Corporate regulator ASIC has alleged that HSBC Bank Australia Limited (HSBC Australia) failed to adequately protect customers scammed out of millions of dollars, according to documents filed by ASIC in the Federal Court on Monday.

ASIC terms failures at HSBC Australia as “widespread and systemic”.

Between January 2020 and August 2024, HSBC reportedly received approximately 950 reports of unauthorised transactions, resulting in customer losses of about $23 million.

Almost $16 million of this occurred in the six months from October 2023 to March 2024.

It says that HSBC Australia failed to have adequate controls in place to prevent and detect unauthorised payments and failed to comply with its obligations to investigate customer reports of unauthorised transactions within the specified timeframes required, and to promptly reinstate their banking services in a timely manner.

 

ASIC claims that there was a significant escalation in reports of unauthorised transactions by HSBC Australia customers from mid-2023 which often occurred after scammers had obtained access to their accounts by impersonating HSBC Australia staff.

“We know scammers are constantly looking for new ways to exploit people. Customers can lose their life savings in an instant. Scammers do not discriminate,” said ASIC Deputy Chair Sarah Court.

“We allege that from at least January 2023, HSBC Australia was aware of the risks of unauthorised transactions occurring and that there were gaps in their fraud controls. This resulted in some customers getting scammed out of $90,000 or more.”

Court added that HSBC Australia compounded the situation by failing to comply with its obligations under the ePayments Code, on average taking 145 days to investigate customers’ reports that they had been scammed.

The bank also allegedly failed to promptly restore customers’ full access to their bank accounts, on average taking 95 days to do so. One customer, it noted, did not have full access restored for 542 days.

Under the ePayments Code, an institution has to complete an investigation into a report of an unauthorised transaction and advise the customer in writing of the outcome in a timely manner. It has to do so typically within 21 days of receiving a report, during which it must either complete its investigation and advise the customer of the outcome or advise the customer more time is required to complete the investigation. Under the code, there is an extended timeframe of 45 days of receiving a report to complete their investigation, unless there are exceptional circumstances. Exceptional circumstances may include delays caused by other banks or foreign merchants involved with the transaction.

According to the ACCC, in 2023, Australians lost $2.74 billion to scams.