iscover 
Following a hearing in Melbourne on Thursday (18 June), Justice Bennett ordered HSBC Bank Australia to pay the penalty and publish adverse publicity notices on its website, mobile app and in letters to affected customers.
The Federal Court's ruling follows admissions by HSBC that it failed to maintain adequate controls to prevent unauthorised transactions, took too long to investigate scam reports, and had inadequate systems to assist customers whose accounts had been locked following a scam.
The case stems from more than 1,000 reports of unauthorised transactions received by HSBC between January 2020 and August 2024, with a total transaction value of $34.6 million.
ASIC commenced civil penalty proceedings against HSBC in December 2024, alleging the bank failed to adequately protect customers from scams and breached its financial services licence obligations.
Following ASIC's investigation, HSBC has also established a large-scale remediation program and has so far paid approximately $21.5 million in compensation, with further payments expected before the end of July 2026. The bank has also recovered and returned a further $6.5 million to affected customers.
As part of the proposed resolution, HSBC admitted:
-
Between May 2023 and May 2024, it failed to maintain adequate controls on its internal transfer system, exposing customers to a greater risk of unauthorised payments.
-
It was aware from May 2021 of the growing risk of impersonation scams, where scammers posed as HSBC representatives.
-
Reports of unauthorised transactions surged by approximately 380 per cent in 2023 and 2024, largely driven by impersonation scams.
-
Customers were exposed to greater financial and non-financial harm as a result of those failures.
-
It breached its financial services licence obligations due to major delays in investigating scam reports, which took an average of 144 days to finalise.
-
It had inadequate systems in place to help customers regain access to accounts that had been locked after a scam was reported.
In her reasoning, Justice Bennett considered HSBC's contraventions to be serious and found the agreed penalty was within the appropriate range.
The court also found HSBC had implemented scam controls on some of its payment systems but failed to implement key controls on its internal transfer payment rail, where the majority of customer losses occurred.
Justice Bennett further held that HSBC's failures in relation to the ePayments Code were widespread and systemic.
ASIC chair Sarah Court said: "Today's outcome is one of the first of its kind globally and the $35 million penalty ordered against HSBC is the strongest scam wake-up call yet to the banking industry.
"Banks have been well on notice about the risks of scams for some time. They have now been given a clear message to have adequate controls and ensure their interactions with scam victims help – not hinder."
Some customers lose tens of thousands
Having been left vulnerable, customers reportedly lost tens of thousands of dollars.
Some customers reported having to borrow money from elsewhere, taking on extra shifts at work, or fearing they would struggle to meet their home loan repayments.
Some of the customers who reported being scammed included:
-
A 51-year-old dental technician from NSW who lost $47,000 – almost all her savings.
-
A 25-year-old part-time architectural assistant from NSW who lost $50,000 – his life savings.
-
A Victorian couple in their 50s who lost $48,000 that was transferred out of their home loan.
-
A 41-year-old Victorian father who lost $50,000.
“HSBC’s alleged failures left customers more vulnerable to scams, tens of millions of dollars out of pocket and waiting months to find out what had happened to their money,” Court said.
“Individual customers lost tens of thousands of dollars which, for some, were their life savings, causing them real stress and uncertainty.”
What happened?
According to ASIC’s original allegations, the financial services regulator said that there was “a significant escalation” in reports of unauthorised transactions by HSBC Australia customers from mid-2023.
ASIC said that it often occurred after scammers had obtained access to their accounts by impersonating HSBC Australia staff.
On 2 February 2024, Scamwatch released a scam alert on the HSBC Australia impersonation scam. The scam involved the victim receiving a fake text or call pretending to be from HSBC, which urged them to provide personal details and bank codes to prevent fraud. However, in actual fact, the HSBC “representatives” were scammers attempting to steal their account information.
ASIC said that, between January 2020 and August 2024, HSBC received approximately 950 reports of unauthorised transactions, resulting in customer losses of about $23 million.
Almost $16 million of this occurred in the six months from October 2023 to March 2024, according to ASIC.
The regulator also alleged that the bank was aware of the risks of unauthorised transactions occurring and had holes in its fraud controls.
Moreover, despite the ePayments Code obligating subscribers (including HSBC Australia) to investigate unauthorised transactions within 21 days of receiving a report – and completing an investigation within 45 days of receiving a report – ASIC alleges that it took the bank an average of 145 days to investigate customers’ reports that they had been scammed.
[Related: Broker fraud may be low, but the stakes are high]
Want to see more stories from trusted news sources?Make Broker Daily a preferred news source on Google.