Compliance

SharePoint for Financial Services: GLBA, SOX & Recordkeeping

Deploying SharePoint Online in banks, broker-dealers, asset managers, and insurers. GLBA Safeguards, SOX ITGC, SEC 17a-4 recordkeeping, FINRA supervision, and NYDFS 500 SharePoint posture.

SharePoint Support TeamApril 21, 202617 min read
SharePoint for Financial Services: GLBA, SOX & Recordkeeping - Compliance guide by SharePoint Support
SharePoint for Financial Services: GLBA, SOX & Recordkeeping - Expert Compliance guidance from SharePoint Support

SharePoint Compliance in Financial Services: The Dense Stack

A single SharePoint Online deployment in a bank, broker-dealer, asset manager, or insurer is simultaneously in scope for SOC 2 Type II, SOX Section 404 ITGC, GLBA Safeguards, FINRA supervision, SEC 17a-4 retention, NYDFS 500 cybersecurity, OCC third-party risk, FFIEC Information Security Booklet controls, and a growing catalog of state privacy laws.

SharePoint architecture diagram showing hub sites, team sites, and content structure
Enterprise SharePoint architecture with hub sites and connected team sites

This brief is the financial-services companion to our SharePoint compliance pillar. It focuses on the recordkeeping, supervision, and examiner-ready evidence patterns that apply specifically to SharePoint content in regulated financial firms.

Scoping SharePoint Against the Regulatory Stack

Begin by scoping each SharePoint workload against the frameworks that apply:

  • SOX Section 404 / ITGC — Sites producing data used in financial statements, reconciliations, or ITGC narrative
  • SEC 17a-4 — Sites holding books and records requiring WORM retention
  • FINRA supervision — Sites holding supervised communications or research
  • GLBA Safeguards — Sites containing nonpublic personal financial information (NPI)
  • NYDFS 500 — Sites within the firm's cybersecurity program scope
  • CCPA/CDPA/state privacy — Sites containing personal information of state residents

Document scope in a SharePoint Compliance Scoping Register and update quarterly. Scope changes (new sites, new data types, new integrations) are formal change-management events.

SEC 17a-4 and WORM Retention in SharePoint

SEC 17a-4 requires Write-Once-Read-Many (WORM) retention of qualifying books and records. SharePoint Online by itself is not a WORM archive, but SharePoint plus Microsoft Purview Records Management plus Preservation Lock can satisfy the rule when configured correctly:

  • Declare records via Purview retention labels designated as record or regulatory record labels
  • Apply Preservation Lock to retention policies to prevent deletion or modification of the labeled content during the retention period
  • Document the configuration in the firm's recordkeeping policy
  • Validate the approach with external counsel and SEC examiner expectations

For high-volume or specialty record types (voice, IM), most firms supplement with dedicated archive products (Smarsh, Global Relay) that are purpose-built for 17a-4.

SOX ITGC for SharePoint

Not every SharePoint site is SOX-scoped. The scoping decision drives the control set:

  • SOX-scoped sites — Protected access via security groups, change management for site settings, sensitivity labels restricting external sharing, documented change history for any Power Automate workflows, quarterly access reviews
  • Non-scoped sites — Standard control set from the compliance pillar

Document the SOX scope register and update annually. External auditors will ask, at a minimum, for the scope register, site-level permission exports, and change history for in-scope workflows.

GLBA Safeguards and NPI Protection

The revised FTC Safeguards Rule (16 CFR 314) requires specific practices for customer information. In SharePoint, the high-impact controls include:

  • Named Qualified Individual accountable for the Safeguards program, with SharePoint explicitly in scope
  • Written risk assessment updated at least annually
  • Access controls — Entra ID groups, Conditional Access, site-level permissions, quarterly reviews
  • Encryption at rest (AES-256) and in transit (TLS 1.2+); Customer Key where required
  • Continuous monitoring or annual penetration testing covering SharePoint
  • MFA for SharePoint access
  • Secure disposal — Purview retention policies and offboarding workflow for departing users
  • Change management for SharePoint tenant settings and site lifecycle
  • Incident response — 30-day notification trigger for breaches affecting 500+ consumers

Map the practices across SOC 2, NYDFS, and GLBA to avoid duplicated effort — most controls overlap.

NYDFS 500 and SharePoint

The 2023 NYDFS 500 amendment introduced stricter requirements:

  • 500.11 Third-party risk — Microsoft covered in the firm's third-party risk assessment
  • 500.16 Incident response — SharePoint incidents included in the runbook, with 72-hour notification
  • 500.17 MFA — Required for SharePoint access via Conditional Access
  • 500.2 Governance — CISO or equivalent includes SharePoint in annual cybersecurity risk assessment
  • 500.9 Penetration testing — Annual testing scopes SharePoint appropriately

Document SharePoint posture in the annual NYDFS filing and in board-level cybersecurity reporting.

