
Table of Contents
Why Clean Data Alone Can’t Protect Lenders From Risk
I was on a podcast recently talking about technology in specialty lending, and the host said something that stuck with me. We were talking about data quality, which is the topic everyone in this industry wants to talk about, and he made a distinction I had not heard articulated quite that way before. He separated data quality from controls. Most of the conversation in lending technology circles treats those as the same problem. They are not. And the difference between them is where a lot of lenders are quietly exposed.
The Industry Is Obsessed With Dirty Data
If you have spent any time around loan operations, servicing, or a digital transformation initiative at a lender, you have heard the phrase dirty data more times than you can count. Duplicate borrower records. Inconsistent field formats. Stale collateral values. Loan officers entering the same information three different ways in three different systems. It is a real problem, and I am not going to tell you otherwise. Bad data creates bad reporting, bad reporting creates bad decisions, and bad decisions compound over a loan book that might carry hundreds of millions of dollars in exposure.
So lenders spend money and time on data cleanup projects. They bring in consultants to standardize fields. They migrate to new systems with cleaner schemas. They build dashboards that promise a single source of truth. All of that is worthwhile work. But here is the uncomfortable part. None of it prevents the kind of failure that actually causes the most damage at most lending organizations. Clean data describes what is true. It does not govern what people are allowed to do with that information, or what happens before an action becomes irreversible.
Controls Are a Different Layer Entirely
Controls are the guardrails that sit on top of data and on top of process. They are the rules that determine who can approve a loan above a certain size, who can release funds, who can see a borrower’s full financial file, and what has to happen before a wire goes out the door. Controls do not care whether the underlying data is perfectly clean. They care about sequence, authority, and verification. A lender can have immaculate data and still have someone wire the wrong amount, approve a loan that should have gone to a second reviewer, or grant system access to someone who should not have it. I have seen this happen at organizations that had genuinely good data hygiene. The data was not the problem. The absence of a checkpoint was the problem.
This distinction matters more as lending organizations grow. A five-person shop can rely on informal controls, because everyone knows everyone and someone will probably catch a mistake before it becomes expensive. That informal safety net disappears the moment a lender scales past a certain size, adds new loan products, brings on new staff, or starts operating across multiple offices or business lines. At that point, if controls are not built into the workflow itself, they exist only in policy documents that nobody consistently follows under deadline pressure. And deadline pressure is the normal operating condition in loan operations, not the exception.
A Story That Has Stayed With Me
I will tell you why this topic is personal for me. Early in my career, I was processing a wire transfer and fat fingered an extra zero into the amount field. The transfer went to a bait and tackle shop in Montana, right before their busiest season of the year. We never got that money back. There was no system in place that flagged the transaction, no secondary approval that would have caught an amount that was ten times larger than it should have been, nothing that stood between a single keystroke and a permanent loss. The data in our system was accurate right up until the moment I typed the wrong number into it. Clean data did nothing to stop that error, because the error was not a data quality problem. It was a missing control.
That experience is a big part of why I ended up building lending technology instead of just using it. Every time I talk to a COO or a head of lending operations about their systems, I am listening for whether they have thought about controls as a distinct discipline from data management. Most have not, not because they are careless, but because the industry conversation has trained everyone to think about the problem the wrong way. Vendors sell data quality tools. Consultants sell data governance frameworks. Almost nobody is selling operational control architecture, because it is harder to demo and harder to put in a slide deck. But it is the thing that actually prevents the losses that show up in board meetings.
Where Lenders Are Most Exposed
In my conversations with operations leaders across specialty finance, CDFIs, commercial lenders, and private credit funds, the exposure tends to cluster in a few predictable places. The first is funding and disbursement. Anywhere money physically leaves the organization is the highest stakes moment in the entire loan lifecycle, and it is often the least protected step in the process, because by the time a loan reaches funding, everyone assumes the hard work of underwriting and approval is already done. That assumption is exactly what makes funding dangerous. A control failure at underwriting usually gets caught somewhere downstream. A control failure at disbursement is frequently final.
The second area of exposure is access and permissions. As lending organizations grow, they add staff, add departments, and add third-party partners who need some level of system access. Permissions get granted in the moment to solve an immediate problem, and they rarely get revisited. I have sat with operations teams who could not tell me, without pulling a report and manually reviewing it, who currently had authority to approve a loan above a certain threshold. That is not a data quality gap. That is a control gap, and it is one that creates real regulatory and financial risk, particularly for lenders operating in regulated categories like government-backed lending or CDFI programs where audit exposure is constant.
The third area is the handoff between systems. Most lenders I talk to are not running one unified platform. They are running a loan origination system, a separate servicing system, a document repository, and a handful of spreadsheets that fill the gaps nobody built for. Every handoff between those systems is a point where a control can silently disappear. The origination system might require a second approval for large loans. The servicing system, being a completely separate piece of software from a different vendor with different logic, might not enforce that same rule once the loan moves into servicing. Nobody designed that gap on purpose. It emerged because the systems were never built to share a control framework in the first place.
Why This Gets Worse as Lenders Scale
The lenders who get hurt worst by this are usually not the smallest ones. Small lenders are informally protected by low volume and close oversight. The lenders most exposed are the ones in the middle of a growth curve, adding loan products, adding staff, adding geography, and doing it on infrastructure that was designed for a smaller, simpler operation. I have watched organizations double their loan volume in eighteen months while their operational control structure stayed exactly the same as it was when they were half the size. Everyone is moving fast, everyone is focused on growth, and controls quietly become the thing nobody has time to revisit until something goes wrong.
This is also where technology decisions matter more than people give them credit for. A platform that treats controls as configurable workflow logic, built into the approval chain, the funding process, and the permissioning structure, gives an operations leader the ability to enforce consistency without relying on individual discipline. A platform that treats controls as an afterthought, or leaves them to policy documents and manual review, puts the entire organization at the mercy of every individual employee getting every step right, every single time, under pressure, forever. That is not a sustainable control strategy. It is a hope strategy.
What Operational Leaders Should Actually Be Asking
If you are a COO or head of lending evaluating your own exposure, the useful question is not whether your data is clean. Ask instead whether your systems physically prevent someone from taking an action they should not be authorized to take, or whether your systems simply record that the action happened after the fact. Ask whether a large disbursement requires a second set of eyes by design, or whether it requires a second set of eyes only because someone remembers to ask for one. Ask whether permissions are reviewed on a schedule, or whether they accumulate silently until an audit forces a cleanup.
None of this is about finding a villain or blaming your team. Almost every control gap I have seen was built by well-intentioned people solving an immediate problem without thinking about the long-term structure they were creating. The fix is not a lecture about diligence. It is building an operational structure where the right thing happens automatically, because the workflow requires it, not because someone remembered to check.
Clean data is worth pursuing. I am not arguing against it. But if a lender is only investing in data quality and treating that as their risk management strategy, they are protecting themselves against the wrong failure mode. The wire transfer that never comes back, the loan approved by someone who should not have had that authority, the access granted and never revoked, none of those are data problems. They are control problems. And control problems do not show up in a data quality report. They show up in a loss statement, or worse, in a regulatory exam. The lenders who understand that distinction early are the ones who scale without a costly lesson attached to it.
