HD-INC-016 · Banking · AI as weapon

Australia's four big banks were hit with AI-assisted mortgage fraud at scale, beginning with the Penthouse Syndicate at NAB and ending, so far, with a $1 billion review at CBA

A former insider used AI-forged payslips and bank statements to extract $150 million from NAB. That investigation prompted CBA to review its own book and find another $1 billion in suspect loans. Westpac and ANZ followed.

What happened

There are two stories here, and the second is the bigger one. The first is the case of Andrew Hu, a former lending officer at the Commonwealth Bank and then at the National Australia Bank, who was charged in late 2025 with 89 fraud-related offences for his alleged role in a syndicate the press named the Penthouse Syndicate. The allegation against the syndicate is that it used insider knowledge of bank approval workflows, combined with falsified supporting documents, to extract approximately $150 million in home loans from NAB. By the time CBA had identified Hu's earlier conduct on its own books, the bank was out roughly $15 million. The matter is ongoing.

The second story is what the NAB investigation flushed out at the other banks. On 27 February 2026, the Commonwealth Bank reported itself to NSW Police, ASIC and AUSTRAC. The bank had reviewed its broker-introduced mortgage book in the aftermath of the Penthouse Syndicate scrutiny, and the review had identified approximately one billion Australian dollars of home loans where the supporting documentation appeared to have been fabricated. Critically, the reporting on this $1 billion exposure is careful to note that it has not been alleged to be the work of the Penthouse Syndicate. It is a separate problem, on a larger scale, surfaced by the look-deeper culture the NAB matter had forced. A portion of those loans had supporting documents produced or altered using generative AI. The documents had passed the bank's existing controls. The loans had funded. The properties had settled. The money was gone.

Within weeks, both Westpac and ANZ contacted NSW Police about suspected fraudulent loans on similar fact patterns. The total exposure across the four major banks is still being established. CBA's CEO told analysts in early March 2026 that the $1 billion figure was a working estimate, not a final number. APRA had begun requesting mortgage data from ten banks under formal information-gathering orders by mid-March.

The mechanics, where AI is involved, are mundane. A broker or insider with access to a real customer's name, date of birth and employment history generates the supporting documents the bank needs: a payslip on the employer's letterhead with the salary set just high enough to clear the bank's serviceability calculator, a bank statement showing a plausible deposit pattern over three months, an employer letter confirming employment. The bank's intake process accepts these as evidence. The serviceability calculator runs against the numbers in the documents, not against any verified source. The application clears.

Where Hu's conduct was distinctive, it was on the inside-knowledge side. Hu allegedly understood which documents triggered manual review and which did not, which patterns the bank's fraud-detection algorithms flagged and which they ignored, and how to distribute applications across multiple bankers and brokers so that no single employee accumulated a suspicious cluster on their books. The applications were routed through email and WhatsApp where possible, outside the formal pipeline that would have generated a clean audit trail at intake. The deviation from the bank's normal channels was, in itself, a signal. The bank did not catch the signal in real time because the signal was not part of any loan's structured record.

What an auditable version would have shown

This is a different shape of failure from most entries here. The AI in the Air Canada case, in Mata v. Avianca, in the Olive persona-drift incident, is an AI system failing while its operators are acting in good faith. The fraud cases are the inverse: AI is performing exactly as its users intend, deployed against a counterparty that has not adapted. The audit-trail question doesn't disappear. It moves. The question becomes: can the counterparty verify the artefacts its system is accepting as evidence?

The Australian banks' lending workflows currently do not produce, for each loan, a structured record of what was relied on at the moment of approval. The loan file holds copies of the documents the borrower submitted. It does not, by default, hold a record of: who submitted each document, through which channel, when, whether the document carried a verifiable signature from its issuer, whether any check was run against the issuer to confirm authenticity, and which employee made the final approval decision and on what basis. Some of this is in the file in some form. Most is in the system in some form. None of it is, by default, signed, time-stamped, and queryable as one chain of evidence per loan.

When the Penthouse Syndicate's pattern eventually surfaced at NAB, the forensic team had to reconstruct, loan by loan, what the bank had relied on at approval. Some of that reconstruction was possible from archived files. Much of it depended on staff memory and informal records. The bank could say, in aggregate, that something had gone wrong. It could not show, for any individual loan, exactly which control had failed and exactly why.

A signed conduct record on each loan decision collapses the reconstruction into a query. For each suspect loan, return the structured record. The record names every document relied on, every verification step run or skipped, every officer who touched the decision, every channel the documents arrived through. The pattern across the syndicate becomes visible at audit time, not after a billion dollars has funded.

Where the gap was

The gaps were structural, not exotic, and the syndicate exploited each in turn.

The first is at the document-provenance layer. Australian banks accept payslips and bank statements as evidentiary artefacts in loan applications. The institutions that issue those payslips and statements (employers and other banks) do not, by default, sign the artefacts in a way that lets the receiving institution verify them programmatically. A payslip is a PDF. Anyone with the original layout and a plausible salary number can produce one. Generative AI lowered the credibility threshold of that forgery to near zero. The fix at this layer exists and has been on the agenda for years: open-banking attestation, where the issuing bank signs the statement and the receiving bank verifies the signature. Adoption has lagged because the cost has fallen on issuers and the benefit on receivers. The Penthouse Syndicate matter, and the wider $1 billion review, will move that calculation.

The second is at the intake-channel layer. Bank loan workflows have a formal pipeline for application documents. Hu's network used informal channels where they could: WhatsApp, personal email, hand-passed PDFs between insiders. Those routes bypassed the bank's normal audit trail at the point documents entered the system. If every document arriving in a loan pipeline carried a structured provenance entry naming the channel, and any out-of-band route flagged the loan for additional verification, the deviation would have surfaced as the signal it was.

The third is at the cross-applicant pattern layer. The syndicate's tradecraft was to distribute applications across multiple bankers, brokers and channels so no single employee's portfolio showed the pattern. Each banker's book looked clean. The pattern existed at the institution level. Catching it required signed, structured records of every document submission and every approval, queryable across the population of loans, watched continuously for fingerprints repeating across applications: the same WhatsApp source, the same prep style, the same hashes turning up on documents that claimed to come from unrelated employers. The records did not exist in queryable form. The pattern took months to surface, and surfaced first through whistleblower complaints rather than routine analytics.
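The three gaps above share one remedy: a signed, hash-linked conduct record per loan that names each document's fingerprint, claimed issuer and intake channel, and that can be queried across the whole book. The following is an added, stand-alone illustration, not code from this entry or from Headlights. It assumes an HMAC over a canonical JSON serialisation in place of the bank's private-key signature (so it runs with the Python standard library only), and it uses constructed loan records with made-up broker, officer and fingerprint values. The "fingerprint" field stands for whatever document hash the bank computes at intake. Two population-level queries run over the chain: fingerprints that recur on loans claiming unrelated issuers, and out-of-band intake counted per submitter.

```python
import hashlib
import hmac
import json
from collections import Counter, defaultdict

# Constructed demo key. Assumption: an HMAC stands in for the bank's
# private-key signature so the example runs with the standard library only.
BANK_SIGNING_KEY = b"demo-bank-signing-key"
GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic serialisation so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def sign_record(record: dict, key: bytes = BANK_SIGNING_KEY) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class ConductChain:
    """Append-only, hash-linked chain of signed loan-decision records."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["record_hash"] if self.entries else GENESIS
        body = dict(record, previous_record_hash=prev)
        entry = {"record": body, "record_hash": record_hash(body),
                 "signature": sign_record(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Every link points at its predecessor; every hash and signature holds."""
        prev = GENESIS
        for e in self.entries:
            body = e["record"]
            if body["previous_record_hash"] != prev:
                return False
            if record_hash(body) != e["record_hash"]:
                return False
            if not hmac.compare_digest(sign_record(body), e["signature"]):
                return False
            prev = e["record_hash"]
        return True

    def records(self) -> list:
        return [e["record"] for e in self.entries]


def shared_fingerprints(records: list) -> dict:
    """Document fingerprints that recur on loans claiming different issuers."""
    uses = defaultdict(set)      # fingerprint -> {(loan_id, claimed_issuer)}
    for r in records:
        for d in r["documents"]:
            uses[d["fingerprint"]].add((r["loan_id"], d["claimed_issuer"]))
    return {fp: sorted(u) for fp, u in uses.items()
            if len({issuer for _, issuer in u}) > 1}


def out_of_band_by_submitter(records: list) -> dict:
    """Documents per submitter that arrived outside the formal pipeline."""
    counts = Counter()
    for r in records:
        for d in r["documents"]:
            if d["channel"] != "formal_pipeline":
                counts[r["submitted_by"]] += 1
    return dict(counts)


def _doc(doc_type, fingerprint, issuer, channel) -> dict:
    return {"type": doc_type, "fingerprint": fingerprint,
            "claimed_issuer": issuer, "channel": channel}


def build_demo_chain() -> ConductChain:
    """Three constructed loan records (sample data, not real loans)."""
    chain = ConductChain()
    chain.append({"loan_id": "HL-DEMO-0001", "submitted_by": "broker_9c01",
                  "human_authoriser_id": "officer_17",
                  "documents": [_doc("payslip", "fp-aaa", "ACME Pty Ltd", "formal_pipeline")]})
    chain.append({"loan_id": "HL-DEMO-0002", "submitted_by": "broker_4f2a",
                  "human_authoriser_id": "officer_22",
                  "documents": [_doc("payslip", "fp-aaa", "Globex Pty Ltd", "whatsapp"),
                                _doc("bank_statement", "fp-bbb", "Other Bank", "formal_pipeline")]})
    chain.append({"loan_id": "HL-DEMO-0003", "submitted_by": "broker_4f2a",
                  "human_authoriser_id": "officer_17",
                  "documents": [_doc("payslip", "fp-ccc", "Initech Pty Ltd", "email")]})
    return chain
```

Calling `build_demo_chain()` and then `shared_fingerprints(chain.records())` surfaces fingerprint `fp-aaa` appearing on loans that claim two unrelated employers, which no single banker's book would show; `out_of_band_by_submitter` attributes both out-of-band documents to one broker. Editing any stored record afterwards makes `chain.verify()` return False, which is what makes the record usable as evidence rather than as another copy of the file.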

What governance should have looked like

The governance question for AI-as-weapon is not how to stop bad actors from generating documents. They will. The question is whether the institution receiving the documents is set up to verify what it is looking at and to make every verification step recordable, queryable and auditable across the whole book.

import hashlib
from datetime import datetime, timezone

from headlights import (
    ConductRecord,
    DocumentProvenance,
    PersonaGuard,
    sign,
    chain,
)

# Placeholder values for the identifiers this snippet relies on; in a live
# pipeline they come from the loan-origination and key-management systems.
applicant_id = "applicant-id-placeholder"
lending_officer_id = "officer-id-placeholder"
bank_private_key = "bank-private-key-placeholder"
calc_inputs_hash = hashlib.sha256(b"serviceability-inputs-placeholder").hexdigest()
last_record = None   # the previous ConductRecord in the chain, if any

# Each document arriving in a loan pipeline gets wrapped in a provenance
# record at intake. The channel, the submitter, and any signature from
# the document's issuer are all captured.
payslip = DocumentProvenance(
    document_type="payslip",
    submitted_by="broker_id_4f2a",
    submitted_via="email",                    # not the formal pipeline
    submitted_at=datetime.now(timezone.utc),
    claimed_issuer="ACME Pty Ltd",
    issuer_signature=None,                    # no attestation from issuer
    issuer_signature_verified=False,
    fallback_verification="manual_review_required",
)


def pipeline_document(document_type, claimed_issuer, issuer_signature):
    """Provenance record for a document that arrived through the formal
    pipeline carrying an issuer signature (placeholder signature value)."""
    return DocumentProvenance(
        document_type=document_type,
        submitted_by="broker_id_4f2a",
        submitted_via="formal_pipeline",
        submitted_at=datetime.now(timezone.utc),
        claimed_issuer=claimed_issuer,
        issuer_signature=issuer_signature,
        issuer_signature_verified=True,
        fallback_verification=None,
    )


bank_statement = pipeline_document("bank_statement", "Other Bank", "issuer-sig-placeholder")
employer_letter = pipeline_document("employer_letter", "ACME Pty Ltd", "issuer-sig-placeholder")

# The guard rejects documents that cannot be tied to a verifiable issuer
# unless a human reviewer has explicitly approved the alternative
# verification path, with reasons recorded in the chain.
guard = PersonaGuard(
    require_issuer_signature=True,
    fallback_allowed=True,
    fallback_requires_human_review=True,
)
guard.check(payslip)
# raises if no signature and no human-reviewed fallback

# Each loan decision aggregates its document-provenance records and
# its human-review records into a signed conduct record.
loan_record = ConductRecord(
    decision_type="home_loan_approval",
    loan_id="HL-2026-018372",
    applicant_id_hash=hashlib.sha256(applicant_id.encode()).hexdigest(),
    documents=[payslip.hash(), bank_statement.hash(), employer_letter.hash()],
    serviceability_inputs=calc_inputs_hash,
    serviceability_result="approved_with_buffer",
    human_authoriser_id=lending_officer_id,
    out_of_band_channels_detected=["email"],   # flagged for institution-level review
    timestamp=datetime.now(timezone.utc),
    previous_record_hash=last_record.hash() if last_record else None,  # first record has no predecessor
)

signed = sign(loan_record, key=bank_private_key)
chain.append(signed)

The bank's to-do list, in order of how soon each piece needs to ship:

Document-provenance attestation at intake. Payslip issuers, bank statement issuers, and employer-letter issuers sign what they release. The receiving bank verifies the signature. AI-generated documents do not carry the issuer's signature; they fail verification and route to manual review. The open-banking infrastructure for this exists. Adoption needs to be accelerated to mandatory rather than encouraged.

Out-of-band channel detection in the conduct record. Every document entering a loan pipeline carries a provenance entry naming the channel it arrived through. Email, WhatsApp, hand-passed PDFs all get flagged. Volume of out-of-band intake per banker, per broker, per region becomes a metric the bank's risk team watches in real time, not after the forensic team has spent six weeks reconstructing from email archives.

Cross-applicant analytics on signed records. With structured records of every document submission, every verification step and every approval, the bank's risk function can run population-level queries continuously: which submissions share document fingerprints, which approvals cluster around the same brokers, which serviceability calculations have suspiciously similar inputs. The Penthouse Syndicate's edge was distributing applications so individual portfolios looked clean. Aggregated, signed records remove that edge.
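The first two items on that list, issuer attestation and out-of-band channel detection, come together at the intake gate. The following is an added, stand-alone illustration, not code from this entry or from Headlights. It assumes an issuer key registry in which HMAC keys stand in for the public keys an open-banking attestation scheme would publish (so it runs with the Python standard library only), assumed formal-channel names, and constructed sample documents. It shows the issuer-side attestation step, the receiver-side verification, and the routing rule: a document whose issuer signature is missing or does not validate, or which arrives by any channel outside the formal pipeline, is flagged and routed to manual review rather than straight into the serviceability calculation.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Channels the bank treats as its formal intake pipeline (assumed names).
FORMAL_CHANNELS = {"broker_portal", "branch_upload"}

# Constructed issuer key registry. Assumption: HMAC keys stand in for the
# issuer public keys an attestation scheme would publish, so the example
# runs with the standard library only.
ISSUER_KEYS = {
    "ACME Pty Ltd": b"acme-attestation-key",
    "Other Bank": b"other-bank-attestation-key",
}


def issuer_attest(issuer: str, content: bytes) -> str:
    """Issuer-side step: sign the document bytes when releasing them."""
    return hmac.new(ISSUER_KEYS[issuer], content, hashlib.sha256).hexdigest()


@dataclass
class IntakeDocument:
    doc_type: str
    content: bytes
    claimed_issuer: str
    channel: str
    issuer_signature: Optional[str] = None


@dataclass
class IntakeDecision:
    doc_type: str
    issuer_verified: bool
    route: str                        # "auto" or "manual_review"
    flags: list = field(default_factory=list)
    content_hash: str = ""            # fingerprint stored on the conduct record


def verify_issuer_signature(doc: IntakeDocument) -> bool:
    """Receiver-side check: the claimed issuer's key must validate the bytes."""
    key = ISSUER_KEYS.get(doc.claimed_issuer)
    if key is None or doc.issuer_signature is None:
        return False
    expected = hmac.new(key, doc.content, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc.issuer_signature)


def intake(doc: IntakeDocument) -> IntakeDecision:
    """Gate every document: unverifiable or out-of-band means manual review."""
    flags = []
    verified = verify_issuer_signature(doc)
    if not verified:
        flags.append("issuer_signature_missing_or_invalid")
    if doc.channel not in FORMAL_CHANNELS:
        flags.append(f"out_of_band_channel:{doc.channel}")
    route = "auto" if not flags else "manual_review"
    return IntakeDecision(doc.doc_type, verified, route, flags,
                          hashlib.sha256(doc.content).hexdigest())


def demo_decisions() -> dict:
    """Constructed sample documents; returns the routing decision for each."""
    genuine_bytes = b"ACME payslip: employee 123, gross 7,500/month"   # constructed
    genuine = IntakeDocument("payslip", genuine_bytes, "ACME Pty Ltd", "broker_portal",
                             issuer_signature=issuer_attest("ACME Pty Ltd", genuine_bytes))
    # The genuine payslip with the salary figure changed after issue: the
    # issuer's signature no longer validates over the altered bytes.
    altered = IntakeDocument("payslip", genuine_bytes.replace(b"7,500", b"9,800"),
                             "ACME Pty Ltd", "broker_portal",
                             issuer_signature=genuine.issuer_signature)
    # A document with no issuer attestation at all, arriving via WhatsApp.
    unattested = IntakeDocument("payslip", b"Globex payslip: gross 9,800/month",
                                "Globex Pty Ltd", "whatsapp")
    return {"genuine": intake(genuine), "altered": intake(altered),
            "unattested": intake(unattested)}
```

`demo_decisions()` routes only the genuine, formally submitted payslip automatically; the altered one fails signature verification even though it arrived through the portal, and the unattested WhatsApp document carries both flags. The flags and the content hash are exactly the fields the conduct record above needs, so the per-broker out-of-band volume the risk team is meant to watch falls out of the same data with no email-archive reconstruction.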

The conventional response in banking circles has been to fund AI-based fraud-detection vendors to fight AI with AI. That is part of the answer. It is not enough on its own. The deeper answer is that the bank's evidentiary chain has to be as auditable as the bank wants its borrowers' documents to be. The bank that can produce, on demand, a signed record of every document it relied on and every verification it ran is the bank that can answer, definitively, which loans were sound and which were not. The banks that cannot will spend the rest of 2026 reconstructing.

This entry is an educational analysis based on the publicly reported sources listed below. It does not constitute legal advice. Facts are stated to the best of our knowledge as of the date of publication; corrections will be issued promptly on request. Contact: ellie@useheadlights.com.