Listen to the Brief
Too Busy to Read? An audio overview is on its way.
A short audio version of After the $1 Billion CBA Probe: Re-Architecting Your Document Verification Workflow Against AI-Generated Payslips will be available shortly.
Document Verification
The Four-Layer Workflow
Defending broker files against AI-generated payslips, statements, and IDs in 2026.
CBA self-reported fraud exposure
Daily fraud signals scanned by CBA’s AI
Lenders called by AUSTRAC for fraud data
Marginal cost of producing a forged payslip in 2026
The Four Verification Layers
Source Verification
Verified data feeds (illion, Frollo, Basiq), emailed payslip trails, ATO income notices pulled from myGov in front of the broker.
Metadata Interrogation
Document creation dates, generating application, font consistency, logo and letterhead artefacts on PDF documents.
Cross-Document Reconciliation
Payslip net pay vs. bank deposits, SG against declared income, rental income vs. lease and credit pattern.
Independent Confirmation
Direct call to employer payroll line, ABN lookup with industry cross-reference, credible web presence checks.
Switch verified bank statement feeds to default delivery this week. The fallback should require a documented reason and trigger metadata review.
Decision Helper
When to Escalate a Document Verification Concern
Tick all that apply to the file. The recommendation updates below.
After the $1 Billion CBA Probe: Re-Architecting Your Document Verification Workflow Against AI-Generated Payslips
Commonwealth Bank’s decision to self-report approximately $1 billion in potentially fraudulent home loans to NSW Police and ASIC has done more than make headlines. It has reset the operating assumption every Australian broker should be working from when reviewing supporting documents. AI-generated payslips, bank statements, and identification documents are no longer rare. They are credible enough to pass through human review, and in some cases through first-pass lender verification systems. Brokers who continue to rely on a 2023-era documentation workflow are exposed to clawback, lender deauthorisation, and, in serious cases, ASIC referral.
The good news is that the verification practices needed to defend a file are not exotic. They are an upgraded version of habits brokers already have. The bad news is that they require the broker to take active steps rather than accept documents at face value — and to record those steps in the file. This article sets out a concrete, workflow-level approach brokers can apply to every residential application this week.
Why the threat model has changed
Three structural shifts make the document verification problem materially worse in mid-2026 than it was even twelve months ago.
First, the cost of producing a high-quality forged payslip or bank statement has dropped to near zero. Open-source large language models combined with template-aware document generators can produce a payslip that matches an employer’s letterhead, applies plausible YTD calculations, and includes accurate superannuation figures. The same applies to bank statements rendered in a major bank’s standard format.
Second, lender fraud detection is now lifting the threshold of what counts as a defensible broker file. CBA’s deployment of a new AI system monitoring more than 80 million signals per day, paired with AUSTRAC pulling fraud data from ten lenders, means that suspect documents are being flagged after submission — and the broker file is the first place the lender looks when explaining how the document was accepted.
Third, ASIC’s BID review has reinforced the principle that documentation is the unit of compliance. A broker cannot defend a recommendation on intent alone; the file must demonstrate what the broker did to verify the financial position they relied on. A fraudulent payslip undetected in the file is a problem. A fraudulent payslip undetected and with no record of verification attempts is a much larger problem.
The four-layer verification model
A defensible 2026 verification workflow operates across four layers. None of them is sufficient on its own. Together, they create a record that demonstrates the broker took reasonable steps consistent with the current threat environment.
Layer 1 — Source verification
The first question on any payslip or bank statement should be: where did this document come from, and can the source be independently confirmed? In practice, this means: requiring bank statements delivered via a verified data feed (illion BankStatements, Frollo, Basiq, or equivalent) rather than uploaded PDFs wherever possible; for employed income, requesting payslips that include an emailed delivery trail from the employer’s payroll system; and for self-employed clients, supplementing payslips with ATO Income Tax Notice of Assessment downloaded directly through myGov in front of the broker where practical.
Verified data feeds are the single largest defence available. A bank statement pulled directly from the institution via API is materially harder to forge than one uploaded as a PDF. Brokers who have not yet moved to verified statements as their default should treat that switch as the highest-leverage process change available in 2026.
