Australia’s communications watchdog ACMA is facing criticism after it issued a warning, with no penalty, to a global telecommunications company that allowed more than 1,000 scam texts to reach Australians.
The text messages, which impersonated global bank HSBC, were part of a four-year scam campaign in which HSBC received more than 1,000 reports of unauthorised transactions with a total transaction value of $34.6 million.
On Thursday, after the Australian Securities and Investments Commission (ASIC) brought HSBC to the Federal Court, the bank admitted to a range of serious customer protection failures and agreed to a $35 million penalty.
But while ASIC celebrated its court outcome, the Australian Communications and Media Authority (ACMA) has been scrutinised for a comparatively limp-wristed response.
Despite confirming in late 2024 that US telco Telesign had failed to declare 1,121 scam messages that passed through its network, an ACMA spokesperson explained that issuing a direction to comply was “the strongest enforcement option currently available” for a first-time breach of the industry scams code.
Information Age understands the telco may face penalties of up to $250,000 if it now violates ACMA’s warning.
A victim who lost nearly $50,000 to the HSBC scam told ABC News the lack of consequences was “upsetting”.
Australian Communications Consumer Action Network (ACCAN) chief executive Carol Bennett said the regulator “should have the power to issue penalties and demand corrective action in the first instance”.
“Warnings are less useful,” Bennett told Information Age.
“We need to ensure that any regulation, particularly applicable to international companies, has teeth and carries appropriate weight to drive compliance.”
Telesign owns up, blames ‘manual processes’
Though ACMA worked with ASIC in March 2024 to examine the HSBC scam traffic, it wasn’t until August 2024 that Telesign was probed under a separate, broader ACMA investigation.
Including the 1,121 HSBC scam texts, ACMA found Telesign failed to share information about more than 11,000 SMS scam messages.
An ACMA spokesperson said “these investigations are highly complex”, “involve interrogation of an extensive amount of data”, and “can take a number of months to finalise”.
“ACMA rejects any suggestion that it failed to act promptly in response to the HSBC impersonation scams,” they said.
Though ACMA did not mention HSBC in its Telesign investigation report, the California-based telco confirmed to Information Age that a scammer impersonating HSBC was able to send fraudulent messages via its platform.
The telco explained its “detection framework” at the time relied partly on manual processes and “earlier-generation filtering approaches” which were not able to “identify and suspend the fraudulent traffic in time”.
Among other measures, the telco said it had since deployed machine learning-based content filtering, strengthened its customer vetting and onboarding controls, and reinforced its monitoring, auditing, and blocking procedures.
“Telesign remains committed to support broader efforts to reduce scam activity and reinforce trust in digital communications, and continues to engage closely with regulators and industry bodies to this effect,” said the company.
The Albanese government has proposed changes which would boost penalties available to ACMA to $10 million, and remove the requirement for an initial warning.
If passed, the Telecommunications (Enhancing Consumer Safeguards) Bill would supplement a forthcoming SMS Sender ID Register that will help flag suspicious texts.
“However, powers are only as good as the willingness of the regulator to apply them,” said Bennett.
“Stronger powers must now be matched by strong enforcement.”
HSBC accepts penalty in ‘last-minute about-face’
Separate from Telesign’s warning, HSBC came under fire from ASIC for failing to have adequate controls on its internal transfer system, which ultimately exposed customers to a greater risk of unauthorised payments.
“The $35 million penalty ordered against HSBC is the strongest scam wake-up call yet to the banking industry,” said ASIC chair Sarah Court.
Though HSBC has recovered $6.5 million from the scam, compensated customers some $21.5 million, and agreed to ASIC’s proposed penalty, Consumer Action Law Centre chief executive Stephanie Tonkin criticised the bank for offering robbed customers “no support”.
“[HSBC was] instead blaming and shaming them and covering up low-ball offers of reimbursement with non-disclosure agreements,” said Tonkin.
“It was a last-minute about-face by the bank that led to a reduced penalty, which should have been many millions more.”
An HSBC spokesperson told Information Age the bank was “pleased to have reached an agreement to resolve the proceedings with ASIC”.
“We apologise to our customers who were impacted by these events,” they said.
“[This agreement] recognises our customer redress program and the significant enhancements made to our fraud and scam prevention, detection and response.”