HSBC's $35M Scam Fine: Why It Won't Change Anything

The short answer

On 18 June 2026 the Federal Court ordered HSBC Bank Australia to pay an A$35 million penalty after ASIC's case over "widespread and systemic" scam-protection failures: more than 1,000 unauthorised-transaction reports worth A$34.6M, a 144-day average to investigate them, and a failure to properly apply the ePayments Code — the rules that decide when the bank, not the customer, must wear an unauthorised loss. Set against HSBC Holdings' US$32.3bn 2024 profit, A$35M is about 0.07% of a year — roughly six hours of profit. The useful part, below: the ePayments Code is your leverage, and if your bank stalls a scam claim you can escalate free to the financial ombudsman.

If your bank is sitting on a scam claim right now, skip to what to do when your bank stalls. The rest of this explains why the headline number is smaller than it looks — and why that matters to you, not just to HSBC.

Do the math

Take the fine at face value and run it against the only number that gives it scale — the profit of the bank that paid it.

The penaltyordered by the Federal Court

A$35,000,000

HSBC Holdings 2024 profit (before tax)≈ A$49.7 billion at ~0.65 AUD/USD

US$32.3 billion

That profit, per hourevery hour, all year

≈ A$5.7 million

So the fine is

≈ 0.07% of one year — about six hours of profit

That is the whole sleight of hand in a regulator's media release. "A$35 million penalty" reads as a punishment. Measured against the balance sheet it landed on, it reads closer to a rounding error — a cost the institution can absorb between morning tea and lunch. None of this is to minimise what HSBC admitted; it is to be honest about what a fine of this size can and cannot do.

A ledger-style graphic showing the HSBC scam fine arithmetic: an A$35 million penalty set against HSBC Holdings' US$32.3 billion 2024 profit before tax, which is about A$49.7 billion, or roughly A$5.7 million of profit per hour — making the A$35 million fine about 0.07 percent of a single year's profit, on the order of six hours of it. — The fine, against the profit it was levied on. A$35M is roughly six hours of HSBC group profit — about 0.07% of a single year. Figures: ASIC (penalty), HSBC Holdings 2024 results (profit before tax); hourly figure is our calculation.

A note on the numbers, because precision matters here: the A$35M penalty and the 144-day figure are ASIC's. HSBC Holdings' US$32.3bn is group profit before tax for 2024, as the bank reported it; the per-hour and percentage figures are ours, converting at roughly 0.65 AUD/USD. The 2024 result included a one-off gain on the sale of HSBC's Canada business — strip that out and the fine is still well under a day of profit. The order of magnitude does not change: this is hours, not weeks.

The part the headline skipped: 144 days

The fine is the story everyone ran. The number that should have led is 144.

That is the average number of days HSBC took to investigate a scam report, according to ASIC. Sit with that from the customer's side. Your money is gone. You did the right thing and reported it. And then, on average, you wait the better part of five months — often without access to your own banking restored — to find out whether the bank will treat the loss as yours or its own.

A timeline graphic contrasting two clocks over the same 144 days. The customer's side: money gone on day zero, banking access disrupted, waiting nearly five months for a decision. The bank's side over the identical span: roughly A$19.6 billion of profit earned, because at about A$5.7 million per hour, 144 days is a very large number. — The same 144 days, two clocks. The customer waits nearly five months for a decision on money already gone. Over that identical span, the group earns on the order of A$19 billion in profit. The wait costs one side everything and the other side nothing.

This is where the small fine stops being an abstraction. A penalty that does not hurt does not change the thing that produced the 144 days — the under-resourcing, the systems that did not restore access, the liability calls that went the bank's way. Which brings us to the part the headlines skipped: what happens to the next person who reports a scam and gets told to wait. If the cost of stalling is six hours of profit, stalling is not a habit a fine like this breaks. It is a habit it prices in.

Let me be clear about what's opinion here. The facts — A$35M, 144 days, the ePayments Code findings — are ASIC's, and HSBC admitted them. The view that a fine this small won't change behaviour is mine, and I've shown you the arithmetic it rests on. You can disagree with the conclusion. The 0.07% is not up for debate.

What the fine was actually for — and why it's your leverage

Strip away the headline number and the case is about something more useful to you than a penalty: it is about the rules that decide who pays when money leaves your account without your say-so.

ASIC's case centred on the ePayments Code — the code it administers that governs electronic payments and, critically, sets out when a customer is not liable for an unauthorised transaction. HSBC, ASIC found, did not apply those rules properly when deciding whether the bank or the customer should bear a loss. In plain terms: people who may not have legally owed the money were treated as if they did.

—"Unauthorised" is a legal category, not a feeling. If a transaction left your account without your authority, the ePayments Code can place the loss on the bank. That is a rule you can point to — not a favour you have to ask for.

—Slow is now a finding, not just bad service. A 144-day average was central to why ASIC acted. The regulator has effectively put a number on 'too slow'. A bank dragging your claim is no longer just frustrating; it is the behaviour a court has penalised.

