What happened
There are two threads here, and the larger one is the second. The first is an organised fraud ring that New South Wales Police have investigated since January 2024 through Strike Force Myddleton. It began as an inquiry into “ghost car” loans, finance drawn against luxury vehicles that existed only on paper, and grew into a wider scheme the press named the Penthouse Syndicate. Police allege the syndicate defrauded major banks of more than $250 million, and more than twenty-five people have been charged. Its method, according to police, was less about forged paperwork than about recruiting and corrupting insiders at every stage of a loan, brokers, bankers, lawyers and accountants, each supplying knowledge the others lacked: how a given lender tests serviceability, what its systems flag, how documents are normally structured. Among those charged is Andrew W. Hu, a former National Australia Bank and Commonwealth Bank employee who later worked as a mortgage broker. In December 2025 he was charged with 89 fraud-related offences, accused of helping the syndicate secure close to $100 million in sham mortgage and business facilities. The matter is before the courts.
The second thread is what that scrutiny flushed out elsewhere, and it is where AI enters. On 27 February 2026 the Commonwealth Bank self-reported to police and to the regulators ASIC and AUSTRAC over about one billion Australian dollars of potentially fraudulent home loans. The suspect loans had come through mortgage brokers and the bank’s own introducer scheme, and several accountants were alleged to have supplied false income statements. This exposure has not been attributed to the Penthouse Syndicate; it is a separate and larger problem, surfaced by the closer scrutiny the syndicate investigation had prompted. AUSTRAC has identified doctored and AI-generated documents, forged payslips, bank statements and employer letters, as an emerging method in lending fraud of this kind. The forgeries had passed the banks’ controls. The loans had funded. The properties had settled.
The investigation has since widened beyond any single bank. AUSTRAC has said it is working with the major banks, law enforcement and other regulators to gauge how far the fraud has spread, and has warned of increasingly sophisticated schemes that exploit both technology and intermediaries. The full exposure across the system is still being established.
The mechanics, where AI is involved, are mundane. With a real person’s name, date of birth and employment details, a forger can generate the documents a bank asks for: a payslip on the right letterhead with a salary set just high enough to clear the serviceability calculator, a bank statement showing a plausible deposit pattern, an employer letter. The intake process treats these as evidence. The serviceability test runs against the numbers in the documents, not against any verified source, and the application clears. Because the fraud was spread across many applications and intermediaries rather than concentrated in one banker’s book, the pattern lived at the level of the institution, not the individual file, which is part of why routine controls did not catch it and an organised investigation did.
What an auditable version would have shown
This is a different shape of failure from most entries here. The AI in the Air Canada case, in Mata v. Avianca, in the Olive persona-drift incident, is an AI system failing while its operators are acting in good faith. The fraud cases are the inverse: AI is performing exactly as its users intend, deployed against a counterparty that has not adapted. The audit-trail question doesn’t disappear. It moves. The question becomes: can the counterparty verify the artefacts its system is accepting as evidence?
The Australian banks’ lending workflows currently do not produce, for each loan, a structured record of what was relied on at the moment of approval. The loan file holds copies of the documents the borrower submitted. It does not, by default, hold a record of: who submitted each document, through which channel, when, whether the document carried a verifiable signature from its issuer, whether any check was run against the issuer to confirm authenticity, and which employee made the final approval decision and on what basis. Some of this is in the file in some form. Most is in the system in some form. None of it is, by default, signed, time-stamped, and queryable as one chain of evidence per loan.
When the Penthouse Syndicate’s pattern eventually surfaced at NAB, the forensic team had to reconstruct, loan by loan, what the bank had relied on at approval. Some of that reconstruction was possible from archived files. Much of it depended on staff memory and informal records. The bank could say, in aggregate, that something had gone wrong. It could not show, for any individual loan, exactly which control had failed and exactly why.
A signed conduct record on each loan decision collapses the reconstruction into a query. For each suspect loan, return the structured record. The record names every document relied on, every verification step run or skipped, every officer who touched the decision, every channel the documents arrived through. The pattern across the syndicate becomes visible at audit time, not after a billion dollars has funded.
Where the gap was
The gaps were structural, not exotic, and the syndicate exploited each in turn.
