Compliance for Claude inside Microsoft 365 — the full walkthrough

Most regulated lenders run on Microsoft 365 — Teams chat, SharePoint document libraries, Word, OneDrive. Claude Cowork is Anthropic’s integration into that envelope. Every Compliance for Claude download is built to drop into your existing M365 compliance workflow: a P&P .docx opens in Word; a regs bundle .zip lives in SharePoint; the Compliance Log .md attaches to any Cowork chat.

This page is the full walkthrough for a compliance officer at an M365 shop: which pattern to use, when, and what the folder structure should look like so the audit trail survives.

Three patterns, ranked by use case

Pick the pattern that matches the work in front of you. They share files; they differ in where the Claude conversation happens and how long the artifact set persists.

PATTERN A ~30 seconds

Quick spot-check in Teams chat

Use when: a quick regulatory question. One-shot. No artifact set to preserve.

  1. Open Cowork in Teams.
  2. Open any register or P&P page on this site; copy its URL or the verbatim text.
  3. Paste into Cowork → ask the question.
  4. Done.

Audit trail: Teams chat history + Anthropic Compliance API capture both record the session. No structured artifact set produced.

PATTERN C ~2–6 hours

Heavy line-by-line review in Word

Use when: a major P&P rewrite. Track Changes on. Counsel will review the redline.

  1. Open the P&P .docx in Word with Track Changes on.
  2. Side-panel Cowork (Word + Cowork integration).
  3. Attach regs .zip and Compliance Log to the Cowork side-panel.
  4. Walk section by section. Apply edits to the .docx as you go.
  5. End with give me the log. Paste into Appendix A.

Audit trail: Word’s Track Changes history + Compliance Log output + Cowork transcript. Strongest single-document record.

Recommended SharePoint folder structure (Pattern B)

The structure below is built so that (a) each P&P’s artifact set is self-contained, (b) the audit trail lives in the same folder as the work, and (c) an examiner walks through the library and finds the answer to every common question without your help.

SharePoint > Compliance Site > Document libraries > "Compliance for Claude Compliance Reviews"
│
├── _evidence-feed/                    ← Compliance API monthly export drops here
│   ├── 2026-01_claude-sessions.ndjson
│   ├── 2026-02_claude-sessions.ndjson
│   └── ...
│
├── _agents/                           ← shared resources, downloaded once
│   ├── mc4c-session-logger.md         ← the Compliance Log (reusable)
│   └── README-which-prompts.md        ← your team's playbook prompts
│
├── 2026-Q1/
│   ├── loss-mit-program/
│   │   ├── servicing-loss-mitigation-program.docx     ← original from /pp/
│   │   ├── loss-mit-update-check.zip                  ← regs bundle download
│   │   ├── session-log-2026-02-14.md                  ← Compliance Log output
│   │   ├── DRAFT-v2.docx                              ← in-progress edit
│   │   └── FINAL-v2.0.pdf                             ← signed-off PDF for DMS
│   │
│   ├── avm-governance/
│   │   ├── avm-governance-program.docx
│   │   ├── avm-rule-update-check.zip
│   │   ├── session-log-2026-02-22.md
│   │   ├── DRAFT-v3.docx
│   │   └── FINAL-v3.0.pdf
│   │
│   └── 2026-Q1-REVIEW-SUMMARY.md      ← rollup memo for your CCO/SVP
│
├── 2026-Q2/
│   └── ...
│
└── _readme.md                         ← library purpose + filing rules

The two leading-underscore folders (_evidence-feed, _agents) sort to the top in SharePoint’s default alphabetical view. Quarter folders fall below them in date order. The 2026-Q1-REVIEW-SUMMARY.md file is the rollup artifact you produce after each quarter’s reviews — that’s what an SVP/CCO reads.

Pattern B, step by step

The recommended pattern in detail. Walk through this once and your library becomes self-running.

Step 1 — One-time setup

Done once per team, then never again.

  1. Create the SharePoint library on your compliance site: “Compliance for Claude Compliance Reviews.” Permissions: compliance team + audit + designated SVP/General Counsel reviewers.
  2. Create _agents/. Download the Compliance Log once. Drop it in _agents/mc4c-session-logger.md. Every P&P review references this single file going forward.
  3. Create _evidence-feed/. This is where your IT admin drops the monthly Anthropic Compliance API export. See the request template you hand IT.
  4. Write _readme.md as a one-page library doc: who owns it, what goes in each folder, retention policy (7 years matches most firms’ compliance-record-retention policy).