Reference Architecture: Mid-Size Bank

A typical mid-size bank SharePoint deployment uses five layers:

  • Identity and access — Entra ID, Conditional Access enforcing MFA and device compliance, SharePoint access via governed security groups
  • Content classification — Purview sensitivity labels with Confidential-NPI parent label and sub-labels for SSN, account number, wealth management files
  • Permissions and sharing — Site-level sensitivity labels drive external sharing restrictions, link expiration 30–90 days, quarterly access reviews
  • Supervision and retention — Communications in scope for FINRA/17a-4 flow through surveillance tools with WORM retention; underlying SharePoint records labeled and Preservation-Locked as applicable
  • Monitoring — Purview unified audit to Sentinel with analytic rules detecting mass download, external sharing anomalies, and unusual access patterns

Examiner-Ready Evidence Package

Bank and broker-dealer examinations touching SharePoint should produce evidence quickly. Pre-build a package that includes:

  • Microsoft SOC 2 Type II and SOC 1 reports from the Service Trust Portal
  • Tenant SharePoint configuration snapshot
  • Site inventory with sensitivity labels, SOX scope, and ownership
  • Permission exports for scoped sites
  • Purview sensitivity label and DLP policies
  • Preservation Lock policies and status for recordkeeping sites
  • Purview unified audit samples for the audit period
  • Conditional Access policies for SharePoint
  • Acceptable-use and records-retention policies
  • Change management log for tenant-level settings
  • Annual penetration testing report scoping SharePoint

Store the package template in a compliance SharePoint site with Preservation Lock and rehearse quarterly with internal audit.

Insider Trading and SharePoint Content Controls

Insider trading compliance at regulated financial firms extends into SharePoint whenever the platform holds material non-public information (MNPI). Controls include:

  • MNPI-labeled sites restricted to named deal teams under a wall-crossed permission model
  • Watch-list and restricted-list data integrated with DLP to prevent MNPI-related searches escaping the controlled workspace
  • Quarterly attestation by deal team members confirming MNPI discipline
  • Documented wall-crossing workflow through compliance before adding a new member to a restricted site
  • Content retention following the firm's MNPI policy (often 5+ years post-deal)

SharePoint sites containing MNPI should be provisioned from a template that applies the correct sensitivity label, DLP scope, and retention default. Never rely on manual site configuration for insider-trading-sensitive workspaces.

Supervisory Controls for FINRA-Regulated SharePoint

FINRA supervision obligations extend into SharePoint whenever the platform holds supervised communications or research. Concrete controls:

  • Channel supervision — Teams channels and SharePoint sites used for trading, research, or client communications must be identified and added to the surveillance scope. Integrate with Smarsh, Global Relay, or Theta Lake so all content is captured.
  • Book-of-record designation — Identify which SharePoint content is the official book of record versus a working copy. The book of record has stricter retention, and derivatives must not supersede it.
  • Research supervision — Publicly distributed research must be reviewed by a supervisory analyst under FINRA 2241. SharePoint sites hosting draft research should have role-based workflow ensuring supervisory approval before external publication.
  • Personal account trading — Employee personal trading compliance monitoring requires retention of communications that touch personal trading activities. SharePoint content referencing employee trading must be retained and supervised.

Document these controls in the firm's Written Supervisory Procedures (WSPs) and update whenever SharePoint scope changes.

Model Risk Management and SharePoint

Banks subject to SR 11-7 (Federal Reserve guidance on model risk management) extend model governance expectations into SharePoint when the platform hosts model documentation, validation workpapers, or supporting evidence. Apply controls:

  • Dedicated SharePoint sites per model with sensitivity labels classifying model workpapers
  • Role-based access limited to model developers, validators, and governance
  • Purview Preservation Lock retaining model documentation for the regulatory retention period (typically at least 5 years post-retirement)
  • Audit retention matching the longest model retention requirement
  • Integration with model inventory systems to ensure SharePoint content ties back to the authoritative model registry

Banks increasingly extend model risk management thinking to AI and Copilot deployments themselves — the Copilot deployment becomes a "model" for SR 11-7 purposes, with documentation, validation, monitoring, and governance all applicable.

Customer Due Diligence and NPI Governance

GLBA Safeguards obligations for customer due diligence (CDD) data held in SharePoint require specific attention:

  • CDD files must be labeled Highly Confidential — NPI or a more specific sub-label
  • Access must be role-based and reviewed quarterly
  • Retention must meet FinCEN Know Your Customer (KYC) requirements (typically 5 years post-account closure)
  • Encryption at rest with Customer Key where firm policy requires
  • DLP policies must detect CDD content types in outbound sharing scenarios

The Financial Crimes Enforcement Network (FinCEN) Customer Due Diligence rule and Beneficial Ownership rule both intersect with SharePoint when CDD content is stored or referenced in the platform. Most banks maintain CDD data in a dedicated CDD platform and use SharePoint only for narrative memos, but cross-reference in a single governance policy.

