Microsoft business cloud services and financial services

Helping banks and insurers meet their regulatory responsibilities

At Microsoft, we’re committed to earning the trust of our financial services customers. We offer business cloud services based on four foundational principles: security, privacy and control, compliance, and transparency. We engage with regulators in key markets to share information about our services, the related controls, and our approach to enabling customer compliance. We also take input from leading banks and insurers across the globe on an ongoing basis to improve our offerings to help meet regulatory requirements.

Here we’ll summarize our key privacy and security features to show how Microsoft business cloud offerings help firms meet the core "outsourcing" regulatory requirements in their respective markets. While outsourcing guidance for use of IT vendors tends to be based on a common framework that Microsoft adheres to, understanding local requirements is important. Microsoft has deep expertise in supporting financial services customers, placing an emphasis on designing our business cloud services so they meet local requirements. Your Microsoft local representatives can help explain our approach and control frameworks, and aid you with any reviews by regulators in using Microsoft business cloud services.

Microsoft aims to make the required regulatory due diligence process easier for customers by collaborating with them throughout the outsourcing cycle. To that end, we also offer a wide range of information through the Trust Center and the Service Trust Portal, as well as tailored contractual provisions to help firms meet their regulatory obligations. Many of our customers are global entities and, given our size and reach, we can offer assistance across multiple jurisdictions.

The information on this page does not apply to Bing Search Services or Windows.

Industry-leading financial compliance


Financial services firms are accountable to ensure that cloud service providers take appropriate organizational and technical security measures to secure their data and maintain adequate plans for security breaches, disaster recovery, and service continuity.

To help firms comply with national, regional, and global financial industry requirements governing the collection and use of individuals’ data, Microsoft offers:

  • A set of compliance offerings for our business cloud services, each validated by independent auditing firms against the relevant standard.
  • Documentation of how our business cloud services help meet the stringent regulatory obligations of financial institutions in specific markets (see the country-by-country summaries that follow).
  • The Microsoft Financial Services Compliance Program, which was developed specifically to help financial institutions identify, assess, and manage risk. Built on an understanding of the unique and strict regulatory obligations of financial services, it is aligned to global financial regulatory oversight and risk management requirements and offers direct engagement with security and compliance engineering teams.


Payment Card Industry (PCI) Data Security Standards (DSS). Microsoft business cloud services are certified as compliant with PCI DSS version 3.2 at Service Provider Level 1, the level that applies to providers handling the highest volume of transactions (more than 6 million a year). Note that the provider's attestation covers only the provider's own controls: a firm that stores, processes, or transmits cardholder data on these services remains responsible for the controls within its own cardholder data environment and for validating them in its own assessment.


Service Organization Controls (SOC) 1, 2, and 3 Reports. Microsoft business cloud services are audited at least annually against the SOC reporting framework by independent third-party auditors. The resulting reports are available to customers through the Service Trust Portal for use in their own due-diligence reviews.


To help financial institutions in Australia that are assessing cloud providers and their services, Microsoft has published two papers. They document how financial firms can move data and workloads to Azure and Microsoft 365 in ways that can help meet Australian Prudential Regulation Authority (APRA) standards.


The primary financial services regulators in Belgium are the National Bank of Belgium (NBB) and the Financial Services and Markets Authority (FSMA). The NBB is responsible for prudential supervision of financial institutions, while the FSMA supervises financial markets and financial information disseminated by companies.

Microsoft has published a checklist, A compliance checklist for financial institutions in Belgium, to help financial institutions in Belgium conduct thorough risk assessments on how Azure, Dynamics 365, and Microsoft 365 can help them address NBB and FSMA regulations and guidelines before they move to the cloud.


The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada responsible for the prudential regulation and supervision of federally regulated financial institutions and pension plans in Canada.

Microsoft prepared a guide, Navigating your way to the cloud: A compliance checklist for financial institutions in Canada, to explain how Azure, Microsoft 365, and Power BI can help financial institutions in Canada address OSFI requirements, and to serve as a guidepost for customers conducting risk assessments of our business cloud services.


The Financial Supervisory Authority (Finanstilsynet), or FSA, is a government agency whose principal role is preparing regulatory guidelines for financial institutions in Denmark and monitoring their compliance.

