HSBC Bank Australia has been ordered to pay a $35m penalty it admitted to serious failures in protecting customers from scams.
The bank was also instructed by the Federal Court to publish adverse publicity orders on its website, its app and in letters to impacted customers.
Her Honour Justice Bennett found HSBC had implemented scam controls on some of its payment systems but did not implement the key controls on the internal IAT payment rail, where the majority of customer losses occurred.
HSBC admitted failures with the ePayments Code occurred because it was slow to investigate customer scam reports – 144 days on average – and did not apply rules in the Code for determining when customers or the bank should bear the losses from scams. HSBC also admitted that it did not have adequate systems in place to help customers get back into their banking after they had been scammed.
Following ASIC’s investigation, HSBC has established a large-scale remediation program that has so far paid around $21.5m in compensation, with further payments due before the end of July 2026. HSBC has also recovered $6.5m and returned those funds to customers.
The Australian Securities and Investments Commission (ASIC) said the case is one of the first of its kind globally and reinforces the responsibility of banks to protect their customers from scams.
ASIC chair Sarah Court described the penalty as “the strongest scam wake-up call yet to the banking industry”.
She said: “Banks have been well on notice about the risks of scams for some time. They have now been given a clear message to have adequate controls and ensure their interactions with scam victims help – not hinder.”
