Author: Matt Storey
12 June 2025
Modern collaboration tools have made it effortless to share information via links rather than traditional attachments. Today, sharing a link to a cloud-hosted document with a simple click has become standard practice; a reflection of our pursuit of speed, storage efficiency and seamless collaboration. However, this shift, while offering undeniable convenience, presents a complex and often underestimated web of compliance risks for financial firms.
In this blog, we explore link‑sharing compliance, examining how platforms such as Microsoft Teams, SharePoint, OneDrive and Slack encourage link‑based file sharing, the touted benefits for auditability, and the compliance risks lurking beneath the convenience. We also discuss unintended consequences of convenience-driven behaviour and why compliance and IT teams must work hand in hand (rather than playing regulatory whack-a-mole) amidst rapid advances in technology and AI integrations.
A Link Is Not the Content: merely archiving the URL without capturing the actual document leaves the substance of the communication unmonitored.
Linked Content Keeps Changing: collaboration platforms encourage real-time file edits, so compliance teams must deploy solutions that capture and store the linked content (including version history) to meet record-keeping and supervision obligations.
Compliance and IT Must Collaborate from the Start: rolling out new productivity features or tools without involving Compliance creates 'whack-a-mole' risks. Pairing advanced RegTech with comprehensive policies is what maintains continuous oversight.
Unlike a traditional attachment, which is a fixed snapshot of a file at the moment it's sent, a shared link points to a document that can be, and often is, modified after the link has been disseminated. This means that the 'attachment' is no longer a static record but a dynamic pointer to an evolving piece of content. Typically, all recipients of a link view the latest version, or at least access a document that can change without any new communication notifying them of these modifications. This inherent dynamism has profound implications for record keeping and eCommunications surveillance, as the version of a document viewed by a recipient today may not be the version that existed when the link was initially shared, or the version that will exist tomorrow.
Over the past 15 years, every major productivity platform has pivoted from sending files as discrete attachments to sharing a single cloud-hosted copy via hyperlink. Milestones such as Hotmail's 2010 SkyDrive '10 GB attachment' links, Google's 2012 Gmail-Drive integration, Dropbox's 2012 one-click share links, and SharePoint Online's 2013 guest-link feature familiarised users with treating a URL as the new attachment. By 2017, collaboration suites like Slack and Microsoft Teams had embedded link sharing into daily workflows: post a file in chat and the system auto-creates an accessible OneDrive, SharePoint, or Drive link.
This model took hold because it solved practical pain points. Cloud links bypass email size limits, keep one live 'source of truth', enable real-time collaborative editing, and let IT teams apply granular permissions or kill access on demand. Enterprises accelerated adoption by mandating approved cloud drives (Box, OneDrive, Drive) and discouraging or even blocking traditional attachments to curb data sprawl and malware risk.
There is an ongoing 'arms race' between collaboration technology and RegTech. Collaboration platforms will continue to introduce novel features to enhance productivity and user experience, many of which will have unintended compliance consequences. RegTech providers must then rapidly evolve their offerings to provide the necessary oversight for these innovations. Firms that fail to keep pace, relying on outdated surveillance technology, will face ever-widening compliance gaps and an accumulation of unmonitored risk. The ability of a RegTech solution to integrate with a wide array of data sources, handle massive data volumes, and apply sophisticated analytics will be critical.
Link sharing is not going away: it is convenient, pushed by Big Tech, and welcomed by users (though perhaps not by compliance users!).
Microsoft’s collaboration ecosystem is engineered to make link sharing the default or most intuitive method. By default, Office 365 applications and Teams prompt users to save files to the cloud and share a link, rather than sending copies. For example, Microsoft’s own support guidance notes that saving a file to OneDrive/SharePoint and providing a link allows people to view or edit a single up-to-date copy, whereas sending an email attachment creates static copies. The advantages Microsoft highlights include real-time co-authoring and version control, ensuring everyone works on 'the same master version' of a document.
In Microsoft Teams chats and channels, file sharing is inherently link-based. When you share a document in Teams, it’s uploaded to OneDrive or SharePoint and a link is sent to recipients, rather than an actual file transfer. This design encourages collaboration: colleagues can simultaneously edit shared files and always see the latest content. Microsoft's documentation even explicitly frames link sharing as simplifying workflow: 'Simplify your workflow with others by collaborating on files in Microsoft Teams.'
Administrators can centrally manage permissions and track sharing events in audit logs. In fact, sharing is so central in Microsoft 365 that a specialised audit schema (the SharePoint sharing schema in the unified audit log, with operations such as SharingSet and AnonymousLinkCreated) captures who shared what file with whom and when, giving compliance teams visibility into these actions.
In short, Microsoft has created a culture where link sharing is the default behaviour, touting benefits like centralized storage, access control, and ease of use.
Slack, another dominant collaboration platform, also heavily promotes link sharing, particularly through its integrations with cloud storage services like OneDrive and SharePoint. Users can create, share, and preview Microsoft documents directly within Slack channels and direct messages, making the process fluid and integrated. According to Slack, you can 'search, share and preview your OneDrive and SharePoint files right from Slack', and the app will even automatically adjust permissions so everyone in the Slack channel can access the linked file.
Even without formal integrations, Slack’s culture leans toward link sharing. Users often paste Google Drive or SharePoint links in chat instead of uploading files. Slack will unfurl these links to show a snippet or title, giving context without the file itself changing hands. From the business perspective, this means less file duplication and the ability to enforce existing cloud-storage security policies on shared content. For compliance purposes, however, it means Slack messages frequently contain links to content rather than the content itself - a nuance we’ll explore more when looking at compliance risks.
Still, it’s clear that both Microsoft and Slack actively encourage link-based file sharing as a modern, efficient workflow.
Why has link sharing caught on? Its popularity stems from a blend of practical advantages and broader organisational benefits.
On the functional side, users and IT departments alike are drawn to the streamlined workflows, real-time collaboration, improved version control, and reduced email clutter that links offer over bulky, static attachments.
On the non-functional side, a big reason is the auditability and control they offer. When files stay within managed platforms (like SharePoint or Slack-integrated OneDrive), every access or edit can be logged. For instance, OneDrive and SharePoint maintain detailed audit logs of file activities. Administrators can run reports to see who accessed or downloaded a document and when, and even which user shared it with whom. This creates an audit trail that traditional email attachments simply don’t provide. If you email a PDF to 10 people, you have no idea who opened it or forwarded it. But if you share a link, you could be notified when a recipient clicks it, as some platforms allow.
Link sharing also brings granular access control benefits. A link can be configured as view-only or editable, set to expire on a certain date, or protected behind login credentials. Microsoft 365 and other enterprise cloud services enable such controls out-of-the-box. For regulated firms, this means sensitive documents aren’t being emailed around uncontrolled; they stay in a protected repository with permissions that can be tightened or revoked as needed. In a financial compliance context, that’s appealing – a firm can claim that confidential reports or client data were only accessible to authorized persons via the shared link, and the link could be killed if needed.
However, this is where the 'convenience-compliance' disconnect often begins. The operational benefits and the presence of some access logs can create a premature sense of comprehensive compliance coverage. The auditability of who accessed a file in a repository is frequently, and dangerously, mistaken for the auditability of what content was communicated as part of a specific message at a specific time. This initial oversight, driven by convenience, lays the groundwork for significant compliance blind spots.
It might surprise today’s compliance teams, accustomed to seeing link sharing as a product of the last decade, that regulators actually addressed the legal status of hyperlinks a full generation ago.
The US Securities and Exchange Commission first tackled hyperlinks in its landmark 1995 and 1996 'Use of Electronic Media' releases and clarified the point in a 2000 interpretive release. The Commission stated that an embedded hyperlink inside any document required to be delivered under the federal securities laws causes the hyperlinked information to be treated as part of that document, an approach now known as the 'envelope theory'. By the same logic, if a prospectus, email, Teams message, or other communication contains a OneDrive link, the linked file rides in the same 'electronic envelope' and must be delivered, preserved, and supervised exactly as if it were a classic attachment.
The FCA's 2024 finalised guidance on social-media promotions echoes that spirit: risk disclosures must be visible without forcing consumers to click 'see more' or follow a secondary link. Although aimed at retail marketing, the same principle applies to institutional communications: critical information cannot be tucked away behind a hyperlink.
Despite the advantages, shared links pose significant compliance risks because the actual content being shared may not be captured in communication archives. An email or chat that contains only a hyperlink might be archived without the underlying document. Unless compliance solutions proactively retrieve and retain the linked content, surveillance systems are left with an empty pointer.
In other words, if employees shared a sensitive PDF via a Slack link, an archive of Slack data would show the URL but not the PDF’s contents. This makes regulatory oversight and e-discovery more complicated. Moreover, the documents behind links can be updated or changed after the fact, raising questions about which version of the content should be considered the official record.
The central problem for eCommunications surveillance is stark: a captured message containing a hyperlink is not equivalent to capturing the actual content of the document residing at that link's destination. Traditional surveillance systems may record the URL and the surrounding text, but they often lack the capability to automatically 'follow the link', retrieve the linked document (specifically the version contemporaneous with the sharing event, since following the link at review time returns only whatever the document has since become), and analyse its content for compliance risks such as market abuse, data leakage, or regulatory breaches.
This creates what can be termed the 'phantom attachment' problem. From a compliance officer's perspective reviewing a communication log, a shared link without its underlying content captured and readily available for inspection means the substance of what was shared is invisible. The record indicates an item was exchanged, but its nature, its risk, remains unknown to the surveillance system at the point of initial review. This fundamentally undermines the purpose of eCommunications surveillance, which is to understand and mitigate risks embedded in the content of communications.
A common misconception is that the access logs provided by cloud storage platforms like SharePoint or OneDrive fulfil all necessary compliance obligations related to shared links. While these logs can indicate who accessed a particular file from the repository and when (only for authenticated access; an anonymous 'Anyone' link records that the file was opened, not by whom), they do not satisfy the broader regulatory requirements for supervising the substance of business communications.
This leads to an 'audit trail misdirection'. Access logs are valuable for document access governance within the cloud environment: controlling and tracking who can see or modify specific files stored in SharePoint or OneDrive. However, they do not inherently provide an audit trail for communication content compliance. The latter demands knowing what information was actually communicated (i.e., the content of the linked file as it was intended to be seen by the recipient in the context of that specific message) at the point of sharing. For instance, knowing an employee accessed 'Q3_Financials_Draft.docx' from OneDrive on Monday does not tell a compliance officer whether that document contained Material Non-Public Information (MNPI) when it was shared via a Teams message by another employee the previous Friday. The access log pertains to the repository; the communication compliance obligation pertains to the content exchanged during the communication event. This distinction is critical and often overlooked, leading to a false sense of security.
Another unintended effect is the sheer increase in digital touchpoints that compliance must monitor. Link-sharing makes it so easy to pass files around that the volume of shared content skyrockets. A team might exchange dozens of OneDrive links in a day, where previously they might have sent a couple of email attachments. Each of those links could point to lengthy documents, spreadsheets, or slide decks that now potentially fall under record-keeping requirements. Compliance teams not only have to worry about capturing these materials, but also reviewing them for sensitive or inappropriate content. It’s a volume and complexity problem: convenience-driven behaviour creates more bits of data in more places, which can overwhelm compliance workflows if not managed properly.
To illustrate the risk, consider a few scenarios of how a link-sharing event may unfold:
1. Trader Shares MNPI via Slack: A trader sends a private Slack message containing a link to a confidential spreadsheet with material non-public information (MNPI) about a pending merger. The firm's surveillance system dutifully archives the Slack message text (the URL), but not the content behind the link. The MNPI in the spreadsheet goes undetected by compliance, potentially enabling insider trading.
2. Wealth Adviser's Off-Channel Link to Client: A wealth adviser, pressed by a client for quick information, uses a personal email to send a Dropbox link to an updated portfolio recommendation. This off-channel communication bypasses the firm's official email and chat platforms, so it isn't captured by compliance systems. The adviser has effectively taken a business conversation 'off the books'.
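The 'phantom attachment' and 'audit trail misdirection' problems above, and the first scenario, come down to one check a surveillance archive should be able to run: for every cloud-document link in an archived message, does the archive hold a snapshot of the document captured at (or close enough to) the time of the share, and has the document changed since? The following is an added example written for this article; it is not SteelEye's product code nor any platform's API. The host list, the five-minute 'contemporaneous' window, the message export format and all messages and snapshots are constructed assumptions for illustration.

```python
"""Phantom-attachment check over an archived chat export.

Added illustration for this article, not SteelEye's or any vendor's code.
All messages, snapshots, hosts and thresholds below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Hosts treated as cloud-document links. A leading dot matches any subdomain.
# Assumption: an illustrative list, not an exhaustive inventory of providers.
CLOUD_DOC_HOSTS = (".sharepoint.com", "1drv.ms", "onedrive.live.com",
                   "drive.google.com", "docs.google.com", ".dropbox.com",
                   "dropbox.com", ".box.com", "files.slack.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass(frozen=True)
class Message:           # one archived chat message (constructed format)
    msg_id: str
    channel: str
    sender: str
    sent_at: datetime
    text: str


@dataclass(frozen=True)
class Snapshot:          # document content the archive captured for a URL
    url: str
    captured_at: datetime
    version_id: str      # version identifier reported by the platform
    sha256: str          # hash of the bytes actually retrieved


def is_cloud_doc(url: str) -> bool:
    host = urlparse(url).netloc.lower().split(":")[0]
    for pat in CLOUD_DOC_HOSTS:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def cloud_links(text: str) -> list[str]:
    """URLs in a message body that point at cloud documents; trailing
    punctuation that chat clients exclude from the link is trimmed."""
    urls = (u.rstrip(".,;:)]") for u in URL_RE.findall(text))
    return [u for u in urls if is_cloud_doc(u)]


def classify(msg: Message, snaps: list[Snapshot], url: str,
             max_lag: timedelta = timedelta(minutes=5)) -> dict:
    """Can the archive show what the recipient saw?
    captured          - a snapshot within max_lag of the send; it is the record
    version_uncertain - content captured, but too late to assert it is what was shared
    phantom           - only the URL was archived; the substance is invisible
    'drifted' is set when a later snapshot has a different hash."""
    snaps = sorted((s for s in snaps if s.url == url), key=lambda s: s.captured_at)
    finding = {"msg_id": msg.msg_id, "url": url, "status": "phantom",
               "record_version": None, "drifted": False}
    if not snaps:
        return finding
    near = [s for s in snaps if abs(s.captured_at - msg.sent_at) <= max_lag]
    record = near[-1] if near else snaps[0]
    finding["status"] = "captured" if near else "version_uncertain"
    finding["record_version"] = record.version_id
    finding["drifted"] = any(s.sha256 != record.sha256 for s in snaps
                             if s.captured_at > record.captured_at)
    return finding


def review(messages, snapshots, max_lag=timedelta(minutes=5)) -> list[dict]:
    by_url: dict[str, list[Snapshot]] = {}
    for s in snapshots:
        by_url.setdefault(s.url, []).append(s)
    return [classify(m, by_url.get(u, []), u, max_lag)
            for m in messages for u in cloud_links(m.text)]


# --- constructed sample data -------------------------------------------------
FRI = datetime(2025, 6, 6, 16, 42, tzinfo=timezone.utc)
MON = datetime(2025, 6, 9, 9, 5, tzinfo=timezone.utc)
Q3_URL = "https://contoso.sharepoint.com/sites/deals/Q3_Financials_Draft.docx"
DBX_URL = "https://www.dropbox.com/s/abc123/pitch.pptx?dl=0"
SAMPLE_MESSAGES = [
    Message("m1", "teams:deal-team", "alice", FRI, f"Latest numbers: {Q3_URL} - pls review"),
    Message("m2", "slack:dm", "bob", FRI + timedelta(minutes=3),
            "see https://files.slack.com/files-pri/T0/F1/merger_model.xlsx"),
    Message("m3", "slack:research", "carol", MON,
            "FCA guidance: https://www.fca.org.uk/publications/finalised-guidance/fg24-1"),
    Message("m4", "teams:sales", "dave", MON, f"deck {DBX_URL}."),
]
SAMPLE_SNAPSHOTS = [
    Snapshot(Q3_URL, FRI + timedelta(seconds=40), "v1.0", "a1" * 32),   # at share time
    Snapshot(Q3_URL, MON, "v3.0", "b2" * 32),                            # edited since
    Snapshot(DBX_URL, MON + timedelta(hours=6), "rev-7", "c3" * 32),    # captured late
]


def run_sample() -> list[dict]:
    return review(SAMPLE_MESSAGES, SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

On the sample export, m1 is 'captured' against version v1.0 but flagged as drifted (the Monday copy has a different hash, so a reviewer opening the live link today would not see what Alice shared on Friday); m2 is a phantom attachment, exactly the first scenario; the FCA web link in m3 is ignored because it is not a cloud document; and m4 is 'version_uncertain' because the only snapshot was taken six hours after the send. In a real deployment the snapshot would be taken by a connector at share time and keyed to the platform's own version identifier rather than to a capture lag, and anonymous 'Anyone' links need the content fetched at capture time because the repository's access log will not attribute later opens to a named user.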
For compliance teams, this means expanding their radar beyond email and voice calls to an exploding universe of digital interactions. Every new integration (e.g. Slack adding a Whiteboard feature or Teams adding task comments) is another mole that might pop up. It’s not feasible to ban every new tool, so firms must approach the problem strategically. Some have created 'permissible use' lists and proactive governance programmes - where compliance, legal, and IT evaluate emerging tools or features before they are enabled. The idea is to avoid the whack-a-mole of retroactive enforcement by baking compliance into the rollout of technology. A good example is how some banks rolled out Microsoft Teams with certain features disabled until archiving solutions were in place, then gradually enabled things like persistent chat or file sharing once they knew those could be captured. Such foresight can save a lot of headache (and fines) down the road.
This 'feature velocity' from tech providers significantly outpaces the 'compliance velocity' of many financial institutions. The rigorous process of assessing, approving, and integrating new communication functionalities into existing surveillance and record keeping frameworks can take months, if not years. By the time one feature is addressed, several new ones may have emerged, creating a persistent and growing gap.
This challenge is compounded by the rise of 'Shadow IT', where employees, seeking efficiency or convenience, adopt unauthorized applications or platform features for business communication. These off-channel communications bypass established compliance oversight entirely, creating significant unmonitored risk. The business side may propose new platforms to enhance client interactions without fully appreciating the compliance investment required, further straining resources.
One clear lesson from these trends is the importance of compliance involvement in IT rollouts. Decisions about collaboration tools should never occur in a vacuum separate from compliance oversight. Instead, compliance officers and IT teams need to work in tandem, from vendor selection to configuration and deployment. This collaboration ensures that from day one, new tools meet the firm’s surveillance and retention requirements (or that proper exceptions and controls are put in place). In practice, this might mean compliance teams get a sandbox to test how a new feature (say, Slack Connect or Teams shared channels) works and what data it generates, so they can adjust policies accordingly. It might also mean engaging vendors of archival and supervision systems to update connectors or build new ones for the latest features.
A strong partnership between compliance and IT can transform what could be a reactive scramble into a proactive strategy. Rather than compliance saying 'No, block this feature' by default, the teams can ask 'How can we enable this feature safely?' Sometimes the solution is technical, e.g., enabling an API to pull message content or turning on an audit log feed. Other times it’s procedural, e.g., training users that if they share a link externally, they must also upload the document to the compliant archive. Often it’s a bit of both. The key is that compliance has a seat at the table whenever communication technology is introduced or changed. Not only does this prevent risky blind spots, but it also aligns with regulatory expectations that firms supervise all communication channels effectively.
The shift towards link sharing in enterprise eCommunications is an undeniable and, for many, an indispensable evolution. It brings substantial benefits in terms of collaboration, efficiency, and version control. However, for financial firms operating under a stringent regulatory spotlight, this convenience is a double-edged sword, introducing significant, often hidden, compliance risks if not managed with foresight and the right technological capabilities. The core issue remains: a link is not the content, and without the ability to see, analyse, and archive the information being shared via these links, firms are operating with critical blind spots.
The proliferation of link sharing, the growing focus on Microsoft Teams and Slack compliance, and the increasing integration of AI into compliance workflows mean this challenge will only grow. Firms can no longer afford a reactive, 'whack-a-mole' approach.
Instead, by critically evaluating current capabilities and strategically investing in modern surveillance solutions, financial institutions can confidently harness link sharing's benefits while maintaining robust regulatory readiness.