HSBC hit with “first of its kind” multimillion-dollar fine

Australian regulators have ordered a A$35 million penalty after mortgage borrower, others lose life savings

HSBC has been ordered to pay a A$35 million (£18.5 million) penalty after admitting it failed to protect customers from scammers - including a couple who had A$48,000 stolen from their home loan account and a dental technician who lost almost every penny of her savings.

The settlement between the bank and the Australian Securities and Investments Commission (ASIC), approved by Federal Court judge Elizabeth Bennett in Sydney on Thursday, marks one of the first times a financial institution anywhere in the world has been held legally accountable for its failures in scam prevention rather than simply for losses incurred.

"I consider the contraventions to be serious, and that the agreed penalty is within the range of what is appropriate," Bennett said on approving the agreement.

What HSBC admitted

The bank's admissions are detailed and damaging. HSBC acknowledged that between May 2023 and May 2024 it failed to maintain adequate controls on its internal transfer system, leaving customers exposed to a materially elevated risk of unauthorised payments. More troublingly, it admitted it had been aware of scammers impersonating HSBC staff since May 2021 - meaning the bank sat on that knowledge for two years before controls were improved.

During that period, reports of unauthorised transactions surged 380% in 2023 and 2024, driven overwhelmingly by impersonation scams in which criminals contacted customers by text or phone, purporting to be from HSBC, and extracted account credentials. ASIC's investigation found that between January 2020 and August 2024 the bank received more than 1,000 reports of unauthorised transactions with a total value of A$34.6 million - roughly £18.2 million. Nearly half of that, approximately A$16 million, was lost in just six months between October 2023 and March 2024.

When customers did report being scammed, the bank's response was, by its own admission, inadequate. HSBC acknowledged that investigations took an average of 144 days to complete - against a 21-day target under the Australian ePayments Code - and that it had insufficient systems to help customers regain access to accounts that had been locked after they reported fraud. In 749 cases, the bank failed to meet even the extended 45-day deadline for completing investigations.

The human cost

ASIC's chair Sarah Court set out the human consequences of those failures in terms that a mortgage intermediary audience will understand viscerally.

Among those affected was a couple in their fifties who had A$48,000 taken directly from their home loan account. A 51-year-old dental technician lost A$47,000 - almost her entire savings. A 25-year-old architectural assistant lost A$50,000. A 41-year-old lost the same amount. In each case, ASIC said the harm was compounded not just by the initial loss but by the bank's failure to respond adequately once customers reported what had happened.

Court said affected customers reported "distress, guilt and panic" after being scammed. Some had to borrow money from friends or family. Some took on extra work to keep up with loan repayments. Some were locked out of their own accounts after reporting the fraud - meaning the bank's response to being told a customer had been victimised was, in some cases, to make that customer's situation materially worse.

ASIC's barrister Paul Liondas KC told the Federal Court: "Customer A said it felt like no one at HSBC Australia could help her. She had to repeatedly visit branches and call for updates. She said she felt extremely frustrated and stressed by the experience. Customer B said he felt hopeless and powerless throughout what he considered to be a prolonged investigation process."

"One of the first of its kind globally"

ASIC was explicit about the significance of the case. Court described it as "one of the first of its kind globally" - a landmark in holding banks to account not merely for the existence of fraud but for the adequacy of their systems to prevent it, detect it, and respond to it when customers report it.

"Banks have been well on notice about the risks of scams for some time," Court said. "They have now been given a clear message to have adequate controls and ensure their interactions with scam victims help - not hinder."

HSBC has paid approximately A$21.5 million (£11.3 million) in compensation to affected customers and recovered A$6.5 million of stolen funds, which have been returned. Further payments are expected before the end of July 2026.

In a statement, the bank said: "We apologise to our customers who were impacted by these events. We are pleased to have reached an agreement to resolve the proceedings with ASIC, which recognises our customer redress programme and the significant enhancements made to our fraud and scam prevention, detection and response."

A pattern of regulatory failures

The Australian settlement is the latest in a sequence of significant regulatory actions against HSBC across multiple jurisdictions. The Bank of England fined HSBC £57.4 million in January 2024 for failing to protect customers' deposits. The FCA fined HSBC £6.28 million in May 2024 for failures in the treatment of customers who were in arrears or experiencing financial difficulty - including taking disproportionate action against mortgage borrowers who had fallen behind on payments. Before that, the FCA handed the bank a £63.9 million fine for weaknesses in its anti-money laundering controls.

Earlier this year, HSBC disclosed a $400 million fraud-related exposure in its UK private credit business, linked to a secondary securitisation involving an unidentified private equity sponsor, which weighed on its first-quarter 2026 results.

The scale of HSBC's investment in cybersecurity has been acknowledged by its own UK chief executive. Ian Stuart told a House of Commons Treasury Committee hearing last year that cybersecurity had become HSBC UK's largest single operational cost, with spending in the hundreds of millions. "We are being attacked all the time," he said. "The amount of money that banks, all of us, will be spending on our systems is enormous today - and it has to be."

Why UK mortgage intermediaries should pay attention

The Australian case concerns HSBC's local subsidiary and Australian regulatory obligations. It does not directly bind HSBC UK or create new obligations for UK mortgage brokers. But the underlying failure it exposes - a bank aware of a growing fraud threat for years before taking adequate action, and then responding badly when customers reported losses - is not a uniquely Australian problem.

In the UK, bank impersonation scams of the kind described in the ASIC case are well-documented. The FCA has previously warned about clone firms operating under HSBC branding, and HSBC UK has issued its own alerts about impersonation scams targeting customers via phone and text. Mortgage borrowers are a particularly attractive target for scammers: they are asset-holders with known bank relationships, often managing multiple financial products simultaneously, and in some cases under financial stress.

The broader principle the Australian case establishes - that a bank has a positive obligation to have adequate systems in place to prevent, detect and respond to scam losses, not merely to process complaints after the fact - is one that the UK regulatory framework, particularly under the Consumer Duty, is pushing in the same direction. The FCA's Consumer Duty requires firms to deliver good outcomes for retail customers, including at the point where something goes wrong.

For intermediaries, the case is a reminder that clients who manage their mortgage account with a high street bank are not insulated from fraud risk by virtue of dealing with a recognised name - and that when fraud occurs, the bank's response can be as damaging as the fraud itself.