90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-016
Financial services · Australia · 2026 · AI as weapon

Australia's banks were hit by mortgage fraud at scale, including allegedly AI-forged loan documents, with the Commonwealth Bank reporting about $1 billion in suspect loans

By Ellie Harris · Filed 2025 to 2026

Alleged: Commonwealth Bank of Australia, National Australia Bank; alleged Penthouse Syndicate (multiple people charged, including Andrew Hu) developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

Australia's banks were hit by mortgage fraud at scale, including allegedly AI-forged loan documents, with the Commonwealth Bank reporting about $1 billion in suspect loans

What happened

There are two threads here, and the larger one is the second. The first is an organised fraud ring that New South Wales Police have investigated since January 2024 through Strike Force Myddleton. It began as an inquiry into “ghost car” loans, finance drawn against luxury vehicles that existed only on paper, and grew into a wider scheme the press named the Penthouse Syndicate. Police allege the syndicate defrauded major banks of more than $250 million, and more than twenty-five people have been charged. Its method, according to police, was less about forged paperwork than about recruiting and corrupting insiders at every stage of a loan, brokers, bankers, lawyers and accountants, each supplying knowledge the others lacked: how a given lender tests serviceability, what its systems flag, how documents are normally structured. Among those charged is Andrew W. Hu, a former National Australia Bank and Commonwealth Bank employee who later worked as a mortgage broker. In December 2025 he was charged with 89 fraud-related offences, accused of helping the syndicate secure close to $100 million in sham mortgage and business facilities. The matter is before the courts.

The second thread is what that scrutiny flushed out elsewhere, and it is where AI enters. On 27 February 2026 the Commonwealth Bank self-reported to police and to the regulators ASIC and AUSTRAC over about one billion Australian dollars of potentially fraudulent home loans. The suspect loans had come through mortgage brokers and the bank’s own introducer scheme, and several accountants were alleged to have supplied false income statements. This exposure has not been attributed to the Penthouse Syndicate; it is a separate and larger problem, surfaced by the closer scrutiny the syndicate investigation had prompted. AUSTRAC has identified doctored and AI-generated documents, forged payslips, bank statements and employer letters, as an emerging method in lending fraud of this kind. The forgeries had passed the banks’ controls. The loans had funded. The properties had settled.

The investigation has since widened beyond any single bank. AUSTRAC has said it is working with the major banks, law enforcement and other regulators to gauge how far the fraud has spread, and has warned of increasingly sophisticated schemes that exploit both technology and intermediaries. The full exposure across the system is still being established.

The mechanics, where AI is involved, are mundane. With a real person’s name, date of birth and employment details, a forger can generate the documents a bank asks for: a payslip on the right letterhead with a salary set just high enough to clear the serviceability calculator, a bank statement showing a plausible deposit pattern, an employer letter. The intake process treats these as evidence. The serviceability test runs against the numbers in the documents, not against any verified source, and the application clears. Because the fraud was spread across many applications and intermediaries rather than concentrated in one banker’s book, the pattern lived at the level of the institution, not the individual file, which is part of why routine controls did not catch it and an organised investigation did.

What an auditable version would have shown

This is a different shape of failure from most entries here. The AI in the Air Canada case, in Mata v. Avianca, in the Olive persona-drift incident, is an AI system failing while its operators are acting in good faith. The fraud cases are the inverse: AI is performing exactly as its users intend, deployed against a counterparty that has not adapted. The audit-trail question doesn’t disappear. It moves. The question becomes: can the counterparty verify the artefacts its system is accepting as evidence?

The Australian banks’ lending workflows currently do not produce, for each loan, a structured record of what was relied on at the moment of approval. The loan file holds copies of the documents the borrower submitted. It does not, by default, hold a record of: who submitted each document, through which channel, when, whether the document carried a verifiable signature from its issuer, whether any check was run against the issuer to confirm authenticity, and which employee made the final approval decision and on what basis. Some of this is in the file in some form. Most is in the system in some form. None of it is, by default, signed, time-stamped, and queryable as one chain of evidence per loan.

When the Penthouse Syndicate’s pattern eventually surfaced at NAB, the forensic team had to reconstruct, loan by loan, what the bank had relied on at approval. Some of that reconstruction was possible from archived files. Much of it depended on staff memory and informal records. The bank could say, in aggregate, that something had gone wrong. It could not show, for any individual loan, exactly which control had failed and exactly why.