—Restoring your access is part of the duty. ASIC specifically faulted HSBC for lacking systems to restore customers' banking after a scam. Being locked out of your own accounts while you wait is not an acceptable side effect — it is part of what the bank got wrong.

What to do when your bank stalls a scam claim

Use the case. The regulator has handed every bank customer a reference point; here is how to spend it.

1Lodge the claim in writing, not just by phone, and record the date. The timestamp is your clock — the one the bank now knows a regulator cares about.

2Ask the bank, in writing, how it has applied the ePayments Code to your case and why it considers you liable. Forcing that question is precisely the failure ASIC penalised.

3Set a resolution deadline and ask for confirmation in writing. A 144-day silence is not something you have to accept quietly anymore.

4If it stalls, escalate free to the ombudsman. In Australia that is the Australian Financial Complaints Authority (AFCA), at no cost to you. Elsewhere, your national banking ombudsman or regulator. The country-by-country map of who has to refund is in our scam refund rights guide.

5Get the detail on bank liability for scams — when they must refund and when they wriggle out — from our guide to whether banks refund scammed money.

Then watch for the second hit. People who have just lost money — and whose claims are visibly stuck — are exactly who "recovery" scammers target next. Within days, someone may pose as a recovery agent, a lawyer, or even the bank, offering to get your money back for an upfront fee. No legitimate body charges in advance to recover funds. The recovery offer is the same trap, a second time.

So — will it change anything?

The compensation will matter to the people who get it: HSBC has paid around A$21.5 million to affected customers so far, with more due before the end of July 2026. That is real money reaching real victims, and it should be said plainly.

The deterrent is the part I doubt. ASIC called this one of the first cases of its kind globally, and the precedent has value — slow investigations and misapplied liability are now enforceable failures, not just complaints. But precedent only deters if the penalty behind it bites, and six hours of profit does not bite. The honest answer is that this fine punishes what already happened far more than it changes what happens next. The thing that protects the next victim is not the size of this penalty. It is whether they know the ePayments Code exists, and refuse to wait 144 days in silence.

If you take one thing from this piece, take this: a fine is what a bank pays the regulator; your rights are what you can make it pay you. The A$35M was the headline. The ePayments Code, the ombudsman, and the refusal to be stalled are the parts that actually put money back in a customer's account.

Is your bank stalling a scam claim? Let's look at it together.

Tell us what happened and where it's stuck. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure.

Submit a free case review →Who has to refund you?

Common questions about the HSBC scam fine

Is the $35 million fine in Australian or US dollars?

Australian. On 18 June 2026 the Federal Court ordered HSBC Bank Australia to pay an A$35 million penalty — roughly US$23 million — after ASIC's case over the bank's scam-protection failures. The figure to hold it against is HSBC's group profit: the parent, HSBC Holdings, reported US$32.3 billion in profit before tax for 2024. Measured against that, an A$35M penalty is about 0.07% of a single year's profit — on the order of six hours of it.

What did HSBC actually do wrong?

Per ASIC, between January 2020 and August 2024 HSBC Bank Australia received more than 1,000 reports of unauthorised transactions totalling A$34.6 million, and its response was 'widespread and systemic'. It took an average of 144 days to investigate a scam report, it did not properly apply the ePayments Code — the rules that decide when the bank, not the customer, must wear an unauthorised-transaction loss — and it lacked adequate systems to restore customers' banking access after they were scammed. HSBC admitted these failures.

What is the ePayments Code and why does it matter to me?

The ePayments Code is an ASIC-administered code that governs electronic payments and, crucially, sets out when a customer is not liable for an unauthorised transaction. If money left your account without your authority, the Code can put the loss on the bank rather than on you. ASIC's case against HSBC was, in large part, that the bank failed to apply these rules correctly when deciding who bore the loss. If your bank is treating an unauthorised transaction as your problem, the Code is the document to cite back at it.

My bank is taking months to investigate my scam report. Is that normal?

It should not be, and the HSBC case is the regulator saying so out loud. A 144-day average was central to why ASIC acted. If your claim is dragging, put your complaint in writing, ask specifically how the bank has applied the ePayments Code to your case, and set a deadline. In Australia, if the bank does not resolve it within the required timeframe you can escalate free of charge to the Australian Financial Complaints Authority (AFCA), the external ombudsman. Elsewhere, escalate to your national banking ombudsman or financial regulator.

Will this fine make HSBC — or other banks — treat scam victims better?

That is the open question, and honestly the math invites scepticism. A penalty worth about 0.07% of annual profit is unlikely on its own to change behaviour the way a fine that genuinely hurt would. What may matter more is the precedent: ASIC called this one of the first cases of its kind globally, and it establishes that slow investigations and misapplied liability rules are enforceable failures, not just bad service. The compensation program — around A$21.5 million paid so far, with more due — helps the people already harmed. Whether it deters the next stall is something only the next 144-day wait will answer.

Sources & further reading

Every fact in this piece is drawn from these sources. Click any to verify.

HSBC was fined $35 million. That's about six hours of profit.