Published: 14 days ago
Updated: 13 days ago
3 min read

Banking giant HSBC sued by Australian regulator for allegedly failing to protect customers from $23 million in scams

The corporate watchdog says the bank was aware of the scams but failed to take action quickly enough to protect customers.
Demi HuangBy Demi Huang
ASIC is taking action against HSBC, alleging it failed to safeguard 950 Australian customers who collectively lost millions of dollars to scams.

Banking giant HSBC sued by Australian regulator for allegedly failing to protect customers from $23 million in scams

The corporate watchdog says the bank was aware of the scams but failed to take action quickly enough to protect customers.
Demi HuangBy Demi Huang

The Australian Securities and Investments Commission (ASIC) is suing banking giant HSBC, alleging it failed to safeguard 950 Australian customers who collectively lost millions of dollars to scams.

In a statement released on Monday, the corporate watchdog reported the total losses involved amounted to $23 million over a five-year period, from January 2020 to August 2024.

Described as “widespread and systemic” by ASIC Deputy Chair Sarah Court, nearly $16 million of the losses occurred within just six months, between October 2023 and March 2024.

Know the news with the 7NEWS app: Download today Download today

“We allege that from at least January 2023, HSBC Australia was aware of the risks of unauthorised transactions occurring and that there were gaps in their fraud controls. This resulted in some customers getting scammed out of $90,000 or more,” Court said.

ASIC alleges HSBC failed to prevent and detect unauthorised payments or promptly investigate customer reports of unauthorised transactions.

This marks the first time in Australia that a bank has been sued for its handling of customers being swindled out of their own money.

How scams occur

An ASIC statement released earlier in the year alleges that HSBC Australia customers were exposed to the risk of third parties gaining access to their online or mobile banking accounts — and making unauthorised payments — because of the banking products provided by the bank.

Many scams occurred after scammers gained access to accounts by impersonating HSBC Australia staff since mid-2023.

Other common scams included fraudsters requesting login credentials via text message.

Both are categorised as “smishing”, with the fraudsters then using the victims’ accounts to make unauthorised payments.

The scam message, the second in the above screenshot, set off no alarm bells because it appeared in the same thread as legitimate texts Gerald Chin had received from his bank.
The scam message, the second in the above screenshot, set off no alarm bells because it appeared in the same thread as legitimate texts Gerald Chin had received from his bank. Credit: Gerald Chin

There are also “money mule” scams, where fraudsters use victims’ accounts to fraudulently channel funds to other financial institutions, acting as intermediaries in illegal transactions, without the customers realising they are involved in illegal activities.

How HSBC failed customers

ASIC said there were several measures HSBC could have taken, but the bank lacked the necessary controls to implement them.

For example, it could have implemented more robust device identification, such as analysing IP addresses or browser activities.

Additionally, it would have been helpful for them to analyse biometric behaviours of normal transactions compared to criminal or non-human use.

There should have been more real-time fraud payment monitoring, as well as detection systems for potentially fraudulent activity.

Furthermore, after unauthorised payments occurred, HSBC failed to implement adequate controls for prevention and detection.

The bank’s response time was significantly longer than expected, and the process for reinstating blocked customer accounts was also delayed.

On average, the bank took 145 days to complete an investigation, despite being required to do so and inform the customer within 21 days of receiving a report.

Additionally, it took the bank an average of 95 days to fully restore customers’ access to their bank accounts, with one customer waiting as long as 542 days to regain full access.

A man withdraws Australian fifty dollar notes from an ATM machine.
A man withdraws Australian fifty dollar notes from an ATM machine. Credit: s-c-s/Getty Images/iStockphoto

“We know scammers are constantly looking for new ways to exploit people. Customers can lose their life savings in an instant. Scammers do not discriminate,” Court said.

“All banks need to pull their weight in the fight against scams. We will not hesitate to take court action where we consider banks fail to comply with their obligations to protect their customers.”

The announcement follows an ASIC investigation, which found that HSBC had delayed its response to scammers.

ASIC said in the announcement that it is “seeking declarations of contraventions, pecuniary penalties, adverse publicity orders, and costs” against the bank.

Stream free on

7plus logo