Step 2 — Start a P&P review

  1. Identify the P&P. Pick from your firm’s existing P&P library.
  2. Create the quarter folder + P&P subfolder. E.g. 2026-Q1 > loss-mit-program/.
  3. Drop in the source files:
    • Your current P&P .docx (or the Compliance for Claude template).
    • The matching regs .zip from a playbook page on this site.
    The Compliance Log is referenced from _agents/ — don’t copy it per folder.
  4. Start a Cowork session in Teams in your compliance channel. Attach all three files (drag from SharePoint, or use Cowork’s SharePoint file picker).

Step 3 — Run the playbook prompt

Paste the matching prompt from the regulatory update kit or use one of the worked examples on the homepage. The Compliance Log automatically maintains three running tables during the session (obligations reviewed, edits proposed, fact-finds opened).

Iterate. Push back on flagged rows. Ask for the regulator quote supporting each finding. Apply edits to the .docx as you go.

Step 4 — Close the session

  1. Type give me the log. Claude outputs the full review record + the formal P&P Change Log Entry.
  2. Save the log as session-log-2026-02-14.md in the P&P folder.
  3. Open the .docx in Word (the version with your edits). Scroll to Appendix A — Change Log (already scaffolded). Paste your Change Log Entry as a new row. Add the section-by-section description below.
  4. Save As → PDF. Name it FINAL-v[X.Y].pdf. Drop into the P&P folder alongside the source files.

Step 5 — End of quarter

  1. Write 2026-Q1-REVIEW-SUMMARY.md at the top of the quarter folder. Cowork can draft this for you — attach every session log from the quarter, prompt: “Summarize the quarter’s P&P reviews. Coverage: which P&Ps were touched, which obligation IDs got flagged, what edits landed, what remains open.”
  2. Hand the summary to your SVP/CCO. It’s one page; they can act on it.
  3. Compliance API check. Drop the latest export into _evidence-feed/. If you’ve already built the reconciliation tooling (see the Compliance API page), run it — any Compliance API session that touched a /pp/ file but has no matching Compliance Log output = a coverage gap to investigate.

Microsoft 365 gotchas worth knowing

SharePoint vs. OneDrive — pick SharePoint for audit-trail folders

Files in your personal OneDrive sit under your name; they leave when you leave. SharePoint document libraries are team-owned and survive personnel changes — the right location for compliance evidence with a 7-year retention.

Cowork file-size limits

Large regs bundles can exceed Cowork’s per-attachment cap. All Compliance for Claude playbook bundles ship pre-trimmed to fit; if you assemble your own bundles, keep individual zips under ~5 MB to be safe. Use multiple smaller attachments if needed.

Track Changes interaction in Word + Cowork

When you edit a P&P in Word with Track Changes on, Cowork sees the active rendered version — it doesn’t see your tracked changes as before/after pairs. If you want Claude to review your edits, save a snapshot copy (without Track Changes) and attach both old + new to a fresh Cowork session. Use the “Compare two versions” prompt pattern from the homepage.

Search across the library

SharePoint’s built-in search will index your Compliance Log .md files and the .docx files. Search across the library for “§1024.41(b)(2)” and find every review that touched that obligation — useful when an examiner asks about a specific cite.

M365 + your AI inventory

Good AI governance — and Fannie Mae’s AI Lender Letter (LL-2026-04) — calls for maintaining an inventory of the AI you use. “Claude” is one entry in that inventory. The combination of Cowork sessions (Compliance API metric) + Compliance for Claude Compliance Log outputs (regulatory scope) gives you an inventory entry that updates itself quarterly — you don’t hand-collect metrics every audit cycle.

See the Compliance API page for the five-move integration sequence.

What to do next

  1. Set up the SharePoint library — the one-time setup section above.
  2. Download the Compliance Log once (here) and drop it in _agents/.
  3. Pick one P&P from your library that’s overdue for a refresh.
  4. Run Pattern B once. ~2 hours including the file copying. The first time is the slow time; subsequent reviews drop to ~1 hour.
  5. Have your IT admin enable Compliance API export to _evidence-feed/ — hand them the request template.