HSBC Bank Australia failed to adequately protect its customers from scams, resulting in losses of more than $20 million to fraudsters who were able to impersonate the bank to its customers and take over their accounts virtually unchecked, financial services regulator ASIC detailed in its submission to the Federal Court.
The Australian Securities and Investments Commission (ASIC) is pursuing civil action against the global banking giant for its alleged failure to maintain adequate controls to prevent and detect unauthorised payments.
As well, the regulator alleges HSBC Australia failed to comply with its obligations to investigate customer reports of unauthorised transactions within the required timeframes, and to promptly reinstate their banking services once the reports had been made.
ASIC deputy chair Sarah Court labelled the bank’s failings as “widespread and systemic”, as well as being in breach of multiple obligations, including its Australian Financial Services licence and ePayments code.
Between January 2020 and August 2024, HSBC received approximately 950 reports of unauthorised transactions from local customers, which collectively resulted in the loss of around $23 million.
Almost $16 million of this occurred in the six months from October 2023 to March 2024.
From around mid-2023, ASIC observed “a significantly increased volume of unauthorised payment activity, continuing until about June 2024”.
These losses were primarily the result of fraudsters gaining access to customers’ accounts through spoofing (impersonating HSBC Australia staff through phone calls), and smishing (SMS phishing) activities.
As well, fraudsters exploited captured HSBC Australia accounts as ‘money mules’ to channel illicit funds to other financial institutions.
“By virtue of the digital functionality provided by HSBC Australia, customers were exposed to the risk of third-parties, through forgery or account compromise, obtaining access to their online banking or mobile banking (or both) and making payments from the customer’s deposit accounts or loan accounts (or both) to unintended parties, without the customer’s authority (UnauthorisedPayments),” ASIC submitted in its court filings.
ASIC alleges that HSBC Australia was aware of the risks of unauthorised transactions occurring, as well as gaps in their fraud controls, from at least January 2023.
In some cases, individual customers lost more than $90,000 to scammers.
ASIC further alleges HSBC Australia “compounded the problem” with its laggard response, taking an average of 145 days to investigate customers’ reports that they had been scammed – in breach of its ePayments Code obligations.
The regulator found that HSBC also failed to promptly restore customers’ full access to their bank accounts (with the bank triggering a block on accounts after customers reported the unauthorised transactions), on average taking 95 days to do so.
In one case, a customer waited 542 days to regain full access to their account.
More than 870 customers were blocked from their accounts, with 90 per cent of them waiting more than 21 days for HSBC either to reinstate full use of and access to their accounts or to advise them of the process for doing so.
As a result of HSBC Australia’s failures, ASIC alleges customers suffered financial harm, incurring losses as a result of falling victim to unauthorised payments, and being unable to make payments as a result of having account restrictions or digital access blocks placed on their accounts for inordinate periods after reporting unauthorised transactions to HSBC Australia.
Customers, the regulator said, also suffered non-financial harm, including emotional distress and inconvenience, as a result of the unauthorised payments and significant delays in receiving HSBC Australia’s report into the outcome of its investigation.
Critical anti-scam controls absent
A key charge levelled by ASIC against HSBC is that the bank, during the alleged offences, had no adequate controls in place to prevent and detect unauthorised payments.
These included the absence of digital fraud behavioural biometrics (analysing how a user interacts with a banking session to distinguish normal, criminal and non-human use) and of device identification for transactions (assessing device data, the digital identity built from browser activity and digital footprint, and true location via IP address, to establish patterns of trusted user behaviour).
ASIC found that these critical controls were absent across HSBC Australia’s mobile banking and online banking services until June 2024.
As well, HSBC lacked adequate real-time fraud payment monitoring, including transaction interception capabilities to identify and block suspicious activity – a feature that was only implemented in May this year.
The bank also lacked adequate rules to detect potentially fraudulent activity, including critical rules within its enterprise fraud management transaction monitoring system, until 5 June 2023 at the earliest.
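As an added illustration, not code from ASIC's filing or from HSBC's systems, the following Python sketches how rule-based real-time payment monitoring of the kind described above can score each outbound payment against a customer's trusted devices, known payees, session country and recent velocity, and decide whether to release it, require step-up authentication, or hold it. The customer profile, the burst of payments (an account-takeover pattern, then a session from an unexpected country) and every threshold are constructed for the example.

```python
"""Toy real-time payment-monitoring rule engine (added illustration, not HSBC's system).

Each outbound payment is scored against the customer's trusted profile (known
devices, known payees, home country) and recent attempts before release.
Rules and thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Payment:
    customer_id: str
    amount: float
    payee: str
    device_id: str   # device fingerprint presented by the app/browser
    ip_country: str  # country resolved from the session IP address
    at: datetime


@dataclass
class Profile:
    customer_id: str
    home_country: str
    known_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    recent: list = field(default_factory=list)  # attempted payments, newest last


@dataclass
class Decision:
    action: str    # "allow", "step_up" (re-authenticate) or "block"
    reasons: list


# Hypothetical thresholds; a real deployment tunes these per customer segment.
HIGH_VALUE = 5000.0
VELOCITY_WINDOW = timedelta(minutes=30)
VELOCITY_MAX_COUNT = 3
VELOCITY_MAX_TOTAL = 10000.0


def evaluate(profile: Profile, p: Payment) -> Decision:
    """Score one payment against the profile without mutating it."""
    reasons = []
    new_device = p.device_id not in profile.known_devices
    new_payee = p.payee not in profile.known_payees
    abroad = p.ip_country != profile.home_country

    window = [q for q in profile.recent if p.at - q.at <= VELOCITY_WINDOW]
    count = len(window) + 1
    total = sum(q.amount for q in window) + p.amount
    over_velocity = count > VELOCITY_MAX_COUNT or total > VELOCITY_MAX_TOTAL

    if new_device:
        reasons.append("unrecognised device")
    if new_payee:
        reasons.append("first payment to this payee")
    if abroad:
        reasons.append(f"session from {p.ip_country}, home is {profile.home_country}")
    if over_velocity:
        reasons.append(f"velocity: {count} attempts / {total:.0f} in {VELOCITY_WINDOW}")

    # Account-takeover signature: an unknown device paying a never-seen payee a
    # large sum, or a burst of attempts beyond the velocity limits -> hold it.
    if (new_device and new_payee and p.amount >= HIGH_VALUE) or over_velocity:
        return Decision("block", reasons)
    # Any single weaker signal: make the customer prove presence before release.
    if reasons:
        return Decision("step_up", reasons)
    return Decision("allow", reasons)


def process(profile: Profile, p: Payment) -> Decision:
    """Evaluate, record the attempt for velocity, and learn device/payee on release."""
    d = evaluate(profile, p)
    profile.recent.append(p)
    if d.action == "allow":
        profile.known_devices.add(p.device_id)
        profile.known_payees.add(p.payee)
    return d


def run_demo() -> list:
    """Constructed scenario: rent payment, then a mule-style burst, then a foreign session."""
    t0 = datetime(2024, 1, 15, 9, 0)
    prof = Profile("C1", "AU", known_devices={"dev-laptop"}, known_payees={"rent"})
    payments = [
        Payment("C1", 1200.0, "rent", "dev-laptop", "AU", t0),
        Payment("C1", 6000.0, "mule-acct", "dev-unknown", "AU", t0 + timedelta(minutes=5)),
        Payment("C1", 2000.0, "mule-acct", "dev-unknown", "AU", t0 + timedelta(minutes=7)),
        Payment("C1", 2000.0, "mule-acct", "dev-unknown", "AU", t0 + timedelta(minutes=9)),
        Payment("C1", 300.0, "rent", "dev-laptop", "RU", t0 + timedelta(minutes=60)),
    ]
    return [process(prof, p) for p in payments]


if __name__ == "__main__":
    for d in run_demo():
        print(d.action, "|", "; ".join(d.reasons) or "no signals")
```

The velocity check counts attempts, not just released payments, so a fraudster who is blocked once cannot keep retrying with smaller amounts; the step-up path is where a real system would learn a new device or payee after the customer successfully re-authenticates.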
In response to ASIC’s court action, HSBC has said that it has made multiple reforms and upgrades to its scam and fraud management systems, and has compensated customers affected by the financial losses where it was required to do so.
More than 300 individuals took their complaints to the Australian Financial Complaints Authority (AFCA) for resolution.
The bank has also added its numbers to Australia’s Do Not Originate list, a means of preventing the bank’s phone numbers from being spoofed by fraudsters.
ASIC deputy chair Sarah Court noted that, if successful in its civil action against the bank, the regulator would “be seeking very significant penalties, firstly to send a message to HSBC and [secondly] to send a broader message to the banking sector”.
ASIC confirmed in its submission that it will seek declarations of contraventions, pecuniary penalties, adverse publicity orders, and costs from HSBC Australia.