Microsoft business cloud services and financial services
Helping banks and insurers meet their regulatory responsibilities
At Microsoft, we’re committed to earning the trust of our financial services customers. We offer business cloud services based on four foundational principles: security, privacy and control, compliance, and transparency. We engage with regulators in key markets to share information about our services, the related controls, and our approach to enabling customer compliance. We also take input from leading banks and insurers across the globe on an ongoing basis to improve our offerings to help meet regulatory requirements.
Here we’ll summarize our key privacy and security features to show how Microsoft business cloud offerings help firms meet the core "outsourcing" regulatory requirements in their respective markets. While outsourcing guidance for use of IT vendors tends to be based on a common framework that Microsoft adheres to, understanding local requirements is important. Microsoft has deep expertise in supporting financial services customers, placing an emphasis on designing our business cloud services so they meet local requirements. Your Microsoft local representatives can help explain our approach and control frameworks, and aid you with any reviews by regulators in using Microsoft business cloud services.
Microsoft aims to make the required regulatory due diligence process easier for customers by collaborating with them throughout the outsourcing cycle. To that end, we also offer a wide range of information through the Trust Center and the Service Trust Portal, as well as tailored contractual provisions to help firms meet their regulatory obligations. Many of our customers are global entities and, given our size and reach, we can offer assistance across multiple jurisdictions.
The information on this page does not apply to Microsoft Cognitive Services or Windows.
Your data is private and under your control
Data use by Microsoft
Banks and insurers maintain ultimate ownership and control of their data.
Microsoft makes clear that you, not Microsoft, retain ownership and control over your data stored in the cloud. Microsoft uses cloud service customer data exclusively to provide customers with state-of-the-art cloud services. We do not use business customer data for advertising-based services, nor do we use or scan the contents of that data (including your email) for advertising or any unauthorized activity or purpose. Furthermore, we place strict limitations on access to your data: we access it only as you authorize, and only to provide the services you have purchased.
Microsoft is also the first major cloud provider to adopt the world's first international code of practice for cloud privacy, ISO/IEC 27018, which addresses the requirement that cloud providers not use your data for advertising. Our privacy controls are audited against this standard annually.
We manage your data in accordance with the law
Robust controls and technical and security measures
Financial services firms are accountable for ensuring that each selected outsourcing service provider maintains adequate plans for security breaches, disaster recovery, and service continuity if an unforeseen occurrence shuts down the cloud. Banks and insurers must take appropriate organizational and technical security measures to secure their data, and ensure that their cloud providers do likewise.
Microsoft Online Service Terms provide for security controls, disaster recovery, and continuity measures designed to help meet applicable regulatory requirements, including those in the financial services sector. The terms are compatible with the obligation for processors to undertake security measures and contractually commit to internationally recognized information management and security standards, such as ISO/IEC 27001. Microsoft security frameworks, certified by independent auditors such as BSI, include planning and prevention protocols to prevent and recover from information loss following disasters. Customers have full access to such audit reports. Our SOC 2 audits meet the rigorous requirements from a risk assurance perspective.
Transparency for effective access and audit requirements
Firms are required under the rules to supervise outsourced functions and to assess the standard of performance of the service provider. A critical element of this is that the bank, its auditors, and the regulator must have effective access to information and relevant documentation related to the outsourced activities.
With input from customers and the industry, Microsoft has developed contractual commitments and processes to help ensure effective oversight of Microsoft and any subcontractors.
- We provide our financial services customers, their auditors, and regulators with effective access to data, as well as access to Microsoft’s business premises and subject matter experts as necessary.
- Microsoft makes specific commitments to financial services customers to help ensure that its contractual framework meets regulatory requirements, including express commitments to support any financial services regulator that requires direct examination of Microsoft cloud services operations and controls.
- Microsoft has also developed a leading-edge Compliance Program tailored specifically for financial services customers, which offers, as needed, engagement with Microsoft engineering and legal professionals. Among other benefits, Compliance Program members can participate in annual summits, which offer a forum for important reports about the service, roadmap information about the services, including on change management, and an opportunity for customers to suggest improvements to the service.