Layer 2 — Metadata interrogation
Where PDF documents are unavoidable, metadata interrogation is the second layer of defence. Free tools and built-in operating system viewers will show: the document creation date and time, the application used to create the document, whether the document has been edited, and the page-by-page font and image consistency.
Suspect signals include: a payslip with a creation date the day before submission, a bank statement created in a generic PDF editor rather than the bank’s document generator, fonts that change subtly between line items, and image artefacts where logos or letterheads have been overlaid. None of these is conclusive proof of fraud. All of them justify the broker requesting a verified data feed alternative.
Layer 3 — Cross-document reconciliation
The third layer is internal consistency. A genuine application file should reconcile across documents: payslip net pay flowing into bank statement deposits within a normal pay cycle, superannuation contributions matching the SG percentage on declared income, and rental income shown on the payslip line consistent with the lease agreement and bank credit pattern.
Where the file does not reconcile, the broker should record the discrepancy, request clarifying documents, and document the resolution. Lender fraud teams pull this exact pattern of cross-document checks. A broker file that demonstrates the same checks were performed pre-submission is in a far stronger position than one that doesn’t.
Layer 4 — Independent confirmation
The fourth layer is the one most brokers skip when files are time-pressured. For files where the income basis, employer, or financial position is unusual, the broker should attempt independent confirmation: a direct call to the employer’s payroll line (not a mobile number provided by the client), an ABN lookup with cross-reference to the client’s claimed business activity, and a Google search of the employer that returns a credible web presence consistent with the size and industry claimed.
These steps take minutes. They are the difference between a defensible file and a fragile one if questions are later asked.
What to record in the file note
Every verification step needs to leave a trace. The BID review made this point repeatedly: ASIC is looking for contemporaneous documentation of the broker’s reasoning. The same standard applies to verification. A defensible file note in 2026 should include: which data feeds were used and when, any metadata observations made on PDF documents and the broker’s response, any reconciliation steps performed across documents, and any independent confirmation attempts and outcomes.
This does not need to be lengthy. A three or four-line entry in the broker’s CRM, time-stamped, will satisfy the standard. The absence of any such note is the issue, not the length.
A practical weekly process change
For brokerages that want a single tactical change this week, the most valuable move is to standardise verified bank statement feeds as the default delivery method for every new application. The fallback — PDF upload — should require a documented reason and trigger the metadata and reconciliation layers automatically.
For payslips, the equivalent change is a tick-box in the file checklist confirming the broker has reviewed the most recent two payslips and the corresponding bank statement deposits, with any discrepancy investigated before submission. The checklist creates the audit trail. The audit trail creates the defence.
The supervision and aggregator angle
Principals and aggregators are increasingly publishing their own verification expectations. Brokers operating as authorised credit representatives should confirm that their personal practice meets the documented standard of the head licence — not the looser standard they may have used in prior years. If the head licence requires verified data feeds, the personal practice should match.
Lenders are also raising the bar. CBA’s revised loan referral program, which now excludes referrals from clients who have not held a CBA loan for at least six months, signals a broader move toward known-source-of-business as a fraud defence. Brokers should expect more lenders to introduce similar source-of-business filters over the coming months. The brokers who maintain clean, well-documented files will benefit. Those who do not will see their accreditations come under quiet review.
Conclusion
CBA’s $1 billion probe is the loudest signal yet that the document fraud environment has shifted permanently. AI-generated documents are now part of the operating reality. Brokers cannot eliminate them from the application stream, but they can build a verification workflow that detects them, documents the detection process, and demonstrates compliance with ASIC’s evolving expectations.
The four-layer model — source, metadata, reconciliation, independent confirmation — does not require new technology investment. It requires the discipline to apply existing tools consistently and to record what was done. That discipline is now the difference between a defensible broker file and an exposed one.
Disclaimer: This article is for general information and professional development purposes only. It does not constitute legal, compliance, or financial advice. Brokers should consult their aggregator’s compliance team and, where required, seek independent legal advice regarding their obligations under the National Consumer Credit Protection Act 2009 and ASIC’s responsible lending guidelines.
