We build Microsoft estates that survive the regulator's questions. Conditional Access for sensitive client data. Purview for regulated communications. Controlled Copilot rollouts. The boring, careful security work that lets the rest of the business move more quickly.
Financial services firms face regulatory pressures that change how the Microsoft work is shaped, and we have built specifically for them.
Identity-first design that maps to SYSC controls and Consumer Duty record-keeping. Risk-based access policies that gate sensitive client data by user, device, and signal — without making advisors miserable.
Communication compliance, recording, and surveillance across Teams chat, calls, email, and approved third-party channels. For SYSC 10A-scope firms, auditable and exportable on demand.
Long-term retention, legal hold, and discovery infrastructure on top of Exchange, SharePoint and OneDrive. Replaces legacy on-prem archive systems with a regulated record set you can find when the FCA asks.
Sensitivity-labelled grounding so Copilot only sees what each user is meant to see. Restricted SharePoint Search, ethical walls between client teams, full audit trail for compliance review.
Power Platform onboarding flows that capture KYC evidence, run sanctions screening through your provider, and route to compliance approval. Replaces shared inboxes and Excel-based registers.
Approved-channels-only architecture for regulated comms, with off-channel detection on personal devices and policy-driven provisioning for new client engagements.
Important business service mapping, impact tolerances, scenario testing — sourced from the Microsoft estate.
Identity, access, monitoring, recovery — evidenced against the SS1/21 framework.
Retention and discovery for evidence of good consumer outcomes, accessible by audit and compliance.
Investment-firm communications recording, monitoring and surveillance via Purview Communication Compliance.
Sensitivity labels, DLP, and Insider Risk for the personal data the FCA cares about most.
Our compliance officer got the evidence pack she needed for the regulator without anyone working a weekend. Copilot governance was the bit I thought would take six months — Cloudbliss did it in two.
For most mid-market FS firms, the Microsoft stack is good enough for the heavy lifting (identity, comms supervision, retention, eDiscovery) once it's set up properly. Dedicated regulated platforms still win for very specific workflows (e.g. front-office trade comms surveillance at scale). We'll be honest about where the line is.
Purview Communication Compliance captures Teams chat, calls, email and approved third-party channels into a supervised review queue with policy-driven sampling, lexicon detection, and reviewer workflow. We design the policies, the reviewer rotation, and the escalation path.
The risky ones are usually free SaaS picked up by individual teams — file-share tools, AI assistants, off-channel comms apps. We help you write the AUP, block what shouldn't be there, and route legitimate need into approved alternatives.
We migrate to Purview Retention with a compliant record set, then decommission the on-prem archive. Most clients find the on-prem archive is over-broad and over-retained — the migration is also a chance to tighten the retention policy.