- Microsoft provides customers with online dashboards and tools to examine the service continuously, including access to relevant documentation and evidence about how Microsoft implements its controls.
Together, these commitments, programs, and tools offer a unique approach to enabling effective access to information and meeting audit requirements at scale.
Regulatory compliance and auditing with Microsoft cloud services for financial services customers
- Financial services compliance in Azure
- Financial Services Compliance Program for Office 365 (also covers Dynamics 365 and Intune)
- Enabling compliance: Microsoft’s approach to the UK Financial Conduct Authority’s (FCA) finalised cloud guidance white paper
- Transparency in Microsoft business cloud services
Customers need to know where their data is stored by region, and that the region is consistent with applicable regulatory requirements.
Microsoft has taken steps to reduce data transfer concerns in its business cloud services. Data transfer and processing procedures, as set out within our contractual framework, comply with applicable legal requirements. We enable specific data at rest to be located within the customer's geographical region, and are transparent about the location of our data storage facilities in the Online Service Terms.
Planning for termination of services and business continuity requirements
Regulators expect banks and insurers to maintain plans and measures for termination of outsourced services and, in particular, for continuity or a smooth transition to another provider in the case of failure or unexpected disruption.
To help you meet these regulatory obligations, Microsoft contractually commits to business continuity and exit provisions tailored specifically to financial services customers, including cooperation during migration to and from our cloud services. Microsoft Commercial Support has deep expertise to help customers in these transitions. Microsoft also guarantees retention of customer data stored in the cloud services in a limited-function account for 90 days after the expiration or termination of a customer's subscription, so that the customer may extract the data.
We'll help keep your data secure
Encryption for a strong defense
Encryption serves as the last and strongest line of defense in a multi-layered data security strategy, so encryption has long been featured in many Microsoft products and services to protect our customers from criminals and hackers.
When customer data moves over a network—between user devices and Microsoft datacenters or within datacenters themselves—Microsoft products and cloud services use industry-standard encrypted transport protocols. For customer data at rest, Microsoft offers a wide range of encryption capabilities up to AES-256, giving firms the flexibility to choose the solution that best meets their needs.
- How Microsoft protects data at rest and in transit
- Strengthening encryption for Azure customers
- Office 365 message encryption
Proactive cybersecurity and partnerships
We don’t stop at building security into our services; we go after criminals who are looking to steal from our customers.
We have created the Digital Crimes Unit, whose Cybercrime Center proactively investigates and stops online crime such as the spreading of viruses or theft of personal information. For greater effectiveness and impact, we partner globally with the private and public sectors. Through our Security Intelligence Reports, Microsoft provides transparency into the threat landscape to help organizations understand current issues and trends.
You know what we’re doing with your data
Microsoft meets stringent data protection requirements to enable transfers of data out of a region, such as under Europe’s data protection regulations.
Microsoft’s business cloud services help banks and insurers comply with the most stringent data protection regulatory requirements. Microsoft Online Services Terms include data processing terms specifying where data is stored and also include the EU Model Clauses. In 2014, Microsoft became the first cloud service provider to receive an opinion letter from the Article 29 Working Party (the data protection regulators from all 28 European Union member states), determining the adequacy of EU data protection requirements. In effect this means that customers can be assured that no matter where their data is located throughout the world, it is protected to a standard which is equal to that required by the EU data protection authorities.
Learn more about Microsoft compliance with EU Model Clauses.
Third-party access to data
Microsoft does not provide any third party with direct and unfettered access to its customers' data, and does not provide any technical means of circumventing encryption that protects customer data. The rule of law requires law enforcement to obtain valid legal orders before it can obtain customer data; in those instances, Microsoft’s standard practice is to attempt to redirect the third party to obtain the requested data from our customer.
Microsoft Online Services Terms
Microsoft Online Services Terms offer standard contract terms to enterprises seeking cloud services. Microsoft provides additional contractual provisions for most financial services entities to help meet specific regulatory obligations. Please contact your Microsoft account manager for more information.