* Financial Services Cloud *

@Simran Singh the key is to separate case creation from email threading.

If the requirement is only "let the manager create a Case from an email," then Salesforce Outlook/Gmail integration can work. You can expose a Create Case quick action in the Salesforce side panel, and Salesforce docs confirm users can create Cases directly from the email side panel. Attachments can also be logged to Salesforce as Files, depending on the email integration setup (https://help.salesforce.com/s/articleView?id=sales.outlookcrm_side_panel_create_actions.htm&type=5) 

But if the requirement is "all future client replies must automatically stay on the same Case," then Email-to-Case needs to be part of the flow. Salesforce’s Email-to-Case threading works when outgoing Case emails and incoming customer replies are routed back through Email-to-Case. If replies only go back to the Account Manager’s personal inbox, Salesforce will not automatically attach those replies to the Case (Email-to-Case Threading) 

The scalable design is usually: use one central Email-to-Case routing address, then configure mail-system forwarding or a controlled forwarding process from the AM inboxes into that address. Once the Case is created, assign it to the right Account Manager using Flow, assignment rules, or a mapping based on the original recipient/customer/account. Salesforce documents Email-to-Case forwarding as the standard pattern for routing emails into Cases (Salesforce Help | Article) 

The one point to be careful with is the “send from the individual AM email” requirement. If the email truly goes out from the AM’s personal address and the customer replies only to that address, the reply will land in Outlook/Gmail, not automatically in Salesforce. You can show the AM as the owner/agent, but for automatic Case threading, the Reply-To path should route back to Email-to-Case. Salesforce also notes that the default reply From address can be the user’s address, so this needs to be tested carefully in your org (Default Email-to-Case 'From' address for replies to email) 

My recommendation is to use Outlook/Gmail integration for manual Case creation if needed, but use Email-to-Case as the system of record for the lifecycle. If the business insists on true personal inbox ownership for the full thread, then you are likely looking at a custom Microsoft Graph/Gmail API integration rather than standard Email-to-Case alone.

Bob — yes, you're not alone. We've heard the same from others navigating this with large SaaS vendors. Salesforce routing it through a legal addendum is pretty consistent with how they've handled similar requests. 

To your second question: beyond a formal addendum, other approaches that firms have used include a written questionnaire or attestation from the service provider acknowledging the 72-hour notification obligation, or documenting a risk-based vendor oversight decision if a contractual commitment isn't obtainable. The SEC gave some flexibility here — what matters is that your written policies reflect a reasonable effort to obtain that assurance and that you can demonstrate it during an exam. 

On the preparedness side, it's worth getting clear now on exactly what NPI lives in your Salesforce org — things like account numbers, SSNs, income data, credit info, or transaction history. If a breach occurs, Reg S-P requires you to notify affected individuals within 30 days of becoming aware, and the notice needs to clearly describe what information was compromised, the potential risk of harm, and what steps individuals can take to protect themselves. Knowing your data footprint in advance makes that process significantly less painful. 

For what it's worth, our team at LASER Credit Access works with financial institutions on Salesforce regularly and these compliance questions come up a lot. Happy to compare notes if it's helpful. Good luck on the deadline.