The Commonwealth Bank of Australia (CBA) has alerted authorities to a possible fraud racket that obtained approximately $1 billion in illegitimate home loans, including through the use of artificial intelligence.

In what could be the largest fraud case against Australia’s biggest bank, CBA is reviewing how many suspicious loans were fraudulently obtained.

The bank reported itself to police and the corporate watchdog after two whistleblowers last year lodged complaints via CBA’s fraud-reporting platform ‘SpeakUp’, as reported by the Australian Financial Review (AFR).

These complaints accused a mortgage broker and a lender in CBA’s private banking division of forging income statements.

One of the whistleblowers reportedly suggested the pair “engaged in document forgery in order to secure home lending approvals”.

Neither the bank or authorities have publicly disclosed how AI may have been used in the suspected fraud racket.

Following an internal review of its compliance practices, CBA called in authorities to determine which loans involved shell companies or were based on fraudulent documents and suspicious deposits.

A spokesperson for NSW Police told Information Age the State Crime Command’s Financial Crimes Squad intends to “meet representatives from the CBA” sometime this week.

The Australian Securities and Investments Commission (ASIC) declined to comment.

NAB fraud spurs CBA to action

Though CBA was reviewing its loan book as early as July last year, it intensified efforts after news of an alleged $150 million fraud against National Australia Bank (NAB).

Members of the syndicate – including lenders, brokers and realtors – allegedly used insider knowledge to acquire loans for luxury properties and other purposes.

The operation, dubbed the Penthouse Syndicate, was allegedly headed by former CBA and NAB banker Andrew Hu.

Though CBA’s first whistleblower reportedly reached out in February 2025, the AFR reported that NSW Police were informed of issues within CBA’s loan book sometime between October and November.

The bank has since updated its loan referral program – which historically offered commissions to real estate agents and other partners in exchange for customer leads – to no longer accept referrals from clients who have not already held a loan with the bank for at least six months.

Westpac, ANZ report fraud to police

Though CBA’s latest loan scandal has not been publicly linked to the Penthouse Syndicate, an investigation of the syndicate has reportedly expanded to include the other remaining big banks Westpac and ANZ.

As of Friday, the two banks were reportedly confirmed to have contacted NSW Police over possible loan-related fraud.

Since the initial $150 million fraud was allegedly identified at NAB, sources have told the AFR that suspected fraud loans linked to Penthouse Syndicate investigations were expected to exceed $300 million.

ANZ, NAB and Westpac were contacted for comment, but did not respond prior to publication.

New tech, same playbook

Speaking with Information Age, Jamieson O'Reilly, white hat hacker and founder of information security company Dvuln, said although CBA’s case could likely mark “the first at this scale where AI-generated documentation appears to have been a primary mechanism”, the potential use of AI wasn’t what stood out.

O’Reilly explained that through his former connections with people who had experience hacking banks and ATMs, he found banks were often exposed thanks to insiders.

“That was over 15 years ago – the tools have changed beyond recognition, and the AI being used to generate fake documents today would have been science fiction back then,” O’Reilly said.

“But the playbook – and reliance on someone inside with just enough knowledge and just enough deniability – I don’t think that part has changed at all.

“Technology doesn't defeat institutional trust, it just makes exploiting it faster and harder to trace.”

Indeed, O’Reilly estimated CBA’s potential fraud showed signs of a “well-oiled local criminal syndicate with strong internal connections”.

“I think, just like with past exploits such as the Penthouse Syndicate, people who know the system and the people inside it may have built an operation disciplined enough to sustain this kind of exposure without tripping early detection.”

He emphasised that investigations are ongoing and the full attack surface of the potential fraud is not known, but there are a number of proven methods banks can take to spot potential AI-generated document fraud – including linguistic and pattern analysis.

“Sentence structure uniformity, statistical regularities in word choice, formatting consistency that's slightly too clean – AI output has fingerprints even when metadata isn’t available,” he said.

“What I'd be doing at a bank's scale is running that kind of analysis across a data lake of customer-submitted documents, and looking for hotspots and concentrations of likely AI-generated content across the broker and referral channel.”

CBA did not respond to requests for comment, though Information Age understands the bank expects to recover a significant portion of the suspected fraud.

Financial regulator weighs in on AI fraud

Brendan Thomas, chief executive for financial crimes regulator AUSTRAC, told Information Age “the rise of AI creates both risks and opportunities”.

“While businesses can use it to strengthen their anti-money laundering programs, particularly as part of their transaction monitoring programs, criminals are also using AI to facilitate fraud and scams,” he said.

Thomas urged regulated businesses to regularly review their systems "to make sure they are robust and create a hostile environment for criminal activity, so they can ward off existing, new and emerging threats."