SharePoint for Financial Services: SEC, FINRA, SOC 2, and Compliance Configuration Guide

Configure SharePoint for financial services compliance. Covers SEC Rule 17a-4, FINRA 4370, SOC 2 controls, records retention for broker-dealers, audit trails, and Microsoft Purview for financial regulation.

Errin O'Connor | February 25, 2026 | 14 min read

Financial Services: The Highest-Stakes SharePoint Deployment

Financial services organizations — broker-dealers, investment advisors, banks, insurance companies, and wealth management firms — operate under some of the strictest document retention and compliance requirements in any regulated industry. SharePoint Online deployments in financial services must address:

  • SEC Rule 17a-4: Electronic records preservation requirements for broker-dealers
  • FINRA Rule 4370: Business continuity plans and emergency contact information
  • SOC 2 Type II: AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy)
  • Gramm-Leach-Bliley Act (GLBA): Protection of customer financial information
  • GDPR/CCPA: Privacy regulations for customer data

This guide covers the specific configurations required for SharePoint Online to meet these regulatory obligations.

SEC Rule 17a-4: WORM Records Requirements

SEC Rule 17a-4(f) governs how broker-dealers may keep required records electronically. Historically it required a non-rewriteable, non-erasable format (WORM, Write Once Read Many). The SEC's 2022 amendments added an audit-trail alternative, under which the system must instead log every modification or deletion and be able to reproduce the original record, but WORM remains the most widely deployed model and the easiest to evidence, and it is the model the Purview and Azure configurations below implement. It is still one of the most stringent records requirements in financial services.

What SEC 17a-4 Requires

  • Preservation period: most records 3 or 6 years depending on record type, with the first 2 years in an easily accessible place
  • WORM storage (or the audit-trail alternative): records cannot be altered or deleted during the retention period
  • Index and access: records must be indexed, searchable, and producible to regulators promptly on request
  • Independent access: a designated third party (D3P) or, since the 2022 amendments, a designated senior officer must be able to access and download the records independently of the firm, which matters when the records live in a cloud tenant the firm administers
  • Automatic preservation: the system itself, not a procedure, must prevent deletion before the retention period expires

Microsoft 365 / SharePoint 17a-4 Compliance

Microsoft publishes an independent assessment by Cohasset Associates concluding that Microsoft 365 can meet the SEC 17a-4(f) (and FINRA 4511(c)) electronic recordkeeping requirements when it is configured with:

  • Microsoft Purview regulatory record labels: an item marked as a regulatory record cannot be edited or deleted, the label cannot be removed, and the retention period cannot be shortened, by anyone including global admins
  • Azure Immutable Blob Storage: a locked, time-based immutability policy for archive or backup copies (Cohasset has assessed this separately)
  • Microsoft 365 Audit (Premium) with the 10-year audit log retention add-on, so the audit trail outlives the 6-year record retention

```powershell
# Create a regulatory record label (the most restrictive label type).
# Regulatory labels are irreversible: once applied to an item the label cannot
# be removed, the item cannot be deleted or edited, and the retention period
# cannot be shortened, even by a global administrator. Pilot the settings with
# an ordinary record label first.
Connect-IPPSSession

# Regulatory labels are hidden in the Purview portal until this switch is on.
Set-RegulatoryComplianceUI -Enabled $true

# 6 years expressed in days (2190); the clock starts when the item is created.
# Note: a '#' comment after a line-continuation backtick ends the command, so
# keep comments on their own lines in continued commands.
New-ComplianceTag `
    -Name "SEC 17a-4 - Broker-Dealer Records - 6 Years" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2190 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true `
    -Regulatory $true `
    -Notes "SEC Rule 17a-4(f): 6-year retention for broker-dealer records. Regulatory record - immutable."
```
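A label that exists but is not published does nothing, and a label users must remember to apply is not "automatic preservation". The following is an added example, not code from the original guide: it checks that the label really carries the record and regulatory flags, publishes it to the record sites, and auto-applies it to everything stored there. The site URLs and policy names are placeholders; the auto-apply step is irreversible once it runs, so pilot it on one site.

```powershell
# Publish and auto-apply the regulatory label created above, then verify it.
# Assumes a Security & Compliance PowerShell session (Connect-IPPSSession).
$labelName   = "SEC 17a-4 - Broker-Dealer Records - 6 Years"
$recordSites = "https://<tenant>.sharepoint.com/sites/RegulatoryFilings",
               "https://<tenant>.sharepoint.com/sites/SettlementRecords"   # placeholders

# 1. Refuse to publish anything that is not actually a regulatory record label.
$label = Get-ComplianceTag -Identity $labelName
if (-not ($label.IsRecordLabel -and $label.Regulatory)) {
    throw "'$labelName' is not a regulatory record label (IsRecordLabel=$($label.IsRecordLabel), Regulatory=$($label.Regulatory))."
}

# 2. Publish the label so it is available on the record sites only (not tenant-wide,
#    where a mis-click would permanently lock an unrelated document).
New-RetentionCompliancePolicy -Name "SEC 17a-4 Records - Publish" `
    -SharePointLocation $recordSites -Enabled $true
New-RetentionComplianceRule -Name "SEC 17a-4 Records - Publish Rule" `
    -Policy "SEC 17a-4 Records - Publish" -PublishComplianceTag $labelName

# 3. Auto-apply it to all content in those sites, so preservation does not depend
#    on a user choosing the label. "*" matches every item.
New-RetentionCompliancePolicy -Name "SEC 17a-4 Records - AutoApply" `
    -SharePointLocation $recordSites -Enabled $true
New-RetentionComplianceRule -Name "SEC 17a-4 Records - AutoApply Rule" `
    -Policy "SEC 17a-4 Records - AutoApply" -ApplyComplianceTag $labelName -ContentMatchQuery "*"

# 4. Distribution to SharePoint is asynchronous (up to 7 days). Record the status
#    as evidence; "Pending" means the control is not yet in force.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object Name -like "SEC 17a-4 Records*" |
    Select-Object Name, Enabled, DistributionStatus, SharePointLocation
```

Keep the publish and auto-apply policies separate: the publish policy is what lets records managers apply the label by hand to items that land outside the auto-apply scope, and the auto-apply policy is the one examiners will ask you to demonstrate.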

WORM-Compliant Archive with Azure Immutable Storage

For a belt-and-suspenders approach, archive copies of closed SharePoint records to Azure Blob Storage under a locked immutability policy. The copy job itself (for example a scheduled export of each record library into the container) is outside this guide; what follows is the storage side:

```powershell
# Configure an Azure Blob Storage container with a time-based immutability (WORM)
# policy. Requires the Az.Storage module and an authenticated session (Connect-AzAccount).
$resourceGroup  = "compliance-rg"
$storageAccount = "finservrecords"
$container      = "sec-17a4-archive"

# Storage account: StorageV2 with geo-redundant replication.
New-AzStorageAccount -ResourceGroupName $resourceGroup `
    -Name $storageAccount `
    -Location "East US" `
    -SkuName Standard_GRS `
    -Kind StorageV2

# Create the container through the resource provider (ARM) so the container-level
# immutability policy can be managed on it.
New-AzRmStorageContainer -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageAccount `
    -Name $container

# Container-level time-based retention: 6 years (2190 days) from each blob's creation.
# The policy starts in the Unlocked state so it can still be adjusted during testing.
$policy = Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageAccount `
    -ContainerName $container `
    -ImmutabilityPeriod 2190

# Lock the policy once testing is complete. This is irreversible: a locked policy
# cannot be deleted and its period can only be extended, never shortened. Only a
# locked policy counts as WORM for SEC 17a-4(f); an unlocked one is a test setting.
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageAccount `
    -ContainerName $container `
    -Etag $policy.Etag -Force
```
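"Configured" and "enforced" are different audit findings, so prove the policy bites before any record depends on it. This is an added self-test, not part of the original guide; it reuses the variable names from the block above and assumes the same authenticated Az session. The test blob it writes is itself immutable for the full period, so keep it small and name it clearly.

```powershell
# WORM self-test: confirm the policy is locked, then show that delete and
# overwrite of a blob in the container are rejected by the storage service.
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Context

# 1. State must be Locked. Unlocked means an operator can still remove the policy.
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageAccount -ContainerName $container
if ($policy.State -ne "Locked") {
    throw "Immutability policy on '$container' is '$($policy.State)', not Locked: not WORM."
}

# 2. Write a small test record (this blob will stay for the whole retention period).
$tmp = New-TemporaryFile
"worm self-test written $(Get-Date -Format o)" | Set-Content $tmp
$blobName = "worm-selftest-$(Get-Date -Format yyyyMMddHHmmss).txt"
Set-AzStorageBlobContent -File $tmp -Container $container -Blob $blobName -Context $ctx | Out-Null

# 3. Both operations must fail with a 409 Conflict while the period is in force.
$attempts = [ordered]@{
    Delete    = { Remove-AzStorageBlob -Container $container -Blob $blobName -Context $ctx -Force -ErrorAction Stop }
    Overwrite = { Set-AzStorageBlobContent -File $tmp -Container $container -Blob $blobName -Context $ctx -Force -ErrorAction Stop }
}
$results = [ordered]@{}
foreach ($op in $attempts.GetEnumerator()) {
    try   { & $op.Value | Out-Null; $results[$op.Key] = "ALLOWED" }
    catch { $results[$op.Key] = "blocked: " + $_.Exception.Message.Split("`n")[0] }
}
$results
if ($results.Values -contains "ALLOWED") {
    throw "WORM self-test failed: a delete or overwrite succeeded on '$container'."
}
```

Run the self-test after locking and again after any storage account change (for example a SKU migration or a new RBAC assignment), and file the output with the policy's Etag and lock timestamp as the 17a-4(f) evidence for that container.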

FINRA Rule 4370: Business Continuity Records

FINRA Rule 4370 requires member firms to maintain a Business Continuity Plan (BCP) and preserve records needed to resume operations during a disruption.

SharePoint BCP Requirements

  • BCP documents must be available from outside the primary office; hosting them in SharePoint Online satisfies the off-site accessibility requirement, but the BCP must say so and name the alternate access path (for example, offline OneDrive copies held by the BCP coordinators) in case the firm's own identity or network is what is down
  • Emergency contact information: FINRA 4370(f) requires the firm to designate emergency contact persons and keep that information current with FINRA; keep the internal contact directory current as well
  • Critical customer records and prompt customer access to funds and securities: the rule sets no fixed recovery time, so the recovery time objective the firm writes into its own BCP is the standard an examiner will test against

SharePoint Online (being cloud-based and geographically redundant) satisfies the accessibility requirements, but firms must document this in their BCP.

```
FINRA 4370 SharePoint Evidence Package (prepare for examination):
├── Business Continuity Plan document (SharePoint Communication Site)
├── Emergency contact directory (SharePoint list, accessible from any device)
├── Critical records inventory (SharePoint library - confirms records are in cloud)
├── Recovery procedures (SharePoint page with step-by-step access instructions)
└── Annual BCP review documentation (version history = audit trail)
```

SOC 2 Type II Controls for SharePoint

SOC 2 audits assess the AICPA Trust Services Criteria (TSC). For SharePoint in scope, the most relevant criteria are:

CC6: Logical Access Controls

CC6.1 — The entity implements logical access security software, infrastructure, and architectures over protected information:

  • Evidence: SharePoint conditional access policies, MFA enforcement, Defender for Cloud Apps policies
  • Configuration: `Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess`

CC6.2 — Prior to issuing system credentials and allowing access:

  • Evidence: SharePoint access request workflow (formal request → manager approval → IT provisioning)
  • Configuration: Power Automate access request workflow with approval chain

CC6.3 — The entity authorizes, modifies, or removes access based on roles:

  • Evidence: Microsoft Entra ID (formerly Azure AD) group-based access reviews (Identity Governance), quarterly access review reports
  • Configuration: Entra ID access reviews on the security groups that grant access to SharePoint sites

```powershell
# Create a quarterly access review of the security group that grants access to the
# Finance SharePoint site. Requires the Microsoft.Graph PowerShell SDK and a
# Microsoft Entra ID P2 / ID Governance license for the users being reviewed.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$financeGroupId    = "<object id of the Finance site security group>"
$financeDirectorId = "<object id of the reviewer>"

$definition = @{
    displayName          = "Quarterly SharePoint Access Review - Finance Site"
    descriptionForAdmins = "Review access to Finance SharePoint site"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        # transitiveMembers also surfaces people who get access through nested groups.
        query         = "/groups/$financeGroupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    reviewers = @(
        @{
            "@odata.type" = "#microsoft.graph.accessReviewReviewerScope"
            query         = "/users/$financeDirectorId"
            queryType     = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        autoApplyDecisionsEnabled       = $true
        # A reviewer who does not respond is not a decision to keep access:
        # unreviewed members are removed when the instance closes.
        defaultDecision                 = "Deny"
        instanceDurationInDays          = 14
        recurrence = @{
            # Quarterly, on the 1st of the month, with no end date (an ongoing control).
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
    }
}

New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
```

CC6.6 — The entity implements logical access security measures to protect against threats:

  • Evidence: Microsoft Defender for Cloud Apps session policies for SharePoint, DLP policies
  • Configuration: Defender for Cloud Apps conditional access app control for SharePoint
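Auditors sample configuration "as of" a date, and a screenshot is weak evidence for CC6.1 and CC6.6. The following added example (not from the original guide) collects the tenant-level SharePoint and Conditional Access settings those criteria depend on into one timestamped, hashed JSON file, and warns on the settings that would fail the control. It assumes the SharePoint Online Management Shell and Microsoft.Graph modules; the admin URL is a placeholder.

```powershell
# Collect SOC 2 CC6 evidence for SharePoint into a single artifact.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Connect-MgGraph -Scopes "Policy.Read.All"

$tenant = Get-SPOTenant

# Summarize enabled Conditional Access policies by the controls CC6.1/CC6.6 care about.
$caPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq "enabled" } |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName                 = $_.DisplayName
            RequiresMfa                 = "mfa" -in $_.GrantControls.BuiltInControls
            RequiresCompliantDevice     = "compliantDevice" -in $_.GrantControls.BuiltInControls
            UsesAppEnforcedRestrictions = $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled -eq $true
        }
    }

$evidence = [ordered]@{
    CollectedAtUtc = (Get-Date).ToUniversalTime().ToString("o")
    CollectedBy    = (Get-MgContext).Account
    Control        = "SOC 2 CC6.1 / CC6.6 - SharePoint Online"
    SharePoint     = [ordered]@{
        ConditionalAccessPolicy           = $tenant.ConditionalAccessPolicy   # expect AllowLimitedAccess or BlockAccess
        SharingCapability                 = $tenant.SharingCapability
        DefaultSharingLinkType            = $tenant.DefaultSharingLinkType
        RequireAnonymousLinksExpireInDays = $tenant.RequireAnonymousLinksExpireInDays
        LegacyAuthProtocolsEnabled        = $tenant.LegacyAuthProtocolsEnabled   # expect False
    }
    ConditionalAccess = @($caPolicies)
}

# Fail loudly on the settings the control depends on, before the auditor finds them.
if ($tenant.ConditionalAccessPolicy -eq "AllowFullAccess") { Write-Warning "Unmanaged devices get full SharePoint access." }
if ($tenant.LegacyAuthProtocolsEnabled)                   { Write-Warning "Legacy authentication (bypasses MFA) is still allowed for SharePoint." }
if (-not ($caPolicies | Where-Object RequiresMfa))        { Write-Warning "No enabled Conditional Access policy requires MFA." }

# Write the artifact and record its hash alongside it in the evidence library.
$file = "SOC2-CC6-SharePoint-$(Get-Date -Format yyyyMMdd).json"
$evidence | ConvertTo-Json -Depth 5 | Set-Content $file
Get-FileHash $file -Algorithm SHA256
```

Schedule this at the start of every quarter and store the JSON plus its hash in the Audit Documentation site; the collection runs under a read-only scope, so it can be delegated to the compliance team without granting them tenant administration.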

CC7: System Monitoring

CC7.2 — The entity monitors system components:

  • Evidence: Alert policies active for SharePoint security events, monthly alert review documentation
  • Configuration: See Audit Log guide for alert policy setup

```powershell
# SOC 2 CC7.2 alert policies for SharePoint. Custom activity alerts with thresholds
# require Microsoft 365 E5 or the equivalent compliance add-on. Run in a
# Security & Compliance PowerShell session (Connect-IPPSSession).
$securityTeam   = "<security distribution list address>"
$complianceTeam = "<compliance distribution list address>"

# Privileged access: someone was made a site collection administrator.
New-ProtectionAlert `
    -Name "SharePoint Admin Role Assigned" `
    -Category AccessGovernance `
    -Severity High `
    -ThreatType Activity `
    -Operation SiteCollectionAdminAdded `
    -AggregationType None `
    -NotifyUser $securityTeam, $complianceTeam

# Bulk download: more than 50 files downloaded by one user within 60 minutes
# (possible exfiltration). Baseline real download volumes before enabling this,
# or the alert drowns in noise from normal document-heavy roles.
New-ProtectionAlert `
    -Name "SharePoint Bulk Download - Potential Exfiltration" `
    -Category ThreatManagement `
    -Severity High `
    -ThreatType Activity `
    -Operation FileDownloaded `
    -AggregationType SimpleAggregation `
    -Threshold 50 `
    -TimeWindow 60 `
    -AlertBy User `
    -NotifyUser $securityTeam
```
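The 50-files-per-hour threshold is a guess until it has been run against the firm's own audit data. The following is an added example, not part of the original guide: a function that reproduces the per-user sliding-window count the alert performs, run here over constructed sample records, with the one-liner that feeds it real records from the unified audit log. Use it to baseline the threshold before enabling the alert, and to replay a window during an investigation when the alert fires.

```powershell
# Reproduce the bulk-download alert logic offline: per user, the peak number of
# FileDownloaded events inside any window of $WindowMinutes.
function Find-BulkDownloads {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects with UserId, Operation, CreationTime, ObjectId
        [int] $Threshold     = 50,
        [int] $WindowMinutes = 60
    )
    $Records |
        Where-Object { $_.Operation -eq "FileDownloaded" } |
        Group-Object UserId |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
            # Sliding window anchored at each event: count events in [t, t + window].
            $peak = 0
            for ($i = 0; $i -lt $times.Count; $i++) {
                $end   = $times[$i].AddMinutes($WindowMinutes)
                $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
                if ($count -gt $peak) { $peak = $count }
            }
            [pscustomobject]@{
                UserId       = $_.Name
                Downloads    = $times.Count
                PeakInWindow = $peak
                Triggered    = $peak -ge $Threshold
            }
        }
}

# Constructed sample (not real audit data): one user pulls 60 files in 20 minutes,
# another downloads 30 files spread over a day, which is normal activity.
$t0 = [datetime]"2026-02-20T09:00:00Z"
$sample = @()
1..60 | ForEach-Object {
    $sample += [pscustomobject]@{ UserId = "analyst@contoso.example"; Operation = "FileDownloaded"
        CreationTime = $t0.AddSeconds(20 * $_); ObjectId = "https://contoso.sharepoint.com/sites/ClientRecords/doc$($_).pdf" }
}
1..30 | ForEach-Object {
    $sample += [pscustomobject]@{ UserId = "advisor@contoso.example"; Operation = "FileDownloaded"
        CreationTime = $t0.AddMinutes(30 * $_); ObjectId = "https://contoso.sharepoint.com/sites/ClientRecords/doc$($_).pdf" }
}

Find-BulkDownloads -Records $sample -Threshold 50 -WindowMinutes 60 | Format-Table -AutoSize
# analyst: PeakInWindow 60, Triggered True. advisor: PeakInWindow 3 (30-minute spacing), Triggered False.

# Production input: the last 7 days of download events from the unified audit log.
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations FileDownloaded -ResultSize 5000 | ForEach-Object { $_.AuditData | ConvertFrom-Json }
# Find-BulkDownloads -Records $records | Sort-Object PeakInWindow -Descending | Select-Object -First 20
```

Sort the production output by PeakInWindow: the top of that list is either the threshold you should set (just above the noisiest legitimate role) or an incident you already have.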

GLBA Safeguards Rule for SharePoint

The Gramm-Leach-Bliley Act Safeguards Rule (16 CFR Part 314, as amended by the FTC in 2021) requires financial institutions under FTC jurisdiction to implement a written information security program protecting "customer information." Banks, credit unions, and broker-dealers follow the equivalent rules of their own regulators, but the SharePoint controls below apply either way.

For SharePoint, customer information (NPI — Non-Public Personal Information) includes:

  • Customer names + financial account data
  • SSNs + financial information
  • Any personally identifiable information combined with financial information

SharePoint GLBA Configuration Checklist

  • [ ] NPI-containing SharePoint sites identified and inventoried
  • [ ] Sensitivity label "GLBA - Customer NPI" applied to NPI libraries
  • [ ] DLP policy: detect SSN + financial account combinations, block external sharing
  • [ ] Access restricted to employees with business need (minimum necessary)
  • [ ] External sharing disabled for all NPI sites
  • [ ] Audit logging on NPI site access retained for at least 6 years (Audit (Premium) keeps 1 year by default; the 10-year retention add-on plus an audit log retention policy for SharePoint record types is what gets past that)
  • [ ] Conditional Access: NPI sites require managed device + MFA
  • [ ] Annual risk assessment documents NPI in SharePoint
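Checklists decay: a site owner re-enables sharing to send a client a file and nobody notices until the next risk assessment. The following is an added example, not part of the original guide: a drift check that finds every site carrying the "GLBA - Customer NPI" sensitivity label and compares it with the checklist, reporting by default and fixing with a switch. It assumes the label already exists and that its GUID (shown in the Purview portal or by Get-Label) is pasted in; the admin URL is a placeholder.

```powershell
# Audit NPI-labelled sites against the GLBA checklist; -Remediate applies the fix.
param([switch] $Remediate)

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
$npiLabelId = "<GUID of the 'GLBA - Customer NPI' sensitivity label>"

# Get-SPOSite -Limit All returns a trimmed property set; -Detailed is needed for
# SensitivityLabel and ConditionalAccessPolicy to be populated.
$npiSites = Get-SPOSite -Limit All |
    ForEach-Object { Get-SPOSite -Identity $_.Url -Detailed } |
    Where-Object { $_.SensitivityLabel -eq $npiLabelId }

$report = foreach ($site in $npiSites) {
    $findings = @()

    # Checklist: external sharing disabled on every NPI site.
    if ($site.SharingCapability -ne "Disabled") {
        $findings += "SharingCapability=$($site.SharingCapability)"
    }
    # Checklist: unmanaged devices must not get full access. Conditional Access in
    # Entra enforces MFA; this site-level setting enforces the device condition.
    if ($site.ConditionalAccessPolicy -notin "AllowLimitedAccess", "BlockAccess") {
        $findings += "ConditionalAccessPolicy=$($site.ConditionalAccessPolicy)"
    }

    if ($findings -and $Remediate) {
        Set-SPOSite -Identity $site.Url -SharingCapability Disabled
        Set-SPOSite -Identity $site.Url -ConditionalAccessPolicy AllowLimitedAccess
        $status = "remediated"
    } elseif ($findings) {
        $status = "DRIFT"
    } else {
        $status = "ok"
    }

    [pscustomobject]@{ Url = $site.Url; Status = $status; Findings = ($findings -join "; ") }
}

$report | Sort-Object Status | Format-Table -AutoSize
```

Run it without -Remediate on a schedule and treat any DRIFT row as a security event to be explained, not just reverted: the audit log will show who changed the sharing setting and whether anything was shared externally in between.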

GLBA Customer NPI DLP Policy

```powershell
# GLBA NPI detection DLP policy for SharePoint and OneDrive.
# Start in test mode and switch to Enable after reviewing the alerts for false
# positives; a mis-tuned block rule stops legitimate client work.
Connect-IPPSSession

New-DlpCompliancePolicy `
    -Name "GLBA Customer NPI Protection" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Match any one of the NPI element types, but only when the item is shared with
# someone outside the organization (AccessScope), and block that external access.
# BlockAccessScope PerUser blocks external users only; All would also lock out
# internal staff except the owner, last modifier, and site admin.
New-DlpComplianceRule `
    -Policy "GLBA Customer NPI Protection" `
    -Name "Block External Sharing of NPI" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" },
        @{ Name = "U.S. Bank Account Number";          minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -GenerateAlert $true `
    -NotifyUser Owner `
    -NotifyEmailCustomText "GLBA NPI Detected: External sharing blocked per GLBA Safeguards Rule policy."

# Once the test-mode alerts look right:
# Set-DlpCompliancePolicy -Identity "GLBA Customer NPI Protection" -Mode Enable
```

Financial Firm SharePoint Site Architecture

```
Financial Services SharePoint Environment
├── Corporate Hub
│   ├── Executive Communications (Comms Site)
│   ├── Corporate Policies (Team Site - restricted)
│   └── Board Materials (Team Site - executive only)
├── Compliance Hub
│   ├── Regulatory Filings (Team Site - SEC/FINRA records)
│   ├── Audit Documentation (Team Site - audit team only)
│   ├── Incident Reports (Team Site - compliance + legal)
│   └── AML/KYC Documentation (Team Site - compliance only)
├── Operations Hub
│   ├── Trade Operations (Team Site)
│   ├── Settlement Records (Team Site - WORM)
│   └── Client Account Records (Team Site - NPI protected)
├── HR Hub
│   ├── Employee Records (Team Site - HR only)
│   └── Benefits Administration (Team Site - HR only)
└── Client Portals Hub (external sharing enabled per site)
    └── [Client Name] Portal (Communication Site - client external access)
```
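A hub association does not cascade sharing settings to its child sites, so the "external sharing enabled per site" posture in the tree above has to be set on every site explicitly. The following is an added example, not code from the original guide: it provisions the hub structure as code, with each hub's sharing and device posture applied at creation. Site URLs, the owner, and storage quotas are placeholders; a site's sharing level can never exceed the tenant-level SharingCapability.

```powershell
# Provision the financial services hub layout with per-hub sharing posture.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
$base  = "https://<tenant>.sharepoint.com/sites"
$owner = "<SharePoint admin UPN>"

# Hub name -> sharing posture and child sites. Client portal sites are created per
# engagement, so that hub starts empty.
$layout = [ordered]@{
    Corporate     = @{ Sharing = "Disabled"; Sites = "ExecutiveCommunications", "CorporatePolicies", "BoardMaterials" }
    Compliance    = @{ Sharing = "Disabled"; Sites = "RegulatoryFilings", "AuditDocumentation", "IncidentReports", "AML-KYC" }
    Operations    = @{ Sharing = "Disabled"; Sites = "TradeOperations", "SettlementRecords", "ClientAccountRecords" }
    HR            = @{ Sharing = "Disabled"; Sites = "EmployeeRecords", "BenefitsAdministration" }
    ClientPortals = @{ Sharing = "ExternalUserSharingOnly"; Sites = @() }
}

foreach ($hub in $layout.GetEnumerator()) {
    # Hub site: a communication site registered as a hub. Set-SPOSite on the hub
    # itself still matters; hub registration changes navigation, not security.
    $hubUrl = "$base/$($hub.Key)Hub"
    New-SPOSite -Url $hubUrl -Owner $owner -StorageQuota 1024 -Title "$($hub.Key) Hub" -Template "SITEPAGEPUBLISHING#0"
    Set-SPOSite -Identity $hubUrl -SharingCapability $hub.Value.Sharing
    Register-SPOHubSite -Site $hubUrl -Principals $null

    foreach ($name in $hub.Value.Sites) {
        # STS#3 = modern team site without a Microsoft 365 group, so membership is
        # governed by the SharePoint groups and Entra security groups you assign.
        $url = "$base/$name"
        New-SPOSite -Url $url -Owner $owner -StorageQuota 5120 -Title $name -Template "STS#3"
        Set-SPOSite -Identity $url -SharingCapability $hub.Value.Sharing
        Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowLimitedAccess
        Add-SPOHubSiteAssociation -Site $url -HubSite $hubUrl
    }
}
```

Pair this with the GLBA drift check and the regulatory label publishing policy: provisioning sets the initial posture, the drift check keeps it, and the label policies are what turn "Settlement Records (WORM)" from a label in a diagram into an enforced control.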

Examination Readiness

Financial regulators (SEC, FINRA, OCC, CFPB) expect firms to produce records quickly during examination. Prepare:

  • Records inventory: Maintain a catalog of all SharePoint sites with regulatory records, organized by rule/requirement
  • Search capability: Verify compliance team can run Purview Content Search across all SharePoint locations within 2 hours
  • Export procedure: Document step-by-step export process (format, timeframe, who executes)
  • Legal hold procedure: Test that Legal Hold can be applied to a SharePoint site within 4 hours of request
  • Mock examination drill: Conduct annual drill where compliance team simulates a FINRA examination request
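The hold and search targets above are only meaningful if they have been measured. The following is an added example, not part of the original guide: it scripts the legal hold and content search drill so the elapsed times become the evidence. It assumes a Security & Compliance PowerShell session with eDiscovery (Standard) permissions; the site URL, case name, and query are placeholders. Use a drill case, never a real one.

```powershell
# Examination readiness drill: place a hold on a site, run a search, time both.
Connect-IPPSSession
$siteUrl  = "https://<tenant>.sharepoint.com/sites/RegulatoryFilings"   # placeholder
$caseName = "Drill-$(Get-Date -Format yyyyMMdd)"
$sw = [System.Diagnostics.Stopwatch]::StartNew()

# 1. Legal hold: eDiscovery (Standard) case, hold policy on the site, rule with no
#    query so everything on the site is preserved.
$case = New-ComplianceCase -Name $caseName -Description "Mock FINRA examination drill"
$hold = New-CaseHoldPolicy -Name "$caseName-Hold" -Case $case.Identity `
    -SharePointLocation $siteUrl -Enabled $true
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy $hold.Identity | Out-Null

# A hold is not in force until distribution reports Success; poll for it.
do {
    Start-Sleep -Seconds 30
    $hold = Get-CaseHoldPolicy -Identity $hold.Identity -DistributionDetail
} while ($hold.DistributionStatus -ne "Success")
$holdMinutes = [math]::Round($sw.Elapsed.TotalMinutes, 1)

# 2. Content search scoped to the same site with a KQL query an examiner might ask for.
$search = New-ComplianceSearch -Name "$caseName-Search" -Case $case.Identity `
    -SharePointLocation $siteUrl -ContentMatchQuery 'FINRA AND filetype:pdf'
Start-ComplianceSearch -Identity $search.Identity
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $search.Identity
} while ($search.Status -notin "Completed", "PartiallySucceeded", "Failed")

# 3. Drill record: compare against the targets in the list above.
[pscustomobject]@{
    Case                  = $caseName
    HoldAppliedMinutes    = $holdMinutes                                   # target: under 240
    SearchCompleteMinutes = [math]::Round($sw.Elapsed.TotalMinutes, 1)     # target: under 120
    SearchStatus          = $search.Status
    Items                 = $search.Items
    SizeMB                = [math]::Round($search.Size / 1MB, 1)
}

# Afterwards, release the drill hold (Remove-CaseHoldPolicy) and close the case;
# do not leave drill holds in place, they block deletion of real records.
```

Keep the output object from each annual drill in the Audit Documentation site: a year-over-year trend of HoldAppliedMinutes is stronger evidence than a single run, and a regression shows up before an examiner is waiting on the other end.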

Conclusion

SharePoint Online for financial services is viable for even the most regulated broker-dealers and investment advisors when configured with Microsoft Purview Regulatory Records, WORM-compliant archival, SOC 2 controls, and GLBA NPI protection. The key is configuring these controls proactively, before a regulatory examination or audit finds gaps.

EPC Group has deployed SOC 2 and SEC/FINRA compliant SharePoint environments for broker-dealers, investment advisors, private equity firms, and regional banks. Contact us for a financial services compliance assessment.


Written by Errin O'Connor

Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem

Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.