Coinciding with reports that the Commonwealth Bank (CBA) has referred a suspected ~AUD1 billion in potentially fraudulently obtained home loans to authorities, Australia is implementing major 2026 reforms to its Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act.
The changes are intended to strengthen rules to meet global standards. From 1 July 2026, new 'tranche 2' sectors will come under Australian Transaction Reports and Analysis Centre (AUSTRAC) regulation, alongside broader modernisation (including digital currency/virtual asset updates) [1].
AML/CTF 2026 reforms tighten expectations on lending verification and channel risk
Australia's reformed AML/CTF regulations introduce an outcomes-focused, risk-based approach and expand the regime to new high-risk services from 1 July 2026 [2].
What's changing:
- Expansion (tranche 2): Additional high-risk services — including services provided by real estate professionals and certain professional service providers (e.g., lawyers and accountants) — become regulated.
- Digital currency/virtual asset modernisation: Reforms update the regulation of digital currency and virtual asset/payments technology.
Why this matters to lenders and brokers
Regulators and banks are increasingly focused on how criminals exploit property, lending and intermediaries to move illicit funds — so originations, referral arrangements and verification evidence are likely to face higher scrutiny.
Overview: What's reported about the suspected CBA AUD1 billion loan fraud
Verification improvements to prioritise now
Other lenders have flagged similar concerns about falsified or AI-assisted documentation and have reported fraud attempts submitted via mortgage broking and referral channels.
"The CBA situation isn't a single-institution failure," comments Dominic Tayco, principal, Thaddeus Martin Consulting, specialists in compliance and governance advisory for financial services. "It's a stress test of the entire industry's verification architecture. We've been verifying documents when we should have been verifying people."
Practical steps to implement best practices in verification include:
- Customer due diligence evidence — ability to demonstrate how identity, income and source-of-funds were validated (not just checked)
- Channel governance — tighter oversight of broker/referrer-introduced files and exceptions
- Record quality — maintain audit-ready decision trails showing what was verified, how and by whom
How the CBA suspected loan fraud highlights AI-enabled documentation risk for lenders
The CBA case underscores a growing documentation threat: criminals can use AI-assisted forgery to produce convincing income and financial documents, putting pressure on lenders' verification controls, particularly in lending models that prioritise fast approvals and rely on broker/referrer-originated applications.
With reforms ahead, verification standards must be higher. Verification should be designed as a tighter, end-to-end validation process, with clear evidence captured at each decision point to reduce the risk of fraudulent documentation slipping through.
What AI-driven documentation fraud means for non-bank lenders and brokers
Unless their verification controls are demonstrably strong, non-bank lenders and brokers may be perceived as easier targets because of faster processing times and heavier reliance on broker-introduced clients, where speed-to-approval and third-party origination are competitive advantages.
"Non-bank lenders and brokers need to understand that AUSTRAC's data notices to the major lenders will inevitably produce downstream scrutiny of the broker channel," Tayco says.
"If a fraudulent loan originated through your referral pipeline, the question will be whether your compliance program was designed to detect it. Under the reformed AML/CTF framework, liability extends beyond the front-line entity to anyone with practical influence over a reporting entity, which means holding companies, aggregators and group structures are now directly in scope."
He also notes that directors' and officers' (D&O) policies typically exclude fines and penalties for regulatory breaches, and insurers are increasingly likely to ask whether lenders have a compliant AML/CTF program.
Loan application fraud: Red flags to watch for
- Pay slips or financial statements that appear overly consistent or contain unusual metadata (e.g., formatting anomalies, inconsistent employer details, mismatched totals across documents)
- Customers unwilling to provide direct-from-source documents, such as ATO links or employer-verified records
- Borrowers holding multiple credit products across various institutions without clear rationale
- Inconsistent deposit patterns or unexplained international fund flows
Actions to mitigate verification fraud risk across financial lending channels
- Increase 'direct-from-source' validation (where feasible): ATO, payroll provider, employer confirmation
- Add document authenticity screening (forensic/anomaly detection) for pay slips, statements, IDs
- Implement risk-tiered workflows (more checks for higher-risk segments; faster paths for low-risk)
- Strengthen referral-source governance for broker channels — onboarding standards, monitoring, audits and enhanced training for staff on emerging fraud typologies and AI-generated documents
- Require dual verification for complex entities (company/trust), high-value loans or unusual funding patterns
- Prepare for tighter controls across industry practices, such as more face-to-face identity verification and increased biometric requirements
How Gallagher can help
Gallagher's Cyber risk experts and Professional & Financial Risks team work with large organisations and mid-market clients to provide advice and support on risk and insurance. Get in touch and let us help you take the next step.