HSBC's Australian unit faces A$24.6 million penalty over scam protection failures, in a significant bank liability ruling
The Australian unit of HSBC — one of the world's largest banking groups, headquartered in London — faces a A$24.6 million (approximately £12.5 million) penalty over failures in its scam protection systems. The action was brought against HSBC Australia and relates to the bank's alleged failure to adequately protect customers from scams. The penalty reflects a growing global regulatory trend of holding financial institutions directly liable for losses suffered by customers who fall victim to authorised push payment (APP) fraud — where customers are deceived into authorising transfers to fraudsters — rather than treating such losses as solely the customer's responsibility. While this enforcement action is in Australia, it carries direct relevance for UK-domiciled banks and their London legal teams: HSBC's group-level compliance and regulatory functions are centred in London, and UK regulators including the Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR) have introduced parallel frameworks requiring UK payment service providers to reimburse APP fraud victims. The Australian penalty will sharpen internal scrutiny at HSBC and peer institutions regarding the adequacy of their anti-scam controls globally, with group legal and compliance teams likely to conduct cross-jurisdictional gap analyses in response.
Why this matters
Bank liability for customer scam losses is an area of active regulatory development in both Australia and the UK: the UK's Payment Systems Regulator introduced mandatory reimbursement obligations for APP fraud from October 2023, and this Australian enforcement action demonstrates that regulators are prepared to impose substantial financial penalties — not merely require remediation — where banks fall short. For disputes lawyers, the HSBC Australia case illustrates the litigation risk that follows regulatory enforcement: customer group actions alleging inadequate scam protection are a credible follow-on risk, as has already been seen in other jurisdictions. HSBC's London-based group legal team will be monitoring this case closely, and peer banks will be stress-testing their own anti-scam frameworks. The cross-jurisdictional dimension — Australian enforcement against a UK-headquartered bank — also raises questions about how group-level governance and compliance sign-off processes are structured.
On the Ground
A trainee supporting a disputes team on a bank regulatory enforcement matter would assist with disclosure review and categorisation of internal compliance documents, prepare a chronology of the bank's scam-protection system changes, and help compile the costs schedule for any litigation response.
Interview prep
Soundbite
Australian enforcement against HSBC previews the group-wide liability exposure UK banks face as APP fraud reimbursement rules tighten globally.
Question you might get
“How does the UK's Payment Systems Regulator's APP fraud reimbursement framework create litigation risk for UK retail banks, and how would you advise a bank client seeking to manage that risk?”
Full answer
HSBC's Australian unit faces an A$24.6 million penalty for scam protection failures — a significant enforcement action against a major bank's retail division that will reverberate through HSBC's London-based group legal and compliance teams. The case matters because it reflects a regulatory consensus hardening across multiple jurisdictions: banks are increasingly expected to bear financial responsibility for customer scam losses where their controls were inadequate. In the UK, the Payment Systems Regulator already mandates APP fraud reimbursement, meaning domestic banks face similar exposure. For law firms, this creates a dual advisory opportunity — helping banks build defensible scam-protection frameworks proactively, and representing institutions or claimants in the group litigation that typically follows major enforcement actions.