HSBC Bank Australia is being sued by the corporate watchdog after customers lost $23 million in unauthorised transactions.
The Australian Securities and Investments Commission (ASIC) has filed documents in the Federal Court accusing the financial service company of failing to adequately protect customers scammed out of millions of dollars.
ASIC Deputy Chair Sarah Court said they allege HSBC Australia failed to have adequate controls in place to prevent and detect unauthorised payments and failed to comply with its obligations to investigate customer reports of unauthorised transactions within the specified timeframes required, and to promptly reinstate their banking services in a timely manner.
Ms Court said ASIC alleges that there were a significant escalation in reports of unauthorised transactions by HSBC Australia customers from mid-2023 which often occurred after scammers had obtained access to their accounts by impersonating HSBC Australia staff.
“Between January 2020 and August 2024, HSBC received approximately 950 reports of unauthorised transactions, resulting in customer losses of about $23 million. Almost $16 million of this occurred in the six months from October 2023 to March 2024,” she said.
“We allege HSBC Australia’s failings were widespread and systemic, and the bank failed to protect its customers.”
Ms Court said they allege that from at least January 2023, HSBC Australia was aware of the risks of unauthorised transactions occurring and that there were gaps in their fraud controls.
“This resulted in some customers getting scammed out of $90,000 or more.
“We allege HSBC Australia compounded the problem by failing to comply with its obligations under the ePayments Code and let its customers down when they needed their help the most, on average taking 145 days to investigate customers’ reports that they had been scammed.”
She said ASIC was also concerned that HSBC Australia failed to promptly restore customers’ full access to their bank accounts, on average taking 95 days to do so.
“One customer did not have full access restored for 542 days.”