HSBC sets out fraud response after $35m penalty

By Julian Barnes
16 July 2026
Share this article
HSBC sets out fraud response after $35m penalty

HSBC has revealed the steps it is taking to strengthen its fraud controls and compensate affected customers after being hit with a $35 million fraud penalty.

On 18 June, the Federal Court found that HSBC Australia failed to maintain adequate controls to prevent unauthorised transactions, took too long to investigate scam reports, and had inadequate systems to assist customers whose accounts had been locked following a scam.

It’s alleged that HSBC’s inadequacies led to customers collectively losing tens of millions of dollars.

In addition to paying the financial penalty, HSBC said it is “undertaking a comprehensive remediation program for affected customers, with eligible customers having been, or set to be, compensated for their losses, including lost investment earnings”.

 
 

The bank has already paid around $21.5 million, with further payments expected before the end of July 2026. The bank has also recovered and returned a further $6.5 million to affected customers.

HSBC said it has also taken steps to enhance its capabilities for responding to fraud, including:

  • Enhancements to its fraud detection and prevention capabilities, including through the integration of new technology.
  • Improvements to processes for investigating and responding to reports of unauthorised transactions in accordance with the ePayments Code.
  • Improvements to the process by which customers are able to get back to banking following an account restriction or block.

What happened?

The case against HSBC stems from more than 1,000 reports of unauthorised transactions received by the bank between January 2020 and August 2024, with a total transaction value of $34.6 million.

It was alleged that some customers who were scammed lost their life savings.

md discover

ASIC commenced civil penalty proceedings against HSBC in December 2024, alleging the bank failed to adequately protect customers from scams and breached its financial services licence obligations.

As part of the resolution, HSBC admitted:

  • Between May 2023 and May 2024, it failed to maintain adequate controls on its internal transfer system, exposing customers to a greater risk of unauthorised payments.
  • It was aware from May 2021 of the growing risk of impersonation scams, where scammers posed as HSBC representatives.
  • Reports of unauthorised transactions surged by approximately 380 per cent in 2023 and 2024, largely driven by impersonation scams.
  • Customers were exposed to greater financial and non-financial harm as a result of those failures.
  • It breached its financial services licence obligations due to major delays in investigating scam reports, which took an average of 144 days to finalise.
  • It had inadequate systems in place to help customers regain access to accounts that had been locked after a scam was reported.

In her reasoning, Justice Bennett considered HSBC’s contraventions to be serious and found the agreed penalty was within the appropriate range.

The court also found HSBC had implemented scam controls on some of its payment systems, but failed to implement key controls on its internal transfer payment rail, where the majority of customer losses occurred.

Justice Bennett further held that HSBC’s failures in relation to the ePayments Code were widespread and systemic.

Following the ruling, ASIC chair Sarah Court said: “Today’s outcome is one of the first of its kind globally and the $35 million penalty ordered against HSBC is the strongest scam wake-up call yet to the banking industry.

“Banks have been well on notice about the risks of scams for some time. They have now been given a clear message to have adequate controls and ensure their interactions with scam victims help – not hinder.”

[Related: HSBC faces $35m penalty after admitting scam failures]

Broker DailyWant to see more stories from trusted news sources?
Make Broker Daily a preferred news source on Google.

Tags: