HSBC’s Australian banking arm has acknowledged major failures in keeping its customers safe from scams and now faces a potential penalty of A$35 million — roughly $24.59 million in U.S. dollars — pending a federal court’s approval, according to Australia’s corporate regulator.
The Australian Securities and Investments Commission, known as ASIC, announced Thursday that it and HSBC will jointly ask the Federal Court to sign off on the proposed punishment.
According to ASIC’s investigation, HSBC failed to keep proper controls over its internal transfer systems during a 12-month window stretching from May 2023 through May 2024. That gap in oversight left customers more vulnerable to unauthorized transactions.
The investigation also revealed that the bank had been aware of a growing impersonation scam threat as far back as May 2021 — cases in which criminals posed as HSBC representatives to deceive customers.
ASIC Chair Sarah Court called the case a landmark moment: “This is one of the first cases of its kind globally and sends a clear message that protecting customers from scams is a core responsibility of banks.”
Beyond the lapse in controls, the regulator found that HSBC violated its financial services license obligations by failing to adequately stop scams from occurring and by taking an average of 144 days to follow up on customer-reported incidents.
The bank also lacked sufficient systems to help customers who were locked out of their accounts following scam-related incidents, ASIC noted.
An HSBC spokesperson responded to the findings via email, stating: “(We) have reached an agreement to resolve the proceedings with ASIC, which recognises our customer redress program and the significant enhancements made to our fraud and scam prevention, detection and response.”
The settlement is not yet final. The Federal Court must still review and determine whether the proposed penalty and any additional orders are appropriate before anything is officially decided.
