Compliance in Microsoft Cloud for Financial Services
You are wholly responsible for ensuring your own compliance with all applicable laws and regulations. To help you meet your own compliance obligations across regulated industries and markets worldwide, Microsoft maintains the largest compliance portfolio in the industry. Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific.
Compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft. For pointers to the Microsoft compliance portfolio, see Microsoft compliance offerings.
Each compliance offering description provides links to downloadable resources to assist you with your own compliance obligations. For current coverage in the United States (US) and the United Kingdom (UK), see the Financial Services compliance offerings in the following table, where ✅ indicates compliant and ❌ indicates not compliant:
| Standard, regulation or certification | Microsoft Dataverse | Dynamics 365 AI Customer Insights | Dynamics 365 Customer Service Insights | Microsoft Graph | Microsoft Power Platform | Microsoft Teams |
|---|---|---|---|---|---|---|
| 23 NYCRR Part 500 (US) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| FCA + PRA (UK) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| SOC 1 Type 2 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| SOC 2 Type 2 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
*Microsoft Dynamics 365 Customer Service Insights has not achieved NIST CSF or NIST SP 800-171 compliance.
Additional information is available from the Financial Services landing page on the Service Trust Portal.
Microsoft Purview Compliance Manager is a tool you can use to assess compliance across both sides of the shared responsibility model. It can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors. It also helps you manage your organization's compliance requirements by giving you a risk-based score that measures your progress toward completing recommended actions; those actions reduce risk based on regulatory standards and Microsoft's data protection baseline. It provides workflow capabilities and built-in control mapping to help you efficiently carry out improvement actions. Provided you have the right level of access, you can sign in to Microsoft Purview Compliance Manager to see your compliance score and start managing compliance for your organization.
The solutions in Microsoft Cloud for Financial Services are not multi-geo by design. If data processing laws require that data remain in the country, a deployment tenant must be created in that geography to ensure that data stored in the services stays within the region.
Microsoft currently provides the following country deployments:
| Country/region | Languages |
|---|---|
| Hong Kong S.A.R. | Traditional Chinese |
| Switzerland | German, Italian, French |
You can find information about how and where data is stored in the following articles:
- Microsoft 365: Where your Microsoft 365 customer data is stored
- Azure: Data residency in Azure
- Dynamics 365 and Power Platform: International availability of Dynamics 365
Microsoft Cloud for Financial Services and specific certifications and standards
System and Organization Controls (SOC) 2
The scope of Microsoft's current SOC 2 certification includes Microsoft Cloud for Financial Services and its current capabilities, which include Unified Customer Profile, Customer Onboarding, and Collaboration Manager. These capabilities deploy Microsoft services from the Azure, Dynamics 365, and Microsoft 365 offerings on the public cloud, including:
- Microsoft Power BI
- Microsoft Dynamics 365 Customer Service Insights
- Microsoft Dynamics 365 AI Customer Insights
- Microsoft Power Automate
- Microsoft Dataverse
- Microsoft Power Apps
- Microsoft Graph
See the following resource for information about SOC and Microsoft's services: System and Organization Controls (SOC) 2 Type 2 - Microsoft Compliance
General Data Protection Regulation (GDPR)
Microsoft is committed to its own compliance with GDPR, as well as providing an array of products, features, documentation, and resources to support our customers in meeting their compliance obligations under the GDPR. Following is a description of Microsoft’s contractual commitments to its customers concerning personal data collected from enterprise software:
Microsoft Cloud for Financial Services complies with all Data Protection Impact Assessment (DPIA) considerations. The DPIA guidance applies to Office 365, Azure, Dynamics 365, and Microsoft Support and Professional Services. Additional details on GDPR impact assessments are available in Data Protection Impact Assessments: Guidance for data controllers using Dynamics 365, Azure and Office 365.
For software licensed from Microsoft Commercial Licensing programs, refer directly to the Microsoft Products and Services Data Protection Addendum (DPA) at aka.ms/dpa.
- Microsoft Compliance documentation
- Microsoft Purview Compliance Manager
- Microsoft Purview Compliance Portal
- Privacy in the Trust Center
- Azure Privacy
- Dynamics 365 and Power Platform compliance and data privacy
- Microsoft 365 privacy management
- Financial Services in the Service Trust Portal
- Resources for Software Assurance
- Learning path: Reduce risk with Microsoft Purview Compliance Manager