Your Loan Data and AI: What Banks Actually Need to Know

Every time we talk to a bank about AI-powered underwriting, the first real question is some version of: "What happens to our loan data?"

Fair question. If you're a community bank or credit union evaluating AI tools for your lending operation, you should be asking it. The problem is that most vendors answer with marketing language - "bank-grade security" and "enterprise-ready" - without telling you what's actually happening at the infrastructure level.

So let's get specific.

The "Training" Question

The single biggest concern we hear: "Will our borrower financial data be used to train your AI?"

No. Both of our AI providers — Google and AWS — contractually guarantee it.

Aloan uses Google Cloud Vertex AI and AWS Bedrock for AI processing. Both are enterprise API services used widely across the financial services industry. Both providers offer contractual guarantees that customer inputs and outputs are never used to train, improve, or fine-tune foundation models.

This isn't a pinky promise. It's in the service agreements. Google documents their data governance commitments. AWS documents theirs. Your data goes in, gets processed, results come back, and nothing is retained.

There's a meaningful difference between using AI through a browser chat window and using enterprise API services with data governance agreements. The enterprise API path — which is what Aloan uses exclusively — comes with contractual commitments around data handling, retention, and training exclusion that consumer-facing products don't guarantee by default.

What Happens When a Loan Doc Hits Our Platform

Here's the actual data flow when your analyst uploads a set of tax returns, bank statements, and financials into Aloan:

1. Upload and encryption. Documents hit our platform over TLS-encrypted connections and are stored encrypted at rest on US-hosted infrastructure.
2. AI processing via encrypted API calls. When we need AI to extract data, classify documents, or generate analysis, we make encrypted API calls to Vertex AI or Bedrock. The model processes the request and returns results.
3. Zero retention by AI providers. After processing, neither Google nor AWS retains your data. No copies, no caches, no training queues. The model provider has no access to your data after the API call completes.
4. Results delivered to the user. The extracted data, spreads, risk flags, and credit analysis are assembled in the platform and presented to your lending team with full source-document traceability.

At no point does a third party have access to your loan documents. The AI providers don't store them. They don't see your account. They don't know who you are. It's a stateless API call - in, process, out, gone.

The Examiner Conversation

If you're a regulated institution, the question isn't just "is this secure?" - it's "can I defend this to my examiner?"

We built for that. Aloan's architecture aligns with three frameworks that examiners care about:

• FFIEC guidance on technology risk management - covering controls for third-party technology services, information security, and business continuity planning.
• OCC 2023-17 (Third-Party Risk Management) - the updated interagency guidance on managing risks from third-party relationships, including fintechs. Our documentation is structured to fit directly into your vendor management process.
• SR 11-7 (Model Risk Management) - the interagency statement on model risk. This is the big one for AI. Every output Aloan generates traces back to source documents. Your examiner can pull any number in a credit memo and see exactly which page of which tax return it came from.

The traceability piece is worth emphasizing. When an examiner samples a loan file that used AI-assisted underwriting, they need to be able to verify the work. If the AI says DSCR is 1.35x, the examiner needs to see the income and expense numbers that produced it, and where those numbers came from in the borrower's financials. Aloan provides that chain from output to source document - not just for the examiner, but because your credit analysts need it too.

Infrastructure Certifications

Our AI inference providers - Google Cloud (Vertex AI) and AWS (Bedrock) - maintain:

• SOC 2 Type II - independent audit of security controls, availability, and confidentiality
• ISO 27001 - international standard for information security management
• FedRAMP - federal cloud security authorization
• HIPAA eligibility
• GDPR compliance

We can provide documentation of our security controls, our providers' certifications, penetration test results, and data flow documentation as part of your vendor due diligence. This isn't something you have to pry out of us — it's ready to go. Just ask.

What We Don't Do

Sometimes the clearest way to explain a security posture is to list the things you won't find:

• We don't use your data to train models. Ever.
• We don't sell, share, or monetize customer data.
• We don't use consumer AI services (no ChatGPT, no browser-based tools).
• We don't retain data longer than needed to provide the service.
• We don't give AI providers access to your account, your data, or your identity.

The Real Risk Calculation

Here's what we think the honest conversation sounds like: Yes, using AI in underwriting introduces a new vendor and a new technology into your process. That's a real consideration that deserves real due diligence.

But the alternative isn't risk-free either. Manual spreading has error rates. Analysts miss things when they're processing their twentieth deal of the month. Document collection takes weeks instead of hours. Covenant monitoring falls behind because nobody has time to pull the reports.

The question isn't "is AI perfectly safe?" - it's "does this vendor's security posture meet my standards, and does the operational benefit justify the relationship?" For regulated institutions that need examiner-ready audit trails, enterprise-grade infrastructure, and contractual data protection guarantees, those are questions we've built specifically to answer.