ASIC brings civil penalty proceedings against HSBC Australia alleging failures to adequately protect customers from scams
ASIC will hold AFSL and ACL holders to account for failing to adequately protect customers from scams and to assist them once the scam has occurred.
In the first case of its kind in Australia, ASIC alleges systemic failings by HSBC Bank Australia Limited to implement adequate controls to detect and prevent scams and to properly respond to customers on their reporting to the bank that they had been scammed. ASIC says that HSBC Australia has contravened the efficiently, honestly and fairly obligations in section 912A(1)(a) of the Corporations Act 2001 (Cth) and section 47(1)(a) of the National Consumer Credit Protection Act 2009 (Cth). Clayton Utz is acting for ASIC.
In its media release, ASIC said:
"Between January 2020 and August 2024, HSBC received approximately 950 reports of unauthorised transactions, resulting in customer losses of about $23 million. Almost $16 million of this occurred in the six months from October 2023 to March 2024."
ASIC Deputy Chair Sarah Court said, "We allege HSBC Australia's failings were widespread and systemic, and the bank failed to protect its customers". In the concise statement filed to commence the proceedings, ASIC noted that:
- Customers were exposed to the risk of third parties, through forgery or account compromise, obtaining access to their online or mobile banking and making payments from the customers' loan or deposit accounts without the customer's authority (Unauthorised Payments). The risk of Unauthorised Payments occurring was evident from external fraud activity that posed a risk to customers, which was reported internally within the bank; and
- Materially before January 2023, HSBC Australia was aware of the risk of Unauthorised Payments. The functionality to make real-time or near real-time payments to third parties, including from May 2023, increased the risk.
In these circumstances, ASIC points to three failings by HSBC Australia in particular.
Failure to have adequate controls for the detection and prevention of Unauthorised Payments
ASIC alleges that HSBC Australia failed to have adequate controls for the prevention and detection of Unauthorised Payments made by third parties from accounts held by customers within its Wealth and Personal Banking business. Specifically, it did not have:
- Digital behavioural biometrics (to analyse biometric behaviours of transaction processes to distinguish between normal, criminal and non-human use);
- Digital fraud device identification capabilities for transactions (to assess device data, and digital identity from browser activity and digital footprint and true location through an IP address to define patterns of trusted user behaviour);
- Transaction interception capabilities to identify and block suspicious activities; and
- Adequate or sufficient rules to detect potentially fraudulent activity.
Investigating and responding to unauthorised transaction reports
ASIC also says that HSBC Australia failed to have in place adequate systems and processes to prevent widespread non-compliance with its obligations under the 2016 and 2022 ePayments Code (which were incorporated as contractual terms with its customers), under which it was required to investigate reports of unauthorised transactions and respond to customers within prescribed timeframes and by providing prescribed information. As a subscriber to the Code, HSBC Australia was required to (amongst other things):
- Within 21 days of receiving a report of an unauthorised transaction, (a) complete the investigation and advise the user in writing of the outcome, or (b) advise the user in writing of the need for more time to complete its investigation; and
- Unless there were exceptional circumstances, inform the customer in writing of the outcome of the report and the reasons for it within 45 days of receiving the report.
ASIC alleges that between January 2020 and 31 August 2024, HSBC Australia received 950 reports of unauthorised transactions and failed to comply with the prescribed timeframes for 78% of them (743 reports).
Delay in reinstating blocked customers' bank accounts
ASIC also alleges that HSBC Australia failed to have in place adequate systems and processes to ensure that customers who had their access to banking services restricted or blocked following a report of a suspected unauthorised transaction were allowed to get "back to banking" promptly or in a reasonable timeframe. It says that between 1 January 2020 and 31 August 2020, HSBC Australia applied restrictions to customers' accounts or blocked their access to online or mobile banking following a report of an unauthorised transaction. For 90% of these 872 customers, it took HSBC Australia more than 21 days to either advise them of the process to reinstate full use and access of their accounts or to reinstate full use and access.
Legal contraventions
By the conduct described above, ASIC says that HSBC Australia failed to do all things necessary to ensure that:
- The financial services covered by its Australian financial services licence (AFSL) were provided efficiently, honestly and fairly, in contravention of its obligations under section 912A(1)(a) of the Corporations Act; and
- The credit activities authorised by its credit licence (ACL) were engaged in efficiently, honestly and fairly, in contravention of its obligations under section 47(1)(a) of the Credit Act.
Key takeaways
On 7 November 2024, the Scams Prevention Framework Bill 2024 was introduced to Parliament. Under the new legislation, banks, telecommunication providers and social media companies will face new obligations to take positive steps to protect their customers from scams. AFSL and ACL holders would be wise, nonetheless, to get their houses in order prior to the implementation of that legislation. ASIC's commencement of the proceeding against HSBC Australia makes clear that:
- There will be no amnesty for failures to adequately protect and deal with customers who are victims of scams, even where there are not yet specific legal obligations in respect of scams; and
- ASIC will hold AFSL and ACL holders to account for customer losses even where they did not receive a corresponding benefit for the customer's loss.