Coltbridge×AI Tooling
A Practical Guide

How AI tools actually work

A "Large Language Model" — Claude, ChatGPT, Copilot, Gemini — is essentially a sophisticated autocomplete that has read most of the public internet. You give it text. It generates text back. That's the whole trick. The magic is in how good it has become at it.

Three things to internalise:

• It runs in a datacentre, not on your laptop. The actual AI lives on specialised chips (GPUs) in a building somewhere. Where that building is matters a lot.
• It doesn't remember you. Every chat starts fresh. Some products bolt memory features on top, but the underlying model is amnesiac.
• It can be confidently wrong. "Hallucination" — the model fabricating names, numbers, regulations. Always verify before relying on outputs.

Where your data goes

When you type something into an AI chat box, your text takes a journey. Three stages, each with different implications:

What this means for Coltbridge

The country the datacentre sits in is the country whose laws govern your data while it's being processed. For an ACL-licensed advisory firm doing mid-market debt work:

• Not catastrophic, but not zero. Your clients may have contractual or commercial expectations about confidentiality that don't easily fit "we sent your financials to a US AI service."
• The MFAA AI guidance puts privacy front and centre. Privacy of client data is one of the five principles for safe AI use (see Section 3).
• Worth being deliberate about. Choose an option where you can answer "where does our data go" with a clear, defensible sentence.

MFAA principles & free policy

The MFAA's discussion paper Embracing the future: Towards the safe and ethical use of AI for the mortgage and finance broking industry identifies five principles for safe AI use in finance. They're sensible, and they apply equally well to debt advisory work even though the paper was written for retail brokers.

The free policy template

We've drafted an MFAA-aligned acceptable-use policy template you can adapt for Coltbridge. It's about three pages, structured around the five principles above, with concrete rules for each. Replace the bracketed fields with your specifics — firm name, AI lead, approved tools, review cadence — and you have a defensible governance document.

Aligned to MFAA principles. Not a substitute for legal advice — review with your compliance adviser before formally adopting it.

Yes, you can use Claude Pro

The single most common question we get from firms in your position is some version of: "Can we actually use a normal Claude subscription, or do we need something fancier to be compliant?" Short answer: yes, you can. Long answer: with the right habits, a standard Claude Pro, Team, or Max subscription is genuinely fine for ACL-licensed debt advisory work. Here's why.

The legal mechanism that makes it work

Three facts in combination:

• ACL licensees aren't bound by APRA-style data residency rules. Those rules apply to ADIs, RSEs, and other APRA-regulated entities. ASIC's general obligations for credit licensees (RG 104) and dispute resolution requirements (RG 271) don't prohibit offshore AI services.
• De-identified data isn't "personal information" under the Privacy Act. That means APP 8 — the cross-border disclosure principle that would otherwise apply when you send personal information overseas — isn't triggered. This is the legal hinge the whole approach turns on.
• Anthropic's commercial terms explicitly state they don't train on customer data. So inputs you provide to Pro, Team, or Max don't propagate into the model. Your prompts live in their infrastructure, used to generate your response, then bounded by their retention policy.

Combine those, and the picture is: a Claude subscription with sensible obfuscation habits keeps your client data outside the categories that trigger the rules people worry about. Not because of clever workarounds, but because that's how the rules are designed.

What "obfuscation" actually means in practice

We're not talking about cryptographic anonymisation or formal de-identification protocols. We're talking about a habit: before pasting, swap identifying details for placeholders. It takes ten seconds and it changes the legal character of the data.

What about the M365 connector?

The Claude M365 connector (covered in Section 5) reads your SharePoint and Outlook directly. That data is identifying by definition — there's no obfuscation step. This is fine because the connector is permission-mirrored: Claude can only see what each user can already see, and the same paid commercial terms apply. The data flows under your firm's commercial agreement with Anthropic, not under the looser personal-account terms.

It does mean the connector represents a stronger commitment than copy-paste with obfuscation — so it's worth being deliberate about turning it on, and worth covering it explicitly in your acceptable-use policy.

A note on legal advice

None of this is legal advice. We're not lawyers. What we can tell you is that this is the pattern we see consistently across Australian financial advisory firms using AI well — and it's the pattern the MFAA paper points toward, even if it doesn't say it as plainly as we have here.

Confirm with your compliance adviser before formally adopting it. But your instinct that you can probably just use a Claude subscription is correct. You don't need our permission, you don't need expensive infrastructure, and you don't need to wait. The downloadable policy template in Section 3 codifies exactly this approach — fill it in, get it signed off, and you're moving.

The four real options

For a firm of your shape, four pathways are worth understanding. Everything else is a flavour of one of these.

