HSBC Bank Australia Limited (HSBC Australia) failed to adequately protect customers scammed out of millions of dollars, according to documents filed by ASIC in the Federal Court today.

ASIC alleges HSBC Australia failed to have adequate controls in place to prevent and detect unauthorised payments, failed to comply with its obligations to investigate customer reports of unauthorised transactions within the required timeframes, and failed to promptly reinstate their banking services.

ASIC alleges that there was a significant escalation in reports of unauthorised transactions by HSBC Australia customers from mid-2023 which often occurred after scammers had obtained access to their accounts by impersonating HSBC Australia staff.

Between January 2020 and August 2024, HSBC received approximately 950 reports of unauthorised transactions, resulting in customer losses of about $23 million. Almost $16 million of this occurred in the six months from October 2023 to March 2024.

ASIC Deputy Chair Sarah Court said, ‘We allege HSBC Australia’s failings were widespread and systemic, and the bank failed to protect its customers.

‘We allege that from at least January 2023, HSBC Australia was aware of the risks of unauthorised transactions occurring and that there were gaps in their fraud controls. This resulted in some customers getting scammed out of $90,000 or more.

‘We allege HSBC Australia compounded the problem by failing to comply with its obligations under the ePayments Code and let its customers down when they needed their help the most, on average taking 145 days to investigate customers’ reports that they had been scammed.’

‘We are also concerned that HSBC Australia failed to promptly restore customers’ full access to their bank accounts, on average taking 95 days to do so. One customer did not have full access restored for 542 days.’

ASIC alleges HSBC Australia failed to have:

  • from January 2020, adequate systems and processes to ensure that significant, widespread or systemic non-compliance with its obligations to investigate reports of unauthorised transactions within specified timeframes and to promptly reinstate banking services to customers who reported unauthorised transactions; and
  • from 1 January 2023 to 1 June 2024, adequate controls for the prevention and detection of unauthorised payments.

ASIC contends that as a result, HSBC Australia failed to do all things necessary to ensure that:

  • the financial services covered by its Australian financial services licence were provided efficiently, honestly and fairly, in contravention of its obligations under s 912A(1)(a) of the Corporations Act 2001 (Cth); and
  • the credit activities authorised by its credit licence were engaged in efficiently, honestly and fairly, in contravention of its obligations under s 47(1)(a) of the National Consumer Credit Protection Act 2009 (Cth).

"We know scammers are constantly looking for new ways to exploit people. Customers can lose their life savings in an instant. Scammers do not discriminate," Court said.

"All banks need to pull their weight in the fight against scams. We will not hesitate to take court action where we consider banks fail to comply with their obligations to protect their customers."

ASIC is seeking declarations of contraventions, pecuniary penalties, adverse publicity orders, and costs.

The ePayments Code plays an important role in the regulation of electronic payment facilities in Australia. It applies to consumer electronic payment transactions, including ATM, EFTPOS and credit card transactions, online payments, internet and mobile banking, and BPAY. It complements other regulatory requirements, including financial services and consumer credit licensing, advice, training and disclosure obligations under the Corporations Act 2001 and the National Consumer Credit Protection Act 2009.

HSBC Australia has obligations as a subscriber to the ePayments Code to complete an investigation into a report of an unauthorised transaction (Report) and advise the customer in writing of the outcome. An unauthorised transaction is a transaction that is not authorised by a customer. Under the ePayments Code, HSBC Australia is required to:

  • within 21 days of receiving a Report, either complete its investigation and advise the customer of the outcome or advise the customer more time is required to complete the investigation;
  • within 45 days of receiving a Report, complete its investigation, unless there are exceptional circumstances. Exceptional circumstances may include delays caused by other banks or foreign merchants involved with the transaction.

On 2 February 2024, Scamwatch released a scam alert on the HSBC Australia impersonation scam.