Microsoft has published A compliance checklist for financial institutions in Denmark to help these financial organizations address FSA and other Danish requirements when moving to the cloud. Customers can use it to measure Microsoft business cloud services (including Azure, Dynamics 365, and Microsoft 365) against the FSA regulatory framework and conduct their own risk assessments.


The European Banking Authority (EBA) is an independent authority that is responsible for prudential regulation and supervision across the European banking sector. It has issued a “Final Report on Recommendations on Outsourcing to Cloud Services Providers” that outlines a comprehensive approach for outsourcing of cloud computing in the EU.

To help financial institutions in the EU with cloud adoption, Microsoft published guidance that addresses the key points in the EBA recommendations, European Banking Authority Guidance Addresses Cloud Computing for the First Time. It explains how Microsoft business cloud services can help customers meet those requirements.


The French Financial Authority (Autorité des Marchés Financiers, AMF) and the French Prudential Authority (Autorité de Contrôle Prudentiel et de Résolution, ACPR) are the primary regulators in France responsible for supervising financial markets, banks, and other financial organizations.

Microsoft has prepared a guide, Navigating your way to the cloud: a checklist for financial institutions in France, to help financial institutions in France meet the AMF General Regulation and ACPR Guidelines on the risks associated with cloud computing. It provides a detailed overview of the regulatory landscape and can help financial firms adopt Microsoft business cloud services to help them meet those requirements.


The Reserve Bank of India (RBI), Insurance Regulatory and Development Authority of India (IRDAI), and the Ministry of Electronics and Information Technology (MeitY) comprise three of the key financial industry regulators overseeing financial institutions and market infrastructure in India. Their directives include outsourcing and risk management guidelines as well as requirements for compliance with privacy rules governing sensitive data.

In response, Microsoft has developed guidance to help financial institutions in India address these extensive and complex requirements: A compliance checklist for financial institutions in India. In addition to an overview of the broad regulatory landscape, it provides an exhaustive set of questions to help financial firms assess how Microsoft business cloud services can help meet those requirements.


The Center for Financial Industry Information Systems (FISC) was established by the Japanese Ministry of Finance to promote security in banking computer systems in Japan. In collaboration with the Bank of Japan and the Financial Services Agency, the FISC created guidelines for the security of banking information systems.

Microsoft provided evidence of compliance with the FISC datacenter, operational, and technical guidelines, and then engaged outside assessors who validated that Microsoft business cloud services meet the requirements of version 8 of the FISC Security Guidelines in Japan.

Learn more about the Microsoft response to new FISC guidelines in Japan

The primary financial regulators in the Netherlands are the Authority for the Financial Markets (Autoriteit Financiële Markten, AFM) and the Dutch Central Bank (De Nederlandsche Bank, DNB). They are responsible for the supervision of banks, pension funds, insurers, and other financial institutions, particularly as they consider moving to the cloud.

Microsoft has published guidance to help financial institutions in the Netherlands meet DNB requirements when they use Azure, Dynamics 365, and Microsoft 365. The document, A compliance checklist for financial institutions in the Netherlands, includes an overview of Dutch regulatory requirements and a point-by-point explanation of how Microsoft cloud services address each one.


The Reserve Bank of New Zealand (RBNZ) regulates banks, credit unions, insurance companies, superannuation trustees and other financial institutions. While all financial institutions must consider their general RBNZ obligations, large banks (those with net liabilities exceeding NZ$10 billion) using cloud services must address the RBNZ Outsourcing Policy of September 2017.

Microsoft has published documentation, A compliance checklist for financial institutions in New Zealand, to help financial institutions in New Zealand assess how Azure, Dynamics 365, and Microsoft 365 can help them meet RBNZ requirements and conduct their own risk assessments.

The primary financial services regulators in Nigeria are the Central Bank of Nigeria (CBN) and the National Insurance Commission (NAICOM). The CBN is responsible for the licensing, monitoring, and supervision of banks and other financial institutions, and the NAICOM ensures the effective administration and regulation of the insurance business.

Microsoft has published A compliance checklist for financial institutions in Nigeria to help Nigerian financial firms conducting due-diligence assessments of Microsoft business cloud services. It sets forth the issues to be addressed and maps Azure, Dynamics 365, and Microsoft 365 services against those regulatory obligations.

The Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) is the financial regulatory authority in Poland, responsible for supervision of the financial market, which includes oversight over banking, capital markets, insurance, pension schemes, and electronic money institutions.

Microsoft has published documentation, Navigating your way to the cloud: A compliance checklist for financial institutions in Poland, to help Polish financial institutions assess how Azure, Dynamics 365, and Microsoft 365 can help them meet these requirements and conduct their own risk assessments.


The Saudi Arabian Monetary Authority (SAMA) and the Capital Market Authority (CMA) comprise the two key financial services regulators for Saudi Arabia. The SAMA manages monetary policy and oversees the financial and insurance systems, while the CMA regulates and develops Saudi Arabian capital markets.

Microsoft has published guidance to help financial institutions in Saudi Arabia meet SAMA and CMA requirements when they use Azure, Dynamics 365, and Microsoft 365. The document, A compliance checklist for financial institutions in Saudi Arabia, includes an overview of regulatory requirements and a point-by-point explanation of how Microsoft cloud services address each one.

In 2016, the Monetary Authority of Singapore (MAS) (the central bank in Singapore) and the Association of Banks in Singapore (ABS) endorsed cloud computing, including the use of public clouds. In response, Microsoft published two papers that demonstrate how financial firms can move data and workloads to the Microsoft Cloud with the confidence that they are meeting MAS outsourcing guidelines and ABS use guidance.

Azure, Dynamics 365, Microsoft 365, and Power BI include features and functionalities that can help meet the MAS and ABS guidelines.


The Swedish Financial Supervisory Authority (SFSA), which is accountable to the Ministry of Finance, authorizes, supervises and monitors all companies operating in Swedish financial markets. It has published outsourcing guidelines for credit institutions and insurance companies.

Microsoft has published A compliance checklist for financial institutions in Sweden to help financial organizations address these SFSA requirements when moving their business functions to the cloud. Customers can use the checklist to measure Azure, Dynamics 365, and Microsoft 365 against the SFSA regulatory framework and conduct their own risk assessments.

The Swiss Financial Market Supervisory Authority (Eidgenössische Finanzmarktaufsicht, FINMA) is the independent regulator of financial markets in Switzerland and is responsible for ensuring that Swiss markets function effectively. Its publication, "Circular 2018/3 Outsourcing – Banks and Insurers," defines the supervisory requirements applicable to banks, securities dealers, and insurance companies that outsource business activities, including outsourcing to the cloud.

To help financial institutions in Switzerland with cloud adoption, Microsoft published guidance: A compliance checklist for financial institutions in Switzerland. It lists the regulatory issues that financial firms must address to meet FINMA requirements and maps Microsoft business cloud services against those issues. Azure, Dynamics 365, and Microsoft 365 include features and functionalities that can help meet those stringent requirements.


The Financial Conduct Authority (FCA), an independent public body accountable to the Treasury, is the conduct regulator for financial firms and markets in the UK. It works alongside the Prudential Regulation Authority (PRA), part of the Bank of England, which is responsible for prudential regulation of banks, insurers, and major investment firms. In 2016, the FCA published guidance for firms outsourcing business functions to the cloud.

In response, Microsoft produced two comprehensive guides to help financial firms in the UK using Azure and Power BI meet the standards set out in the FCA guidelines for outsourcing to the cloud and conduct their own risk assessments. The features and functionalities of Azure and Power BI can help customers meet FCA requirements.


For financial institutions in the United States and multinationals with offices in the United States or doing business there, Microsoft provides both compliance offerings validated by independent auditing firms against US standards and point-by-point guidance to help financial firms comply with cloud outsourcing requirements and regulations.

Note that regulations in other countries cover many of the same points as those in the United States, so reviewing the guidance we offer to financial services in the United States may be helpful. For example, the SEC Rule 17a-4(f) specifies requirements for regulated entities that elect to retain records on electronic storage media. While this is a US regulation, it may be relevant to organizations in other countries, many of which also regulate immutable storage.

  • Commodity Futures Trading Commission (CFTC) Rule 1.31(c-d). An independent third-party assessor validated that Azure Immutable Blob Storage with Policy Lock and Office 365 with Preservation Lock can help financial institutions meet relevant CFTC Rule 1.31(c-d) storage requirements.


