15th May 2026 – Written by Zahid Bilgrami

Did you know? 7 things brokers should know about AI and client data

Mortgage data is among the most sensitive personal financial information there is – income, debts, credit history, ID documents. The kind of data that, in the wrong hands, causes real harm to real people.

So when your team puts client data into an AI tool, do you know where it actually goes? Here’s what most brokers don’t realise.

Did you know… some “AI-powered” broker tools are quietly sending your client data to OpenAI, Google or Anthropic?

Your vendor may have built the interface and branded it for mortgages, but your client’s data is often actually processed on someone else’s infrastructure entirely. That’s a serious governance question.

Did you know… your client’s data could be training someone else’s AI model?

Many major providers reserve the right to use inputs for model training unless enterprise agreements explicitly prohibit it, and those protections aren’t always watertight. Once data is absorbed into a model, you can’t pull it back out. There’s no clean remediation path, just a disclosable incident.

Did you know… a UK contract doesn’t guarantee UK data?

Brokers often assume a contract with a UK provider means their data stays in the UK. It doesn’t. Your contract is with your provider. Your provider’s contract is with the AI model company. And that company’s servers may sit in a US data centre regardless. Under UK GDPR, exporting personal data to a jurisdiction without adequate protection is a serious regulatory issue.

Did you know… there are four questions someone senior in your firm should already be able to answer?

Before any AI system touches client data:
• Where is it processed?
• Who has access?
• Could it be used to train the provider’s AI model?
• What happens if there’s a breach?

If your provider can’t answer all four clearly, in writing, you have a material exposure you haven’t reckoned with.

Did you know… the risk goes wider than data sovereignty?

Once client data flows through third-party AI, your firm is exposed to prompt injection attacks, phishing material surfacing in model outputs, “service improvement” clauses that let provider staff view your data, and a near-total loss of control over locating, correcting or deleting it.

Did you know… the FCA’s direction of travel on AI is already clear?

Firms with proper AI data governance in place now will be well placed as oversight develops. Firms without will be playing catch-up in a much less forgiving environment.

Did you know… there are seven questions you should be putting to your provider at every renewal?

Get clear written answers on:
• Is my client’s data processed by your own AI, or by a third party?
• Where, geographically, is it processed?
• Can you prove contractually it doesn’t leave UK or EU jurisdiction?
• Is it ever used to train your AI or any third-party model?
• What happens if there’s a breach upstream, at the AI provider?
• Can I see your sub-processor list, kept current?
• How does right-to-erasure work if the data has already been processed by a third-party AI?

Did you know… Mortgage Brain handles this differently?

Because we build and run our own AI, none of the above applies to data shared with us. Client data stays inside Mortgage Brain’s systems and is not passed elsewhere. It isn’t processed outside UK or EU jurisdiction. It isn’t at risk of training someone else’s model.

We also hold a vast amount of proprietary industry data – lender policy criteria, product pricing, decades of market knowledge – that simply doesn’t exist inside public general-purpose AI models. So you’re not just protecting client data, you’re getting outputs grounded in real mortgage infrastructure rather than generic internet assumptions.

Brokers handle the most sensitive data in the mortgage journey. That responsibility is yours.