Regulatory requirements for data lifecycle management and records management
Use the resources on this page to help you meet specific regulatory requirements for data lifecycle management and records management in Microsoft 365. Each section of this document focuses on one or more related regulations and includes any existing guidance or third-party assessment of how to configure Microsoft 365 to help with the requirements outlined.
These resources are available to download from the Data Protection Resources, FAQ, and White Papers page of the Service Trust Portal.
New Zealand Public Records Act
Supporting New Zealand's Public Records Act compliance obligations with Microsoft 365 - Download assessment
Applicable workloads: SharePoint, OneDrive, Teams, and Exchange
Released January 2021, this report has been produced in partnership with Microsoft New Zealand to assess the capabilities of Microsoft 365 services for recording, storing, and managing requirements for electronic records, as specified by:
- New Zealand Public Records Act 2005, which sets guidelines for preservation of public archives and local authority archives in New Zealand.
This report helps you understand how the system aspects of the New Zealand Public Records Act 2005 (PRA) are achievable when using Microsoft 365.
SEC 17a-4(f), FINRA 4511(c), and CFTC 1.31(c)-(d)
Cohasset Assessment - Microsoft 365 - SEC Rule 17a-4(f) - Immutable Storage for SharePoint, OneDrive, Exchange, Teams, and Yammer - Download assessment
Applicable workloads: SharePoint, OneDrive, Teams, Exchange, and Yammer
Latest version released July 2022, this report has been produced in partnership with Cohasset Associates, Inc. (Cohasset) to assess the capabilities of Microsoft 365 services for recording, storing, and managing requirements for electronic records, as specified by:
Securities and Exchange Commission (SEC) in 17 CFR § 240.17a-4(f), which regulates exchange members, brokers or dealers.
Financial Industry Regulatory Authority (FINRA) Rule 4511(c), which defers to the format and media requirements of SEC Rule 17a-4(f).
The principles-based electronic records requirements of the Commodity Futures Trading Commission (CFTC) in 17 CFR § 1.31(c)-(d).
The opinion from Cohasset is that when compliance features are properly configured and carefully applied and managed as described in their report, the assessed Microsoft 365 services meet the five requirements related to the recording and non-rewriteable, non-erasable storage of electronic records.
Submit and view feedback for