A Federal Court in Sydney has ordered HSBC to pay a AU$35 million (£18.5 million) penalty after the bank admitted it failed to protect customers from impersonation scammers - including a couple who had AU$48,000 stolen directly from their home loan account, a dental technician who lost almost all of her AU$47,000 in savings, and a 25-year-old who lost AU$50,000. The settlement with the Australian Securities and Investments Commission, approved on Thursday, is being described by regulators as one of the first cases of its kind globally.
What makes it significant is not the fine itself - large as it is. It is what HSBC admitted, and what ASIC established as the standard against which a financial institution's conduct will be judged.
HSBC admitted it had been aware of impersonation scammers posing as its staff since May 2021. It admitted it failed to maintain adequate controls on its internal transfer system until May 2024 - a period of three years in which it knew the threat existed. It admitted that when customers reported being scammed, it took an average of 144 days to investigate, against a 21-day code requirement. It admitted it had insufficient systems to help customers regain access to accounts locked after they had reported fraud. Reports of unauthorised transactions surged 380% in 2023 and 2024.
"Banks have been well on notice about the risks of scams for some time," said ASIC chair Sarah Court. "They have now been given a clear message to have adequate controls and ensure their interactions with scam victims help - not hinder."
The HSBC case concerns banking. But the underlying question it answers is one the insurance industry is confronting with increasing urgency from several directions at once: does a financial services firm have a positive, enforceable obligation to maintain adequate systems to prevent, detect and respond to fraud against its customers, rather than simply to process complaints?
Since October 2024, UK banks have been operating under the Payment Systems Regulator's mandatory Authorised Push Payment fraud reimbursement requirement. Victims of APP fraud - where criminals persuade victims to transfer money voluntarily - are now entitled to reimbursement of up to £85,000, with liability split 50/50 between the sending and receiving payment service providers. Banks can no longer treat scam losses as the customer's problem. They are now financially accountable for the adequacy of their detection and prevention systems.
The insurance industry is not a payment service provider, but it is a financial services firm operating under comparable regulatory expectations. The FCA's Consumer Duty requires insurers and brokers to deliver good outcomes for retail customers - including, explicitly, at the point where things go wrong. As Insurance Business has reported, Consumer Duty requires firms to provide customer support that helps people "switch or exit their cover without unreasonable barriers." The parallel with HSBC's failure to help customers regain access to locked accounts is not exact, but it is instructive.
The broader direction of travel in UK financial services regulation is towards holding firms accountable for systemic failures in customer protection - not just for individual poor outcomes. The HSBC case is the clearest international signal yet of where that travel ends up.
The context for the Australian ruling is a UK insurance sector already under severe pressure from fraud on multiple fronts. The ABI reported £1.16 billion in detected fraudulent general insurance claims in 2024 - a 2% increase year on year, with 98,400 cases identified. As Insurance Business has reported, motor insurance remains the most targeted line, accounting for 53% of detected fraud, but property fraud is rising rapidly, with cases up 11%.
More strikingly, a recent analysis of Cifas data found that identity fraud cases in insurance surged 290.5% between 2017 and 2025 - against a 38.7% rise across all sectors. Insurance now accounts for 6.8% of all UK identity fraud cases. Aviva detected a record £233 million in fraud in 2025. Allianz UK detected £92.6 million in fraudulent activity in the first half of 2025 alone - a 34% year-on-year increase.
The HSBC case adds a dimension that goes beyond detection. It asks what happens when firms know a fraud vector exists and fail to act on that knowledge with adequate speed and rigour.
The specific scam at the heart of the HSBC case - impersonation fraud, in which criminals contact customers claiming to be from their bank - is not a banking-only problem. Insurance customers are targeted by the same mechanism. Clone firms using HSBC branding have been flagged by the FCA. Fraudsters posing as insurance providers or brokers to extract policy details or payment information are a documented and growing threat.
Insurance Business reported in June on the growing question of whether insurers are next to face structured regulatory and legal accountability for scam exposure - particularly as social media platforms, through which 72% of APP scams originate according to UK Finance, resist bearing liability for the fraud their platforms generate. That piece noted that Lloyds data showed British consumers losing £66 million a year through fraud originated on Meta platforms alone. If platforms continue to resist liability, the pressure will fall elsewhere - and the HSBC precedent suggests regulators are willing to push financial firms hard on their systemic responsibilities.
Published in March 2026 and backed by £250 million of investment, the government's Fraud Strategy explicitly positions insurers not merely as compensators but as "active fraud risk partners." The strategy's emphasis on cross-sector data sharing, coordinated intelligence, and disruption of criminal networks expects more from the industry than detection after the fact. For insurance professionals, the ASIC-HSBC settlement is a preview of what regulatory enforcement against inadequate systemic controls looks like in practice - before it arrives in a UK context.
The HSBC settlement draws a line that the insurance industry should note carefully. It is not enough to investigate fraud reports when they arrive. A firm that knows a fraud vector is operating against its customers has an obligation to act with adequate speed and systemic rigour to address it - not to wait until the volume of complaints forces the issue.
HSBC was aware of impersonation scammers since 2021. It had over 1,000 reports of unauthorised transactions worth AU$34.6 million by August 2024. It had seen a 380% surge in reports. It still took until mid-2024 to implement adequate controls. The court found that gap between knowledge and action - and the harm it caused to people who lost home loan funds and life savings - was the serious contravention.
The FCA has not yet brought a comparable case in the UK against a bank or insurer specifically for scam prevention failures. The ASIC action establishes that regulators elsewhere are prepared to do so, and to win. UK insurers operating under Consumer Duty, in a regulatory environment that is explicitly moving towards systemic accountability, should treat that as a live signal rather than a distant one.