Compliance in Microsoft Cloud for Financial Services

You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. To help you meet your own compliance obligations across regulated industries and markets worldwide, Microsoft maintains the largest compliance portfolio in the industry. Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific.

Compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft. For pointers to the Microsoft compliance portfolio, see Microsoft compliance offerings.

Each compliance offering description provides links to downloadable resources to assist you with your own compliance obligations. For current coverage for United States (US) and United Kingdom (UK), see the Financial Services compliance offerings in the following table, where ✅ indicates compliant, and ❌ indicates not compliant:

Standard, regulation or certification Microsoft Dataverse Dynamics 365 AI Customer Insights Dynamics 365 Customer Service Insights Microsoft Graph Microsoft Power Platform Microsoft Teams
23 NYCRR Part 500 (US)
FCA + PRA (UK)
GDPR
GLBA (US)
ISO 22301
ISO 27001
ISO 27017
ISO 27018
SOC 1 Type 2
SOC 2 Type 2

*Microsoft Dynamics 365 Customer service Insights has not achieved the NIST CSF, or NIST SP 800-171

Additional information is available from the Financial Services landing page on the Service Trust Portal.

Microsoft Purview Compliance Manager is a tool you can use to assess compliance across both sides of the shared responsibility model. It can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors. It also enables you to manage your organization’s compliance requirements by giving you a risk-based score measuring your progress toward completing recommended actions that help reduce risks based on regulatory standards and our data protection baseline. It provides workflow capabilities and built-in control mapping to help you efficiently carry out improvement actions. Provided you have the right level of access you can log in to Microsoft Purview Compliance Manager to see your compliance score and start managing compliance for your organization.

Data storage

The solutions in Microsoft Cloud for Financial Services are not multi-geo by design. If data processing laws require that data be preserved in the country, a deployment tenant must be created in the geography to ensure that data stored in the services stay within the region.

Microsoft currently provides the following country deployments:

Country/Region Available languages
Australia English
Brazil Brazilian Portuguese
Canada English, French
France French
Germany German
Hong Kong S.A.R. Traditional Chinese
India English
Ireland English
Italy Italian
Mexico Spanish
Netherlands Dutch
New Zealand English
Singapore English
Switzerland German, Italian, French
United Kingdom English
United States English

You can find information about how and where data is stored in the following articles:

Microsoft Cloud for Financial Services and specific certifications and standards

System and Organization Controls (SOC) 2

The scope of Microsoft’s current SOC 2 certification includes the Microsoft Cloud for Financial Services and its current capabilities that include Unified Customer Profile, Customer Onboarding, and Collaboration Manager. These capabilities deploy Microsoft services from Azure, Dynamics 365, and Microsoft 365 offerings on the public cloud, including:

  • Microsoft Power BI
  • Microsoft Dynamics 365 Customer Service Insights
  • Microsoft Dynamics 365 AI Customer Insights
  • Microsoft Power Automate
  • Microsoft Dataverse
  • Microsoft Power Apps
  • Microsoft Graph

See the following resources for information about SOC and Microsoft's services: System and Organization Controls (SOC) 2 Type 2 - Microsoft Compliance

General Data Protection Regulation (GDPR)

Microsoft is committed to its own compliance with GDPR, as well as providing an array of products, features, documentation, and resources to support our customers in meeting their compliance obligations under the GDPR. Following is a description of Microsoft’s contractual commitments to its customers concerning personal data collected from enterprise software:

Microsoft Cloud for Financial Services complies with all Data Protection Impact Assessments (DPIA) considerations. The DPIA guidance applies to Office 365, Azure, Dynamics 365, and Microsoft Support and Professional Services. Additional details on GDPR impact assessment can be found at Data Protection Impact Assessments: Guidance for data controllers using Dynamics 365, Azure and Office 365.

Note

For software licensed from Microsoft Commercial Licensing programs, refer directly to the Microsoft Products and Services Data Protection Addendum (DPA) at aka.ms/dpa.

Compliance resources