Powered by
MOMENTUM
MEDIA
The Federal Court has accepted a $35 million penalty to HSBC for its failure to protect customers from scammers, but it did not escape Justice Elizabeth Bennett’s notice that there was no direct evidence as to how much, and for how long, senior management were aware.
The Australian Securities and Investments Commission (ASIC) and HSBC Bank Australia together submitted that a $35 million penalty would be sufficient to penalise the major financial institution for its failure to protect customers from threat actors or scammers.
Two months before the hearing was due to begin, HSBC admitted to a failure between May 2023 and May 2024 to have adequate controls on its internal account transfer (IAT) rail, which operates only when an account holder transfers funds quickly to another HSBC account.
In Thursday’s (18 June) hearing, ASIC’s counsel Paul Liondas KC explained the money could be transferred on this rail to a “mule account” – opened under a false name – to allow the threat actor to then transfer the money to an offshore account.
Two other fast payment rails were given key controls in May 2023.
Justice Elizabeth Bennett questioned why the IAT rail was not given the same controls at that time, but was told there was no “direct explanation”, other than that IAT operated as an internal rail only.
“I’m left with a pretty irresistible inference they could have but didn’t,” Justice Bennett said during Liondas’ submissions.
The breaches were made more significant by the fact that 5 per cent, or more than 450,000 transactions, took place on the IAT rail during the May 2023 to May 2024 contravention period.
HSBC also admitted to being aware from May 2021 of the growing risk of impersonation scams, and had reports that unauthorised transactions surged about 30 per cent in 2023 and 2024.
It then breached its financial services licence obligations due to major delays and had inadequate systems to inform customers how to regain access to their accounts after scam blocks were initiated.
Justice Bennett questioned why there was no direct evidence as to the seniority of the people who knew about the breaches, where the knowledge level stopped, or of the duration they were aware.
She said she was concerned about the penalty being sufficient “in circumstances where I need to be sure that HSBC is specifically deterred and other banks are generally deterred”.
The senior justice also mentioned there had been no apology in the written submissions, and only “bland assertions” that senior management were “aware of various things”.
“People’s hair should be on fire if they were aware they were in breach of their obligations,” Justice Bennett said.
“I am left with nothing but a bland statement, [and] that does cause me concern. I need to be satisfied the penalty does the job.”
Kane Loxley KC, counsel for HSBC, opened his submissions by stating HSBC does “seriously apologise” to impacted customers.
He added it was the approach of both ASIC and HSBC to refer to the knowledge of senior management in a “rolled up way” and requested that, should any findings be made in that respect, his client be given the time to provide the court with further information.
Referring to the statement of claim, Loxley drew Her Honour’s attention to submissions that referred to the knowledge of people who were “principally in operational roles, specifically in the fraud team”. While he accepted that those people were senior, it was not alleged that senior executives or the board of HSBC “turned a blind eye”.
Justice Bennett accepted these submissions.
On penalty, Loxley did not try to dissuade the court from considering the time HSBC spent defending the litigation, but explained it began cooperating only after ASIC’s particular allegations were narrowed.
Loxley said the cooperation should be considered “on a spectrum”, particularly given HSBC voluntarily produced documents to ASIC and provided staff members to assist in its investigation.
In addition to the $35 million penalty, HSBC has paid about $21.5 million in compensation, with further payments to come. HSBC has also recovered $6.5 million and returned this to customers.
In a statement shortly before the hearing, ASIC chair Sarah Court said she was pleased with the compensation, particularly for those customers “who were left waiting months for answers, and delays in investigating and resolving their reports made the harm worse”.
Some of the customers who reported being scammed included a 51-year-old dental technician who lost $47,000; a 25-year-old part-time architectural assistant who lost his life savings of $50,000; a couple in their 50s who lost $48,000; and a father who lost $50,000.
The dental technician said the scam took a “severe emotional toll” and meant she and her daughter were required to undertake additional shifts at work to make up for the lost funds, while the father reported feeling “shame” for losing his family’s money.
On the urging of Justice Bennett to read out the other two victim statements, Liondas shared feelings of “guilt” and being “embarrassed”; and concerns that one impacted customer was unable to pay off the interest that had been accruing on her home loan as a result.
“HSBC’s alleged failures left customers more vulnerable to scams, tens of millions of dollars out of pocket and waiting months to find out what had happened to their money,” the court said.
“Individual customers lost tens of thousands of dollars, which, for some, were their life savings, causing them real stress and uncertainty.”
