Open Banking and ATO Data: The File Standard Quietly Replacing Payslip Verification – and What Brokers Should Rebuild First
From Payslips to APIs
Open banking + ATO data is becoming the new mortgage file standard — here is what changes for brokers.
Document-based file:
- Payslips uploaded by borrower
- Bank statements as PDFs
- NOA and tax returns collected manually
- Verification = human reading documents
- Fraud surface: AI-generated forgeries

Consented-data file:
- CDR-consented bank data feed
- ATO data feed (consented)
- Authenticated, cryptographically verifiable
- Verification = direct from source
- Fraud surface: dramatically reduced

[Infographic panel: 90-Day Broker Adaptation Steps]
Three things happened in the past 60 days that, taken together, signal a structural shift in how Australian mortgage files will be verified by the end of 2026. The CBA $1 billion AI-fraud probe widened to include other major banks. The FBAA publicly pushed lenders to dismantle the introducer programs that fraud networks have exploited. And — most importantly — a chorus of industry voices, including The Adviser, several aggregator CEOs, and senior ASIC commentary, started pointing to the same proposed antidote: open banking plus ATO data as the new file verification standard.
This is not a future-decade trend. It is a 12-to-18-month operational change that will reshape what brokers collect, how files are built, and how lender turnaround actually feels in 2027. Brokers who adapt early will look like the modern operator. Brokers who do not will be the ones whose files keep getting kicked back for documents that the lender already has via API.
Where We Are Today
The current Australian mortgage file is, in 2026, still largely a document-based artefact. Payslips, bank statements, tax returns, employment letters — all collected from the borrower, all uploaded by the broker, all verified by the lender’s processing team. The CBA fraud probe surfaced what most brokers already suspected: this verification chain is no longer fit for purpose against AI-generated documents. A credible payslip can now be fabricated by an open-source model in under 60 seconds.
The Consumer Data Right framework has been live since 2020 for banking and since 2024 for taxation. The infrastructure exists. What has been missing is the lender-side and broker-side adoption pressure. The fraud crisis has supplied that pressure, fast.
What Is Coming
The proposed shift, now being articulated openly by aggregators, lenders, and senior compliance commentators, is a verification stack that combines two consented-data feeds.
The first is open banking via the CDR. Borrowers consent to share read-only access to their transaction accounts directly from the bank to the lender. Income deposits, expense patterns, existing liabilities, and account behaviour come through as authenticated machine-readable data, not as PDF statements. There is no payslip to fake because the lender is reading the salary deposit directly from the originating bank.
The second is ATO data sharing. Borrowers consent to share income, business income, and tax position data directly from the ATO. Notice of Assessment, recent tax returns, single touch payroll income summaries, and PAYG payment summaries arrive as authenticated, ATO-issued data. There is no tax return PDF to fabricate.
Combined, the two feeds answer the core mortgage underwriting questions — who is the borrower, what do they earn, what do they owe, how do they manage cash — with cryptographically verifiable data the borrower has explicitly consented to share. The fraud surface area collapses dramatically.
Why Brokers Should Care
Three reasons, in order of operational impact.
First, file composition is changing. The “supporting documents” list on your application checklist is going to look materially different in 2027. Two payslips, three months of bank statements, last year’s NOA — these stay as fallback, but the primary data source becomes the consented API feed. Brokers who continue to lead with the document list when the lender wants the API consent will look outdated, and their files will go to the back of the queue.
Second, turnaround times will diverge dramatically between API-enabled files and document-only files. Lenders piloting CDR-based verification are already reporting 24–48 hour reductions in initial assessment time for files using full API consent. Macquarie, ING, and ANZ are the visible early adopters. CBA and Westpac are testing internally. The broker who routes the right file to the right lender on the right verification track will out-settle the broker who treats all files as document files.
Third, fraud liability is shifting. ASIC commentary in the past 90 days has explicitly suggested that lenders relying on document-only verification when API verification was available may struggle to argue they exercised appropriate diligence in a fraud-related complaint. The same logic, eventually, will apply to brokers. The broker file note that says “borrower declined CDR consent and we proceeded with documents only” will need to explain why.
What Brokers Should Be Doing in the Next 90 Days
Three concrete operational steps.
Step 1: Audit your aggregator’s CDR readiness
Most major aggregators have integrated, are integrating, or are piloting CDR data feeds into their broker software. AFG, Connective, and PLAN have public roadmaps. Your aggregator BDM should be able to tell you precisely where you sit on the rollout, what the broker user experience looks like when CDR consent is requested, and which lenders on your panel currently accept CDR-based file submission.
