The Australian Securities and Investments Commission (ASIC) has launched legal proceedings against HSBC Bank Australia (HSBC Australia), alleging the bank failed to protect customers who lost millions of dollars to scammers.
The claims were detailed in court documents filed by the ASIC in the Federal Court.
According to the ASIC, HSBC Australia lacked adequate systems to prevent and detect unauthorised transactions.
The bank also allegedly failed to meet its obligations to probe customer reports of such transactions within specified timeframes and to promptly reinstate banking services for affected customers.
The regulator noted a significant increase in reports of unauthorised transactions starting in mid-2023. Many incidents occurred after scammers, posing as HSBC staff, gained access to customer accounts.
Between January 2020 and August 2024, HSBC Australia reportedly received around 950 reports of unauthorised transactions, resulting in customer losses totalling A$23m ($14.6m).
Nearly A$16m ($10.14m) of those losses occurred over six months between October 2023 and March 2024.
ASIC claims HSBC Australia breached its obligations by failing to implement effective systems for investigating unauthorised transactions and restoring customer services from January 2020.
The regulator further alleges HSBC did not have adequate controls to prevent and detect unauthorised payments between January 2023 and June 2024.
As a result, ASIC contends HSBC Australia violated section 912A(1)(a) of the Corporations Act 2001 (Cth) and section 47(1)(a) of the National Consumer Credit Protection Act 2009 (Cth).
These laws require banks to deliver financial and credit services efficiently, honestly, and fairly. ASIC is seeking court declarations, financial penalties, adverse publicity orders, and costs.
ASIC Deputy Chair Sarah Court said: “We allege HSBC Australia compounded the problem by failing to comply with its obligations under the ePayments Code and let its customers down when they needed their help the most, on average taking 145 days to investigate customers’ reports that they had been scammed.
“We are also concerned that HSBC Australia failed to promptly restore customers’ full access to their bank accounts, on average taking 95 days to do so. One customer did not have full access restored for 542 days.”
HSBC Australia subscribes to the ePayments Code, which regulates electronic payment transactions in Australia. The code requires banks to investigate unauthorised transaction reports within 21 days and provide customers with written outcomes.
Investigations must be completed within 45 days unless exceptional circumstances, such as delays caused by foreign merchants or other banks, are identified. The action against HSBC comes amidst rising scam-related losses across Australia.
The Australian Competition and Consumer Commission (ACCC) said that Australians lost A$2.74bn ($1.7bn) to scams in 2023. Scamwatch, which monitors fraudulent activities, previously issued an alert warning consumers of scammers impersonating HSBC staff.
