By Aisha Dow
Banking giant HSBC may have to compensate customers robbed by scammers after a consumer watchdog found a victim should not have been held responsible for their $47,000 loss.
In a landmark ruling, the Australian Financial Complaints Authority rejected HSBC’s claim it was not liable when a sophisticated scammer masqueraded as a bank worker to raid the victim’s account, an argument it has used to deny compensation to other victims.
Sydney woman Sunni Wan is one of the victims still battling HSBC for compensation.Credit: Nikki Short
The authority also criticised HSBC’s customer service and its adversarial approach to the case.
The “lead decision” involving one of the cases is considered a change of approach for the financial services complaints body, in favour of victims, and came after an investigation by this masthead uncovered major failures in HSBC’s response to the signature scam.
Over at least 10 months in 2023 and 2024, fraudsters were able to infiltrate genuine text message chains from HSBC to make victims believe their accounts had been compromised and scare them into handing over passcodes to a fake bank worker.
Even when customers realised they were being scammed as they were still speaking with the scammer, HSBC was unable to retrieve their money because criminals quickly changed the victim’s daily transfer limits and moved money into new accounts and cryptocurrency.
This masthead revealed that in some cases, consecutive logins were being made on HSBC accounts from different countries, making it impossible that they could have been made by the same person.
In the case considered in detail by the Australian Financial Complaints Authority, a man identified only as “Mr T” received a text message in June last year that appeared in a thread of legitimate text messages previously sent by HSBC.
It warned him that a $740 transaction was being attempted by Amazon, and instructed him to call a 1300 number if he did not authorise it.
When the man called the 1300 number, he was greeted by an interactive voice response recording identical to that used by the bank, and the scammer knew his personal details, such as his bank username.
The crook then asked him to verify his identity by disclosing two banking passcodes, which were used to steal just over $47,178 from his account.
HSBC had argued that in the case of Mr T, and many other cases examined by this masthead, the victim was ineligible for any reimbursement of the stolen funds because they had breached a clause of the ePayments code which says users must not “voluntarily disclose one or more passcodes to anyone”.
But this argument was rejected by the Australian Financial Complaints Authority, which found the scammer’s manipulative tactics meant the victim felt compelled to disclose the passcodes, and therefore was not voluntary.
“The panel is satisfied the scammer created a sense the complainant needed to act urgently to prevent the loss of his funds, and the overall impression he was dealing with the bank, and it would therefore not be fair in all the circumstances to find the disclosure of the passcodes was voluntary,” the decision said.
The finding is significant because, as a lead decision, it decides on core issues and principles that can be applied to a batch of similar cases, although each would still be decided on its individual merits.
“If another case were to resolve around very similar facts, a similar decision would be likely,” explained the authority’s lead ombudsman for transactions, Suanne Russell.
“In this particular lead decision, regarding an HSBC impersonation scam case, the focus was on the disclosure of passwords that were necessary to carry out the transaction and whether this was voluntary.”
HSBC was instructed to pay the complainant $47,028, plus $5000 in legal costs and $1000 for compensation for its failure to meet the Banking Code of Practice around customer service.
Stephanie Tonkin, chief executive of the Consumer Action Law Centre, said the authority’s determination was surprising for several reasons, including because the panel described the bank’s conduct as “adversarial”.
“This isn’t the first time a bank has been aggressive at AFCA. We’ve seen plenty of times, but for it to be publicly called out like that, in a determination, that is significant,” she said.
The Australian Financial Complaints Authority has received 329 complaints related to the HSBC impersonation scam, of which 121 are still open.
“As always, we encourage all financial firms to think about whether they should be resolving consumer complaints without the need for intervention by AFCA,” Russell said.
HSBC was asked if it would review its liability findings for customers impacted by the scam in light of the authority’s finding, but a spokesperson did not answer the question.
Instead, they said the bank acknowledged the decision, which they described as related to a “historic and specific type of bank impersonation scam”.
“The outcome has been accepted by the customer and is now resolved,” they said.
”Falling victim to a fraud is a distressing situation. We remain committed to working with industry and government to disrupt scams and protect customers, and will continue to work hard to support victims of scams.”
Sunni Wan, who leads a support group of about 70 of the scam’s victims, is one of the people whose case is still before the authority.
She had almost $50,000 stolen from her in December, after receiving a message that appeared to come from the bank. Wan had been saving the money as a buffer for interest rate rises and to fund her mother’s knee operation.
Despite hanging up on the scammer mid-call and immediately contacting HSBC, the bank wasn’t able to retrieve Wan’s money. Instead, the bank’s fraud team found her liable for the losses because she “voluntarily” disclosed bank passcodes.
The Sydney woman said that following the lead decision, about half-a-dozen people had been offered reimbursement from the bank. But the majority of the people in the support group had not yet received an offer.
“They’re [HSBC] being dragged kicking and screaming to this,” Wan said. “It’s pretty poor.”
Start the day with a summary of the day’s most important and interesting stories, analysis and insights. Sign up for our Morning Edition newsletter.