A signed conduct record on each loan decision collapses the reconstruction into a query. For each suspect loan, return the structured record. The record names every document relied on, every verification step run or skipped, every officer who touched the decision, every channel the documents arrived through. The pattern across the syndicate becomes visible at audit time, not after a billion dollars has funded.

Where the gap was

The gaps were structural, not exotic, and the syndicate exploited each in turn.

The first is at the document-provenance layer. Australian banks accept payslips and bank statements as evidentiary artefacts in loan applications. The institutions that issue those payslips and statements, employers, other banks, do not, by default, sign the artefacts in a way that lets the receiving institution verify them programmatically. A payslip is a PDF. Anyone with the original layout and a plausible salary number can produce one. Generative AI lowered the credibility threshold of that forgery to near zero. The fix at this layer exists and has been on the agenda for years: open-banking attestation, where the issuing bank signs the statement and the receiving bank verifies the signature. Adoption has lagged because the cost has fallen on issuers and the benefit on receivers. The Penthouse Syndicate matter, and the wider $1 billion review, will move that calculation.

The second is at the intake-channel layer. Bank loan workflows have a formal pipeline for application documents. Hu’s network used informal channels where they could: WhatsApp, personal email, hand-passed PDFs between insiders. Those routes bypassed the bank’s normal audit trail at the point documents entered the system. If every document arriving in a loan pipeline carried a structured provenance entry naming the channel, and any out-of-band route flagged the loan for additional verification, the deviation would have surfaced as the signal it was.

The third is at the cross-applicant pattern layer. The syndicate’s tradecraft was to distribute applications across multiple bankers, brokers and channels so no single employee’s portfolio showed the pattern. Each banker’s book looked clean. The pattern existed at the institution level. Catching it required signed, structured records of every document submission and every approval, queryable across the population of loans, watched continuously for fingerprints repeating across applications: the same WhatsApp source, the same prep style, the same hashes turning up on documents that claimed to come from unrelated employers. The records did not exist in queryable form. The pattern took months to surface, and surfaced first through whistleblower complaints rather than routine analytics.

What governance should have looked like

The governance question for AI-as-weapon is not how to stop bad actors from generating documents. They will. The question is whether the institution receiving the documents is set up to verify what it is looking at and to make every verification step recordable, queryable and auditable across the whole book.

The bank’s to-do list, in order of how soon each piece needs to ship:

Document-provenance attestation at intake. Payslip issuers, bank statement issuers, and employer-letter issuers sign what they release. The receiving bank verifies the signature. AI-generated documents do not carry the issuer’s signature; they fail verification and route to manual review. The open-banking infrastructure for this exists. Adoption needs to be accelerated to mandatory rather than encouraged.

Out-of-band channel detection in the conduct record. Every document entering a loan pipeline carries a provenance entry naming the channel it arrived through. Email, WhatsApp, hand-passed PDFs all get flagged. Volume of out-of-band intake per banker, per broker, per region becomes a metric the bank’s risk team watches in real time, not after the forensic team has spent six weeks reconstructing from email archives.

Cross-applicant analytics on signed records. With structured records of every document submission, every verification step and every approval, the bank’s risk function can run population-level queries continuously: which submissions share document fingerprints, which approvals cluster around the same brokers, which serviceability calculations have suspiciously similar inputs. The Penthouse Syndicate’s edge was distributing applications so individual portfolios looked clean. Aggregated, signed records remove that edge.

The conventional response in banking circles has been to fund AI-based fraud-detection vendors to fight AI with AI. That is part of the answer. It is not enough on its own. The deeper answer is that the bank’s evidentiary chain has to be as auditable as the bank wants its borrowers’ documents to be. The bank that can produce, on demand, a signed record of every document it relied on and every verification it ran is the bank that can answer, definitively, which loans were sound and which were not. The banks that cannot will spend the rest of 2026 reconstructing.

The reference implementation of VerificationGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. Anyone can read every line and verify the signatures. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and Commonwealth Bank of Australia, National Australia Bank; alleged Penthouse Syndicate (multiple people charged, including Andrew Hu) could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →