The Australian Securities and Investments Commission (ASIC) has launched legal proceedings against HSBC Australia, alleging systemic failures in protecting customers from financial scams.
According to documents filed in the Federal Court, HSBC failed to implement adequate controls to prevent unauthorised transactions and did not fulfill its obligations under the ePayments Code to investigate scam reports promptly or reinstate access to blocked accounts in a reasonable timeframe.
ASIC claims that between January 2020 and August 2024, HSBC received approximately 950 reports of unauthorised transactions, resulting in customer losses totaling A$23 million.
A significant portion—nearly A$16 million—was lost between October 2023 and March 2024.
The scams often involved fraudsters impersonating HSBC staff to gain access to customer accounts, frequently through smishing attacks that tricked customers into revealing sensitive information.
ASIC alleges that HSBC Australia, despite being aware of these risks since at least January 2023, failed to address critical gaps in its fraud detection and prevention systems.
For example, digital fraud behavioral biometrics and device identification features were only implemented in 2024, leaving customers vulnerable for an extended period.
Real-time fraud monitoring was also delayed, with key measures introduced between June 2023 and June 2024.
Investigations into unauthorised transaction reports were significantly delayed, taking an average of 145 days to complete—well beyond the 45-day maximum required under the ePayments Code.
In 78% of the cases, HSBC failed to meet the prescribed timeframes, with compliance rates as low as 0% in 2020 and 4% in 2021.
One customer waited over 500 days for their case to be resolved.
In addition to delayed investigations, ASIC highlighted failures in restoring access to blocked accounts.
Customers whose accounts were restricted or blocked following reports of fraud faced an average delay of 95 days in regaining full access, with the longest delay recorded at 542 days.
ASIC Deputy Chair Sarah Court described HSBC’s failings as “widespread and systemic,” accusing the bank of breaching its obligations under the Corporations Act and the National Consumer Credit Protection Act.
She stressed that “all banks need to pull their weight in the fight against scams” to uphold consumer protection standards.
ASIC is seeking court orders for declarations of contraventions, pecuniary penalties, and adverse publicity measures against HSBC Australia.
The regulator’s action comes as Australians face mounting financial losses to scams, which totaled A$2.74 billion in 2023, according to the ACCC.
The case also sheds light on broader regulatory concerns. ASIC’s enforcement coincides with proposed legislation to establish a Scams Prevention Framework, aiming to impose stricter obligations on financial institutions to combat fraud.