ASIC sounds alarm as AI-driven mortgage fraud accelerates

The Australian Securities and Investments Commission (ASIC) issued a warning Friday, over the growing cyber risks posed by artificial intelligence, warning that the technology is rapidly reshaping Australia’s lending landscape as AI-driven mortgage fraud and financial scams become increasingly sophisticated.

In an open letter, the regulator urged financial services licensees and company directors to take immediate action, cautioning that AI is lowering the barriers for cybercriminals and accelerating the scale and complexity of attacks targeting the financial system.

"The rapid evolution of frontier artificial intelligence models marks a significant shift in the cyber threat landscape," ASIC's Commissioner Simone Constant wrote in an open letter. "These models are accelerating both capability and accessibility, lowering the barrier to sophisticated cyber activity, increasing the speed and scale of attacks, and enabling new forms of exploitation that were previously out of reach for most actors. 

"This is not a distant or hypothetical risk," the letter continued. "It is here now, evolving quickly and requires the attention of boards and executives."

The warning comes amid a backdrop of increased mortgage fraud, fuelled in part by the same AI technology increasingly being adopted by lenders and brokers to improve speed and efficiency. Recent reports suggest mortgage fraud has grown into a multi-billion-dollar problem, with falsified or manipulated payslips, bank statements and employment records helping borrowers — and organised fraudsters — secure loans they otherwise would not qualify for. Increasingly, many of these AI-generated documents are sophisticated enough to slip through traditional verification systems, driving both the scale and complexity of fraudulent applications.

The issue isn't new, as Constant pointed out in her letter. Past concerns over misconduct lead to the 2017 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry probe. The investigation triggered regulatory tightening across the sector, including the introduction of the Best Interests Duty (BID) law, which requires brokers to act in the best interests of their clients. 

"But [increased use of AI] does mean existing controls are more likely to be tested, more often, and under greater pressure," Constant wrote, arguing that market players in Australia's financial services sector cannot afford to delay their response to emerging AI risks.

"Do not wait for perfect clarity to address the threat posed by new AI models," the regulator continued. "Instead, act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin your business."

The latest intervention builds on ASIC’s broader 2026 risk outlook, which has repeatedly flagged AI-driven cybercrime as a systemic threat to Australia’s financial system, with regulators warning that criminals are evolving faster than many compliance frameworks can adapt.

In recent developments, a Sydney-based lawyer and an accountant  in Melbourne have been charged in fraud-related matters, while authorities continue investigating brokers linked to major groups, including LMG and Finsure. 

For brokers and lenders, the risks are becoming increasingly serious. As mortgage fraud grows more sophisticated, fraudulent applications are becoming harder to distinguish from legitimate borrowers, particularly as AI enables the seamless fabrication of entire borrower profiles, from fake employment histories to manipulated financial records and supporting documents.

The consequences for brokers can be severe. Undetected fraud has the potential to expose brokers to compliance breaches, reputational damage and, in some cases, the loss of their licences if fraudulent applications make it through approval processes under their watch.

"There's a lot of client impersonation: AI generated voice and video cloning, which means a call or video from someone who sounds and looks like your client may not actually be them," Rory Sercombe, owner and broker at Melbourne-based Own Home Loans, told Australian Broker. "This is a real concern that will only worsen."

ASIC's tips

The regulatory outlined 12 practical steps market players can take to protect themselves. 

• Reassess your cyber plans and refocus efforts on the most critical risks in today’s threat environment. 
• Confirm your cyber risk, governance and overall risk and decision-making frameworks consider the cumulative impact of interrelated vulnerabilities and facilitate clear decision making and escalation at the pace necessary to manage risk. 
• Identify and protect critical assets and systems, with a clear understanding of what matters most to your business and customers. 
• Strengthen cyber security fundamentals by regularly reviewing and validating core controls. 
• Minimise attack surfaces by reducing exposure of systems and services to untrusted networks. 
• Regularly review user access and reassess privileges, to protect against unauthorised access. Insider threats are increasing and entities should monitor for warning signs and act to restrict access where concerns are identified. 
• Patch systems promptly, recognising that AI is accelerating vulnerability discovery and exploitation. 
• Review and strengthen patch management processes, considering challenges daily patching may present to identification, testing, and governance of critical updates. 
• Implement layered, defence-in-depth architectures that assume breach and restrict lateral movement. 
• Prepare for incident response by maintaining and exercising incident response plans and playbooks including business continuity plans and identification of highest priority services, channels and platforms. 
• Actively manage third-party risks, particularly where services introduce concentration or systemic exposure. 
• Use AI for defensive purposes, where appropriate, including identifying vulnerabilities and securing software before release. 

"If brokers follow safe protocols, do their due diligence and raise any concerns with their aggregator around client or documentary authenticity, you will be better protected against losing accreditations, suffering financial penalties or worse," said Blake Buchanan, general manager of aggregator group Specialist Finance Group (SFG). 

"AI is here to stay," he added. "So we need to ensure that we remain vigilant about how it can be used by bad actors."