If your aggregator cannot answer those questions clearly, raise it at the next quarterly review. The brokers who hold their aggregator to account on CDR readiness now will be using the workflow six months ahead of the brokers who wait for the rollout to land.
Step 2: Develop a client-facing CDR consent script
Most clients have not encountered CDR consent in a mortgage application yet. The first time they see it will be a friction point if you are not ready to explain it. A short, broker-confident explanation — “we are going to give you the option to securely share your bank data and ATO data directly with the lender; it takes 90 seconds, it is read-only, and it usually means a faster approval” — converts the friction point into a credibility moment.
The broker who can explain CDR consent in 30 seconds without reading from a script signals exactly the level of modern professionalism investor clients and high-value owner-occupier clients are looking for in 2026.
Step 3: Rebuild your fact-find for the consented-data era
The traditional fact-find collects a lot of data the lender will eventually pull via API. Address history, employer details, income breakdown, existing accounts — much of this will come through CDR more accurately than the borrower can self-report. Your fact-find can shrink to focus on what API data does not capture: borrower intent, asset position outside CDR-reporting institutions, structuring preferences, BID-relevant priorities and trade-offs.
This is not just an operational efficiency play. It is a positioning play. The broker who runs a streamlined modern fact-find feels different to the client than the broker who is still collecting eight pages of redundant information.
Risks and Blind Spots
The shift is not without operational risk for brokers, and a clear-eyed view matters.
First, not every borrower will consent to CDR. Some will decline on privacy grounds. Some clients — particularly those with complex business income, foreign income, or family-trust structures — will have data flows that do not map cleanly to the CDR schema. The traditional document path will remain for these cases, and the broker who can run both workflows fluidly is the broker who keeps the broadest client base.
Second, the API feeds change the broker’s file-quality leverage. Today, a strong broker can position a marginal client well by curating the document set. In the consented-data era, the data is the data: the broker’s leverage shifts upstream to the structuring conversation and downstream to lender selection. This is a different game, and the brokers who lean into it will outperform the brokers who keep optimising for document curation.
Third, BID file documentation needs to evolve. If the lender’s underwriting now relies on API-pulled data the broker did not handle directly, the broker’s file note needs to capture what was reviewed, when, and what was relied on. ASIC’s BID review has flagged the need for clear file notes when third-party data is in the loop. This is not yet a regulatory action point, but it is a foreseeable one.
Opportunities
The opportunity here is positioning. Brokers who adopt the consented-data workflow early sit in a small group of “modern operator” brokers in their local market. They get faster turnarounds, fewer document chases, and a credibility advantage in client conversations and referral-partner relationships.
The secondary opportunity is in lender selection. The lender panel will divide, over the next 18 months, into “API-mature” lenders and “document-only” lenders. The API-mature lenders will offer faster decisions and tighter pricing on clean files. Brokers who know which lender to route a CDR-consenting client to will systematically deliver better client outcomes — which is precisely the BID-aligned positioning the regulator wants to see.
The third opportunity is internal operational margin. The shift to consented-data files removes a meaningful amount of administrative work from the broker workflow. A solo broker who runs 40 settlements a year saves a measurable number of hours per file once CDR is in steady use. That capacity is the funnel for the next 20 settlements.
Practical Steps This Quarter
- Email your aggregator BDM with three questions: where are you on CDR rollout, which panel lenders accept CDR files today, what is the broker user experience when CDR consent is requested?
- Draft a 60-second client-facing CDR consent explanation and rehearse it
- Identify two clients in your active pipeline who would be good early candidates for a CDR-consented submission
- Review your fact-find and identify three sections that become redundant under CDR
- Add a file-note prompt that captures whether CDR was offered and the client’s decision
- Track turnaround time differential between CDR and document files in your CRM
Conclusion
The verification standard is changing because the fraud reality demands it. The brokers who lead the change will look like the obvious choice to the modern borrower; the brokers who lag will look like a holdover from a slower, more friction-heavy era. The next 12 to 18 months is the window where this shift becomes table stakes. Use the quarter to audit your aggregator readiness, prepare your client conversations, and rebuild the parts of your workflow that the new file standard makes redundant. The broker channel will look operationally different by mid-2027. The brokers who set themselves up for that now will be the ones still defining the standard rather than chasing it.
Disclaimer: This article is for general information and professional development purposes only. It does not constitute legal, compliance, or financial advice. Brokers should consult their aggregator’s compliance team and, where required, seek independent legal advice regarding their obligations under the National Consumer Credit Protection Act 2009 and ASIC’s responsible lending guidelines.

