,000/year |
| Communication Compliance (300 reg-reps) | E5 Insider Risk Management add-on, $12/user × 300 = $43,200/year | Included | E5 Compliance for 500 = $72,000/year |
| eDiscovery Premium (if needed, all 500) | E5 eDiscovery and Audit add-on, $12/user × 500 = $72,000/year | Included | Included in E5 Compliance |
| Audit Premium (1-year logs) | Included in eDiscovery and Audit add-on | Included | Included in E5 Compliance |
| Annual total | $331,200 | $342,000 | $288,000 |
| 3-year total (list) | $993,600 | $1,026,000 | $864,000 |
List prices used: E3 $36 and E5 $57 per user per month, and $12 per user per month for each of the E5 Compliance, E5 Insider Risk Management and E5 eDiscovery and Audit add-ons. Ten-year audit log retention is a separate add-on in every scenario and is not included above.
Scenario C, E3 for all staff plus E5 Compliance for all staff, is consistently the most cost-efficient structure for broker-dealers needing full FINRA/SEC compliance coverage without paying the E5 security premium for users who don't require advanced security features. Scenario A loses because buying two $12 add-ons for overlapping populations costs more than the single E5 Compliance add-on that contains both. The saving versus the E5 bundle is $162,000 over 3 years on 500 users, before EA negotiation discounts.
After EA negotiation (typically an 18–22% blended discount for financial services firms at this scale, applied to every scenario alike), Scenario C drops to approximately $675,000–$710,000 over 3 years. That is roughly $55,000–$60,000/year more than a non-compliant E3-only structure at the same discount, and roughly $125,000–$135,000 less over 3 years than the E5 path Microsoft typically recommends for financial services.
Get an Independent Second Opinion
If your Microsoft account team is recommending E5 for FINRA compliance, ask them to map each E5 capability to a specific FINRA rule requirement. If they can't, you're likely overpaying. An independent adviser will provide that mapping in writing.
Frequently Asked Questions
What is the minimum Microsoft 365 plan for FINRA compliance?
M365 E3 is the minimum plan for 17a-4 archiving compliance (retention policies with Preservation Lock, Exchange Online Archiving, Audit Standard and eDiscovery Standard). For FINRA Rule 3110 supervision, Purview Communication Compliance is additionally required, available through M365 E5 or the E5 Compliance (or E5 Insider Risk Management) add-on at ~$12/user/month.
Has Cohasset Associates certified Microsoft 365 for SEC 17a-4?
Cohasset has assessed M365 Exchange Online with Preservation Lock enabled and determined that it meets SEC 17 CFR 240.17a-4(f) requirements. This is an independent assessment, not a regulatory certification, and it is configuration-dependent: Preservation Lock must be enabled on the retention policies. Default M365 settings are not covered by the assessment.
What retention period does FINRA Rule 17a-4 require?
SEC Rule 17a-4 sets different periods for different records. Records under 17a-4(a), such as blotters, ledgers and related documents, must be preserved for 6 years, the first 2 in an easily accessible place. Records under 17a-4(b), which include originals and copies of business communications (and so email and chat), must be preserved for 3 years, the first 2 in an easily accessible place. FINRA Rule 4511 requires 6 years for FINRA-mandated records that have no specified period, which is why most broker-dealers standardise on 6 years for communications. Retention policies in M365 must enforce whichever period applies as non-erasable storage via Preservation Lock.
Does Microsoft 365 capture Teams messages for FINRA compliance?
M365 retains Teams messages through a Teams-specific retention policy (E3; messages are preserved in hidden compliance folders in Exchange Online even if users delete them) and supervises them through Communication Compliance (E5 Compliance). This covers only Microsoft Teams; third-party channels such as Bloomberg and ICE Chat need separate data connectors.