Australian Securities and Investments Commission (ASIC) has filed a lawsuit against HSBC Australia, alleging flaws in its systems to protect customers from financial fraud.
Documents filed in federal court say HSBC failed to implement adequate controls to prevent fraudulent transactions and did not promptly investigate fraud reports or remove access to blocked accounts within a reasonable period of time. failure to fulfill its obligation under the ePayments Code to recover;
ASIC alleges that between January 2020 and August 2024, HSBC received approximately 950 reports of fraudulent transactions, resulting in a total loss of A$23 million to customers.
A significant portion (approximately A$16 million) was lost between October 2023 and March 2024.
The scam often involved fraudsters impersonating HSBC employees to gain access to customer accounts, and often involved smishing attacks in which customers were tricked into divulging confidential information.
Despite being aware of these risks since at least January 2023, ASIC alleges HSBC Australia failed to address significant gaps in its fraud detection and prevention systems.
For example, digital fraud behavioral biometrics and device identification capabilities were first implemented in 2024, leaving customers vulnerable for an extended period of time.
Real-time fraud monitoring was also delayed, with major countermeasures being introduced between June 2023 and June 2024.
Investigations of fraudulent transaction reports were significantly delayed, taking an average of 145 days to complete. This is much more than the 45-day maximum required by the ePayments code.
In 78% of cases, HSBC failed to meet established deadlines, and compliance rates were as low as 0% in 2020 and 4% in 2021.
One customer waited over 500 days for their case to be resolved.
As well as delays in the investigation, ASIC also highlighted failures in restoring access to blocked accounts.
Customers whose accounts were restricted or blocked due to reports of fraud experienced an average delay of 95 days before regaining full access, with the longest delay recorded at 542 days.
ASIC deputy chair Sarah Court said HSBC’s failures were “widespread and systemic” and accused the bank of breaching its obligations under the Corporations Act and the National Consumer Credit Protection Act.
He stressed that “all banks need to commit to fighting fraud” to uphold consumer protection standards.
ASIC is seeking a court order against HSBC Australia for a declaration of breach, financial penalties and adverse publicity measures.
The regulator’s action comes as Australians face increasing financial losses from fraud, totaling A$2.74 billion in 2023, according to the ACCC.
The case also highlights broader regulatory concerns. ASIC enforcement is fraud prevention frameworkwhich aims to impose stricter obligations on financial institutions to combat fraud.
Featured image credit: Edited from unsplash
