Australia's corporate regulator has disclosed that HSBC Bank Australia faces a proposed penalty of A$35 million after the bank admitted to serious shortcomings in its defences against scams. The Australian Securities and Investments Commission (ASIC) said on Thursday that it and HSBC will jointly seek Federal Court approval for the settlement - one of the early global enforcement actions concentrated on a bank's alleged failures in scam prevention.
ASIC's statement said HSBC admitted that between May 2023 and May 2024 it did not keep adequate controls in place for its internal transfer system, a deficiency that left customers more exposed to unauthorised transactions. The bank also recognised it had been aware since 2021 of an increasing risk from impersonation scams, where fraudsters posed as HSBC representatives.
According to the regulator, HSBC received more than 1,000 reports of unauthorised transactions valued at A$34.6 million between January 2020 and August 2024. ASIC noted that reports rose sharply - by roughly 380% - across 2023 and 2024, with impersonation scams being a primary driver of the increase.
ASIC also found that HSBC breached licence obligations by taking extended periods to investigate scam reports, recording an average resolution time of 144 days, and that customers who were locked out of their accounts did not have access to adequate systems to address the issue promptly.
In response to the regulator's findings, HSBC has put in place a remediation programme. The bank has paid approximately A$21.5 million in compensation to affected customers and has recovered and returned a further A$6.5 million. The proposed A$35 million settlement with ASIC remains subject to approval by the Federal Court.
This matter highlights the regulator's focus on financial institutions' responsibilities to prevent and respond to scams, and it represents a notable enforcement step in the oversight of banks' consumer protections.