The first is at the document-provenance layer. Australian banks accept payslips and bank statements as evidentiary artefacts in loan applications. The institutions that issue those payslips and statements, employers, other banks, do not, by default, sign the artefacts in a way that lets the receiving institution verify them programmatically. A payslip is a PDF. Anyone with the original layout and a plausible salary number can produce one. Generative AI lowered the credibility threshold of that forgery to near zero. The fix at this layer exists and has been on the agenda for years: open-banking attestation, where the issuing bank signs the statement and the receiving bank verifies the signature. Adoption has lagged because the cost has fallen on issuers and the benefit on receivers. The Penthouse Syndicate matter, and the wider $1 billion review, will move that calculation.
The second is at the intake-channel layer. Bank loan workflows have a formal pipeline for application documents. Hu’s network used informal channels where they could: WhatsApp, personal email, hand-passed PDFs between insiders. Those routes bypassed the bank’s normal audit trail at the point documents entered the system. If every document arriving in a loan pipeline carried a structured provenance entry naming the channel, and any out-of-band route flagged the loan for additional verification, the deviation would have surfaced as the signal it was.
The third is at the cross-applicant pattern layer. The syndicate’s tradecraft was to distribute applications across multiple bankers, brokers and channels so no single employee’s portfolio showed the pattern. Each banker’s book looked clean. The pattern existed at the institution level. Catching it required signed, structured records of every document submission and every approval, queryable across the population of loans, watched continuously for fingerprints repeating across applications: the same WhatsApp source, the same prep style, the same hashes turning up on documents that claimed to come from unrelated employers. The records did not exist in queryable form. The pattern took months to surface, and surfaced first through whistleblower complaints rather than routine analytics.
What governance should have looked like
The governance question for AI-as-weapon is not how to stop bad actors from generating documents. They will. The question is whether the institution receiving the documents is set up to verify what it is looking at and to make every verification step recordable, queryable and auditable across the whole book.
The bank’s to-do list, in order of how soon each piece needs to ship:
Document-provenance attestation at intake. Payslip issuers, bank statement issuers, and employer-letter issuers sign what they release. The receiving bank verifies the signature. AI-generated documents do not carry the issuer’s signature; they fail verification and route to manual review. The open-banking infrastructure for this exists. Adoption needs to be accelerated to mandatory rather than encouraged.
Out-of-band channel detection in the conduct record. Every document entering a loan pipeline carries a provenance entry naming the channel it arrived through. Email, WhatsApp, hand-passed PDFs all get flagged. Volume of out-of-band intake per banker, per broker, per region becomes a metric the bank’s risk team watches in real time, not after the forensic team has spent six weeks reconstructing from email archives.
Cross-applicant analytics on signed records. With structured records of every document submission, every verification step and every approval, the bank’s risk function can run population-level queries continuously: which submissions share document fingerprints, which approvals cluster around the same brokers, which serviceability calculations have suspiciously similar inputs. The Penthouse Syndicate’s edge was distributing applications so individual portfolios looked clean. Aggregated, signed records remove that edge.
The conventional response in banking circles has been to fund AI-based fraud-detection vendors to fight AI with AI. That is part of the answer. It is not enough on its own. The deeper answer is that the bank’s evidentiary chain has to be as auditable as the bank wants its borrowers’ documents to be. The bank that can produce, on demand, a signed record of every document it relied on and every verification it ran is the bank that can answer, definitively, which loans were sound and which were not. The banks that cannot will spend the rest of 2026 reconstructing.
The reference implementation of VerificationGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. Anyone can read every line and verify the signatures. The repository is public now.
Sources
- AI heist: CBA calls police over $1b loan fraud (Information Age, ACS)
- CBA self-reports to police over AI $1bn loan fraud (Cyber Daily)
- Why Commonwealth Bank’s $1 billion suspected loan fraud should change how we bank (UNSW)
- Commonwealth Bank uncovers $1bn in suspected home loan fraud (Mortgage Professional Australia)
- CBA Suspected Loan Referral Fraud Escalates: What AUSTRAC and ASIC’s Involvement Means Next (Cowell Clarke)
- Australia’s top business-crime cases: Insights into white-collar crime trends (Clayton Utz)