HSBC Risks AU$35 Million Court Penalty Over 1,000 Scam Complaints

Australia’s corporate watchdog is taking HSBC to Federal Court, pushing for a AU$35 million fine over what it says was a prolonged failure to protect customers from impersonation scams. The joint penalty proposal from ASIC and HSBC is still waiting on a judge’s sign-off — and that judge has already questioned whether the number is big enough.

HSBC knew about the problem years before it did anything meaningful. The bank spotted impersonation scams as early as May 2021 but didn’t put adequate controls over internal transfers in place until after May 2024. That’s a three-year window where the bank basically watched the threat grow and didn’t act. Between May 2023 and May 2024 alone, reports of unauthorized transactions jumped 380%. Zoom out further — from January 2020 to August 2024 — and more than 1,000 unauthorized transaction reports piled up, covering AU$34.6 million in losses. And it wasn’t just the missing controls. HSBC’s scam investigations dragged on for an average of 144 days, and customers who lost account access after being scammed got little to no support getting back in.

Not really a minor oversight.

Real People, Real Losses

ASIC’s court filings put names — or at least faces — to the damage. A 51-year-old dental technician. A 25-year-old architectural assistant. A Victorian couple. A 41-year-old father. Each of them lost somewhere between AU$47,000 and AU$50,000. These weren’t abstract figures on a spreadsheet. Several victims had to borrow money to cover the gap. Others faced serious financial stress that probably didn’t go away quickly.

HSBC has since launched a remediation program. The bank compensated AU$21.5 million to affected customers and recovered AU$6.5 million on their behalf. That’s meaningful — but it’s also a response that came after the losses happened, not before.

The gap between what was lost (AU$34.6 million) and what’s been compensated and recovered (roughly AU$28 million combined) is still pretty significant. And none of that money gives back the time and stress those customers went through.

ASIC’s Wider Push Against Bank Misconduct

HSBC’s case sits inside a much larger regulatory sweep. ASIC pulled in AU$349.8 million in civil penalties in the second half of 2025 alone. ANZ took a AU$250 million hit for systemic failures. Cbus faced AU$23.5 million in fines tied to problems with death benefit processing. RAMS Financial Group and NAB were also caught up in ASIC’s enforcement push during that stretch.

Related: GAO Pushes FDIC to Fix Blockchain Oversight Before Cracks Widen

And ASIC Chair Sarah Court has been direct about what the HSBC case means beyond Australia. She’s framed it as a global precedent — a signal to banks everywhere that they carry a duty to protect customers from scams, not just a duty to process transactions. Per Court, the case is meant to put that responsibility front and center for the international banking sector.

It’s worth noting this is ASIC’s first court action specifically alleging a bank failed to protect customers from scams. First of its kind. That alone makes the Federal Court’s final decision significant, whatever number the judge lands on.

The AU$35 million figure is still pending court approval. A judge has already flagged concerns about whether it’s sufficient — so there’s a real chance the final penalty comes in higher. Unclear yet exactly when the court will rule.

HSBC’s Troubles Aren’t Limited to Australia

HSBC was dealing with regulators on the other side of the world at the same time. In the UK in 2024, the Prudential Regulation Authority handed the bank a £57.4 million fine for failures around safeguarding customer deposits. The Financial Conduct Authority added another £6.28 million penalty on top of that, tied to how HSBC handled customers going through financial difficulty. Combined, that’s over £63 million in UK fines in a single year.

So HSBC’s regulatory headaches aren’t a one-country story. The bank’s facing scrutiny across multiple jurisdictions for what looks like a pattern — slow responses, gaps in controls, customers left to absorb losses that better systems might have prevented.

Related: Wise Payments Hit with £33 Million Fine Over Russian Sanctions Failures

Back in Australia, ASIC has also been busy outside the courtroom. By mid-2025, the regulator had taken down 6,900 investment scam and phishing websites. That’s a lot of ground-level fraud prevention running parallel to the big-ticket court cases.

The broader picture is banks operating in an environment where regulators are clearly done being patient. ASIC’s AU$349.8 million in penalties from just six months of 2025 isn’t a fluke — it’s a posture. And HSBC’s case, as the first of its kind for scam-related failures, is probably the one other banks are watching most closely right now.

The dental technician lost AU$47,000 to AU$50,000. So did the architectural assistant. So did the father. The bank knew impersonation scams were a problem in 2021.