Multinational banking giant HSBC will need to pay compensation to a scam victim who lost $47,000 in an unauthorised transaction.
After suffering a significant financial loss and coming to heads with HSBC over potential reimbursement, the victim made a complaint to the Australian Financial Complaints Authority (AFCA).
After a suspicious SMS and phone exchange, the complainant, who AFCA refers to as ‘Mr T’, had an unwanted transaction for $47,178.54 appear on their HSBC offset account.
The scam started June 2023 when T received a text which claimed to be from the bank and warned him of a $740 payment being attempted through online retailer Amazon.
Following the playbook of a standard phishing scam, the message prompted T to make contact via a 1300 phone number.
Once on a call, T was greeted with an interactive voice response identical to that of the bank’s legitimate phoneline.
He proceeded to hand over two six-digit passcodes which would later enable the scammer to effectively steal his funds in one lump transaction.
In the AFCA case, HSBC argued T was ineligible for reimbursement of the transaction because he breached a clause of the ePayments code which stipulates users must not “voluntarily disclose” passcodes to others.
In a landmark decision, AFCA ruled in favour of the victim.
“The panel is of the view the complainant did not voluntarily disclose the passcodes to the scammer,” wrote AFCA.
“The scammer’s manipulative tactics resulted in a degree of coercion that impacted the complainant’s free will and choice, so the complainant felt compelled to disclose the passcodes.”
AFCA decided T is not only entitled to compensation for the disputed transaction, but also for lost interest which would have been applied to a home loan, $5,000 contribution to the legal costs he incurred, and an additional $1,000 for non-financial loss compensation.
No, he wasn’t “voluntarily” scammed
The case focused on the use of the word “voluntarily” in Australia’s ePayments code – which AFCA noted isn’t explicitly defined within the code itself.
Going by the Macquarie Dictionary definitions of “acting of one’s own will or choice, relating to or depending on voluntary action…” and “acting or done without compulsion”, AFCA was satisfied T “acted involuntarily” when he disclosed sensitive passcodes to the scammer.
AFCA noted the scammer “established credibility” by effectively wedging themselves into a chain of existing legitimate messages between the bank and T – seemingly via an SMS spoofing attack.
SMS ‘spoofing’ typically sees scammers use Voice Over Internet Protocol (VoIP) technology to falsify caller information and appear as a legitimate sender.
So common is the issue that Australian government is mulling a Sender ID Registry initiative to verify branded messages.
In explaining its reasoning, AFCA noted the complaint’s will was “impacted to the point it was overborne” by the scammer’s methods.
AFCA added the scammer knew the victim’s name, created a sense of urgency by referencing the fake Amazon transaction, and performed conduct which was consistent with “previous ways the bank had legitimately engaged with the complainant”.
The Australian Financial Complaints Authority made a landmark ruling against HSBC. Photo: Shutterstock
HSBC tried to shirk liability for the transaction by pointing out the 1300 number did not belong to the bank, but AFCA wasn’t convinced.
“It is unreasonable to expect a consumer to identify a fake 1300 number in a SMS when the communication channel legitimately belonged to the bank,” AFCA said.
David Hofierka, senior policy officer at Consumer Action Law Centre, said the consumer advocacy organisation welcomed the “consumer centred approach” in addressing scam victims’ complaints.
“[It] reflects the reality, complexity and sophistication of scams where ordinary people are often completely defenceless,” said Hofierka.
“The decision also supports the argument that in essence all scams should be treated as unauthorised, in that, no one would ever voluntarily disclose their private banking details or passcodes to a scammer though their own ‘free choice’.”
Could this set a precedent?
While banks are increasingly teaming with government and telecommunications providers in the fight against scammers, Australians are still largely unprotected.
Banks outside of the Big Four were recently found to be woefully underprepared in handling scams, with an ASIC analysis finding across 15 financial institutions, only 19 per cent of scam transactions were detected and stopped in fiscal 2022-23.
And while customers ate 96 per cent of the losses for the period, government has continued to idle on the prospect of forcing banks to make scam repayments.
When asked what AFCA’s recent ruling could mean for Australian scam victims, Hofierka said “consumers still face an uphill battle to get their money back”.
“Only time will tell whether approaches towards dispute resolution will develop to assist consumers better, but as it stands, the vast majority of scam complaints, including those at AFCA, have gone against the scam victims,” said Hofierka.
“We generally find that when a consumer is successful, its only in a very limited set of circumstances, when they have managed to jump through every hoop and ticked every box.”
In the UK, consumer protections introduced this month will see victims of Authorised Push Payment (APP) scams reimbursed for fraudulent transactions within five business days.
APP scams refer to when someone is tricked into sending money to an illegitimate party via bank transfer – and under the UK’s new laws, some 99 per cent of claims “by volume” will be covered up to $165,000 (£85,000) reimbursement as standard.
Hofierka posited a similar “modified reimbursement framework” for Australia, where scam victims could get their money back in a timely manner apart from limited circumstances such as gross negligence.
“It would significantly reduce the timeframe and costs of scams disputes for all parties involved and incentivise all businesses to do all they can to prevent scams as they will always be on the hook if they do not,” said Hofierka.
The Sydney Morning Herald reports AFCA has received some 329 complaints related to similar HSBC impersonation scams, of which 121 are still open.
The authority’s lead ombudsman for transactions, Suanne Russell, told the Sydney Morning Herald if a future case were to “resolve around very similar facts”, a similar decision “would be likely”.
“As always, we encourage all financial firms to think about whether they should be resolving consumer complaints without the need for intervention by AFCA,” said Russell.
HSBC did not respond to Information Age when asked about the case or its approach to tackling scams.
