Australia’s corporate regulator is suing multinational banking giant HSBC for allegedly failing to adequately protect customers who lost millions of dollars to scams.
The lawsuit comes after HSBC received approximately 950 reports of unauthorised transactions from customers between January 2020 and August 2024, the Australian Securities and Investments Commission (ASIC) said.
While this equated to roughly $23 million in customer losses, near $16 million of these losses occurred in just six months between October 2023 and March 2024.
“ASIC alleges that there was a significant escalation in reports of unauthorised transactions by HSBC Australia customers from mid-2023 which often occurred after scammers had obtained access to their accounts by impersonating HSBC Australia staff,” said ASIC.
According to files lodged in the Federal Court on Monday, ASIC alleged HSBC Australia failed to have “adequate controls” in place to prevent and detect unauthorised payments occurring from customer accounts.
Specifically, ASIC suggested the bank did not have adequate real time fraud payment monitoring, adequate customer authentication and access controls (such as digital fraud behavioural biometrics or fraud device identification capabilities for transactions) and notably, adequate or sufficient rules to detect potentially fraudulent activity.
While court files suggest the bank has since covered these purported weak spots, the regulator ultimately alleged HSBC Australia failed to have adequate prevention and detection controls from 1 January 2023 to 1 June 2024.
Failures “widespread and systemic”
ASIC highlighted fraud activity which involved customer accounts being used as “money mules”, or which otherwise saw scammers impersonate HSBC Australia staff in targeted SMS phishing scams.
One incident saw an HSBC customer lose $47,000 in a single unauthorised transaction after a fraudster posed as HSBC staff to dupe them out of banking passcodes – a scam which the bank was later made to pay compensation for.
ASIC deputy chair Sarah Court backed the allegations, noting HSBC Australia’s failures were “widespread and systemic”.
“The bank failed to protect its customers,” said Court.
“We allege that from at least January 2023, HSBC Australia was aware of the risks of unauthorised transactions occurring and that there were gaps in their fraud controls.
“This resulted in some customers getting scammed out of $90,000 or more.”
HSBC did not respond to Information Age when asked for comment.
Investigations idled for months
ASIC further alleges HSBC Australia failed to comply with its obligations to investigate the reported transactions within timeframes specified under the ePayments Code.
Under the code, the bank is obligated to complete an investigation into a report of an unauthorised transaction and advise the customer of the outcome – typically in no more than 45 days.
ASIC suggested in 66 per cent of 950 cases, the bank took more than 100 days to complete investigations.
“We allege HSBC Australia compounded the problem by failing to comply with its obligations under the ePayments Code and let its customers down when they needed their help the most, on average taking 145 days to investigate customers’ reports that they had been scammed,” said Court.
ASIC finally alleges that after applying restrictions to customer accounts during investigations, HSBC Australia failed to “promptly reinstate” banking services in a timely manner.
The commissioner noted for 872 blocked customers, 90 per cent were left waiting more than 21 days for account use and access to be fully reinstated, or to be advised on the relevant reinstatement process.
“We are also concerned that HSBC Australia failed to promptly restore customers’ full access to their bank accounts, on average taking 95 days to do so,” said Court.
“One customer did not have full access restored for 542 days.”
ASIC is now seeking penalties and costs, with Court telling the ABC the maximum penalties are “so high that I would say they are almost theoretical”.
“All banks need to pull their weight in the fight against scams,” she said.
“We will not hesitate to take court action where we consider banks fail to comply with their obligations to protect their customers.”
