In an era where digital convenience often intersects with cyber vulnerability, the story of a scam victim's triumph over a banking giant serves as a beacon of hope for many Australians, particularly those who have grown more reliant on online banking services.

The ruling marks a pivotal moment in the ongoing battle between financial institutions and customers seeking justice for fraud.

This outcome highlights the challenges banks face in addressing and resolving disputes related to scams, as well as the growing demands for greater accountability and consumer protection in the financial sector.

The tale of ‘Mr T*’, as he's been referred to, is not just a personal victory but a landmark moment that could reshape the way banks handle scam cases and customer liability.

In a landmark decision, the Australian Financial Complaints Authority dismissed HSBC's argument that it was not responsible when a sophisticated scammer posed as a bank employee to empty the victim’s account worth $47,000.

The bank had previously used this argument to deny compensation to other victims.

HSBC may need to compensate customers scammed after the Australian Financial Complaints Authority ruled that a victim shouldn't be liable for a $47,000 loss. Credit: Facebook / HSBC

The authority also condemned HSBC’s customer service and its confrontational stance on the case.

The ‘lead decision’ in one of the cases marks a shift in the financial services complaints body's approach, now favouring victims.

This change came after an investigation revealed significant shortcomings in HSBC’s handling of the signature scam.

For at least 10 months in 2023 and 2024, fraudsters managed to infiltrate legitimate text message chains from HSBC, convincing victims that their accounts were at risk and coercing them into providing passcodes to a fake bank employee.

Even when customers realised they were being scammed while still on the phone with the fraudster, HSBC was unable to recover their funds.

The criminals swiftly altered the victims’ daily transfer limits and transferred the money into new accounts and cryptocurrency.

This investigation uncovered that, in some instances, consecutive logins to HSBC accounts were occurring from different countries, making it impossible for the same person to have made them.

In the case closely examined by the Australian Financial Complaints Authority, Mr T* received a text message in June last year that was part of a legitimate thread of previous messages from HSBC.

The message warned him that a $740 transaction was being attempted by Amazon and instructed him to call a 1300 number if he did not authorise it.

When the man dialled the 1300 number, he encountered an interactive voice response system that closely resembled the one used by the bank, and the scammer had access to his personal information, including his bank username.

The fraudster then requested that he verify his identity by providing two banking passcodes, which were subsequently used to steal more than $47,178 from his account.

In Mr T*'s case, HSBC contended that the victim was not entitled to reimbursement for the stolen funds because they had violated a clause of the ePayments code stating that users must not ‘voluntarily disclose one or more passcodes to anyone’.

However, this argument was dismissed by the Australian Financial Complaints Authority, which determined that the scammer's manipulative tactics forced the victim to reveal the passcodes, meaning the disclosure was not voluntary.

‘The panel is satisfied the scammer created a sense the complainant needed to act urgently to prevent the loss of his funds and the overall impression he was dealing with the bank, and it would therefore not be fair in all the circumstances to find the disclosure of the passcodes was voluntary,’ the decision stated.

This finding is significant because, as a lead decision, it addresses fundamental issues and principles that can be applied to a group of similar cases, even though each will still be evaluated based on its specific circumstances.

‘If another case were to revolve around very similar facts, a similar decision would be likely,’ AFCA Lead Ombudsman for Transactions Suanne Russell explained.

‘In this particular lead decision, regarding an HSBC impersonation scam case, the focus was on the disclosure of passwords that were necessary to carry out the transaction and whether this was voluntary.’

HSBC was ordered to pay the complainant $47,028, along with $5,000 in legal fees and $1,000 in compensation for not adhering to the Banking Code of Practice regarding customer service.

Stephanie Tonkin, Chief Executive of the Consumer Action Law Centre, stated that the authority's decision was unexpected for several reasons, particularly because the panel characterised the bank's behaviour as ‘adversarial’.

‘This isn’t the first time a bank has been aggressive at AFCA. We’ve seen plenty of times, but for it to be publicly called out like that, in a determination, that is significant,’ she stated.