  • Compliance Map of Cloud Computing and Regulatory Principles in the US. This document describes the key US federal regulatory principles and recommended implementation practices that guide the use of cloud computing by US financial institutions. It also summarizes how Azure and Office 365 address such principles and practices.


  • Federal Financial Institutions Examination Council (FFIEC). Microsoft helps financial services clients comply with the audit requirements of the Federal Financial Institutions Examination Council.


  • Financial Industry Regulatory Authority (FINRA) Rule 4511(c). Microsoft engaged an outside assessor to validate that Azure Immutable Blob Storage with Policy Lock and Office 365 with Preservation Lock can help financial services organizations meet the relevant storage requirements of FINRA Rule 4511(c).


  • Gramm-Leach-Bliley Act (GLBA). Microsoft helps financial services clients comply with the privacy and security requirements of the Gramm-Leach-Bliley Act.


  • Sarbanes-Oxley Act (SOX). Financial services firms addressing their compliance obligations with the Sarbanes-Oxley Act can leverage the SOC 1 Type 2 attestation that Microsoft received from an independent auditing firm.


  • Securities and Exchange Commission (SEC) Rule 17a-4(f). An independent assessment firm validated that Azure Immutable Blob Storage with Policy Lock and Office 365 with Preservation Lock can help financial firms meet the immutable storage requirements of SEC 17a-4(f). A practical caveat: the assessed configuration is the locked one. An unlocked time-based retention policy can still be shortened or deleted, whereas once a policy is locked it cannot be removed and its retention period can only be extended, so confirm the retention period on an unlocked policy before locking it.


  • Title 23 New York Codes, Rules, and Regulations Part 500 (23 NYCRR 500). Microsoft has prepared a guide, Supporting Compliance with NYDFS Cybersecurity Requirements, to explain how Azure, Microsoft 365, and Power BI can help financial institutions comply with 23 NYCRR 500 requirements.


Your data is private and under your control

Banks and insurers maintain ultimate ownership and control of their data

Microsoft makes clear that you, not Microsoft, retain ownership and control over your data stored in the cloud. Microsoft uses cloud service customer data exclusively to provide customers with state-of-the-art cloud services. We do not use business customer data for advertising-based services, nor do we use or scan the contents of that data (including your email) for advertising or any unauthorized activity or purpose. Furthermore, Microsoft access to your data is strictly limited to what you authorize and to what is needed to provide the services you have purchased.

Microsoft is also the first major cloud provider to adopt the world's first international code of practice for cloud privacy, ISO/IEC 27018, which addresses the requirement that cloud providers not use your data for advertising. Our privacy controls are audited against this standard annually.

We manage your data in accordance with the law


Financial services firms are accountable to ensure that each selected outsourcing service provider maintains adequate plans for security breaches, disaster recovery, and service continuity if an unforeseen occurrence shuts down the cloud. Banks and insurers must take appropriate organizational and technical security measures to secure their data, and ensure that their cloud providers do likewise.

Microsoft Online Services Terms provide for security controls, disaster recovery, and continuity measures designed to help meet applicable regulatory requirements, including those in the financial services sector. The terms are compatible with the obligation for processors to undertake security measures and to commit contractually to internationally recognized information management and security standards, such as ISO/IEC 27001. Microsoft security frameworks, certified by independent auditors such as BSI, include planning and prevention protocols to prevent information loss following disasters and to recover from it. Customers can obtain the resulting audit reports through the Service Trust Portal, and our SOC 2 audits give customers independent assurance on the controls a risk assessment needs to cover.

How Microsoft works to keep financial data safe

Firms are required under the rules to supervise outsourced functions and to assess the standard of performance of the service provider. A critical element of this is that the bank, its auditors, and the regulator must have effective access to information and relevant documentation related to the outsourced activities.

With input from customers and the industry, Microsoft has developed contractual commitments and processes to help ensure effective oversight of Microsoft and any subcontractors.

