HSBC's Australian unit has admitted to serious failures in protecting customers from scams and faces a proposed penalty of A$35 million (US$24.6 million), which the bank and Australia's corporate regulator are jointly asking the Federal Court to approve. Announced by the Australian Securities and Investments Commission on 18 June 2026, the case is one of the first of its kind globally to target a bank's handling of scam risk, and it adds a further regulatory burden for the FTSE 100 parent, HSBC Holdings.
The admissions point to systemic weaknesses in the unit's defences. ASIC found that HSBC Australia failed to maintain adequate controls over its internal transfer systems between May 2023 and May 2024, exposing customers to a heightened risk of unauthorised transactions, and that the bank had been aware since at least May 2021 of a growing threat from impersonation scams in which fraudsters posed as HSBC representatives. The regulator also found the bank breached its financial-services licence obligations through major delays in handling cases, taking an average of 144 days to investigate customer reports of suspected scams, with inadequate systems to help customers regain access to their accounts.
The figures behind the action underline the customer harm involved. ASIC's case covers roughly 950 scam incidents between January 2020 and August 2024, resulting in about A$23 million in losses, including A$16 million in just six months from October 2023 to March 2024. The regulator characterised the failings as widespread and systemic, noting the absence of key fraud controls such as behavioural biometrics and real-time monitoring until mid-2024. Sarah Court, ASIC's chair, framed the case as a clear message that protecting customers from scams is a core responsibility of banks. HSBC, which has apologised to affected customers and says it has already paid refunds and compensation, said the agreement recognises its customer-redress programme and the significant enhancements it has made to its fraud and scam prevention, detection and response.
The action carries weight beyond a single market because of what it establishes about regulatory expectations. Treating scam-protection failures as a licence-breach matter, rather than leaving losses to be resolved between customer and bank, marks a step toward holding institutions directly accountable for fraud prevention — a principle UK readers will recognise from the mandatory authorised push payment reimbursement regime introduced by the Payment Systems Regulator. The read-across for any retail bank is that fraud controls, investigation timelines and customer-redress processes are moving firmly into the regulated, enforceable sphere.
The broader context is a global tightening of scrutiny around financial crime and consumer protection, with regulators increasingly willing to penalise the adequacy of a bank's systems rather than only individual misconduct. For HSBC, the proposed penalty is modest against group earnings — the bank reported pretax profit of $9.4 billion in the first quarter of 2026 — but it lands as the latest in a run of regulatory matters, following a cum-cum tax-trading scandal in France earlier in the year. The reputational cost of being named in an early, precedent-setting scam case may outweigh the financial one.
The penalty still requires Federal Court approval, so the final outcome and any additional orders remain to be confirmed. The case is likely to inform how regulators in other jurisdictions frame their own scam-liability expectations, and banks operating across multiple markets now confront a clear direction of travel toward enforceable standards on fraud prevention and timely redress. Whether the A$35 million figure is approved as proposed or adjusted by the court, the precedent it sets — that a bank's scam-risk management is itself a supervised obligation — is the more consequential development for the sector.