The Federal Court has ordered HSBC Bank Australia Limited (HSBC) to pay a $35 million penalty after the bank admitted to serious failures in protecting customers from scams.
Following a hearing earlier today in Melbourne, her Honour Justice Bennett ordered HSBC to pay a $35 million penalty and to publish adverse publicity orders on its website, its app and in letters to impacted customers.
The case is one of the first of its kind globally and reinforces the core responsibility of banks to protect their customers from scams.
ASIC Chair Sarah Court said, 'Today's outcome is one of the first of its kind globally and the $35 million penalty ordered against HSBC is the strongest scam wake-up call yet to the banking industry.
'Banks have been well on notice about the risks of scams for some time. They have now been given a clear message to have adequate controls and ensure their interactions with scam victims help - not hinder.'
In her reasons, her Honour Justice Bennett considered HSBC's contraventions to be serious, and that the agreed penalty is within the range of what is appropriate.
Her Honour also found that HSBC had implemented scam controls on some of its payment systems but did not implement the key controls on the IAT (internal) payment rail, where the majority of customer losses occurred.
HSBC admitted to failures in relation to the ePayments Code because it took too long to investigate customer scam reports - 144 days on average - and it did not apply rules in the Code for determining when customers or the bank should bear the losses from scams. HSBC also admitted that it did not have adequate systems in place to help customers get back into their banking after they had been scammed.
Her Honour held that HSBC's failures in respect of the ePayments code were widespread and systemic.
HSBC has admitted some impacted customers found the process of dealing with HSBC stressful and frustrating and her Honour held that those feelings were worsened by the failure to comply with the timeline set out in the ePayments code.
Following ASIC's investigation, HSBC has established a large-scale remediation program that, to date, has paid around $21.5 million in compensation, with further payments to come before the end of July 2026. HSBC has also recovered $6.5 million and returned those funds to customers.
ASIC has an enduring enforcement priority targeted at systemic compliance failures by large financial institutions which result in widespread consumer harm.
Background
ASIC issued a media release on 18 June 2026 outlining HSBC's admissions, the Statements of Agreed Facts and Admissions, and the penalty sought (26-126MR).
The matter was heard in the Federal Court today.
ASIC commenced civil penalty proceedings against HSBC Bank Australia Limited on 13 December 2024.
ASIC's proceedings concern payments which are 'unauthorised transactions' as defined in the ePayments Code, which is administered by ASIC.
Further information related to ASIC's role administrating the ePayments Code is available.
HSBC has established a remediation program to assess affected customers and compensate those who were not liable for losses under the ePayments Code, including for lost earnings as a result of delays in accessing funds. Further information for affected customers is available from HSBC: https://www.hsbc.com.au/help/important-notices/
