Opinion
Scam strike on global giant is a warning shot to banks
Elizabeth Knight
Business columnistThe line between who should cop the blame for letting scammers raid the henhouse is blurring, and the Australian outpost of one of the world’s largest banks - HSBC - has just found out the hard way what happens when you drop the ball.
So, who does the buck stop with when it comes to a scam? Is it the bank that didn’t catch the criminals nor shore up its defences adequately, or the customer who was loose with their personal information?
The Australian Securities and Investments Commission’s (ASIC) decision to sue HSBC Australia for its alleged failure to protect its customers would suggest the corporate regulator wants the banks to do the heavy lifting.
The legal action, announced on Monday, moves the needle on scams further away from ‘customer beware’ to ‘bank beware’.
HSBC Bank Australia, the Australian subsidiary of HSBC now in ASIC crosshairs.Credit: Bloomberg
Australia’s banking sector is investing hundreds of millions of dollars on scam protection, so HSBC finding itself on the wrong end of the scam protection spectrum is a particularly bad look for the sector.
And while ASIC may have honed in on the proverbial low-hanging fruit of the banking industry, its action will galvanise the attention of the whole industry. The one thing banks know really well is that while prevention is costly, remediation hurts a lot more.
Scams, which grow bolder and more sinister every day, are a scourge for which no one wants to take responsibility. But in this case, HSBC’s alleged inaction was seemingly too much for ASIC to ignore.
The regulator’s move follows a series of investigative reports by this masthead that outlined numerous incidents of customers being tricked into supplying their bank details and passwords by criminals posing as the bank’s staff. And the regulator is not asking the court to require HSBC to compensate customers for the amounts stolen from their accounts - which between January 2020 and August 2024 amounted to some $23 million.
All of this comes on the back of a growing chorus of consumer advocates pushing for banks to take more responsibility for scams that cost customers more than $2.7 billion a year. Of this amount, customers receive compensation to the tune of an alarmingly low 5 per cent.
The counter from the banks is that forcing them to pick up the tab for every scam will make Australia a honey pot for scammers and a haven for digital criminality. They add that it could also demotivate customers from being more vigilant in protecting themselves from scammers.
But ASIC’s allegations are not focused on compensation, they hone in on duty of care and HSBC’s alleged inability to adhere to it. The regulator alleges HSBC Australia failed to have adequate controls in place to prevent and detect unauthorised payments and failed to comply with its obligations to investigate customer reports of unauthorised transactions within the required timeframes.
It also claims customers were locked out of their accounts for 145 days on average, with one person losing account access for 542 days. The core thrust of the regulator’s allegations is that HSBC’s paper thin armour exposed customers to scammers.
ASIC deputy chair Sarah Court at the press conference held in Sydney over HSBC scams.
HSBC Australia customers with digital accounts were exposed to the risk of third-parties, through forgery or obtaining access to their Online Banking and making unauthorised payments.
This activity included fraudsters using HSBC Australia accounts as ‘money mule’ accounts that fraudulently channelled funds to other financial institutions, and customers being subject to phishing, which involves criminals impersonating HSBC Australia staff requesting customers to reveal sensitive information such as their login credentials via a text message.
Fraudsters were also able to infiltrate genuine text message chains from HSBC to make victims believe their accounts had been compromised and scare them into handing over passcodes to a fake bank worker.
Meanwhile, the federal government’s impending anti-scams legislation is slated to improve the lot of victims - and while it is being hailed by some as the antidote, there is a cohort that believes it doesn’t go far enough to shift responsibility to the banks.
At the very least, they think it falls well short of being best in class by international standards. And that’s what makes the ASIC action against HSBC (focused on duty of care rather than just compensation) an important test case on the nature of liability when it comes to scams.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.