CCAR, DFAST, and SOX Integration

For large banks subject to Comprehensive Capital Analysis and Review (CCAR) or Dodd-Frank Act Stress Testing (DFAST), SharePoint frequently hosts the narrative workpapers supporting stress-test submissions. Apply SOX-scoped controls to these sites: protected access, change management, sensitivity labels, audit retention, and certified site lifecycle management.

The Federal Reserve Supervisory Letter on internal controls over financial reporting (SR 13-19) reaches SharePoint when narrative content supports capital adequacy filings. Coordinate with the Controller's office and SOX ITGC team to ensure SharePoint coverage is included in the annual ITGC risk assessment.

Frequently Asked Questions

Does SharePoint Online satisfy SEC 17a-4 recordkeeping?

When combined with Purview Records Management and Preservation Lock, SharePoint can satisfy 17a-4 WORM requirements. Validate with external counsel and examiner expectations.

Which SharePoint sites are in scope for SOX ITGC?

Sites producing, transforming, or distributing data used in financial statements or management representations. Document scope in a register and apply stricter controls to scoped sites.

How does GLBA Safeguards apply to SharePoint?

Named Qualified Individual, risk assessment, encryption, MFA, continuous monitoring, change management, secure disposal, incident response — all applicable. SharePoint inherits platform encryption; customer-configurable controls are the firm's responsibility.

What NYDFS 500 obligations apply to SharePoint?

500.11 third-party risk, 500.16 incident response, 500.17 MFA, 500.2 risk assessment. Cover SharePoint explicitly in the annual filing.

How do I prevent oversharing of NPI in SharePoint?

Site-level sensitivity labels, sharing-policy restrictions, DLP for financial identifiers, link expiration, quarterly access reviews.

What retention applies to SharePoint content for broker-dealers?

17a-4 covered records WORM for 3/5/6 years; FINRA/SEC communication retention per governing rules; Preservation Lock enforces immutability.

Can Copilot for SharePoint be used in a regulated bank?

Yes, after oversharing remediation, 70+ percent label coverage, DLP for financial identifiers, Purview Copilot audit, and signed AI acceptable-use policy. Pilot in lower-risk functions first.

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

Does SharePoint Online satisfy SEC 17a-4 recordkeeping?
SharePoint Online combined with Microsoft Purview Records Management and Preservation Lock can satisfy SEC 17a-4 WORM requirements when configured correctly. Preservation Lock prevents deletion and modification of labeled records for the retention period. Validate the configuration with external counsel and SEC examiner expectations before relying on it for production books and records.
Which SharePoint sites are in scope for SOX ITGC?
Sites that produce, transform, or distribute information feeding financial statements or management representations about internal controls. A board-level financial reporting site is in scope. An operations site is not. Document SOX scope in a formal register and apply stricter controls (site lifecycle management, change tracking, protected access) to scoped sites. Out-of-scope sites use the standard control set.
How does GLBA Safeguards apply to SharePoint?
GLBA Safeguards (16 CFR 314, revised 2023) requires a named Qualified Individual, written risk assessment, encryption in transit and at rest, MFA, continuous monitoring or annual penetration testing, change management, secure disposal, and incident response. SharePoint Online inherits platform encryption and most safeguards, while customer-configurable items (Conditional Access, DLP for NPI, audit retention, access reviews) remain the firm responsibility.
What NYDFS 500 obligations apply to SharePoint?
NYDFS 500.11 (third-party risk), 500.16 (incident response), 500.17 (MFA), and 500.2 (risk assessment) all apply. Cover SharePoint in the annual 500.2 risk assessment, include SharePoint incidents in the 500.16 runbook, and enforce MFA for SharePoint via Conditional Access for all users per 500.17. Document SharePoint coverage in the annual NYDFS filing.
How do I prevent oversharing of NPI in SharePoint?
Apply Purview sensitivity labels (Highly Confidential — NPI) to sites containing customer financial information, configure tenant sharing policies to block "Anyone with the link" on NPI sites, enable DLP policies detecting SSN, account numbers, and routing numbers, and require link expiration at 30–90 days. Schedule quarterly access reviews in Entra ID. For public-facing investment research, separate into dedicated sites without NPI.
What retention applies to SharePoint content for broker-dealers?
Books and records covered by SEC 17a-4 require WORM retention for 3, 5, or 6 years depending on record type. Communications subject to FINRA and SEC retention rules follow their governing timeframes. Purview retention policies with Preservation Lock enforce immutability. Non-record content follows the firm's general retention policy. Apply retention via site-level sensitivity labels so labeling cascades to files.
Can Copilot for SharePoint be used in a regulated bank?
Yes in principle, with additional governance. Enable only after oversharing is remediated, labels are applied at 70+ percent coverage, DLP policies for financial identifiers are active, Purview Copilot audit is retained per firm policy, and AI acceptable-use policy is signed by licensed users. Most banks pilot Copilot for SharePoint in lower-risk functions (marketing, HR) before expanding to finance, trading, and customer-facing roles.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.

Continue Reading in Compliance