ASIC sues HSBC over alleged failures in scam, fraud fight
The corporate regulator has taken aim at the Antony Shaw-led HSBC Australia after the bank’s alleged failure to stop scams and fraud resulted in customer losses topping $23m.
Business
Don't miss out on the headlines from Business. Followed categories will be added to My News.
HSBC’s Australian customers lost millions from scams and fraud due to the bank’s allegedly weak systems, after criminals figured out how to exploit its networks and impersonate staff.
In court papers lodged on Monday the corporate regulator also alleges the global bank is home to “mule” accounts, allowing cash to be funnelled between bad actors, and says HSBC has failed to get on top of financial crime.
The Australian Securities & Investments Commission claims HSBC failed in its obligations to protect customers from scammers, despite staff within the bank raising the problems internally well before a massive spike in losses.
ASIC claims HSBC was alerted “materially well before January 2023” that it had a significant risk of unauthorised payments”, with scammers able to exploit the bank’s real time payments system after HSBC plugged into the New Payments Platform in May 2023. Despite this, HSBC, led by career banker Antony Shaw, failed to stop a surge in losses from customers between October 2023 and March 2024, with almost $16m lost to scammers after they discovered how to impersonate HSBC staff in calls to customers, the watchdog claims.
Mr Shaw took on the top job at HSBC Australia in September 2022.
ASIC claims HSBC was handed 950 reports of unauthorised transactions between January 2020 and August 2024, totalling $23m in customer losses.
In claims lodged with the Federal Court, ASIC claims HSBC didn’t put in place controls in its mobile banking and online banking platforms until June 2024 and lacked software to detect fraud until at least June 2023. “As a result of HSBC Australia’s failures, its customers have suffered financial harm, incurring losses as a result of falling victim to unauthorised payments, and being unable to make payments as a result of having account restrictions or digital access blocks placed on their accounts for inordinate periods after reporting unauthorised transactions to HSBC Australia,” ASIC claims.
The corporate regulator claims that prior to January 2023 HSBC management realised the bank had “missing controls”, including systems that could substantially protect against unauthorised payments.
HSBC only notified customers in March this year it was imposing controls to deal with impersonation scams, as well as removing the capacity to increase transaction limits from its online banking and mobile banking platforms.
ASIC deputy chair Sarah Court said HSBC’s failings were “widespread and systemic”.
She said scammers had figured out how to spoof HSBC numbers, inserting themselves into text messaging chains from the bank, before gaining access to customer accounts.
“We are of the view that had these processes and systems been adequate – we’re alleging they’re inadequate – some of these losses would have been averted,” Ms Court said.
The case against HSBC is the first time ASIC has launched legal action against a bank for scams and fraud failures.
Ms Court said ASIC’s investigators “won’t hesitate to take court action where we consider a bank has failed to comply with its obligations”.
But she cautioned it was “too early to speculate on penalties”, warning they could be “so high they’re almost theoretical”.
“If we are successful in the case we will be seeking very significant penalties first to send a message to HSBC and hold it to account but also to send a message to the banking sector that they have to take these obligations very seriously,” Ms Court said.
She said HSBC’s scam failings were worsened by the length of time it took to get back to customers and the months many spent unable to access their funds.
“We allege HSBC Australia compounded the problem by failing to comply with its obligations under the ePayments Code and let its customers down when they needed their help the most, on average taking 145 days to investigate customers’ reports that they had been scammed,” Ms Court said.
“We are also concerned that HSBC Australia failed to promptly restore customers’ full access to their bank accounts, on average taking 95 days to do so. One customer did not have full access restored for 542 days.”
Ms Court warned in June that ASIC was looking closely at HSBC.
HSBC, along with other banks, is required to abide by a series of industry codes of practice including reporting unauthorised transactions and telling customers in writing about the outcome of investigations.
ASIC claims HSBC failed to investigate any complaints lodged with the bank in 2020 within the required timeframe.
In 2024, HSBC only managed to investigate 14 per cent of all reports concerning unauthorised transactions within the required period.
Ms Court said HSBC had only remediated some customers who had lost money from the scammers exploiting the bank’s systems.
An HSBC spokeswoman said the bank acknowledged the claims from ASIC.
“We are considering the matters raised and will continue to co-operate and work constructively with ASIC,” she said.
“Protecting our customers from scammers remains a top priority. We continue to make significant investments in our fraud and scam prevention, detection, and response.”
Originally published as ASIC sues HSBC over alleged failures in scam, fraud fight