By Aisha Dow
Banking giant HSBC knew it had gaps in its fraud control systems but failed to fix them in the months before hundreds of its Australian clients were fleeced of millions of dollars in a lucrative impersonation scam, the country’s corporate regulator claims.
The Australian Securities and Investments Commission (ASIC) on Monday said it was suing the Australian subsidiary of one of world’s largest financial institutions for “widespread and systemic” failures to protect their customers from scams.
HSBC further failed customers by taking months to investigate scam reports – including from some people who had lost their life savings – while blocking their access to their accounts, ASIC has alleged. Many of the bank’s customers were each scammed of tens of thousands of dollars.
“HSBC Australia let down its customers when they needed its help the most,” ASIC deputy chair Sarah Court said.
Court said while HSBC’s governance issues dated back to January 2020, they had the greatest impact from the middle of last year when there were escalating reports that scammers had been able to access HSBC accounts by impersonating the bank’s staff.
About 950 reports of unauthorised transactions were made to HSBC Australia between January 2020 to August this year. Customers had more than $23 million stolen.
However, about two-thirds of these losses – almost $16 million – occurred over the six months between October 2023 and March, when HSBC customers were being repeatedly targeted by the sophisticated bank impersonation scam.
ASIC’s announcement on Monday follows an investigation by this masthead that revealed HSBC had dawdled in its response to scammers, who used the same or similar tactics to steal from hundreds of the bank’s Australian customers.
Criminals masquerading as HSBC workers infiltrated genuine text message chains from HSBC or made it appear like they were calling from the bank’s real phone number to convince victims that their accounts had been compromised.
Even as customers’ passwords were changed and large amounts of money were moved by people overseas or those using private internet servers, the bank failed to stop the suspicious transactions.
In documents filed with the Federal Court, ASIC claims that HSBC’s decision to introduce a new payments platform in May 2023, that allowed near-real-time payments to third parties, increased the risk of unauthorised or scam payments.
“We allege that from at least January 2023, HSBC Australia was aware of the risks of unauthorised transactions occurring and that there were gaps in their fraud controls,” Court said.
“This resulted in some customers getting scammed out of $90,000 or more.”
After customers were scammed, ASIC alleges HSBC Australia “compounded the problem” by taking an average of 145 days, or almost five months, to investigate customers’ scam reports.
The problem has persisted, ASIC claims, as the bank met its required investigative time-frames only 14 per cent of the time over the first eight months of 2024.
The financial services regulator has also alleged there were widespread, systemic and significant failures by HSBC Australia to reinstate customers’ full access to their bank accounts after they were scammed. It took an average 95 days for customers’ banking access to be restored. One customer did not have full access restored for 542 days, ASIC has alleged.
Sunni Wan, an HSBC customer who had $50,000 stolen after receiving a message that appeared to come from the bank, said she had to borrow money from a friend following the scam as the bank froze her account, blocking her access to her money.
She said staff at her local branch said there was nothing that they could do to help.
“The guy … in the branch with me – he was just so heartless. He was just giving me tissues and he was trying to get rid of me quickly,” she said.
“He said ‘there’s nothing we can do … at the branch level because the branch level can’t do anything, we need to wait for the fraud team and that would take six to eight weeks’.”
Wan said HSBC should compensate victims for the emotional stress caused by the scam and the time it took them to advocate for compensation.
On Monday, an HSBC spokesperson said “we are considering the matters raised and will continue to co-operate and work constructively with ASIC”.
“Protecting our customers from scammers remains a top priority. We continue to make significant investments in our fraud and scam prevention, detection and response.”
Melbourne engineer Aaron, who did not wish to use his last name for privacy reasons, had $45,000 taken from his family’s HSBC home loan account in late February.
The father of two was sitting in his car during a lunch break when he received a call from someone who introduced themselves as a member of HSBC’s fraud team.
Because the scammer called him using the bank’s real number (a technique known as spoofing) and already knew several of Aaron’s personal details, they convinced Aaron to provide several one-time passwords, which they then used to take over his account. The criminals were then able to raise the daily transfer limit on Aaron’s account from $5000 to $50,000.
This same technique was also used with other victims, but it took HSBC almost a year to stop allowing adjustments to daily limits to be made using online banking.
In May, HSBC offered Aaron a $1000 “goodwill payment”. Aaron rejected the offer and complained to the Australian Financial Complaints Authority. HSBC later said it would reimburse Aaron the entire amount stolen plus a $2000 goodwill payment, and acknowledged “we could have responded in a timelier manner”.
Aaron said he was saddled with shame and fear over the saga and had to mend damaged personal relationships.
“Getting me the money back was a relief, but I’m probably always going to be mentally scarred,” he said.
“A lot of people [believe] the bank is there to protect your money. They’re not there to protect your money, from my point of view right now – they’re there to protect their own interests.“
HSBC has previously said it had improved its fraud and scam prevention systems, including increasing SMS warnings for customers making payments of more than $500, limiting payments to some cryptocurrency platforms and adding 70 people to the bank’s fraud and scams team.
Court, the ASIC deputy chair, said scammers were constantly looking for new ways to exploit people. She warned ASIC would not hesitate to take further action in court if the regulator believed other banks had failed to comply with their obligations to protect customers.
“Customers can lose their life savings in an instant. Scammers do not discriminate,” Court said.
“All banks need to pull their weight in the fight against scams.
“ASIC is seeking declarations of contraventions, pecuniary penalties, adverse publicity orders and costs.“
Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.