The Australian Financial Complaints Authority has logged 329 complaints concerning the HSBC impersonation scam, with 121 of those still pending.

‘As always, we encourage all financial firms to think about whether they should be resolving consumer complaints without the need for intervention by AFCA,’ Ms Russell said.

HSBC was inquired about whether it would reassess its liability determinations for customers affected by the scam following the authority's ruling, but a spokesperson did not respond to the question.

Instead, they stated that the bank recognised the decision, which they referred to as pertaining to a ‘historic and specific type of bank impersonation scam’.

‘The outcome has been accepted by the customer and is now resolved,’ they said.

‘Falling victim to a fraud is a distressing situation. We remain committed to working with industry and government to disrupt scams and protect customers, and will continue to work hard to support victims of scams.’

Sunni Wan, who heads a support group for approximately 70 victims of the scam, is among those whose case is still pending before the AFCA.

In December, she had nearly $50,000 stolen after receiving a message that seemed to come from the bank.

Wan had been saving this money as a cushion against interest rate hikes and to pay for her mother’s knee surgery.

Even though she hung up on the scammer during the call and contacted HSBC immediately, the bank was unable to recover Wan’s funds.

Instead, the bank's fraud team deemed her responsible for the losses because she had ‘voluntarily’ disclosed her banking passcodes.

The Sydney woman noted that following the lead decision, about half a dozen individuals had received reimbursement offers from the bank, but most members of the support group had not yet been offered any compensation.

‘They’re [HSBC] being dragged kicking and screaming to this,’ Wan said. ‘It’s pretty poor.’

The recent ruling by the Australian Financial Complaints Authority highlights the ongoing struggles faced by scam victims when dealing with major banks.

This decision underscores the importance of financial institutions taking accountability for their responses to fraudulent activities.

Similarly, another alarming case illustrates how a different scam left an individual out of pocket to the tune of $120,000, revealing a troubling trend in which banks often fail to support their customers effectively in the aftermath of such scams.

As these incidents unfold, it becomes increasingly clear that consumers need better protection and accountability from their banks.

Key Takeaways

• HSBC may have to compensate customers scammed after the Australian Financial Complaints Authority found a victim should not be held responsible for a $47,000 loss.
• A landmark ruling rejected HSBC's claim that they were not liable when a scammer impersonated a bank worker and raided accounts, setting a precedent for similar cases in the future.
• The authority criticised HSBC's customer service and adversarial approach, requiring them to compensate the victim $47,028 plus additional costs.
• The ruling encourages financial firms to resolve consumer complaints without needing authoritative intervention, highlighting the bank's responsibility in supporting victims of scams.

What are your thoughts on this landmark decision? How do you think banks should handle similar issues to this? We encourage our members to share their thoughts and experiences with online banking and scams in the comments below. Your insights could help others navigate these treacherous digital waters and perhaps even prevent future losses.

*Names with asterisk have been changed for privacy purposes.

 

[Annna]

The conversion of banking from personal branch attendance to online has been orchestrated by banks.

Having done so, all of these organisations have a duty of care to bulletproof their systems.

If banks are unable to do this, they:

1. Should offer those who seek it, personal banking via a reintroduced branch network; and

2. Should offer those who have adopted online banking as their manner of interacting with the bank compensation for losses sustained.

 

[Squizzy1]

I find the system appalling, it encourages fraud, and I cannot believe how easy it clearly must be to money launder, when the Bank has no idea where the money went or can do nothing about retrieving it, it's a laughing stock and imo regressive of the Financial Industry. If I want to withdraw my own money face to face, I am challenged as to what I want the money for, yet a digital withdrawal is processed in an instant with little to no regard as to where it's going or why, particularly with the large sums being stolen. The sheer number of scams and volume which is growing year on year is a clear indication of how easy it is. This industry imo needs to clean up it's act.

 

[Dynamo]

AFCA assisted me to recover funds stolen from my account
The bank gave me forms to fill out to recoup funds. However, they really didn't care neither did police. AFCA are doing good work to assist defrauded clients.