HSBC Hit With $22.8 Million Penalty Over Scam Protection Failures

Key Takeaways
  • The Court Treated Scam Failures as a Governance Issue: The judgment makes clear that scam prevention is no longer viewed as a customer education problem alone. Banks are expected to have effective controls in place to prevent losses before they occur.
  • Slow Responses Became Part of the Harm: HSBC admitted it took an average of 144 days to investigate scam reports. The court found that delays and poor handling of customer complaints compounded the impact on victims.
  • Controls Existed, But Not Where They Were Needed Most: While HSBC had implemented scam protections on some payment systems, the court found critical controls were missing from the internal payment channel where most losses occurred.
  • Remediation Did Not Shield the Bank From Enforcement: HSBC has already paid millions in compensation and recovered funds for customers, but regulators still pursued a significant penalty, underscoring that remediation does not erase accountability for systemic failures.
Deep Dive

HSBC Bank has been ordered to pay a penalty of approximately $22.8 million (AUD $35 million) after admitting to serious failures in its handling of scam-related customer losses, in what Australian regulators described as one of the first enforcement actions of its kind globally. The penalty was imposed by the Federal Court on June 18 following proceedings brought by the Australian Securities and Investments Commission (ASIC).

In addition to the financial sanction, the court ordered HSBC to publish adverse publicity notices on its website, mobile application and in correspondence sent to affected customers. The case focuses on HSBC’s handling of customer scam reports and its compliance with Australia’s ePayments Code, which governs liability and dispute resolution for certain electronic payment transactions.

According to the court’s findings, HSBC failed to implement key scam-prevention controls on its internal payment system, known as the IAT payment rail, where most customer losses occurred. While the bank had introduced scam controls on some payment systems, the court found critical protections were absent from the channel responsible for the majority of losses.

Justice Bennett characterized the breaches as serious and concluded that the agreed penalty fell within an appropriate range. The court also found that HSBC’s failures under the ePayments Code were widespread and systemic.

ASIC said HSBC admitted it took an average of 144 days to investigate customer scam reports, significantly delaying outcomes for affected customers. The bank also acknowledged that it failed to apply provisions of the ePayments Code designed to determine whether losses should be borne by customers or the institution. In addition, HSBC admitted it lacked adequate systems to help customers regain access to banking services after falling victim to scams.

The court noted that some customers found their interactions with HSBC stressful and frustrating, with those experiences exacerbated by the bank’s failure to comply with investigation timelines required under the Code.

ASIC Chair Sarah Court said the ruling sends a strong message to the banking sector about its responsibility to protect customers from increasingly sophisticated scams.

“Banks have been well on notice about the risks of scams for some time,” Court said. “They have now been given a clear message to have adequate controls and ensure their interactions with scam victims help—not hinder.”

The regulator described the judgment as one of the first globally to directly address a bank’s obligations in protecting customers from scams, calling the penalty the strongest warning yet to the industry.

Following ASIC’s investigation, HSBC launched a remediation program for affected customers. The bank has so far paid approximately $14 million (AUD $21.5 million) in compensation and expects to make additional payments before the end of July 2026. HSBC has also recovered approximately $4.2 million (AUD $6.5 million) and returned those funds to customers.

ASIC initiated civil penalty proceedings against HSBC in December 2024. The regulator said the case forms part of its ongoing enforcement focus on systemic compliance failures at large financial institutions that result in widespread consumer harm.

The proceedings relate to transactions classified as “unauthorized transactions” under the ePayments Code, which is administered by ASIC. HSBC has established a remediation process to compensate customers who were not liable for scam losses under the Code, including reimbursement for lost earnings resulting from delays in accessing funds.