The M365 connector — what just changed

In late 2025 Anthropic released a Microsoft 365 connector for Claude that materially changes the office-integration picture. Available on all Claude plans — Pro and Team included — and once enabled, Claude can:

• Search and read your SharePoint sites and document libraries
• Search and read files in OneDrive
• Read and search Outlook emails (incl. archived threads)
• Read Teams chat messages and channel discussions
• Read Calendar events and online-meeting transcripts

For Coltbridge, this is the workflow gap-closer. An advisor can ask:

• "Find the IM template we used for [Client X] last quarter and adapt it for [Client Y] using their briefing notes in SharePoint."
• "Summarise the email thread with [Lender Y] about the refinancing — what did we agree on rate, fees, and covenants?"
• "Pull the deal notes from our last three meetings with [Client Z] and flag anything still outstanding."

What it actually costs

Two ways to pay for AI: subscription (flat per user per month) or pay-per-use (pennies per token). For a 5-person firm starting out, subscription wins on simplicity and predictability.

Subscription pricing (April 2026)

Real Coltbridge tasks (pay-per-use, Claude Sonnet 4.6)

• Drafting an Information Memorandum section: ~$0.08 per draft
• Reviewing a 50-page term sheet: ~$0.15 per review
• 30-minute iteration session on a financing structure: ~$0.60
• One advisor heavy day: ~$3–5

For 5 people exploring AI, subscription wins. Claude Team at ~$230/month total is paying for predictability, polish, and account management. You won't hit the break-even point with API tokens until you're doing 30+ heavy sessions per user per workday — way beyond exploration phase.

A simple way to start

You can run this entire path yourselves over three to four weeks. Five steps. Total commitment to first decision point: about $30 AUD.

That's the whole path. If you'd like a hand with any of it, see Section 8. But none of this requires us — it requires one curious person, a couple of conversations, and a free policy document.

Common pitfalls to avoid

Six ways AI gets used badly in finance firms. Avoiding these is most of the battle.

• Trusting numbers. AI fabricates figures with extreme confidence. Verify every financial value, percentage, date, and citation before output leaves the firm. This is the single highest-risk failure mode in advisory work.
• Pasting client-identifying data into free tools. ChatGPT free, Gemini free, Copilot free — these have different data handling than the paid tiers, and personal accounts don't carry your firm's data agreements. If a tool isn't on your approved-tools list, treat it as the public internet.
• Letting AI hit "send." Drafting with AI is fine. Iterating with AI is fine. But the moment a piece of content leaves the firm, a human must have reviewed and approved it. AI-drafted client emails that go out unchecked is how reputational damage starts.
• Believing it understands your firm. AI is great at general knowledge, average at specifics. It will get lender names, current product features, regulatory references, and Australia-specific details wrong. Treat it as a knowledgeable generalist, not a Coltbridge expert.
• Skipping the policy. "We'll write the AI policy later" tends to mean "we'll write the AI policy after the incident." The downloadable template above is deliberately simple — a few hours of work and you're protected.
• Treating it as autonomous. AI is a junior colleague who needs supervision. It's not a replacement for advisor judgement. Workflows that try to remove the human entirely fail in ways that workflows with humans-in-the-loop don't.

The pattern underneath

Most AI failures in finance firms come from treating the tool as more capable than it is — assuming it knows your specifics, trusting its outputs without verification, removing human review steps to save time. The firms that use AI well treat it as a thoughtful but unreliable assistant. Useful, but never authoritative.

If you want hands-on help

Most firms can run the path above on their own. The five steps are deliberately simple, the policy template covers the governance basics, and Claude Team's setup is genuinely a self-service experience.

That said — if you find a workflow you'd like to automate and can't quite get there yourselves, we're available ad-hoc at $200/hr + GST. No retainers, no minimums, no ongoing commitments.

Common things people ask us for

• Prompt engineering for specific recurring tasks. A Coltbridge-specific prompt for IM drafting, term sheet review, or lender comms can take a generic chat session and turn it into a repeatable, reliable workflow. Typically 2–4 hours per workflow.
• Workflow design. Turning "wouldn't it be great if AI could..." into something that actually works — including identifying when AI shouldn't be used. Usually a 2–3 hour scoping session followed by build work.
• Tool selection & setup when something more advanced than Claude Team is genuinely needed — onshore Bedrock deployment, custom MCP integrations, agent workflows. Quoted on a per-engagement basis after a free scoping conversation.
• Compliance review. Independent assessment of how you're using AI against MFAA principles. Useful before client audits or when onboarding new staff. Typically 4–6 hours.
• Training. A 90-minute team session on practical AI use, MFAA principles in practice, and verification habits. $400 + GST for a session of up to 10 people.

How engagements work

• Free 45-minute scoping conversation to understand what you need.
• Written quote with a specific deliverable and a fixed-hour estimate.
• Work begins after you say yes. Invoiced on completion.
• If we hit the hour limit and aren't done, we discuss before continuing — never a surprise overrun.
• Engagements are project-based. No ongoing retainers. Re-engage when you want.