AI Mortgage Fraud Tops $3bn as ASIC Issues Urgent Warning

Australia's financial regulator says AI-driven mortgage fraud is 'here now' — and has issued 12 urgent steps for brokers and lenders to act on immediately.

The Scale of the AI-Driven Fraud Crisis

Australia's mortgage sector is facing a fraud crisis that has grown beyond what many in the industry anticipated, and the country's corporate regulator has run out of patience with measured responses. On Friday 8 May, the Australian Securities and Investments Commission (ASIC) issued a direct open letter to all financial services licensees and company directors, declaring that artificial intelligence has fundamentally shifted the cyber threat environment.

The Adviser reports that ASIC Commissioner Simone Constant delivered the warning in stark terms: "The clock is at a minute to midnight — if you aren't on top of your cyber resilience already, the time to act and prepare is right now."

The urgency is grounded in documented events. Australia's major banks and law enforcement have identified thousands of suspicious home loan applications involving highly convincing, AI-generated documentation — fabricated payslips, bank statements and tax returns designed to bypass traditional verification systems. Estimates of the total volume of fraudulently obtained home loans now run to approximately $3 billion across multiple lenders. Commonwealth Bank was among the first major lenders to publicly report itself to the authorities, over a suspected $1 billion of fraudulent loans that included AI-generated applications. The total fraud estimate has since expanded as investigations widened.

The fallout has already produced significant casualties. Sub-aggregator Hai Money collapsed in April after parent aggregator Finsure severed its relationship with the business following fraud-related concerns. Investigations are ongoing across several aggregation networks, with reports of arrests and the quiet blacklisting of hundreds of brokers by lenders moving to isolate the loans in question.

Earlier in the year, fintech platform youX was hacked, with the financial and personal data of nearly 500,000 borrowers compromised. In an earlier case involving FIIG Securities Limited, a 2023 cyber attack saw approximately 385 gigabytes of confidential client data stolen and leaked to the dark web — including driver's licences, passport details, bank account numbers and tax file numbers. ASIC pursued that case in court, and FIIG was ordered to pay $2.5 million in penalties after the court found it had failed to adequately protect client data for more than four years.

What ASIC Is Now Requiring From Licensees

ASIC's open letter is not advisory guidance. It comes with a specific instruction: licensees are required to table it as a board agenda item and discuss it at the highest levels of governance. The regulator is placing accountability squarely with directors and executives, not just compliance teams.

Commissioner Constant wrote: "This is not a distant or hypothetical risk. It is here now, evolving quickly and requires the attention of boards and executives. Do not wait for perfect clarity to address the threat posed by new AI models. Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business."

The letter outlines 12 immediate steps that licensees are expected to address, covering:

- Reassessing cyber plans and focusing efforts on the most critical current risks - Confirming that governance frameworks can facilitate decision-making at the pace required to manage AI-accelerated threats - Identifying and protecting critical assets and systems based on what matters most to the business and its customers - Minimising attack surfaces by reducing exposure of systems to untrusted networks - Regularly reviewing user access and privileges, with specific attention to rising insider threats - Patching systems promptly, given that AI is accelerating the speed at which vulnerabilities are discovered and exploited - Maintaining and regularly testing incident response plans, including business continuity scenarios for high-priority services - Actively managing third-party risk — particularly where external providers introduce concentration or systemic exposure - Using AI for defensive purposes, including identifying vulnerabilities and securing software before release

The warning carries particular weight for mortgage broking, which now facilitates more than 77% of all new home loans in Australia. Brokers and aggregators handle vast quantities of borrower financial data flowing across multiple systems daily — lender platforms, CRMs, serviceability calculators and identity verification tools. Each integration point is a potential exposure.

ASIC's letter follows a parallel intervention from the Australian Prudential Regulation Authority (APRA), which last week warned that AI safeguards across banks and financial institutions had fallen behind the rapid rollout of new tools. Together, the two interventions signal that AI risk governance has become the single most urgent compliance priority across Australia's financial sector.

What This Means If You're Currently Applying for a Loan

If you are in the process of applying for a home loan or refinancing, the heightened fraud environment has practical implications for you as a borrower.

Your financial documentation — payslips, bank statements, tax returns — is exactly the material that fraudsters are fabricating at scale. Legitimate brokers and lenders use secure, encrypted systems to receive and process this information. Be cautious about sharing documentation through unverified channels or platforms you haven't researched.

Be aware that client impersonation using AI-generated voice and video has been identified as an emerging threat in the industry. A caller or video participant who appears to be your broker or lender representative may not be. Verify identities through a separate, known contact channel before sharing sensitive information.

Working with an accredited, reputable mortgage broker provides an additional layer of oversight and accountability in the application process. You can [explore refinancing options](/home-loans/refinance) or [find home loan options suited to first home buyers](/home-loans/first-home-buyer) to understand what a legitimate, secure application process looks like — and what to expect at each stage.

[Source: The Adviser](https://www.theadviser.com.au/tech/48408-the-clock-is-at-a-minute-to-minute-asic-calls-for-urgent-focus-on-ai)