It isn’t a fraud tool problem. It’s an architecture problem.
Consider this: in 2024, 26% of Australian mortgage brokers reported being impacted by fraud or scams. By 2025, that figure had jumped to 74% according to Equifax’s Mortgage Broker Pulse Survey of over 1,000 brokers. At the same time, over 95% of Canadian mortgage fraud cases (a market that closely mirrors Australia’s) involved fake pay stubs, employment letters, or bank statements. AI-generated documents that visual inspection simply can’t catch.
The industry’s response has been to reach for more controls. More checks at origination. More friction. More manual review. And yet, the fraud keeps getting through.
The issue isn’t the strength of individual controls. It’s that those controls were never designed to talk to each other.
That distinction matters more than it might seem. Because the way you diagnose a problem determines the solution you build. Right now, most financial institutions are building mortgage fraud solutions. What they actually need is a fundamental rethink of how identity verification, document verification and fraud monitoring connect.
Here’s the uncomfortable truth about fraud controls in Australian banking: the individual capabilities are, broadly speaking, pretty good. KYC and AML verification processes have improved significantly. Document verification technology exists. Fraud monitoring platforms are in place. Biometrics and liveness detection have made identity takeover harder at the front door.
However, the losses persist despite these controls. Not because any single control failed. Because the controls were never designed to talk to each other.
Identity verification was built to answer one question: is this person who they say they are?
Document verification was a separate investment, often owned by a different team, answering a different question: are these documents authentic? Fraud monitoring asked a third question about transaction patterns. AML screening is connected to its own databases. Behavioural analytics sat somewhere adjacent to fraud, barely integrated with anything else.
Each question has a tool. Each tool has a team. Each team built integrations relevant to their specific remit, and then largely stopped talking to the others once the project wrapped.
The result is a control environment made up of capable, individually justified point solutions that share a customer but don’t share a common evaluation moment. The fraud that’s moved through Australian mortgage channels didn’t defeat any of those controls. It navigated the gaps between them.
It’s worth being specific about the document verification challenge, because the threat has shifted in ways that change what an adequate response looks like.
AI-generated payslips and bank statements aren’t crude forgeries anymore. They’re structurally coherent documents – correct formatting, plausible employer details, internally consistent numbers, no obvious visual tell. The technology that produces them isn’t restricted to sophisticated criminal networks. It’s widely accessible.
Basic optical character recognition (OCR) and visual inspection aren’t reliable controls against this. They weren’t really designed to be. The distinction that matters now isn’t between something that looks real and something that doesn’t. It’s between a document that was genuinely issued by the entity it claims to represent, and one that was generated to look that way.
Making that distinction requires forensic analysis: image metadata, pixel-level examination, verification against primary source data. The capability exists in the market. The gap is whether it’s deployed at the right point in the process, and whether its output is actually connected to the origination decision.
In most institutions, it isn’t. Not in the way it needs to be.
Document intelligence should be answering questions at origination that most lenders still aren’t asking consistently:
Biometric identity is reasonably well implemented in Australian banking for origination, but it’s mostly treated as a single-use control. The biometric confidence established at application isn’t consulted again when settlement instructions change, when a loan variation is submitted, or when account details are modified. At those moments, re-authentication typically falls back to a password and an SMS.
Device intelligence assesses whether:
Behavioural biometrics observe how the person is actually interacting with the interface:
These signals can’t be replicated by a stolen credential or fabricated by a synthetic identity. They generate signals continuously across the session rather than at a single verification moment, and they’re sensitive to precisely the kind of assisted or scripted session that characterises coordinated broker fraud.
None of these layers can answer the critical question alone. Together, they can. Not just who is this person and are these documents real – but is this the actual customer, operating this session themselves, right now?
That’s the question the current architecture isn’t equipped to ask.
The solution isn’t a new point tool. It’s a layer that connects the existing ones.
An orchestration approach changes what's detectable: it evaluates document confidence, identity assurance, device signals, and behavioural patterns simultaneously at each high-risk interaction. Not because any individual signal gets stronger. Because the combined weight of signals that are individually ambiguous become conclusive together.
When a mortgage application arrives through a broker channel, the question shouldn’t be: does the KYC check pass, and separately, do the documents look acceptable? It should be: given the forensic characteristics of these documents, the biometric confidence at onboarding, the device history and the session behaviour, what’s the combined confidence level that this is a legitimate application?
If the documents show forensic anomalies, the device has no prior association with the account and the session navigation looks scripted, the combined signal is conclusive in a way that none of those observations is on its own. The application gets flagged before approval, not reconstructed after settlement.
The same logic extends to re-authentication. A change to settlement account details should trigger a step-up–face re-matched against the enrolled biometric from origination, device assessed against customer history, session behaviour compared to baseline. A confidence score generated and logged at the moment of the transaction.
When a dispute arises, or a regulator asks, the evidence of what was known and what decision was made exists at the point of the interaction.
This is also where the audit trail question becomes commercially significant. Regulators and courts don’t just want to know that a control existed. They want to see that it was active, that it produced a documented output and that the output informed a decision. It’s the difference between showing that your fraud prevention process was running and showing exactly what it evaluated and what it concluded, in real time.
That standard is achievable. But it requires the signals to be connected before the decision is made, not stitched together after something goes wrong.
Most institutions currently have document verification, identity, device intelligence, fraud monitoring and AML screening sitting under different ownership, different technology stacks and different budget authorities that accumulated separately over years. Getting those capabilities to share a common evaluation moment and a common data schema is a genuine engineering and organisational challenge.
It’s a one-time cost to address ongoing exposure to fraud.
The governance questions have shifted. It’s no longer enough to ask do we have identity verification? The more important question is where identity confidence exists in the control stack and whether it’s consulted at the moments of highest transactional risk, not just at the front door.
It’s no longer enough to ask do we have document verification? The question is whether it’s calibrated for AI-generated forgeries and whether its output is connected to the origination decision in a way that actually changes outcomes.
And for compliance and audit specifically: can the institution demonstrate, to a regulator or a court, a coherent and documented chain of control evaluation across a disputed transaction? That’s a different evidentiary standard than most institutions are currently equipped to meet.
The direction of regulatory travel – AML/CTF Tranche 2 extending obligations to accountants, lawyers and real estate professionals from July 2026, combined with the Scams Prevention Framework introducing new detection and reporting obligations - is toward institutions being expected to show not just that controls existed, but that they were active, connected and producing documented outputs at the right moments.
Here’s the thing: the sector has already invested in most of the building blocks. Document intelligence, biometric identity, device signals, behavioural analytics – these capabilities exist. The investment isn’t wasted.
The gap is architectural. Better connectivity between controls that already exist, evaluated through a common layer at the right moments, producing decisions that are legible across fraud, compliance and audit simultaneously.
That’s either a reassuring observation or a slightly uncomfortable one, depending on your position.
For institutions that have spent years and significant budget building each of those layers independently, the idea that the answer isn’t more investment but better architecture can feel deflating. In practice, though, it’s the more tractable problem. Connecting capable systems through a shared orchestration layer is a clearer engineering task than trying to make any individual control detect fraud it was never designed to catch.
The banks and other lenders that navigate the next few years most effectively probably won’t be the ones with the most controls. They’ll be the ones where the controls are coordinated to appropriately manage risk.
Banks don’t have a mortgage fraud problem. They have a signal fragmentation problem. Mortgage fraud losses are just where it surfaces in one part of the industry.
And those two problems have very different solutions.
Interested in how unified KYC, AML verification, document verification and fraud orchestration can close the gaps in your control environment? Talk to the FrankieOne team.