FEDERAL COURT OF AUSTRALIA
Australian Securities and Investments Commission v HSBC Bank Australia Limited [2026] FCA 847
File number(s): | VID 1368 of 2024 |
Judgment of: | BENNETT J |
Date of judgment: | 18 June 2026 |
Date of publication of reasons: | 30 June 2026 |
Catchwords: | CORPORATIONS LAW – where financial services licensee and credit licensee contravened s 912A(1)(a) and (5A) of the Corporations Act 2001 (Cth) and s 47(1)(a) and (4) of the National Consumer Credit Protection Act 2009 (Cth) (Credit Act) by failing to have adequate prevention and detection controls to manage the risk that customers are exposed to, of falling victim to unauthorised payments via HSBC’s internal account transfer payment rail – where financial services licensee and credit licensee contravened s 912A(1)(a) and (5A) of the Corporations Act and s 47(1)(a) and (4) of the Credit Act by failing to have adequate systems and processes in place to ensure that widespread and/or systemic non-compliance with requirements of the ePayments Code relating to investigating and responding to unauthorised transactions did not occur – where financial services licensee and credit licensee contravened s 912A(1)(a) and (5A) of the Corporations Act and s 47(1)(a) and (4) of the Credit Act by failing to have an adequate system or process to ensure that customers were advised of the process to reinstate full access or use of their accounts within a reasonable time after account restrictions had been applied following a report of an unauthorised transaction – where the parties proceeded by way of a Statement of Agreed Facts and Admissions – where the Defendant admitted to contraventions over a period of almost five years – where the parties jointly proposed declarations and pecuniary penalties totalling $35,000,000 – agreed declaration made and agreed penalty imposed |
Legislation: | Corporations Act 2001 (Cth); Federal Court of Australia Act 1976 (Cth); National Consumer Credit Protection Act 2009 (Cth) |
Cases cited: | Australian Building and Construction Commissioner v Construction, Forestry, Mining and Energy Union [2018] HCA 3; 262 CLR 157
Australian Building and Construction Commissioner v Pattinson [2022] HCA 13; 274 CLR 450
Australian Competition and Consumer Commission v Woolworths Ltd [2016] FCA 44
Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liq) (No 3) [2020] FCA 208; 275 FCR 57
Australian Securities and Investments Commission v AMP Financial Planning Pty Ltd [2020] FCA 69; 377 ALR 55
Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd [2023] FCA 256
Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd (No 3) [2020] FCA 1421
Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd (Retail Cases Omnibus) [2025] FCA 1593; 176 ACSR 377
Australian Securities and Investments Commission v AustralianSuper Pty Ltd [2025] FCA 102; 172 ACSR 615
Australian Securities and Investments Commission v Camelot Derivatives Pty Ltd (in liq); Re Camelot Derivatives Pty Ltd (in liq) [2012] FCA 414; 88 ACSR 206
Australian Securities and Investments Commission v Commonwealth Bank of Australia [2020] FCA 790
Australian Securities and Investments Commission v Commonwealth Bank of Australia [2022] FCA 1422
Australian Securities and Investments Commission v Diversa Trustees Ltd [2023] FCA 1267
Australian Securities and Investments Commission v Macquarie Bank Ltd [2024] FCA 416
Australian Securities and Investments Commission v MLC Nominees Pty Ltd [2020] FCA 1306; 147 ACSR 266
Australian Securities and Investments Commission v National Australia Bank [2025] FCA 947
Australian Securities and Investments Commission v Telstra Super Pty Ltd [2026] FCA 527
Australian Securities and Investments Commission v Westpac Banking Corporation (No 2) [2018] FCA 751; 266 FCR 147
Australian Securities and Investments Commission v Westpac Banking Corporation [2026] FCA 651
Australian Securities and Investments Commission v Westpac Securities Administration Limited, in the matter of Westpac Securities Administration Limited [2021] FCA 1008; 156 ACSR 614
Commonwealth of Australia v Director, Fair Work Building Industry Inspectorate and Ors [2015] HCA 46; 258 CLR 482
Construction, Forestry, Mining and Energy Union v Cahill [2010] FCAFC 39; 269 ALR 1
Hili v The Queen [2010] HCA 45; 242 CLR 520
Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs v AAM17 [2021] HCA 6; 272 CLR 329
Trade Practices Commission v CSR Ltd [1990] FCA 521; [1991] ATPR ¶41-076 |
Division: | General Division |
Registry: | Victoria |
National Practice Area: | Commercial and Corporations |
Sub-area: | Economic Regulator, Competition and Access |
Number of paragraphs: | 118 |
Date of last submission/s: | 18 June 2026 |
Date of hearing: | 18 June 2026 |
Counsel for the Plaintiff: | P G Liondas KC, F Shand, P Annabell and L Hamzi |
Solicitors for the Plaintiff: | Clayton Utz |
Counsel for the Defendant: | K Loxley KC and A Chowdhury |
Solicitors for the Defendant: | MinterEllison |
ORDERS
VID 1368 of 2024
BETWEEN: | AUSTRALIAN SECURITIES AND INVESTMENTS COMMISSION (Plaintiff) |
AND: | HSBC BANK AUSTRALIA LIMITED ACN 006 434 162 (Defendant) |
order made by: | BENNETT J |
DATE OF ORDER: | 18 JUNE 2026 |
THE COURT NOTES THAT:
A. In this Order, the following definitions apply:
(a) 2016 ePayments Code means the ePayments Code effective 1 July 2012 and amended 29 March 2016.
(b) 2022 ePayments Code means the ePayments Code effective 2 June 2022, with a transitional period requiring subscribers to comply with its provisions by 2 June 2023.
(c) Account Restrictions means the application by HSBC Australia of certain restrictions to some or all accounts after a Customer lodged a report of an unauthorised transaction.
(d) ACL means HSBC Australia’s Australian Credit Licence Number 232595.
(e) AFSL means HSBC Australia’s Australian Financial Services Licence Number 232595.
(f) ASIC means the plaintiff, the Australian Securities and Investments Commission.
(g) Corporations Act means the Corporations Act 2001 (Cth).
(h) Credit Act means the National Consumer Credit Protection Act 2009 (Cth).
(i) Customers means account holders in HSBC Australia’s Wealth and Personal Banking business.
(j) Deposit Accounts means deposit accounts, including an Everyday Savings account (re-branded from a Serious Saver account around about November 2021), Bonus Saving Account (rebranded from a Flexi Savings Account in November 2021), Everyday Global Account, Day to Day Account, Children’s Premier Saver account, Premier Cash Management Account and Term Deposits.
(k) Digital Access means Mobile Banking and Online Banking.
(l) Digital Blocks means the placing by HSBC Australia of certain blocks on some or all facilities available to a Customer including through Online Banking and/or Mobile Banking after a Customer lodged a report of an unauthorised transaction.
(m) ePayments Code means the 2016 ePayments Code and the 2022 ePayments Code.
(n) Fraud Rules means rules contained in HSBC Australia's transaction monitoring platform known as the SAS enterprise fraud management (or SAS EFM) system.
(o) HSBC Australia means the defendant, HSBC Bank Australia Limited (ACN 006 434 162).
(p) IAT payment rail means HSBC Australia’s internal account transfer payment rail for transactions between HSBC Australia bank accounts using HSBC’s HUB core banking system.
(q) Loan Accounts means secured lending products, including a Variable Home Loan, Home Value Loan, Fixed Home Loan, Home Smart Loan, and Home Equity Loan; and unsecured lending products, including a Personal Loan and credit card products.
(r) Mobile Banking means banking through a mobile banking platform which could be accessed by a HSBC-branded application on a mobile device.
(s) Online Banking means banking through an internet browser-based banking platform.
(t) a report of an unauthorised transaction means:
(i) a ‘complaint about an unauthorised transaction’ within the meaning of the 2016 ePayments Code; and
(ii) a ‘report of an unauthorised transaction’ within the meaning of the 2022 ePayments Code.
(u) UAR Customers means each of the Customers who lodged a report of an unauthorised transaction with HSBC Australia listed in Annexure B to these orders.
(v) Unauthorised Payments means third-parties, through forgery or account compromise (including by social engineering) obtaining Digital Access to a Customer’s Deposit Accounts or Loan Accounts; and making payments from the Customer’s Deposit Accounts or Loan Accounts (or both) without the Customer’s authority.
THE COURT DECLARES THAT:
1. In the period 29 May 2023 to 29 May 2024, in failing to have adequate prevention and detection controls to manage the risk that Customers were exposed to, of falling victim to Unauthorised Payments, to a reasonable standard, by reason of:
(a) in respect of Online Banking:
(i) in the period 29 May 2023 to 13 December 2023, failing to implement real-time interception capabilities in respect of the transactions made on the IAT payment rail; and
(ii) in the period 29 May 2023 to 13 December 2023, failing to create Fraud Rules which used information of a kind provided by BioCatch and ThreatMetrix to enhance HSBC Australia’s ability to detect and reduce the risk that Customers were exposed to of falling victim to, Unauthorised Payments using the IAT payment rail; and
(b) in respect of Mobile Banking:
(i) in the period 29 May 2023 to 29 May 2024, failing to implement real-time interception capabilities in respect of the transactions made on the IAT payment rail; and
(ii) in the period 29 May 2023 to 13 March 2024, failing to create Fraud Rules which used information of a kind provided by BioCatch and ThreatMetrix to enhance HSBC Australia’s ability to detect and reduce the risk that Customers were exposed to of falling victim to, Unauthorised Payments using the IAT payment rail,
HSBC Australia failed to do all things necessary to ensure that:
(c) the financial services covered by its AFSL (being the provision of the Deposit Accounts) were provided efficiently, honestly and fairly, in contravention of ss 912A(1)(a) and (5A) of the Corporations Act; and
(d) the credit activities covered by its ACL (being the provision of the Loan Accounts) were engaged in efficiently, honestly and fairly, in contravention of ss 47(1)(a) and (4) of the Credit Act.
2. By each of the following failures:
(a) between January 2020 and August 2023, failing to have adequate systems and processes to ensure that widespread and/or systemic non-compliance with the prescribed timeframes in:
(i) clauses 38.4 and 38.5 of the 2016 ePayments Code; and
(ii) clauses 18.1 and 18.2 of the 2022 ePayments Code,
did not occur, or otherwise prevent such non-compliance occurring;
(b) between January 2020 and August 2023, failing to have adequate systems and processes to ensure that there was not widespread and/or systemic failures to:
(i) refer to the Liability Rules contained at clauses 9 to 15 of the ePayments Code in conducting and finalising its investigation into reports of unauthorised transactions;
(ii) adequately consider or apply the Liability Rules in relation to unauthorised transactions; and
(iii) refer to the relevant clauses of the ePayments Code when reporting the outcome of investigations to Customers, as required by clause 38.7 of the 2016 ePayments Code and clause 18.4 of the 2022 ePayments Code; and
(c) between January 2020 and November 2024, failing to have adequate systems and processes to identify, track and report the extent to which HSBC Australia was complying with the requirements in clauses 38.4 and 38.5 of the 2016 ePayments Code and clauses 18.1 and 18.2 of the 2022 ePayments Code,
HSBC Australia failed to do all things necessary to ensure that:
(d) the financial services covered by its AFSL (being the provision of the Deposit Accounts) were provided efficiently, honestly and fairly, in contravention of ss 912A(1)(a) and (5A) of the Corporations Act; and
(e) the credit activities covered by its ACL (being the provision of the Loan Accounts) were engaged in efficiently, honestly and fairly, in contravention of ss 47(1)(a) and (4) of the Credit Act.
3. Between January 2020 and April 2024, in failing to have in place an adequate system or process to ensure that Customers were advised of the process to reinstate full access or use of their accounts, within a reasonable time after Account Restrictions or Digital Blocks had been applied following a report of an unauthorised transaction, having regard to the facts in each case, including the appropriateness of reinstating full access in all the circumstances, HSBC Australia failed to do all things necessary to ensure that:
(a) the financial services covered by its AFSL (being the provision of the Deposit Accounts) were provided efficiently, honestly and fairly, in contravention of ss 912A(1)(a) and (5A) of the Corporations Act; and
(b) the credit activities covered by its ACL (being the provision of the Loan Accounts) were engaged in efficiently, honestly and fairly, in contravention of ss 47(1)(a) and (4) of the Credit Act.
THE COURT ORDERS THAT:
Pecuniary penalty
4. Within 30 days of the date of these orders, HSBC Australia pay to the Commonwealth of Australia a pecuniary penalty of $35 million in respect of HSBC Australia’s contraventions of ss 912A(1)(a) and (5A) of the Corporations Act and ss 47(1)(a) and (4) of the Credit Act the subject of declarations 1 to 3 above, being:
(a) $10 million in respect of the conduct detailed in declaration 1 above;
(b) $22.5 million in respect of the conduct detailed in declaration 2 above; and
(c) $2.5 million in respect of the conduct detailed in declaration 3 above.
Adverse publicity order
5. Pursuant to s 1101B(1)(a)(i) of the Corporations Act and s 182(1) of the Credit Act, HSBC Australia publish, at its own expense, a written adverse publicity notice in the terms set out in Annexure A to these Orders (Written Notice), according to the following procedure:
(a) HSBC Australia will within 30 days of the date of these orders cause the Written Notice to be prominently displayed on its website https://www.hsbc.com.au for a period of no less than 90 days.
(b) HSBC Australia will within 30 days of the date of these orders cause the Written Notice to be prominently displayed on a Customer's landing page of their Mobile Banking application until the earlier of the Customer clicking on or dismissing the notification, or a period of 45 days elapses.
(c) HSBC Australia will within 30 business days of the date of these orders send a copy of the Written Notice to the last known email or postal address of each of the UAR Customers.
Costs
6. HSBC Australia pay ASIC’s costs of and incidental to this proceeding in the sum of $2,300,000 within 30 days of the date of these orders.
Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.
ANNEXURE A
Notice ordered by the Federal Court of Australia
On 18 June 2026, the Federal Court of Australia ordered HSBC Bank Australia Limited (HSBC Australia) to pay penalties totalling $35 million to the Commonwealth in proceedings brought by the Australian Securities and Investments Commission (ASIC) for failures by HSBC Australia relating to its systems, processes and controls to prevent, detect, investigate and respond to unauthorised transactions.
In the proceedings the Court found that HSBC Australia:
a) in the period 29 May 2023 to 29 May 2024, failed to have adequate prevention and detection controls on an internal payment rail for transactions between HSBC Australia bank accounts to manage the risk that mobile and online banking customers were exposed to, of falling victim to, unauthorised payments, to a reasonable standard;
b) in the period January 2020 to August 2023, failed to have adequate systems and processes to ensure there was not widespread and/or systemic non-compliance with the timeframes in the ePayments Code for investigating customer reports of unauthorised transactions and advising customers of the outcome of those investigations;
c) in the period January 2020 to August 2023, failed to have adequate systems and processes to ensure there was not a widespread and/or systemic failure to apply the rules prescribed in the ePayments Code for attributing liability as between the customer and HSBC Australia for losses arising from unauthorised transactions;
d) in the period January 2020 to November 2024, failed to have adequate systems and processes to identify, track and report the extent to which HSBC Australia was complying with the requirements in the ePayments Code described in paragraph (b) above; and
e) in the period January 2020 to April 2024, failed to have adequate systems or processes to ensure customers were advised how to reinstate full access or use of their accounts within a reasonable time after blocks or restrictions being applied following a customer's report of an unauthorised transaction.
HSBC Australia made admissions of contravention in the proceeding and agreed to the financial penalty. HSBC Australia also cooperated with ASIC in the investigation and during the proceeding.
In addition to paying a financial penalty, HSBC Australia is undertaking a comprehensive remediation program for affected customers in which eligible customers have been, or will be, compensated for their loss including for lost investment earnings.
HSBC Australia has taken steps to significantly enhance its capabilities for responding to fraud, including:
a) enhancements to its fraud detection and prevention capabilities, including through the integration of new technology;
b) improvements to processes for investigating and responding to reports of unauthorised transactions in accordance with the ePayments Code; and
c) improvements to the process by which customers are able to get back to banking following an account restriction or block.
For further information, see the following links:
• Federal Court of Australia judgment [link].
• ASIC media release (which includes links to the judgment and the statements of facts and admissions agreed between the parties) [link].
ANNEXURE B
LIST OF UAR CUSTOMERS WHO LODGED A REPORT OF AN UNAUTHORISED TRANSACTION
[The Order entered is available on the Commonwealth Courts Portal, which attaches the List].
REASONS FOR JUDGMENT
(Delivered ex tempore, revised from transcript)
BENNETT J:
1 HSBC Bank Australia Limited (ACN 006 434 162) (HSBC) is a large financial services institution that holds an Australian Financial Services Licence (AFSL) and an Australian Credit Licence (ACL). It is the subsidiary of one of the world’s largest banking groups. Its various licences require, among other things, that HSBC do “all things reasonably necessary” to ensure it provided financial services and credit activities efficiently, honestly and fairly under the Corporations Act 2001 (Cth) (Corporations Act) and National Consumer Credit Protection Act 2009 (Cth) (Credit Act).
2 This case concerns failures by HSBC to meet those standards.
3 ASIC commenced proceedings against HSBC alleging contraventions of s 912A of the Corporations Act and s 47 of the Credit Act. The contraventions are said to have occurred between 1 January 2020 and 30 November 2024 (the Relevant Period).
4 There are three categories of contravention which have been admitted by HSBC.
(1) Failing to have adequate prevention and detection controls to manage the risk that customers are exposed to, of falling victim to unauthorised payments via HSBC’s internal account transfer (IAT) payment rail:
(a) in respect of mobile banking, in the period 29 May 2023 to 29 May 2024 (the FC relevant period); and
(b) in respect of Online Banking, in the period 29 May 2023 to 13 December 2024,
(the Fraud Controls Contraventions).
(2) Failing to have adequate systems and processes in place between January 2020 and August 2023 to ensure that widespread and/or systemic non-compliance with requirements of the ePayments Code relating to investigating and responding to unauthorised transactions did not occur (the ePayments Code Contraventions).
(3) Failing to have in place an adequate system or process between January 2020 and April 2024 to ensure that customers were advised of the process to reinstate full access or use of their accounts within a reasonable time after Account Restrictions or Digital Blocks had been applied, following a report of an unauthorised transaction. These are known as the Back to Banking Contraventions.
5 For the reasons that I have explained in further detail below, I consider the contraventions to be serious and that the agreed penalty is within the range of what is appropriate. I am otherwise satisfied it is appropriate to make the declarations and to impose the penalties that have been jointly proposed by the parties.
RELEVANT FACTUAL BACKGROUND
6 The parties have jointly filed a Statement of Agreed Facts and Admissions as to liability and a Supplementary Statement of Agreed Facts and Admissions as to penalty, the substance of which is summarised below insofar as they are relevant to the contraventions that I am satisfied have been appropriately agreed. The parties have also filed joint submissions, and I am indebted in these reasons to those helpful joint submissions.
7 During the Relevant Period, HSBC offered account holders in its wealth and personal banking business (Customers) various financial products, including:
(1) deposit accounts, including an Everyday Savings account (rebranded from a Serious Saver account around about November 2021), Bonus Saving Account (rebranded from a Flexi Savings Account in November 2021), Everyday Global Account, Day to Day Account, Children’s Premier Saver account, Premier Cash Management Account and Term Deposits (Deposit Accounts);
(2) secured lending products, including a Variable Home Loan, Home Value Loan, Fixed Home Loan, Home Smart Loan, and Home Equity Loan (Secured Lending Products); and
(3) unsecured lending products, including a Personal Loan and credit card products (Unsecured Lending Products, and, together with Secured Lending Products, Lending Products or Loan Accounts).
8 In both the Deposit Accounts and Lending Products, HSBC provided its Customers the functionality to make payments, including to third parties. Customers could do this through online banking on an internet browser banking platform (Online Banking) or through a mobile banking platform that could be accessed by a HSBC-branded application on a mobile device (Mobile Banking and, together, Digital Access).
9 The underlying network or architecture by which a payment from one bank account to another is facilitated is referred to as a “payment rail”. HSBC had a number of different payment rails, including what was referred to as a “fast payment rail”, which had the capacity to transfer a payment to a bank account in near real-time. This resulted in transactions being effected within seconds.
The risk of unauthorised payments
10 It was common ground between the parties that at all times during the period 29 May 2023 to 29 May 2024, Customers of HSBC were exposed through forgery or account compromise to the risk of third parties obtaining Digital Access to Customers’ Deposit Accounts or Loan Accounts or making payments from the Customers’ Deposit Accounts or Loan Accounts without the Customer’s authority (Unauthorised Payments).
11 Generally speaking, these types of fraud involve malicious actors using social engineering to direct, influence, or convince a Customer to perform specific actions, for example revealing sensitive information such as log-in credentials, that are then used by those malicious actors to access the Customer’s account and to make Unauthorised Payments.
12 The parties submit, and I accept, that even with adequate prevention and detection controls in place, the risk of Unauthorised Payments cannot be entirely eliminated.
Elevated risk of Unauthorised Payments on fast payment rails
13 The parties jointly submit that the risk of Unauthorised Payments is elevated when Customers have the ability to transfer a payment from their HSBC bank account to another account in real time or near-real time via fast payment rails.
14 During the period 29 May 2023 to 29 May 2024, the IAT payment rail, for transactions between HSBC bank accounts, was available on Mobile Banking, and for most of that period through Online Banking (although functionality was removed for new payees in the period 14 December 2023 to 1 June 2024).
15 The IAT payment rail accounted for 5.4% of all transactions on Mobile Banking and Online Banking, excluding bill payments, being 452,074 transactions out of a total of 8,296,755 in the period between 1 January 2023 and 31 May 2024, making it the third largest of five payment rails by number of transactions.
16 It is agreed between the parties that prior to 29 May 2023, HSBC, including senior management, was aware that:
(1) there were heightened fraud risks associated with the functionality to send payments through fast payment rails and fast payment rails reduced HSBC’s ability to recover fraudulent payments; and
(2) there were increasing numbers of HSBC accounts being used to facilitate the movement of money obtained through fraudulent transactions.
The obligation to have adequate prevention and detection controls to manage the risk of Unauthorised Payments
17 By reason of HSBC’s obligations as the holder of its AFSL and ACL during the FC Relevant Period, HSBC was required to have adequate detective and/or preventative fraud controls in place to manage the risk to Customers of Unauthorised Payments, including through fast payment rails.
18 The parties accept that to adequately manage the risk of Unauthorised Payments through fast payment rails, it was necessary for HSBC to implement what are described as “Key Controls” on those fast payment rails (including the IAT payment rail). The Key Controls which HSBC accepts it was required to implement to effectively implement fraud transaction monitoring included:
(1) adequate Fraud Rules (being rules contained in HSBC’s enterprise fraud management system) which were sufficiently supported by appropriate inputs and data, including information provided by behavioural biometrics and device-based identification technology, which could adequately detect potential Unauthorised Payments, including those made as a result of sophisticated social engineering tactics and typologies; and
(2) real-time interception capabilities for the Fraud Rules for fast payment rails.
19 Behavioural biometrics are a detective technology which monitors whether patterns of use of a device are consistent with those previously detected for the Customer, such as mouse activity, keystroke and touchscreen behaviours. A technology of this kind will build a profile for each user and look for behavioural, device and activity anomalies in the current banking session compared to previous sessions.
20 Device-based identification is detective technology which confirms whether the digital identity used for Digital Access (including the device details and location) matches the details that are known for the Customer. Key data points are evaluated against Customer-established profiles or digital identities, and trend information to provide a risk assessment. It can also detect if an account is being accessed by multiple devices at the same time, or if an account is being accessed from multiple locations at the same time. The relevance of these protections is obvious.
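The two Key Controls described in paragraphs 18 to 20 are a set of Fraud Rules fed by behavioural-biometric and device-identification signals, and real-time interception so that a rule can hold a fast-rail payment before it settles. The following is an added illustration written for this page; it is not the Court's text, nor HSBC's, BioCatch's or ThreatMetrix's code. The profile fields, the rule weights, the thresholds and every transaction value are constructed for the example; a production system would derive the baseline from many prior sessions rather than a single stored mean.

```python
"""
Constructed example of a real-time interception check on an internal account
transfer (IAT).  The transfer is scored against a per-customer profile built
from previous sessions before it is released to the payment rail.
Signals are grouped the way paragraphs 19-20 describe them:
  - behavioural biometrics: is this session's typing cadence consistent with
    the customer's own history?
  - device-based identification: is the device, location and number of
    concurrent sessions consistent with what is known for the customer?
All names, weights and values are assumptions made for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class CustomerProfile:
    customer_id: str
    known_devices: set           # device fingerprints seen in prior sessions
    usual_countries: set         # countries the customer normally banks from
    mean_keystroke_ms: float     # baseline inter-keystroke interval (ms)
    known_payees: set            # accounts the customer has paid before
    recent_daily_max: float      # largest transfer seen in recent sessions


@dataclass
class Session:
    device_id: str
    country: str
    keystroke_ms: float          # inter-keystroke interval observed this session
    concurrent_logins: int       # sessions active on the account right now


@dataclass
class Transfer:
    payee_account: str
    amount: float
    rail: str                    # "IAT" for the internal fast rail


@dataclass
class Decision:
    action: str                  # "ALLOW", "STEP_UP" (re-authenticate) or "HOLD"
    score: int
    reasons: list = field(default_factory=list)


def score_transfer(profile: CustomerProfile, session: Session, transfer: Transfer) -> Decision:
    """Apply the constructed Fraud Rules and decide before the payment settles."""
    score, reasons = 0, []

    # Device-based identification signals (assumed weights)
    if session.device_id not in profile.known_devices:
        score += 30; reasons.append("unrecognised device")
    if session.country not in profile.usual_countries:
        score += 20; reasons.append("unusual country")
    if session.concurrent_logins > 1:
        score += 25; reasons.append("multiple concurrent sessions")

    # Behavioural biometrics: cadence more than 2x faster or slower than baseline
    if profile.mean_keystroke_ms > 0:
        ratio = session.keystroke_ms / profile.mean_keystroke_ms
        if ratio < 0.5 or ratio > 2.0:
            score += 20; reasons.append("keystroke cadence anomaly")

    # Payment attributes that matter most on a fast rail, where recovery is hard
    if transfer.rail == "IAT":
        if transfer.payee_account not in profile.known_payees:
            score += 15; reasons.append("new payee on fast rail")
        if transfer.amount > 2 * profile.recent_daily_max:
            score += 15; reasons.append("amount above recent pattern")

    # Real-time interception: the decision is returned before release to the rail
    if score >= 60:
        action = "HOLD"          # park for fraud-team review, notify customer
    elif score >= 30:
        action = "STEP_UP"       # require out-of-band confirmation
    else:
        action = "ALLOW"
    return Decision(action, score, reasons)


# Constructed profile and three constructed sessions for a quick demonstration
PROFILE = CustomerProfile("cust-001", {"dev-A"}, {"AU"}, 120.0, {"acct-1"}, 500.0)

if __name__ == "__main__":
    for label, s, t in [
        ("routine", Session("dev-A", "AU", 125.0, 1), Transfer("acct-1", 200.0, "IAT")),
        ("new payee", Session("dev-A", "AU", 130.0, 1), Transfer("acct-9", 1500.0, "IAT")),
        ("takeover", Session("dev-Z", "NG", 40.0, 2), Transfer("acct-9", 5000.0, "IAT")),
    ]:
        d = score_transfer(PROFILE, s, t)
        print(f"{label:10s} {d.action:8s} score={d.score:3d} {d.reasons}")
```

The point of the ordering is that the behavioural and device signals are evaluated in the same call that releases the payment; a rule set that only runs in a nightly batch gives the detection but not the interception that paragraph 18(2) requires.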
21 Despite implementing some of the Key Controls on some of the payment rails during the Relevant Period, HSBC did not implement the key controls on the IAT payment rail until the end of the FC relevant period.
22 The parties join in submitting, and I accept, that the Key Controls would have increased protection for Customers when used in conjunction with HSBC’s existing controls to manage the risk of Unauthorised Payments on the IAT payment rail. Thus, in the absence of those Key Controls, Customers were at greater risk of suffering both financial loss and non-financial harm from Unauthorised Payments. Some Customers did suffer those harms.
23 Prior to 29 May 2023, HSBC, including senior management, was aware that:
(1) prior to 2020, there had been a lack of investment in fraud controls and modernisation of fraud controls was required to address evolving and emerging fraud risks and to more efficiently prevent and detect fraud. A book of work had been established to introduce new technology capabilities, enhance existing systems and refresh current models by the end of 2021 / early 2022; and
(2) there were gaps in HSBC’s controls to detect and prevent Unauthorised Payments on the IAT payment rail, which could be addressed by one or more of the Key Controls.
24 Importantly, HSBC had identified the Key Controls were available and would have enhanced its ability to manage the risk of Unauthorised Payments.
HSBC failed to implement the Key Controls
25 HSBC implemented the Key Controls on some payment rails during the FC relevant period. However, it did not implement any of them on the IAT payment rail on the Mobile Banking and Online Banking platforms.
26 In addition, HSBC failed to implement real-time interception capabilities on the IAT payment rail for payments made through Mobile Banking and Online Banking until May 2024 (although the functionality to make payments to new payees on the IAT payment rail through online banking was decommissioned in December 2023).
27 Further, HSBC failed to implement adequate Fraud Rules that were able to use the information obtained from the Key Controls on the IAT payment rail until:
(1) 14 March 2024 on Mobile Banking; and
(2) 24 May 2024 on Online Banking (although Customers could not make payments to new payees until 1 June 2024).
28 As a result of HSBC’s conduct, Customers who used Online Banking in the period 29 May 2023 to 13 December 2023, or Mobile Banking in the period 29 May 2023 to 29 May 2024, were exposed to an increased risk of Unauthorised Payments in circumstances where the fast IAT payment rail was used for transactions between two HSBC accounts, and that posed a higher risk of fraud.
HSBC’s response to investigating and responding to reports of unauthorised transactions according to the ePayments Code
29 The ePayments Code regulates electronic payments. ASIC is responsible for the administration of the ePayments Code, and it complements other regulatory requirements under the Corporations Act and the Credit Act. HSBC subscribed to the ePayments Code on 18 March 2023, and its subscription commenced on 20 March 2023.
30 As a subscriber, HSBC was required during the Relevant Period to comply with the ePayments Code’s rules, including with respect to unauthorised transactions and reports of unauthorised transactions. It was also required to warrant that it would comply with the ePayments Code in the terms and conditions that it gave to each of its Customers and account holders.
31 HSBC warranted to its Customers that it would comply with the ePayments Code by referring to it in its Personal Banking Booklet (Booklet) that was issued to Customers and formed part of its agreement with Customers in respect of Deposit Accounts and Lending Products.
32 Clause 2.6 of the 2022 ePayments Code defined “unauthorised transaction” as:
a transaction that is not authorised by a user. It does not include any transaction that is performed by a user themselves or by anyone who performs a transaction with the knowledge and consent of a user.
33 At all times during the Relevant Period, the ePayments Code contained rules for the allocation of liability for losses arising from unauthorised transactions (Liability Rules).
34 Under the ePayments Code, HSBC was required to have an effective and convenient process for users to report unauthorised transactions. Whether an unauthorised transaction was in fact such a transaction for the purposes of the ePayments Code was only able to be determined after HSBC had completed its investigation into the report in accordance with the ePayments Code.
35 Under the 2022 ePayments Code (and the predecessor 2016 ePayments Code), following the receipt of a report of an unauthorised transaction, HSBC was required:
(1) within 21 days to:
(a) complete the investigation of the report of an unauthorised transaction (Investigation) and advise the user in writing of the outcome (Investigation Outcome); or
(b) advise the user in writing of the need for more time to complete its Investigation (Extra Time Request);
(2) within 45 days, to complete its Investigation unless there are exceptional circumstances; and
(3) to tell a user who reports an unauthorised transaction the Investigation Outcome and the reasons for the Investigation Outcome, including references to the relevant Liability Rules.
36 HSBC was also required to consider and apply the relevant Liability Rules in conducting an Investigation of a report of an unauthorised transaction made by its Customers.
37 By reason of HSBC’s obligations as the holder of its AFSL and ACL, and the obligations arising under s 912A of the Corporations Act and s 47(1) of the Credit Act, HSBC was required during the Relevant Period to have adequate systems and processes to:
(1) ensure that widespread and/or systemic non-compliance with prescribed timeframes in the ePayments Code did not occur, or otherwise prevent such non-compliance from occurring;
(2) to ensure that there was not a widespread and/or systemic failure to adequately consider, apply or refer to the Liability Rules in conducting and finalising investigations and reporting outcomes; and
(3) to identify, track and report the extent to which HSBC was complying with the above requirements in the ePayments Code.
38 It was incumbent on HSBC to do each of these things in order to ensure that it did “all things reasonably necessary” to ensure it provided financial services and credit activities efficiently, honestly and fairly under the Corporations Act and Credit Act.
HSBC’s conduct in investigating and responding to reports of unauthorised transactions
39 During the Relevant Period, HSBC received reports from Customers, including reports of unauthorised transactions (UARs) for the purposes of the ePayments Code.
40 HSBC’s internal systems and processes did not refer to or have regard to the timeframes or processes referred to in the ePayments Code, or attempt to apply the Liability Rules set out in the ePayments Code for the allocation of liability for losses arising from unauthorised transactions.
41 HSBC’s internal guidelines for investigating reported unauthorised transactions generally exceeded the timeframes required by the ePayments Code. It follows that during the Relevant Period until August 2024, a significant portion of the investigations of UARs undertaken by HSBC did not comply with the timeframes in the ePayments Code or the Booklet. Accordingly, during the Relevant Period until August 2023, HSBC did not:
(1) refer to the Liability Rules in conducting and finalising its investigations of UARs;
(2) consistently consider or apply the Liability Rules in relation to UARs; or
(3) refer to relevant clauses in the ePayments Code, including the Liability Rules, in reporting on the outcome of its investigation of UARs to Customers.
42 These are important timeframes for people who have been subject to scam events and who are trying to understand what will happen to them and to their funds. The evidence of various example Customers was provided in the Supplementary Statement of Agreed Facts, and that was to the effect that they found the process to be stressful and shameful. Those feelings can only have been exemplified and exacerbated by the failure to comply with the timelines set out in the ePayments Code. The Supplementary Statement of Agreed Facts, as it concerns those example Customers, is found at Annexure 1 to these reasons.
HSBC’s failure to have adequate systems and processes to track compliance with ePayments Code requirements
43 From March 2021 until January 2024, HSBC’s financial crime major investigations (FCMI) team reported the number of “open payment fraud”, “account takeover” and “scam” cases under investigation, which included reports of unauthorised transactions to HSBC’s Wealth and Personal Banking Fraud Steering Committee. The reports were made by reference to the number of cases which had been open and under investigation for zero to 89, 90 to 180 and over 180 days. They did not refer to the investigation timeframes of 21 and 45 days required by the ePayments Code. No explanation for this failure was proffered.
44 The fraud investigation management (FIM) team also periodically reported the volume of received, open and completed “scam” and “payment and cheque” cases it managed (which included reports of unauthorised transactions as well as other fraud typologies) to the Wealth and Personal Banking Fraud Steering Committee (and to the Risk Ops and Compliance meetings between around May and September 2023).
45 It was not until November 2024 that the FIM team implemented a process of tracking and reporting HSBC’s compliance with the time-frame requirements in the ePayments Code. This process involved a weekly reconciliation of communications to Customers who had reported an unauthorised transaction.
46 Prior to November 2024 (i.e. in the course of the Relevant Period), HSBC did not have in place systems or processes to track and report the extent to which HSBC was complying with the timeframe requirements in the ePayments Code.
HSBC’s failures to comply with the ePayments Code
47 Between 8 January 2020 and 30 August 2024, HSBC received 1,022 unauthorised transaction reports.
48 It failed to comply with the timeframe requirements in the ePayments Code in a significant proportion of the investigation of those UARs.
49 In each instance that HSBC did not comply with the ePayments Code timeframe requirements, it breached the Booklet terms.
50 Of the 1,022 reports of unauthorised transactions received by HSBC during the Relevant Period:
(1) for 749 unauthorised transactions (being 73% of the total), HSBC took more than 21 days to advise the UAR Customer of the Investigation Outcome or the Extra Time Request;
(2) for 888 unauthorised transactions (being 87% of the total), HSBC took more than 45 days to complete its Investigation, where there were no exceptional circumstances;
(3) for 862 unauthorised transactions, HSBC produced the Investigation Outcome relating to those UARs to ASIC. There were 160 unauthorised transactions for which HSBC could not locate, and therefore did not provide, the investigation reports to ASIC. In 439 (51%) of the investigation reports produced to ASIC, HSBC did not refer to the Liability Rules. HSBC did not refer to the relevant clauses of the ePayments Code, including the Liability Rules, in any investigation reports before August 2023;
(4) for 800 unauthorised transactions, HSBC produced the Investigation Outcomes relating to those UARs to ASIC. There were 222 UARs for which HSBC could not locate, and therefore did not provide, Investigation Outcomes to ASIC. In 242 (30%) of the Investigation Outcomes which were provided to ASIC, HSBC did not refer to relevant clauses of the ePayments Code, including the Liability Rules. HSBC did not refer to the relevant clauses of the ePayments Code, including the Liability Rules, in any Investigation Outcomes before August 2023; and
(5) for 997 UARs (97%), HSBC did not comply with one or more of the obligations to which I have referred in subparagraphs (1) to (4) above.
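The timeframe rules at [35], the reporting gap at [43]-[46] (open cases reported in 0 to 89, 90 to 180 and over 180 day buckets, which cannot show whether the 21-day and 45-day requirements were met) and the compliance statistics at [50] can be expressed as a small checking routine. The following is an added example and is not HSBC’s or ASIC’s code; the record fields, the `as_of` reporting date and the five sample cases are constructed for illustration. It assesses each report of an unauthorised transaction against the 21-day written-advice rule, the 45-day completion rule (unless exceptional circumstances apply) and the requirement to refer to the Liability Rules in the outcome, produces the kind of proportions set out at [50], and shows that the legacy age-bucket view places a case that has already breached the 21-day rule in the innocuous-looking 0 to 89 day bucket.

```python
"""Compliance checks for unauthorised transaction reports (UARs) against the
ePayments Code timeframes described at [35]. Added example, not the bank's or
the regulator's code; field names and sample records are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INITIAL_RESPONSE_DAYS = 21   # written Investigation Outcome or Extra Time Request
COMPLETION_DAYS = 45         # Investigation complete, absent exceptional circumstances


@dataclass
class UAR:
    case_id: str
    reported: date
    first_written_advice: Optional[date]      # date the Outcome or Extra Time Request was sent
    completed: Optional[date]                 # date the Investigation was completed
    exceptional: bool = False                 # exceptional circumstances for exceeding 45 days
    refers_to_liability_rules: bool = False   # Outcome cites the relevant Liability Rules


def assess(uar: UAR, as_of: date) -> Dict[str, object]:
    """Evaluate one UAR as at `as_of`; open cases are judged on their current age."""
    age = (as_of - uar.reported).days
    # 21-day rule: some written advice must reach the customer within 21 days.
    if uar.first_written_advice is None:
        late_21 = age > INITIAL_RESPONSE_DAYS
    else:
        late_21 = (uar.first_written_advice - uar.reported).days > INITIAL_RESPONSE_DAYS
    # 45-day rule: investigation complete within 45 days unless exceptional circumstances.
    if uar.exceptional:
        late_45 = False
    elif uar.completed is None:
        late_45 = age > COMPLETION_DAYS
    else:
        late_45 = (uar.completed - uar.reported).days > COMPLETION_DAYS
    # A completed Outcome that does not refer to the Liability Rules is a breach in itself.
    no_rules = uar.completed is not None and not uar.refers_to_liability_rules
    return {"case_id": uar.case_id, "late_21": late_21, "late_45": late_45,
            "no_liability_rules": no_rules,
            "any_breach": late_21 or late_45 or no_rules}


def summarise(uars: List[UAR], as_of: date) -> Dict[str, int]:
    """Counts and rounded percentages in the form used at [50]."""
    rows = [assess(u, as_of) for u in uars]
    total = len(rows)
    out = {"total": total}
    for key in ("late_21", "late_45", "no_liability_rules", "any_breach"):
        count = sum(1 for r in rows if r[key])
        out[key] = count
        out[key + "_pct"] = round(100 * count / total) if total else 0
    return out


def age_buckets(uars: List[UAR], as_of: date) -> Dict[str, int]:
    """Legacy-style view of open cases by age, as described at [43]. It has no
    21-day or 45-day boundary, so breaches of those rules are invisible here."""
    buckets = {"0-89": 0, "90-180": 0, "180+": 0}
    for u in uars:
        if u.completed is not None:
            continue
        age = (as_of - u.reported).days
        if age <= 89:
            buckets["0-89"] += 1
        elif age <= 180:
            buckets["90-180"] += 1
        else:
            buckets["180+"] += 1
    return buckets


# Constructed sample: reporting date and five cases chosen to exercise each rule.
AS_OF = date(2024, 3, 1)
SAMPLE = [
    UAR("C1", date(2024, 1, 5), date(2024, 1, 20), date(2024, 2, 10), refers_to_liability_rules=True),  # compliant
    UAR("C2", date(2024, 1, 5), date(2024, 2, 5), date(2024, 2, 20), refers_to_liability_rules=True),   # 31 and 46 days: late on both
    UAR("C3", date(2024, 1, 20), None, None),                                   # open 41 days, no advice: 21-day breach, sits in 0-89 bucket
    UAR("C4", date(2023, 10, 1), date(2023, 10, 15), None, exceptional=True),  # open 152 days, extra time claimed: no timeframe breach
    UAR("C5", date(2024, 1, 2), date(2024, 1, 10), date(2024, 2, 1)),          # timely, but Outcome omits the Liability Rules
]

if __name__ == "__main__":
    for row in (assess(u, AS_OF) for u in SAMPLE):
        print(row)
    print("summary:", summarise(SAMPLE, AS_OF))
    print("legacy age buckets:", age_buckets(SAMPLE, AS_OF))
```

Run as a script it prints the per-case assessment, the summary and the age-bucket view. The point of `age_buckets` is the contrast: case C3 has already breached the 21-day rule, yet the bucket report counts it alongside fully compliant open cases, which is why a tracking process must be keyed to the Code’s own deadlines rather than to generic case age.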
HSBC’s conduct in the Back to Banking Contraventions
51 At all times during the Relevant Period, after a Customer made a report of an unauthorised transaction, HSBC would review the nature of the reported unauthorised transaction and, where it considered it necessary, apply certain restrictions to some or all accounts (Account Restrictions). Those Account Restrictions put in place certain blocks on some or all facilities available to Customers, including through Online Banking and/or Mobile Banking (Digital Block) or applied a combination of both measures. This could include:
(1) suspending access to one or more payment channels; or
(2) restricting transactions on one or more accounts.
52 While an investigation of an unauthorised payment was underway, HSBC’s usual practice was for certain Account Restrictions or Digital Blocks to remain in place. HSBC adopted this practice to protect the Customer accounts the subject of the reported unauthorised transaction.
53 At all times during the Relevant Period until April 2024, HSBC did not have in place an adequate system or process for advising Customers of the process to reinstate full access or use of their accounts within a reasonable time having regard to the facts in each case, including the appropriateness of reinstating full access in all the circumstances.
54 From no later than December 2023, HSBC, including senior management, was aware that HSBC’s systems and processes for advising Customers of the process to reinstate access or use of their accounts were inadequate and that this could adversely impact Customers who were the subject of Account Restrictions or Digital Blocks. During the Relevant Period, 585 Customers had some form of Account Restriction or Digital Block applied to one or more payment channels after making an unauthorised transaction report to prevent further unauthorised transactions.
55 The date on which an account was restricted or blocked, and the date access was restored, varied widely between Customers.
HSBC’S OBLIGATIONS UNDER THE CORPORATIONS ACT AND THE CREDIT ACT
56 At all material times, as the holder of an AFSL, HSBC was required, under s 912A(1)(a) of the Corporations Act, to “do all things necessary to ensure that the financial services covered by the [AFSL] are provided efficiently, honestly and fairly”. A similar obligation arose pursuant to section 47(1)(a) of the Credit Act, which required HSBC to “do all things necessary to ensure that the credit activities authorised by the [ACL] are engaged in efficiently, honestly and fairly”.
Relevant principles
57 In Australian Securities and Investments Commission v Camelot Derivatives Pty Ltd (in liq); Re Camelot Derivatives Pty Ltd (in liq) [2012] FCA 414; 88 ACSR 206, Foster J at [69]-[70] accepted the following principles on the interpretation of s 912A(1)(a):
(1) The words “efficiently, honestly and fairly” must be read as a compendious indication meaning a person who goes about their duties efficiently having regard to the dictates of honesty and fairness, honestly having regard to the dictates of efficiency and fairness, and fairly having regard to the dictates of efficiency and honesty.
(2) The words “efficiently, honestly and fairly” connote a requirement of competence in providing advice and in complying with relevant statutory obligations. They also connote an element not just of even handedness in dealing with clients but a less readily defined concept of sound ethical values and judgment in matters relevant to a client’s affairs.
(3) The word “efficient” refers to a person who performs his [or her] duties efficiently, requiring that the licensee is adequate in performance, produces the desired effect, is capable, competent and adequate. Inefficiency may be established by demonstrating the performance of a licensee’s functions falls short of the reasonable standard of performance that the public is entitled to expect.
58 These principles have subsequently been considered in a range of authorities. The following propositions emerge from a consideration of those authorities:
(1) Section 912A(1)(a) is part of the statute’s legislative policy to require social and commercial norms or standards of behaviours to be adhered to by a licensee (Australian Securities and Investments Commission v Telstra Super Pty Ltd [2026] FCA 527 at [421(a)] (Neskovcin J), citing Australian Securities and Investments Commission v Commonwealth Bank of Australia [2022] FCA 1422 (ASIC v CBA) at [144] (Downes J)).
(2) A contravention of the “efficiently, honestly and fairly” standard does not require a contravention or breach of a separately existing legal duty or obligation, whether statutory, fiduciary, common law or otherwise. The statutory standard itself is the source of the obligation (Australian Securities and Investments Commission v Westpac Banking Corporation (No 2) [2018] FCA 751; 266 FCR 147 at [2350] (Beach J); Australian Securities and Investments Commission v AGM Markets Pty Ltd (in liq) (No 3) [2020] FCA 208; 275 FCR 57 (ASIC v AGM) at [512] (Beach J); Australian Securities and Investments Commission v Macquarie Bank Ltd [2024] FCA 416 at [49] (Wigney J)).
(3) It is not necessary to establish dishonesty in the criminal sense. The word “honestly” may comprehend conduct which is not criminal, but which is morally wrong in a commercial sense (ASIC v AGM at [509] (Beach J)).
(4) It is not necessary to rely on any proof or finding of intent. Rather, it is determined by reference to objective circumstances. Therefore, a finding of contravention of s 912A(1)(a) and/or s 47(1)(a) can be made even though it is not shown that the contravener engaged in intentional wrongdoing (Australian Securities and Investments Commission v MLC Nominees Pty Ltd [2020] FCA 1306; 147 ACSR 266 at [51] (Yates J), in the context of s 912A of the Corporations Act).
(5) The word “ensure” imports a forward-looking element into the obligation (ASIC v CBA at [146] (Downes J)). It is directed to the taking of steps to achieve compliance with certain statutory norms (including the relevant best interests obligations) before any particular instance of non-compliance has arisen (Australian Securities and Investments Commission v AMP Financial Planning Pty Ltd [2020] FCA 69; 377 ALR 55 at [105] (Lee J)).
(6) The obligation is primarily directed to the systems and procedures of licensees by which their standard of conduct in the provision of their services are assured (Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd (Retail Cases Omnibus) [2025] FCA 1593; 176 ACSR 377 (ASIC v ANZ) at [29] (Beach J)).
(7) Establishing that a licensee has contravened s 912A(1)(a) requires the identification of the “things” that it was necessary for the licensee to do, but which it omitted to do. Contraventions arise from the failure to do those distinct “things” to ensure that the financial services or credit activities are provided efficiently, honestly and fairly (Australian Securities and Investments Commission v AustralianSuper Pty Ltd [2025] FCA 102; 172 ACSR 615 at [144] (Hespe J)).
(8) Licensees are required to look ahead to how they will be providing the financial services in question, assess what issues may arise that could result in those services not being provided efficiently, honestly and fairly, and design and adopt measures to address the risk of those matters occurring and (depending on the context) their consequences (Australian Securities and Investments Commission v Diversa Trustees Ltd [2023] FCA 1267 (ASIC v Diversa) at [152] (Button J)).
(9) The obligation is, however, not static. A licensee cannot establish a procedure at the outset, and hold doggedly to it, no matter the flaws that experience may reveal (ASIC v Diversa at [152] (Button J)).
(10) The obligation imposed by s 912A and s 47(1)(a) does not require standards of absolute perfection whereby any possibility of error or mistake is eliminated. Rather, it is a reasonable standard of performance (ASIC v Diversa at [149] (Button J)).
59 To the extent that different views have been expressed as to whether “efficiently, honestly and fairly” is a compendious expression, it is unnecessary to resolve that issue for present purposes. Whether the phrase is to be construed compendiously or not does not affect whether HSBC in this instance contravened the relevant provisions.
CONTRAVENING CONDUCT
60 I turn now to consider the conduct that the parties submit contravened the provisions at issue. In doing so, I proceed on the basis that multiple contraventions may be treated as one or more “courses of conduct” where there is an interrelationship between the legal and factual elements of each offence (Construction, Forestry, Mining and Energy Union v Cahill [2010] FCAFC 39; 269 ALR 1 at [39] (Middleton and Gordon JJ)). Whether separate contraventions should be treated as a course of conduct is a question of fact having regard to the circumstances of the case.
61 The parties submit, and I accept, that there are three courses of conduct that were engaged in by HSBC by which it failed to do all things necessary to ensure that it provided financial services and credit activities efficiently, honestly and fairly as required by ss 912A(1)(a) and 912A(5A) of the Corporations Act and ss 47(1)(a) and 47(4) of the Credit Act. They are:
(1) the Fraud Controls Contraventions, in particular HSBC’s failure to have adequate prevention and detection controls to manage the risk that Customers were exposed to of falling victim to Unauthorised Payments;
(2) HSBC’s failures in respect of the ePayments Code. Although HSBC’s conduct constituted three distinct contraventions, I accept that each of those failures is properly characterised as a single course of conduct, ultimately resulting from HSBC’s failure to have adequate systems and processes to ensure widespread and systemic non-compliance with the requirements of the ePayments Code did not occur; and
(3) HSBC’s failure to have in place an adequate system or process to ensure that Customers were advised of the process to reinstate full access or use of their account within a reasonable time after the Account Restrictions or Digital Blocks had been applied following the report of an unauthorised transaction.
62 There are also then the specific contraventions of the Corporations Act and the Credit Act, which HSBC admits occurred in the period 29 May 2023 to 29 May 2024 insofar as it failed to have adequate prevention and detection controls to manage the risk Customers were exposed to:
(1) in respect of Online Banking:
(a) in the period 29 May 2023 to 13 December 2023, failing to implement real-time interception capabilities in respect of the transactions made on the IAT payment rail; and
(b) in the period 29 May 2023 to 13 December 2023, failing to create Fraud Rules which used information provided or information of a kind provided by BioCatch and ThreatMetrix to enhance HSBC’s ability to detect and reduce the risk that Customers are exposed to of falling victim to Unauthorised Payments using the IAT payment rail; and
(2) in respect of Mobile Banking,
(a) in the period 29 May 2023 to 29 May 2024, failing to implement real-time interception capabilities in respect of the transactions made on the IAT payment rail; and
(b) in the period 29 May 2023 to 13 March 2024, failing to create Fraud Rules which used information provided by systems like BioCatch and ThreatMetrix to enhance HSBC’s ability to detect and reduce the risk that Customers were exposed to of falling victim to Unauthorised Payments using the IAT payment rail.
63 In respect of the ePayments Code, HSBC admits it failed to do all things necessary to ensure that it provided financial services and credit activities efficiently, honestly and fairly insofar as:
(1) between January 2020 and August 2023, it failed to have adequate systems and processes to ensure that widespread or systemic non-compliance with prescribed timeframes in the ePayments Code that I have explained earlier in these reasons did not occur, or otherwise prevent such non-compliance occurring;
(2) between January 2020 and August 2023, it failed to have adequate systems and processes to ensure that there was not a widespread failure to
(a) refer to the Liability Rules in conducting and finalising its investigations or reports of unauthorised transactions;
(b) adequately consider or apply the Liability Rules in relation to unauthorised transactions; and
(c) refer to the relevant clauses of the ePayments Code when reporting the Investigation Outcomes to Customers; and
(3) between January 2020 and November 2024, it failed to have adequate systems and processes to identify, track and report the extent to which HSBC was complying with the requirements of the ePayments Code.
64 In addition, HSBC admits that between January 2020 and April 2024, it failed to have in place adequate systems or processes to ensure that Customers were advised of the process to reinstate full access or use of their accounts within a reasonable timeframe after Account Restrictions or Digital Blocks had been applied following a report of unauthorised transaction, having regard to the facts in each case including the appropriateness of reinstating full access in all the circumstances.
65 These matters, taken together and having regard to HSBC’s admitted conduct, result in:
(1) five contraventions of s 912A(1)(a) and (5A) of the Corporations Act; and
(2) five contraventions of s 47(1)(a) and (4) of the Credit Act,
being a total of 10 contraventions.
THE APPROACH TO AGREED RELIEF
66 The principles surrounding the approach to civil regulatory orders that are sought on an agreed basis are not controversial. They were explained by the High Court in Commonwealth of Australia v Director, Fair Work Building Industry Inspectorate and Ors [2015] HCA 46; 258 CLR 482 (FWBII).
67 The plurality in FWBII at [46] emphasised the “important public policy involved in promoting predictability of outcome in civil penalty proceedings” which “assists in avoiding lengthy and complex litigation and thus tends to free the courts to deal with other matters and free investigating officers to turn to other areas of investigation that await their attention”. Their Honours also said at [58]:
Subject to the court being sufficiently persuaded of the accuracy of the parties’ agreement as to facts and consequences, and that the penalty which the parties propose is an appropriate remedy in the circumstances thus revealed, it is consistent with principle and … highly desirable in practice for the court to accept the parties’ proposal and therefore impose the proposed penalty.
68 In the circumstances of this case, it is clear that various agreed fact documents have been carefully and thoroughly considered and negotiated. They are logical and detailed. The parties are to be commended for the efforts that they have gone to in reaching the proposed resolution of the matter. It involves some relatively complex issues of fact.
DECLARATIONS
69 Section 1317E(1) of the Corporations Act provides (and provided during the Relevant Period) that if the Court is satisfied that a person has contravened a “civil penalty provision”, the Court must make a declaration of contravention. Section 1317E(2) relevantly provides:
(2) The declaration must specify the following:
(a) the Court that made the declaration;
(b) the civil penalty provision that was contravened;
(c) the person who contravened the provision;
(d) the conduct that constituted the contravention;
(e) the corporation or registered scheme to which the conduct related.
70 Similarly, s 166 of the Credit Act relevantly provides (and provided during the Relevant Period):
Declaration of contravention
(2) The court must make the declaration if it is satisfied that the person has contravened the provision.
(3) The declaration must specify the following:
(a) the court that made the declaration;
(b) the civil penalty provision that was contravened;
(c) the person who contravened the provision;
(d) the conduct that constituted the contravention.
Declaration of contravention conclusive evidence
(4) The declaration is conclusive evidence of the matters referred to in subsection (3).
71 The language of ss 1317E and 166(2) is mandatory. The Court is required to make a declaration of contravention if satisfied that a person has contravened a civil penalty provision (Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd [2023] FCA 256 at [41] (O’Bryan J)).
72 On the basis of the agreed facts and reasons that I have set out above, I am satisfied that HSBC has contravened ss 912A(1)(a) and (5A) of the Corporations Act and ss 47(1)(a) and (4) of the Credit Act. It is therefore appropriate and necessary that I make declarations of contravention under each of those Acts, corresponding to the Fraud Controls Contraventions, the ePayments Code Contraventions and the Back to Banking Contraventions.
CIVIL PENALTIES
Applicable principles
73 Section 1317G(1) of the Corporations Act provides that the Court may make an order that a person pay to the Commonwealth a pecuniary penalty if, inter alia, a declaration of contravention of a civil penalty provision by the person has been made under s 1317E. Section 167(2) of the Credit Act is in substantially the same terms.
74 The primary purpose of civil penalties is to secure deterrence, both specific and general. They are “primarily, if not wholly protective in promoting the public interest in compliance” (Australian Building and Construction Commissioner v Pattinson [2022] HCA 13; 274 CLR 450 (Pattinson) at [15] (Kiefel CJ, Gageler, Keane, Gordon, Steward and Gleeson JJ), citing FWBII at [55] (French CJ, Kiefel, Bell, Nettle and Gordon JJ). See also Pattinson at [16], [43], [45], [55]).
75 I am conscious that these are significant contraventions and important matters of public protection. The authorities make clear that a penalty must have the necessary “sting or burden” to secure “the specific and general deterrent effects that are the raison d’être of its imposition” (Australian Building and Construction Commissioner v Construction, Forestry, Mining and Energy Union [2018] HCA 3; 262 CLR 157 at [116] (Keane, Nettle and Gordon JJ)).
76 The French factors, as they are called, are well known and were affirmed by the plurality in Pattinson. They are not a “rigid catalogue of matters for attention”, and the Court’s task remains to determine what is an appropriate penalty in the circumstances of the particular case (Pattinson at [19] (Kiefel CJ, Gageler, Keane, Gordon, Steward and Gleeson JJ)). The factors identified by French J in Trade Practices Commission v CSR Ltd [1990] FCA 521; (1991) ATPR ¶41-076 were as follows (at [42]):
The assessment of a penalty of appropriate deterrent value will have regard to a number of factors which have been canvassed in the cases. These include the following:
1. The nature and extent of the contravening conduct.
2. The amount of loss or damage caused.
3. The circumstances in which the conduct took place.
4. The size of the contravening company.
5. The degree of power it has, as evidenced by its market share and ease of entry into the market.
6. The deliberateness of the contravention and the period over which it extended.
7. Whether the contravention arose out of the conduct of senior management or at a lower level.
8. Whether the company has a corporate culture conducive to compliance with the Act, as evidenced by educational programs and disciplinary or other corrective measures in response to an acknowledged contravention.
9. Whether the company has shown a disposition to co-operate with the authorities responsible for the enforcement of the Act in relation to the contravention.
77 The plurality in Pattinson made clear that the statutory maximum is “but one yardstick that ordinarily must be applied” and should be treated “as one of a number of relevant factors to inform the assessment of a penalty of appropriate deterrent value” (at [53]-[54]). Of course, there should be “some reasonable relationship between the theoretical maximum and the final penalty imposed”, the relationship of reasonableness being established by reference to a need for deterrence having regard to the circumstances of the contravener and the circumstances of the contravention (Pattinson at [10], [53]-[55] (Kiefel CJ, Gageler, Keane, Gordon, Steward and Gleeson JJ)).
78 Further, where multiple separate penalties are to be imposed upon a particular wrongdoer, the totality principle requires the Court to make a “final check” of the penalties to be imposed on a wrongdoer, considered as a whole. It will not necessarily result in a reduction. However, in cases where the Court believes that the cumulative total of penalties to be imposed would be too high, the Court should alter the final penalty to ensure they are just and appropriate.
79 In determining the appropriate penalty, it is relevant to consider steps taken to ameliorate loss or damage, such as payment of compensation, as potentially mitigatory considerations (Australian Competition and Consumer Commission v Woolworths Ltd [2016] FCA 44 at [166]-[167] (Edelman J)).
80 Cooperation with authorities in the course of investigations and subsequent proceedings can properly reduce the penalty that would otherwise be imposed. The reduction reflects the fact that such cooperation increases the likelihood of cooperation in future cases in a way that furthers the object of the legislation, frees up the regulator’s resources, thereby increasing the likelihood that other contraveners will be detected and brought to justice, and facilitates the course of justice.
81 Differences in the facts and circumstances which underlie different cases mean there is often no substantial assistance to be gained in comparing the penalties imposed in other cases where the facts differ. As Beach J explained in Australian Securities and Investments Commission v Commonwealth Bank of Australia [2020] FCA 790:
…it is conceptually problematic to look at penalties in other cases to calibrate a figure in the present case when all that one has from the other cases are single point determinations produced by opaque intuitive synthesis. Deconvolution analysis of the single point determinations in order to work out the causative contribution of any particular factor is unrealistic.
82 Ultimately, the consistency that is sought is “consistency in the application of the relevant legal principles, not some numerical or mathematical equivalence” (Hili v The Queen [2010] HCA 45; 242 CLR 520 at [18] (French CJ, Gummow, Hayne, Crennan, Kiefel and Bell JJ)).
Maximum Penalty
83 Sections 1317G(4) of the Corporations Act and 167B(2) of the Credit Act set out the relevant formula for the calculation of the applicable maximum. At all relevant times, s 1317G(4) of the Corporations Act has provided as follows:
Pecuniary penalty applicable to the contravention of a civil penalty provision—by a body corporate
(4) The pecuniary penalty applicable to the contravention of a civil penalty provision by a body corporate is the greatest of:
(a) 50,000 penalty units; and
(b) if the Court can determine the benefit derived and detriment avoided because of the contravention — that amount multiplied by 3; and
(c) either:
(i) 10% of the annual turnover of the body corporate for the 12-month period ending at the end of the month in which the body corporate contravened, or began to contravene, the civil penalty provision; or
(ii) if the amount worked out under subparagraph (i) is greater than the amount equal to 2.5 million penalty units – 2.5 million penalty units.
84 Similarly, at all relevant times, s 167B(2) of the Credit Act provided as follows:
Pecuniary penalty applicable to the contravention of a civil penalty provision—by a body corporate
(2) The pecuniary penalty applicable to the contravention of a civil penalty provision by a body corporate is the greatest of:
(a) the penalty specified for the civil penalty provision, multiplied by 10; and
(b) if the court can determine the benefit derived and detriment avoided because of the contravention – that amount multiplied by 3; and
(c) either:
(i) 10% of the annual turnover of the body corporate for the 12-month period ending at the end of the month in which the body corporate contravened, or began to contravene, the civil penalty provision; or
(ii) if the amount worked out under subparagraph (i) is greater than an amount equal to 2.5 million penalty units – 2.5 million penalty units.
85 The meaning of “annual turnover” of a body corporate during a 12-month period is defined in s 9 of the Corporations Act and s 5 of the Credit Act. Relevantly, for the purposes of each of those enactments, the definition of “annual turnover” includes the sum of the values of all supplies (as defined) made, or likely to be made, by any body corporate related to the body corporate, subject to the applicable legislative exclusions.
86 During the Relevant Period, the value of a penalty unit was between $210 and $330. Where a single contravention extends over a period of time during which the value of a penalty unit has changed, the maximum penalty may be calculated by reference to the highest penalty unit value during that period. The fact that a lower penalty amount was applicable at some time during the contravention may be a relevant factor to be taken into account when fixing the penalty (ASIC v ANZ at [106] (Beach J)).
87 In respect of HSBC’s contraventions of s 912A of the Corporations Act and s 47 of the Credit Act, the maximum penalty per contravention is as follows:
(1) Fraud Controls Contraventions: $782,500,000;
(2) ePayments Code Contraventions: $111,527,441.30; and
(3) Back to Banking Contraventions: $111,527,441.30.
88 As explained above, the parties submit, and I accept, that there are 10 contraventions which are divided into three courses of conduct, being:
(1) two contraventions which concern the Fraud Controls Contraventions as identified above;
(2) six contraventions (three of each of s 912A(1)(a) of the Corporations Act and s 47 of the Credit Act) that result from HSBC’s failures in respect of the ePayments Code Contraventions that I have identified above; and
(3) two contraventions as a result of HSBC’s failure to have in place an adequate system or process to advise Customers of reinstatement as identified above, being referred to as the Back to Banking Contraventions.
89 In considering whether the proposed penalty of $35 million is appropriate to achieve the objectives of specific and general deterrence, I have had particular regard to the nature of the contravening conduct set out above.
90 In respect of the Fraud Controls Contravention, I consider it particularly relevant that:
(1) HSBC failed to implement the Key Controls in the IAT payment rail for a period of 12 months, despite having implemented the Key Controls in other payment rails, and notwithstanding the awareness of both HSBC and its senior management that fast payment rails posed a heightened fraud risk because they reduced HSBC’s ability to recover fraudulent payments;
(2) the failure affected a reasonably high proportion of Customers transacting through both Online Banking and Mobile Banking; and
(3) Customers were exposed to a greater risk of direct loss as a result of unauthorised transactions using the IAT payment rail.
91 In respect of the ePayments Code Contraventions:
(1) The failures were widespread and systemic, spanning a period of up to 59 months, and affected a significant number of the 1,022 Customers who made UARs between 8 January 2022 and 30 August 2024.
(2) The failure to comply with the time period for response and investigation is a matter that can be of some significance because it goes to the ability to proactively identify potentially systemic risks and allows Customers to have timely feedback as to the outcome of their issue.
(3) The scale of HSBC’s non-compliance was significant and persistent. Prior to November 2024, it did not have in place any systems or processes to track and report the extent to which it was complying with the prescribed requirements in the ePayments Code. Such systems and processes were necessary to ensure HSBC could provide the authorised services under its AFSL and ACL in accordance with the ePayments Code and the Booklet by which it had contracted with Customers.
(4) HSBC, including senior management, was aware, during the Relevant Period, that there was a significant and growing backlog of fraud cases under investigation and, for at least some of the Relevant Period, that HSBC was not complying with certain provisions of the ePayments Code for all Customers.
(5) HSBC’s breaches of the ePayments Code contributed to some of the Customers who made unauthorised transaction reports suffering non-financial harm, including emotional distress and inconvenience, over an extended period. The parties proffered the circumstances of five Customers as an example of the impact of the conduct in these cases, and I have considered their circumstances carefully. They reported experiencing feelings of frustration and stress as a result of HSBC’s conduct. Delays in investigation and failures to apply the Liability Rules also compounded the initial financial harm suffered by some Customers as a result of scams, including loss of interest as a result of the delay.
92 In respect of the Back to Banking Contraventions, HSBC had no adequate systems or processes to advise Customers of the steps available to them to reinstate access to their accounts following the application of Account Restrictions or Digital Blocks for a period of some 52 months. This conduct affected up to 585 Customers who had some form of Account Restriction or Digital Block applied during that period. Importantly, HSBC was aware, during at least some of the Relevant Period, of risks and shortcomings in its systems but failed to address them. The Back to Banking Contraventions contributed to Customers experiencing both financial harm (for example, by being unable to make payments and incurring interest charges or loss of earnings) and other non-financial harm, including inconvenience from having to set up accounts with other banks and redirect payments.
93 I accept that as a result of the contravening conduct, Customers were exposed to a greater risk of suffering both financial loss and non-financial harm from the Unauthorised Payments. Further, some Customers did in fact suffer such harm. There is, of course, an interrelationship between the harm suffered in respect of each contravention, and it cannot be precisely quantified. In part, that is because even if adequate prevention and detection protocols are in place, the risk of Unauthorised Payments cannot be entirely eliminated.
Benefit to HSBC
94 The parties submit, and I accept, that the benefit to HSBC of its contravening conduct cannot be quantified precisely. However, as a matter of logic, it must be the case that HSBC made certain cost savings and delayed capital expenditure as a result of the conduct which formed the basis for the contraventions.
The size and financial position of HSBC and the industry in which it operates
95 During the Relevant Period, HSBC was Australia’s tenth largest retail bank by total resident assets, with a share of total assets of $61.223 billion, representing approximately 1.2% of the Australian banking sector. By cash and deposit, it was Australia’s seventh largest retail bank, with deposits of $4.288 billion.
96 HSBC was and is a wholly owned subsidiary of HSBC Holdings Plc, one of the largest banks in the world by total assets. HSBC Holdings’ profit before tax for FY2025 was approximately $30 billion. The size of the corporate group, of which the contravener forms part, has been found to be relevant to the issue of penalty (Australian Securities and Investments Commission v Westpac Securities Administration Limited, in the matter of Westpac Securities Administration Limited [2021] FCA 1008; 156 ACSR 614 at [80]-[84] (O’Bryan J)).
97 The industry in which HSBC operates is a relevant factor when considering the matter of deterrence and determining the appropriate pecuniary penalty (Australian Securities and Investments Commission v Westpac Banking Corporation [2026] FCA 651 at [118] (McEvoy J)).
98 In Australian Securities and Investments Commission v Australia and New Zealand Banking Group Ltd (No 3) [2020] FCA 1421, Allsop CJ made the following observations in the context of the banking industry at [74]:
The deterrent nature of the penal response is the central, if not the sole, purpose of an object of the penalty. A number of matters need to be stated about that here. The banking industry is large and involves consumer choices. There should be, and is, by the agreed penalty, a strong deterrent as to conduct which risks the rights of consumers and customers, by reference to any approach which risks their interests against the interests of the Bank. The considerations of the contract of adhesion and its administration, to which I have referred, are central in this regard. Put in economic terms, the market efficiency upon which consumer confidence rests, relies on reliability, good faith, fairness and honesty of conduct. It should be made clear to all businesses – here, banks, but all businesses – that the consumer should be dealt with in a way that accords with the Australian business conscience for which Parliament has legislated, and here, banks should be, as the submissions make clear, left in no doubt of the need for proper and strong compliance programs, sufficient to detect and address conduct of the present kind.
99 The obligations to which Allsop CJ referred (being reliability, good faith, fairness and honesty of conduct) are of fundamental importance and underpin the functioning of the Australian economy (Australian Securities and Investments Commission v Westpac Banking Corporation [2026] FCA 651 at [120] (McEvoy J)).
Prior contraventions
100 HSBC has not previously been found to have engaged in any contraventions of a similar nature.
Remediation
101 The remediation of affected Customers is relevant to the assessment of penalty (Australian Securities and Investments Commission v Westpac Securities Administration Limited, in the matter of Westpac Securities Administration Limited [2021] FCA 1008; 156 ACSR 614 at [78] (O’Bryan J)).
102 In August 2025, HSBC commenced implementing a large-scale remediation program (Redress Program). That program involves HSBC reassessing the unauthorised transaction reports of 1,045 Customers who had reported an unauthorised transaction in the period January 2020 to November 2024. The Redress Program was designed to ensure adherence with the ePayments Code and ASIC’s Regulatory Guide 277 so that, if eligible, Customers would receive redress as part of the Redress Program.
103 As at 21 May 2026, HSBC has made payments to Customers totalling $27,915,700.56. Some of the reimbursements referred to above were made to redress Customers after they commenced a complaints process against HSBC using HSBC’s internal complaints process and/or a complaint to the Australian Financial Complaints Authority (AFCA).
104 I note that HSBC has taken steps to significantly enhance its capabilities in responding to fraud. However, given that these are a necessary part of doing business, I accord that little weight.
105 I note that HSBC has also taken further steps in addition to the implementation of the Key Controls on the IAT payment rail.
Cooperation
106 HSBC has cooperated during ASIC’s investigation, including by voluntarily providing information and records to assist with its investigations and making staff members available to meet with ASIC on a voluntary basis, both of which resulted in the investigation being completed expeditiously. However, the joint submissions state there were some issues with the quality of notice responses initially provided by HSBC, some of which took a substantial period of time to rectify.
107 HSBC initially contested the proceedings. After evidence was filed by both parties, HSBC admitted the contraventions that I have referred to above and sought a joint penalty of $35 million. While that degree of cooperation was somewhat late, I accept the submissions jointly put by the parties that it nonetheless provides a saving to the Australian public and is of benefit to the community to reach a cooperative settlement. I also take into account the apology proffered by Mr Loxley, senior counsel for HSBC, on behalf of HSBC for the conduct that HSBC engaged in that was in contravention of the relevant provisions.
Conclusion in respect of the agreed penalty
108 Having regard to the principles and facts I have outlined above, I am satisfied that the total pecuniary penalty in this case is within the appropriate range, broken down as follows:
(1) Fraud Controls Contraventions: $10,000,000;
(2) ePayments Code Contraventions: $22,500,000; and
(3) Back to Banking Contraventions: $2,500,000.
109 In reaching that conclusion, I am satisfied that, for the Fraud Controls Contraventions, the proposed figure of $10 million reflects the seriousness of HSBC’s conduct during a substantial period of time.
110 In relation to the ePayments Code Contraventions, the proposed penalty of $22.5 million reflects that the ePayments Code Contraventions comprised three contraventions under each provision, which extended over a longer period than the Fraud Controls Contraventions (up to 59 months), affected a substantial portion of Customers, and resulted in widespread and systemic failures to comply with the ePayments Code in relation to 97% of reported unauthorised transactions. Those failures compounded the harm already suffered by Customers who had fallen victim to Unauthorised Payments, including the financial impact arising from failure to properly apply the Liability Rules, which resulted in some Customers not being reimbursed until HSBC commenced its Redress Program in August 2025.
111 This group of contraventions attracts the most significant penalty, in part because:
(1) HSBC, including its senior management, was aware, during the Relevant Period, that there was a backlog of fraud investigations, an increasing number under investigation which exceeded the timeframes of the ePayments Code, and that it was not complying with certain provisions of the ePayments Code for all Customers; and
(2) notwithstanding that awareness, the conduct forming the first and second ePayments Code Contraventions continued until about August 2023, and HSBC did not implement adequate systems and processes to identify, track and report its compliance with the ePayments Code, which is the subject of the third ePayments Code Contravention, until November 2024.
112 In that context, the higher penalty on account of the ePayments Code Contraventions provides both a measure of specific deterrence against HSBC repeating the conduct and general deterrence against other ePayments Code subscribers treating their voluntary commitments to the code and their contractual warranties to Customers as anything other than binding obligations to be complied with.
113 The Back to Banking Contraventions attract the smallest proposed penalty, at $2.5 million. Although extending over a period of 52 months, the Back to Banking Contraventions concerned a failure to have an adequate system or process to advise Customers of the process to reinstate access to their accounts. This conduct contributed to some blocked Customers suffering financial and non-financial harm. It was this contravention that led to the payment of funds via the Redress Program.
114 But for the Redress Program and the apology proffered, I might have had further concerns about the size of the penalty in relation to that contravention. Overall, I consider the penalty to be somewhat on the lower side of what is acceptable for conduct of this kind, but it is well within the range of appropriate penalties. Therefore, having regard to the principles concerning agreed penalties and the matters identified by counsel in the course of oral submissions, I consider it appropriate to impose the penalty jointly sought by the parties.
ADVERSE PUBLICITY ORDER
115 Section 182(1) of the Credit Act gives the Court the power to make adverse publicity orders against a person who has contravened a civil penalty provision. Section 1101B(1) of the Corporations Act provides an analogous power. The purpose of the adverse publicity order is both punitive and protective (Australian Securities and Investments Commission v National Australia Bank [2025] FCA 947 at [90] (Neskovcin J)).
116 I have considered the terms of the written notice, which will be annexed to the Court’s orders, and I consider it appropriate to make orders requiring the publication of the adverse publicity notice. In particular, it is appropriate to alert the public, and HSBC’s Customers, to the fact of the contravention.
COSTS
117 The Court has power to award costs pursuant to s 43 of the Federal Court of Australia Act 1976 (Cth). The parties jointly seek an order that HSBC pay ASIC’s costs of the proceeding as agreed. I consider it appropriate to make such orders.
118 These reasons were delivered ex tempore and were revised in accordance with Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs v AAM17 [2021] HCA 6; 272 CLR 329 at [30]-[31] (Steward J, Kiefel CJ, Keane, Gordon and Edelman JJ agreeing).
I certify that the preceding one hundred and eighteen (118) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Bennett.
Associate:
Dated: 30 June 2026
ANNEXURE 1
Relevant extracts from the Supplementary Statement of Agreed Facts (SSAFA) dated 22 May 2026
18. To illustrate the loss and harm suffered by Customers, reference is made to five example Customers of HSBC Australia, who have been de-identified for the purpose of this SSAFA:
18.1 Customer A: Customer A is a 51-year-old Customer based in New South Wales, who worked as a dental technician. Customer A lost approximately $47,000 (representing almost all of her savings at the time) to a scammer masquerading as an HSBC representative in September 2023;
18.2 Customer B: Customer B is a 25-year-old Customer based in New South Wales, who worked as an architectural assistant on a part-time and casual basis while completing his Master’s degree. He lost a total of approximately $50,000 (representing his life savings at the time) to scammers masquerading as representatives of HSBC and Commonwealth Bank in June 2023;
18.3 Customer C: Customer C is a 57-year-old Customer based in Victoria. Customer C is the husband of Customer D. They live together with their two children. Customers C and D lost approximately $48,000, which was transferred out of their home loan account, to a scammer masquerading as an HSBC representative in October 2023;
18.4 Customer D: Customer D is a 56-year-old Customer based in Victoria. Together with Customer C, she lost approximately $48,000 to a scammer in October 2023; and
18.5 Customer E: Customer E is a 41-year-old Customer based in Victoria. He lives with his wife and two children. He lost approximately $50,000 to a scammer in October 2023.
…
22. In addition to direct losses suffered as a result of Unauthorised Transactions using the IAT payment rail, Customers were also exposed to indirect financial harm. For example, some Customers:
22.1 lost the ability to earn interest that they would otherwise have earned on lost funds;
22.2 were charged additional interest on their loans as a result of losing money from loan or mortgage accounts. For example, Customers C and D were charged interest on their Home Loan Account but could not transfer money into the account to pay down their debt. They subsequently transferred approximately AUD $50,000 from an interest-bearing US savings account to meet home loan repayments (and thereby lost the interest that would have otherwise accrued on those funds); and
22.3 had to borrow money or realise other assets to pay expenses and meet home loan obligations. For example, Customer A had to borrow approximately $20,000 from friends and family to pay solicitor fees associated with a divorce.
23. In addition, some Customers suffered non-financial harm including emotional distress and inconvenience as a consequence of the scam and/or associated financial constraints over the Relevant Period:
23.1 Customer A said that the scam and its aftermath took a severe emotional toll and she experienced shame after the scam happened. Both she and her daughter were required to undertake additional shifts at work to earn money;
23.2 Customer C said that he found being a victim of a scam to be highly stressful and embarrassing. He also experienced feelings of guilt as he had originally taken the call from the scammer;
23.3 Customer D said that she suffered incredible stress and was constantly concerned that she would be unable to pay off the interest accruing on her Home Loan Account; and
23.4 Customer E reported feelings of panic and shame as a result of the scam, as he felt that he had been responsible for losing his family’s money.