ASIC sues HSBC Australia - lessons for General Insurance - the importance of industry Codes

ASIC has commenced legal proceedings against HSBC alleging a failure to adequately protect customers from scammers. Refer to ASIC media release 24-280MR.

ASIC alleges that:

HSBC failed to have adequate systems and processes to prevent widespread non-compliance with its obligations under the 2016 and 2022 ePayments Code (which were part of its contractual terms with its Customers), under which it was required to investigate reports of unauthorised transactions and respond to Customers within prescribed timeframes and by providing prescribed information;

The ePayments Code

In the Concise Statement filed with the Federal Court, ASIC states:

HSBC Australia is subject to certain obligations as a subscriber to the ePayments Code and a signatory to the Banking Code of Practice. HSBC Australia issued the HSBC Personal Banking Booklet, which formed part of its agreement with Customers. In the Booklet, HSBC Australia warranted that it would comply with the ePayments Code and that, if the Banking Code applies to a customer, the relevant provisions of that Code apply when the Customer uses one of HSBC Australia’s products or services.

The ePayments Code plays an important role in the regulation of electronic payment facilities in Australia. It applies to consumer electronic payment transactions, including ATM, EFTPOS and credit card transactions, online payments, internet and mobile banking, and BPAY. It complements other regulatory requirements, including financial services and consumer credit licensing, advice, training and disclosure obligations under the Corporations Act 2001 and the National Consumer Credit Protection Act 2009.

HSBC Australia has obligations as a subscriber to the ePayments Code to complete an investigation into a report of an unauthorised transaction (Report) and advise the customer in writing of the outcome. An unauthorised transaction is a transaction that is not authorised by a customer. Under the ePayments Code, HSBC Australia is required to:

  • within 21 days of receiving a Report, either complete its investigation and advise the customer of the outcome or advise the customer more time is required to complete the investigation;
  • within 45 days of receiving a Report, complete its investigation, unless there are exceptional circumstances. Exceptional circumstances may include delays caused by other banks or foreign merchants involved with the transaction.

Breach of AFSL obligations

ASIC is arguing that a breach of the ePayments Code is a breach of HSBC's general obligation as an AFS Licensee to provide financial services 'efficiently, honestly and fairly'. There are additional legal grounds for relief under the Credit Act.

Why is this case important for General Insurance?

There are two interesting aspects to these proceedings: the obligation of an AFS Licensee to protect customers from the activities of hackers, and an Industry Code being part of the contractual terms with customers.

The Parliamentary Flood Inquiry report and the GI Code Committee review report both recommend that the GI Code of Practice should be incorporated into customer contracts (PDS) so that commitments are contractually enforceable.

A breach of the general obligation to provide financial services 'efficiently, honestly and fairly' is a civil penalty provision.

Protecting customers' data

This case will be watched with interest. However, it is clear that insurers and their service providers (underwriting agencies, TPAs and other service providers) and insurance brokers must have adequate systems and processes (and training) to protect customers' data.

This obligation arises under numerous regulatory sources and industry Codes:

  • the Privacy Act, including recent amendments
  • APRA Prudential Standard CPS 234
  • APRA Prudential Standard CPS 230
  • the GI Code of Practice and the Insurance Brokers Code of Practice
  • AFSL general obligations

