By Aisha Dow
Banking giant HSBC did not act on repeated warnings from its own fraud experts about a security loophole until hundreds of its customers had lost millions of dollars in a bank-impersonation scam.
The warnings from the bank’s fraud steering committee are detailed in excerpts of documents filed by the national corporate regulator, the Australian Securities and Investments Commission (ASIC), which is suing the local subsidiary of HSBC for “widespread and systemic” failures to protect its customers from scams.
A string of allegations has been made about HSBC’s failings to protect its Australian customers from scams. Credit: Marija Ercegovac
The documents also reveal for the first time that one group of fraudsters linked to the scam used local HSBC accounts to move money to beneficiaries in Pakistan.
It follows an earlier investigation by this masthead that exposed how HSBC had moved too slowly to detect and respond to repeated red flags about the scam, including a failure to identify overseas logins directing movements of large amounts of money to accounts with which customers had never previously interacted.
The signature scam, which ran in 2023 and 2024, involved criminals repeatedly and successfully impersonating HSBC staff.
They would contact potential victims via text messages or calls that appeared to come directly from HSBC and trick people into handing over passcodes by telling them that they needed the information to reverse dubious charges on their accounts. Some people lost their life savings.
The irony of these cases is that fraudsters were claiming to do what the bank itself could not – detect and stop suspicious transactions in their tracks.
The court documents show that in March 2021, HSBC bank staff noted in a presentation on its fraud-mitigation strategy that HSBC Australia had “no real-time interception or payment-holding to clarify suspicious transaction content with customer[s]” and that it would cost $380,000 to set up that sort of payment interception.
Similar warnings were made repeatedly in the years to come, according to the ASIC statement of claim filed to the federal court.
“[C]urrently, HSBC do not have the capability to stop an online transfer of funds from one bank account to another,” said another presentation given in October 2022 to HSBC’s Australian wealth and personal banking fraud steering committee.
By July 2023, the court documents show, Matthew Hannan, HSBC Australia’s head of fraud management, was making a “special” presentation about an “HSBC impersonation scam” in which he said that 50 customers had lost money in the emerging scam, sometimes after receiving text messages that tricked them into sharing personal information.
In September the same year, a slide pack for an HSBC Australia committee meeting discussing impersonation scams said: “current limitations on desktop banking monitoring and real-time interception are impacting our ability to disrupt and prevent these attacks”.
ASIC alleges that HSBC Australia didn’t implement adequate real-time fraud payment monitoring, including capabilities to detect and block suspicious activity, across both mobile and online banking, until about May 2024, at the tail end of the swindle.
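One way to express the real-time interception and payment-holding capability the internal documents describe, as an added example that is not HSBC’s code or anything from the court filings: it scores a transfer against the red flags named earlier (an overseas login, a large amount, a beneficiary the customer has never paid before) plus an assumed device check, and holds the payment for out-of-band confirmation before funds leave the account. The dollar threshold and the two-flag rule are assumptions.

```python
"""Illustrative pre-payment hold rule (added example, not HSBC's system).
The red flags mirror those the article cites; the threshold is assumed."""
from dataclasses import dataclass, field

LARGE_AMOUNT_AUD = 5_000.0  # assumed threshold, not a figure from the article


@dataclass
class CustomerProfile:
    home_country: str
    known_payees: set = field(default_factory=set)   # accounts paid before
    known_devices: set = field(default_factory=set)  # devices seen before


@dataclass
class TransferRequest:
    amount: float
    payee: str
    login_country: str  # country of the session requesting the transfer
    device_id: str


def assess_transfer(profile: CustomerProfile, req: TransferRequest):
    """Return ("allow" | "hold", reasons).

    A hold means the payment is parked in real time and released only after
    the bank confirms it with the customer through a channel the customer
    initiates, which is exactly the step an impersonator cannot perform."""
    reasons = []
    if req.login_country != profile.home_country:
        reasons.append("overseas_login")
    if req.amount >= LARGE_AMOUNT_AUD:
        reasons.append("large_amount")
    if req.payee not in profile.known_payees:
        reasons.append("new_payee")
    if req.device_id not in profile.known_devices:
        reasons.append("unrecognised_device")
    # Assumed policy: any two red flags together are enough to hold.
    decision = "hold" if len(reasons) >= 2 else "allow"
    return decision, reasons


def triage(profile: CustomerProfile, requests):
    """Split a batch of pending transfers into those to release and those to hold."""
    held = [r for r in requests if assess_transfer(profile, r)[0] == "hold"]
    released = [r for r in requests if r not in held]
    return released, held
```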
The corporate regulator also highlighted other alleged security deficiencies, claiming that HSBC did not implement BioCatch, a digital-fraud behavioural biometrics system, or ThreatMetrix device-identification capabilities for online banking until June 2024.
In January 2022, the minutes of one of the bank’s fraud steering committee meetings noted that “losses resulting from these scam cases and determinations would likely have been avoided with BioCatch/ThreatMetrix implementation for transactional monitoring”.
In December 2023, as the reports from the impersonation scam mounted, another internal presentation warned that until these systems were implemented for online banking, the fraud team “cannot disrupt scams, and losses will continue to mount”.
HSBC Australia customers lost $18 million via impersonation scams in the 2023 financial year, and $24 million in the first nine months of 2024, according to court documents. About 950 reports of unauthorised transactions were made to HSBC Australia between January 2020 and August last year.
HSBC was due to file its defence in the case early last month, but failed to do so. At a hearing in May, Justice Elizabeth Bennett ordered the bank to provide a written explanation of its non-compliance.
A solicitor acting for HSBC Australia earlier submitted that the bank had identified inaccuracies in data presented to the court that it needed to correct before it would be appropriate to file its defence.
Asked about the repeated internal warnings of the bank’s inability to halt suspicious transactions highlighted in ASIC’s statement of claim, an HSBC spokesperson replied: “As the matter is before the court, we are unable to comment.”
The case returns to court in July. HSBC is now due to file a defence by Friday.