🚨 Use our FREE data vulnerability scanner. Identify and fix DNS issues. Start Your Scan

FCA-Compliant Backup for Microsoft 365

July 19, 2021
FCA Financial Conduct Authority

To comply with Financial Conduct Authority (FCA) data retention rules, how long, do you think, must a financial sector business keep all email? Answer: six years.

All other financial records: 3 – 6 years. Even a phone call has to be retained for six months. In short, the FCA’s data retention policies are highly demanding.

Good job, then, that so many financial sector businesses have their data backed up in Microsoft 365, eh?

Only that’s not the case at all.


Spoiler alert: Microsoft 365? Backup not included…

Microsoft is not responsible for backing up your data – you are. (Just take a look at its Shared Responsibility Model in this previous post).

Without backup, compliant data retention is not possible – so if you’re a business in the financial sector, you could be operating outside the law. Let that sink in.

But also, of course, lack of backup puts your business-critical data (and therefore your business itself) at considerable risk. Just one accidental or malicious deletion, or cyber-attack, is all it takes.

And this risk extends to every Microsoft 365 application your business uses – email, Office, SharePoint, OneDrive, PowerPoint… you name it.

So what can you do about it?


What backup is, and why 365 fails

First of all, it’s important to understand what distinguishes data backup from Microsoft 365, and the difference between compliant and non-compliant backup.

Essentially, this boils down to three things: retention, ease of access, and ease of search and insight – and 365 falls at all three fences:

  • Retention – 365 is intended only to give you access to past versions of your data over a short period of time. Once the data reaches the final deletion folder, it’s simply not kept there long enough to constitute compliant retention (just 14 – 30 days, typically). It is then purged irreversibly.
  • Ease of access – This is set in stone in the FCA Handbook. The FCA must be able to acquire data “readily” and “in a way accessible for future reference”. Taken together, these requirements exceed 365’s capabilities, since it’s impossible to retrieve anything, “readily” or otherwise, if it hasn’t been stored long enough for retrieval to subsequently take place!
  • Ease of search and insight – Here again, 365 just doesn’t come up to par. The FCA must be able “to reconstitute each [data] element in a clear and accurate manner and to identify easily any changes, corrections or other amendments…” Whilst 365 certainly has limited versioning capability, no versions at all are retained beyond the 14 – 30-day period mentioned above – so the service is, once again, non-compliant.

What, then, do financial services businesses need to do to get on the right side of the law?


Backup fit for financial purpose

The obvious answer is firstly to connect 365 to a true backup service – as Microsoft recommends in its own terms and conditions! –  and, secondly, to choose a cloud-based one that is FCA-compliant. But what does this compliance actually deliver in practice?

Unsurprisingly, it’s about retention. This means the ability to store many different versions of any given item of data over a period of many years, if required.

But it’s also about how easily and accurately that data can be retrieved. When the FCA is clamouring for a particular version of a document or file, it’s no good having to wait to download an entire batch of data, and then manually trawl through it to find the target.

Far better to use a backup solution that enables you both to easily search for and find specific versions of data, but also to rapidly recover them back into your systems, directly into 365, with no download waits and no delay.

Between them, these two capabilities deliver exactly what the FCA stipulates: long-term retention, ready access, and detailed version availability.

(Oh, and they also enable you to get your business back up and running rapidly if your data goes AWOL).


What else to look for in your backup solution

Of course, data backup must deliver beyond the purely regulatory. In particular, look for:

Comprehensive data coverage

Daily, automatic backups, covering all the 365 data your business relies on – SharePoint, Office, OneDrive, mailboxes, folders, contacts, calendar, tasks, and everything else.


UK-based service and data centres, safe from US Patriot Act snooping, with GDPR (ISO 27001) compliance, and Government-grade, 256 bit AES encryption to keep your and your customers’ data secure both in transit and at rest, using a key that only you have access to.

Ease of use, quality of service

A solution that can be set up in minutes and operated from a simple, web-based control panel, backed by UK-based, 24/7 technical support.

Get all this right, and you’ll enjoy all the undoubted productivity, convenience, and cost-effectiveness of Microsoft 365, with minimal compliance and business risk.

Get it wrong, and when the FCA comes knocking, it may just ruin your year.