As AI becomes increasingly embedded in the advice process, selecting the right technology partner is no longer just an IT decision. In this article, Zahid Bilgrami, CEO of Mortgage Brain, outlines a practical procurement checklist for broker networks, exploring the key questions firms should ask around cost, governance, data security, resilience and Consumer Duty before committing to an AI supplier.
AI has moved out of the IT column. Once a tool sits inside the advice journey, it is a cost risk, a data risk and a Consumer Duty risk at the same time. A board-level procurement decision, not a demo sign-off. UK Finance’s 2026 guidance to boards says exactly that and warns that in most firms nobody is clearly accountable for AI oversight.
This checklist closes that gap. The first four questions draw on Mortgage Brain’s AI Charter; the last two extend it to resilience and Consumer Duty.
One rule before you start: get written answers, not demos. A demo shows you the tool on a good day. A contract clause shows you what you’ll live with.
1. Cost. Is the price you sign the price you keep?
Many “AI powered” mortgage tools are built on a general-purpose model (ChatGPT, Gemini) with branding on top. That makes your supplier a middleman and upstream prices, widely expected to rise sharply, land on your invoice.
- Are upstream price rises passed on or absorbed – in writing?
- Is the fee genuinely flat, or is there per-query pricing underneath?
- Can you fix a price regardless of scale, and cap total spend?
Red flag: “It depends on usage,” with no cap.
Green flag: A fixed, scalable price the supplier controls because it runs its own infrastructure.
2. IP & data. Where does it sit, and who learns from it?
Route through a third-party platform and client data may leave the UK – possibly retained, possibly training someone else’s model. You are the data controller. The liability is yours.
- Is there a DPA naming every sub-processor, including the model provider?
- Zero retention, no training – by default?
- Are all servers and backups UK-based? If not, are SCCs and a Transfer Impact Assessment in place?
- Will the supplier indemnify you against IP infringement?
- Can you purge client data once an application completes?
Red flag: No sub-processor list; “the model provider may use data to improve services.”
Green flag: Documented UK residency, encryption throughout, indemnities in the contract.
3. Consistency. Same case, same answer, every time?
Large language models are probabilistic: ask twice, get two answers. Different compliance interpretations on identical cases do not survive an audit or the Financial Ombudsman.
- Identical input, identical output guaranteed? How is that engineered?
- Does every output carry an auditable “reason text” that would stand up to FOS scrutiny?
Red flag: A black box that can’t explain or repeat its own decisions.
Green flag: Repeatability by design, with a reason trail behind every output.
4. Speed. AI where it’s needed, not for show
Many mortgage tasks are done more cheaply and reliably by rule-based systems. A supplier worth partnering with can tell you exactly where AI earns its keep.
- Which tasks actually use AI and why is it required for each?
- Where would a rule-based system do the job better?
Red flag: Everything defaults to the largest, costliest model and you’re paying for it.
Green flag: A deliberate mix of deterministic systems and targeted AI.
5. Resilience & exit. What happens when it breaks?
Treat this as material outsourcing. Their outage is your operational-resilience problem.
- Security: ISO 27001, Cyber Essentials Plus, a recent independent pen test?
- Uptime: an SLA aligned to your impact tolerances?
- Solvency: does the vendor have runway, and is your revenue a risky share of theirs?
- Audit: can compliance (or the FCA) inspect their systems and logs?
- Exit: can you extract 100% of your logs in a standard format, fast?
- Fallback: a documented plan for a multi-day outage?
Red flag: “We’re pursuing ISO,” no independent testing, no off-boarding plan.
Green flag: Demonstrable longevity and a clean, documented exit.
6. Consumer Duty. The thread through all of it
Your member firms carry the fair value and good outcomes standard. A tool that works against either is your exposure, not the vendor’s.
- Is there evidence the tool has been tested for fair outcomes, not exploiting customer biases?
- Can it justify every recommendation or rejection to FOS standard?
- If the tool’s cost jumps mid-contract, what happens to fair value across your network?
Red flag: No fairness testing; decisions it can’t justify.
Green flag: Documented fairness testing and a clear rationale behind every output.
Who owns this? The board.
Supplier diligence is where AI governance stops being a line in a policy document and becomes operational reality. UK Finance wants AI risk as a standing board item; this checklist is what that looks like in practice.
The networks asking these questions now – of every supplier, incumbents included – will be the ones still comfortable when the pricing and regulatory environment shifts.















