# AI Acceptable Use Policy

**Template — adapt to your firm's circumstances**

> This is a starting-point template aligned to the MFAA's *Embracing the future:
> Towards the safe and ethical use of AI for the mortgage and finance broking
> industry* discussion paper (2024). Replace `[bracketed text]` with your firm's
> details and adjust the rules in Section 3 to match your risk appetite.
>
> Reviewed and adapted for `[FIRM NAME]` on `[DATE]`.

---

## 1. Purpose

This policy sets out how `[FIRM NAME]` uses Artificial Intelligence (AI) tools
in the course of business, and the rules every staff member must follow when
doing so.

It exists for three reasons:

1. **To protect our clients.** Our clients trust us with sensitive financial
   information. Most AI tools are services hosted by third parties: whatever
   is typed, pasted or uploaded into them leaves our systems and is held
   under the vendor's terms. Using them responsibly is part of meeting that
   trust.
2. **To meet industry expectations.** The MFAA has issued guidance on safe
   and ethical AI use in finance. This policy aligns to those principles.
3. **To make AI useful, not risky.** Clear rules let the team use AI
   confidently for the right tasks, and stay away from it for the wrong ones.

---

## 2. Scope

This policy applies to:

- All staff, contractors, and partners of `[FIRM NAME]`.
- All AI tools used in the course of `[FIRM NAME]` work, regardless of who
  pays for them — including personal subscriptions used for work tasks.
- All client-facing and internal work products where AI was used in any part
  of their creation.

"AI tools" includes but is not limited to: Claude (Anthropic), ChatGPT
(OpenAI), Microsoft Copilot, Google Gemini, and any other large language
model or generative AI service.

---

## 3. The five principles (MFAA-aligned)

Our use of AI is governed by five principles. Every rule below derives from
one of them.

### 3.1 Privacy

**What it means:** be deliberate about what data goes into AI tools and where
it ends up.

**The rules:**
- Do not enter the following into any AI tool unless explicitly approved by
  `[AI LEAD ROLE]`:
  - Client names combined with financial details
  - Identity documents, ID numbers, dates of birth
  - Bank account numbers (BSB and account), credit card numbers
  - Tax File Numbers
  - Material non-public information about a deal or client
- This applies to uploaded files and screenshots as well as typed text, and
  it applies even where the vendor states it does not train on customer
  data: the information still leaves the firm and sits under the vendor's
  retention and access terms.
- The following are generally OK to use with AI tools, with care:
  - Generic financial concepts and templates
  - De-identified examples (names changed, figures rounded, identifying
    detail removed). Check that what remains does not re-identify the
    client in combination, e.g. a small-town postcode plus occupation plus
    an unusual loan amount.
  - Public information about lenders, products, regulations
  - Internal documents that contain no client-identifying material
- If unsure, ask `[AI LEAD]` before pasting.
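A practical way to back the "before pasting" rule is a pre-paste check that flags the identifiers in the list above and hands back a redacted copy. The script below is an added illustration written for this page, not part of the MFAA paper or the policy template; the detectors, the sample text and the `[REDACTED-...]` tokens are constructed for the example. It validates candidates rather than matching bare digit runs, using the published 9-digit Tax File Number checksum and the Luhn check for card numbers, so a loan reference or phone fragment is not reported as a TFN. Names are deliberately out of scope: those still need a human eye.

```python
"""Pre-paste check for Section 3.1: flag and redact Australian financial
identifiers before text goes to a third-party AI tool.

Added example, not part of the policy template. Patterns, tokens and the
SAMPLE text are constructed for illustration.
"""
import re
from typing import Callable, List, Tuple

# Published weights for the 9-digit TFN checksum (weighted sum mod 11 == 0).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def is_valid_tfn(candidate: str) -> bool:
    """True only for a 9-digit number whose checksum passes."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def luhn_ok(candidate: str) -> bool:
    """Luhn check for 13- to 19-digit payment card numbers."""
    digits = re.sub(r"\D", "", candidate)
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def always(_: str) -> bool:
    return True


# (label, pattern, validator). Order matters: the longest digit runs are
# handled first so a card number is not later chopped into a false BSB hit.
# Where a pattern has a capture group, only the group is redacted (DOB keeps
# its "DOB:" context so the reader can see what was removed).
DETECTORS: List[Tuple[str, "re.Pattern[str]", Callable[[str], bool]]] = [
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
    ("tfn", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), is_valid_tfn),
    ("bsb_account", re.compile(r"\b\d{3}-\d{3}\b(?:\s+\d{6,10}\b)?"), always),
    ("dob", re.compile(
        r"(?i)\b(?:dob|date of birth)\s*[:\-]?\s*"
        r"(\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4})"), always),
]


def scan(text: str) -> Tuple[List[Tuple[str, str]], str]:
    """Return (findings, redacted_text). Each finding is (label, value)."""
    findings: List[Tuple[str, str]] = []
    redacted = text
    for label, pattern, valid in DETECTORS:
        def _sub(m: "re.Match[str]", label=label, valid=valid) -> str:
            target = m.group(1) if m.lastindex else m.group(0)
            if not valid(target):
                return m.group(0)           # looked like one, checksum failed
            findings.append((label, target))
            token = f"[REDACTED-{label.upper()}]"
            if m.lastindex:                 # keep the context before the group
                return m.group(0)[: m.start(1) - m.start()] + token
            return token
        redacted = pattern.sub(_sub, redacted)
    return findings, redacted


def safe_to_paste(text: str) -> bool:
    """Gate for a paste helper or clipboard hook: nothing flagged."""
    return not scan(text)[0]


# Constructed sample. 123 456 782 is a commonly used valid-checksum test
# TFN; 987 654 321 fails the checksum and must be left alone.
SAMPLE = (
    "Hi, can you draft a summary for Jane Citizen? TFN 123 456 782, "
    "DOB: 14/02/1981, card 4111 1111 1111 1111, BSB 062-000 12345678. "
    "Loan amount 650000, reference 987 654 321."
)

if __name__ == "__main__":
    found, clean = scan(SAMPLE)
    for label, value in found:
        print(f"{label:12s} {value}")
    print(clean)
```

Run it over a draft prompt before pasting; if `safe_to_paste` is false, paste the redacted copy instead, or stop and ask `[AI LEAD]`. The validators are what make it usable day to day: without them, every nine-digit reference number would be a false alarm and staff would learn to ignore the tool.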

### 3.2 Bias and accuracy

**What it means:** AI tools can be confidently wrong. Verify before relying.

**The rules:**
- AI output must be reviewed for accuracy before use in any client-facing or
  decision-supporting work.
- Specifically verify: financial figures, lender names, regulatory
  references, dates, citations, and any specific commitment or covenant
  language.
- Treat AI output as a draft from a junior colleague — useful, but never
  authoritative.
- If you cannot verify something the AI has produced, do not use it.

### 3.3 Accountability

**What it means:** the human using the AI is responsible for the output.
"The AI did it" is not a defence.

**The rules:**
- The staff member who uses AI to produce work owns that work in full.
- AI-assisted work is reviewed and signed off by the same person who would
  review it if produced manually — drafting with AI does not change the
  approval chain.
- `[AI LEAD]` is the firm's point of accountability for AI tool selection,
  vendor due diligence, and policy maintenance.

### 3.4 Transparency

**What it means:** be clear with clients (and with each other) about how AI
is used.

**The rules:**
- We do not need to disclose AI use to clients on every interaction. AI is
  treated as a productivity tool, similar to spell-check or a calculator.
- If a client asks whether AI was used in their work, we answer honestly.
- We never present AI-generated content as the personal analysis of a named
  staff member without that staff member having reviewed and approved it.
- Internally, AI use is logged where the tool and plan support it (e.g.
  admin audit logs or workspace conversation history on a business or
  enterprise plan), and management may review prompts and outputs for
  quality and policy compliance. Staff are told at onboarding that this
  review can happen.

### 3.5 Human element

**What it means:** AI augments judgement. It does not replace it.

**The rules:**
- AI is used as a drafting and research assistant, not as an autonomous
  decision-maker.
- No client-facing communication, advice, or document leaves the firm
  without a human review step.
- Relationship-critical interactions (advice conversations, sensitive
  client communications) are conducted by humans, not AI.
- AI is never used to fabricate communications presented as if from a
  staff member — e.g. AI-generated emails sent in someone else's name.

---

## 4. Approved tools

The following AI tools are approved for use at `[FIRM NAME]` as of `[DATE]`:

| Tool | Provider | Approved for | Data location | Retention / training |
|------|----------|--------------|---------------|----------------------|
| `[e.g. Claude Team]` | `[Anthropic]` | `[General drafting, summarisation, review]` | `[Inference: US. Storage: US.]` | `[e.g. retained per contract; inputs not used for model training]` |
| `[Add others as approved]` | | | | |

Tools not on this list must be approved by `[AI LEAD]` before use. Approval
covers the listed plan only: a personal or consumer-tier account of the same
product is not approved unless it is listed, because its terms, retention
defaults and admin controls differ from the business plan the firm assessed.

To request approval for a new tool, provide: vendor name, what the tool
does, what data would flow to it, where the vendor processes and stores
data, how long inputs are retained and whether they are used to train
models, how staff access is controlled (single sign-on, multi-factor
authentication, admin visibility of usage), and the vendor's
security/compliance posture (e.g. independent audit reports).

---

## 5. AI lead role

`[NAME / ROLE]` is designated as the firm's AI lead.

**Responsibilities:**
- Maintain this policy and the approved tools list.
- Review and approve any new AI tools before deployment.
- Keep prompt templates and shared resources current.
- First point of contact for staff questions about acceptable use.
- Surface compliance or vendor concerns to firm leadership.
- Coordinate any AI-related incident response.

**Time commitment:** approximately `[2–4 hours per month]`.

---

## 6. Incidents

An "AI incident" is any of the following:

- Sensitive data entered into an AI tool in breach of Section 3.1.
- A client raises a concern about AI use in their work.
- An AI-assisted output reaches a client with material errors.
- A vendor announces a change to data handling that affects our risk profile.
- Suspected vendor breach or compromise of an AI service we use.
- Compromise of a staff member's AI tool account (e.g. phished or reused
  credentials), since the account's conversation history may contain firm
  and client material.

**If an incident occurs:**

1. Stop using the affected tool for the affected workflow. Do not delete
   the prompts, uploads or conversation history involved until the
   assessment is complete; they are the record of what was exposed.
2. Notify `[AI LEAD]` within 24 hours.
3. `[AI LEAD]` assesses scope and impact, and escalates to firm leadership
   if client data exposure is suspected. Where client personal information
   may have been exposed, leadership checks with the compliance adviser
   whether the Notifiable Data Breaches scheme under the Privacy Act 1988
   (Cth) applies; it has its own assessment and notification timelines.
4. Document what happened, what was affected, what was done.
5. Review whether policy or tooling needs adjustment.

---

## 7. Review

This policy is reviewed annually, or sooner if:

- Tools we use materially change their data handling or terms.
- New industry guidance is issued (e.g. updated MFAA papers, ASIC guidance).
- An incident reveals a gap in the policy.

**Last reviewed:** `[DATE]`
**Next scheduled review:** `[DATE + 12 MONTHS]`

---

## 8. Acknowledgement

All staff acknowledge they have read and understood this policy on
commencement and at each annual review. A signed acknowledgement is held in
the personnel file.

---

*This template is provided for use by `[FIRM NAME]` and may be freely adapted.
It is aligned to MFAA principles but is not a substitute for legal or
compliance advice. Consult your compliance adviser if your business has
specific obligations beyond those covered here.*