  • We provide our financial services customers, their auditors, and regulators with effective access to data, as well as access to Microsoft’s business premises and subject matter experts as necessary.
  • Microsoft makes specific commitments to financial services customers to help ensure that its contractual framework meets regulatory requirements, including express commitments to support any financial services regulator that requires direct examination of Microsoft cloud services operations and controls.
  • Microsoft has also developed a leading-edge Compliance Program tailored specifically for financial services customers, which offers, as needed, engagement with Microsoft engineering and legal professionals. Among other benefits, Compliance Program members can participate in annual summits, which offer a forum for important reports about the service, roadmap information about the services, including on change management, and an opportunity for customers to suggest improvements to the service.
  • Microsoft provides customers use of online dashboards and tools to examine the service continuously, including access to relevant documentation and evidence about how Microsoft implements its controls.

Together, these commitments, program, and tools offer a unique approach to enabling effective access to information and meeting audit requirements at scale.

Regulatory compliance and auditing with Microsoft cloud services for financial services customers

Customers need to know where their data is stored by region, and that the region is consistent with applicable regulatory requirements.

Microsoft has taken steps to reduce data transfer concerns in its business cloud services. Data transfer and processing procedures, as set out within our contractual framework, comply with applicable legal requirements. We enable specified customer data at rest to be located within the customer's geographical region, and we are transparent about the location of our data storage facilities in the Online Services Terms.

Where data is located in Microsoft cloud services

Regulators expect banks and insurers to maintain plans and measures for termination of outsourced services and, in particular, for continuity or a smooth transition to another provider in the case of failure or unexpected disruption.

To help you meet these regulatory obligations, Microsoft contractually commits to business continuity and exit provisions tailored specifically to financial services customers, including cooperation during migration to and from our cloud services. Microsoft Professional Services has deep expertise to help customers in these transitions. Microsoft also guarantees retention of customer data stored in the cloud services in a limited-function account for 90 days after the expiration or termination of a customer's subscription, so that the customer may extract the data.

How Microsoft manages your data

We'll help keep your data secure


Encryption serves as the last and strongest line of defense in a multi-layered data security strategy, so encryption has long been featured in many Microsoft products and services to protect our customers from criminals and hackers.

When customer data moves over a network, whether between user devices and Microsoft datacenters or within datacenters themselves, Microsoft products and cloud services use industry-standard encrypted transport protocols such as TLS. For customer data at rest, Microsoft offers a range of encryption capabilities, including AES-256, giving firms the flexibility to choose the option that best meets their needs. Firms should still verify that their own clients and integrations are configured to require encrypted transport and should review which at-rest encryption option and key management model applies to each service they adopt.

We don’t stop at building security into our services; we go after criminals who are looking to steal from our customers.

We have created the Digital Crimes Unit, whose Cybercrime Center proactively investigates and stops online crime such as the spreading of viruses or theft of personal information. For greater effectiveness and impact, we partner globally with the private and public sectors. Through our Security Intelligence Reports, Microsoft provides transparency into the threat landscape to help organizations understand current issues and trends.

You know what we’re doing with your data


Microsoft meets stringent data protection requirements to enable transfers of data out of a region, such as under Europe’s data protection regulations.

Microsoft's business cloud services help banks and insurers comply with the most stringent data protection regulatory requirements. Microsoft Online Services Terms include data processing terms specifying where data is stored and also include the EU Model Clauses. In 2014, Microsoft became the first cloud service provider to receive a letter from the Article 29 Working Party (the body of data protection regulators from all 28 European Union member states at the time) confirming that Microsoft's enterprise cloud contractual commitments meet the requirements of the EU Model Clauses. In effect this means that customers can be assured that, no matter where their data is located throughout the world, it is protected to a standard equal to that required by the EU data protection authorities.

Learn about Microsoft compliance with EU Model Clauses

Microsoft does not provide any third party with direct and unfettered access to its customers' data, and does not provide any technical means of circumventing encryption that protects customer data. The rule of law requires that law enforcement must obtain valid legal orders to obtain customer data; in those instances, Microsoft’s standard practice is to attempt to redirect the third party to obtain the requested data from our customer.

How Microsoft responds to government requests for customer data content


Featured Resources

Microsoft Online Services Terms

  • Microsoft Online Services Terms offer standard contract terms to enterprises seeking cloud services. Microsoft provides additional contractual provisions for most financial services entities to help meet specific regulatory obligations. Please contact your Microsoft account manager for more information.