Australian Securities and Investments Commission v Westpac Banking Corporation [2026] FCA 651

This case was about a basic legal obligation in consumer credit and a major failure in the systems meant to support it. When a customer in financial hardship gives a hardship notice, the credit provider must respond in writing within the required timeframe. Westpac allowed customers of Westpac, St George, BankSA and Bank of Melbourne to submit hardship notices through online forms on public websites. Those requests were supposed to move through automated systems and then to Westpac’s Customer Assist team for assessment and response.

The Court found that this process failed. Some online hardship notices were not received by the right team, some were not processed properly, and some were not processed at all. The result was that Westpac failed to give written decision notices within time, or at all, in response to hundreds of online hardship notices. The customers affected were people who said they could not meet repayment obligations under their credit contracts. The reasons for hardship included serious health issues, unemployment during the COVID-19 pandemic and family violence.

The commercial story matters. This was not a dispute about whether a customer qualified for hardship assistance on the merits. It was about whether a large licensed lender had systems and controls that reliably turned customer hardship submissions into legally compliant action. Westpac substantially admitted the conduct and admitted that it had contravened the relevant provisions. It also accepted that the conduct was serious.

The remaining fight was narrower but still important. The Court had to decide the proper form of declarations, especially whether some failures amounted to continuing contraventions under s 175A of the Credit Act, and what penalty and additional orders should be made. Justice McEvoy ultimately made declarations and orders substantially in the form sought by ASIC and imposed a total penalty of $26 million.

The Court’s reasons explain that the National Credit Code gives debtors a formal mechanism to seek changes to credit contracts on the basis of financial hardship. Under s 72, a debtor who considers they are unable to meet obligations under a credit contract may give notice to the credit provider. After receiving a hardship notice, the credit provider must give written notice advising the debtor of the outcome in accordance with the content and timing requirements in s 72(4) and (5). The credit provider may request further information under s 72(2). The reasons also note that s 89A can prevent enforcement action in certain circumstances unless a written decision notice has been given and 14 days has passed.

ASIC alleged that Westpac contravened s 72(4) of the Code by failing to give written decision notices in response to online hardship notices within the prescribed timeframe or at all. ASIC also alleged that Westpac contravened s 47(1)(a) and (4) of the Credit Act by failing to do all things necessary to ensure that the credit activities authorised by its licence were engaged in efficiently, honestly and fairly. Westpac substantially admitted both categories of contravention.

The first live dispute concerned declarations and the effect of s 175A. ASIC argued that the proper construction of s 175A meant Westpac’s obligation to respond to certain earlier hardship notices continued over time, so that each day of non-response amounted to a separate contravention. That issue mattered because it expanded the period relevant to declarations beyond the agreed contravention period. The Court accepted ASIC’s position and made declarations reflecting a continuing obligation for certain earlier notices.

The second live dispute was penalty. ASIC sought a total pecuniary penalty of $30 million, made up of $20 million for the Code contraventions and $10 million for the licence obligation contraventions. Westpac argued that a total penalty in the order of $10 million would be more appropriate. The Court had to assess seriousness, the impact on vulnerable customers, the continuing nature of some contraventions, and Westpac’s remediation, contrition and cooperation.

The reasons give useful detail about the operational setting. Westpac held the Australian credit licence. St George, BankSA and Bank of Melbourne operated under that licence and were trading brands of Westpac. Westpac’s hardship policies described financial hardship as a situation where a customer was willing but unable to meet existing financial obligations for a period of time. The policies listed examples such as unemployment, reduced income, injury or illness, death of a family member, natural disaster, over-commitment or indebtedness and vulnerability. They also recognised extreme hardship, including severe or terminal illness, disablement, long-term unemployment and long-term loss of contract or supplier.

The policies described forms of assistance that might be offered, including loan extensions, short-term reduced payments, short-term moratoriums, interest rate reductions, debt settlement, debt waiver and other contractual rearrangements. During the relevant period, the policies stated that Westpac would respond to a hardship notice where no further information was required within 21 days of receipt. Once assessed, Westpac was to provide a written decision notice and reasons. The policies also said Westpac would not take enforcement action in circumstances where it had or had cause to issue a default notice unless it had given a written decision notice and 14 days had elapsed. The Court said this mirrored s 89A of the Code.

The reasons also note that Westpac’s hardship policies incorporated commitments under the Banking Code of Practice, and that ASIC submitted, and the Court accepted, that each relevant credit contract incorporated the Banking Code of Practice. That did not change the statutory contraventions being determined, but it helps explain the broader compliance setting in which Westpac was operating.

From 2 October 2015, customers could submit hardship notices online through the public websites of Westpac and the other Westpac brands. Westpac intended those notices to be processed first by an automated system called OneClick, then transferred through other automated systems and then to the Customer Assist team. Which system handled the notice depended on the credit product involved. The Court recorded that at least 1,013 online hardship applications submitted by 1,003 customers were either not sent to the Customer Assist team, or were not processed properly, or at all. Westpac failed to give a written decision notice in response to 277 online hardship notices within the statutory timeframe or at all.

This is the part of the case many businesses should focus on. The Court’s declarations did not simply say Westpac missed deadlines. They identified the underlying operational failures. Westpac did not maintain adequate systems, controls and processes to ensure online hardship notices were received by the Customer Assist team and that written decision notices were given within time. Westpac also did not conduct adequate risk reviews, investigations, monitoring and analysis of its online hardship notice systems and processes. In other words, the problem was not just the missed responses. It was the absence of a control environment capable of detecting and preventing the missed responses.

That distinction matters because many businesses still think of compliance as a policy document plus staff training. This case shows that, in a regulated environment, compliance can also be a workflow design issue. If the legal obligation starts when a customer submits a form, then the business needs a process that can prove receipt, routing, ownership, timing and response. If the process breaks, the business may still be liable even if the failure happened inside an automated handoff.

Justice McEvoy made declarations that Westpac contravened s 72(4) of the National Credit Code by failing to give a written decision notice in response to customers’ online hardship notices within the timeframe required by s 72(4) and (5), or at all. The declarations recorded 223 online hardship notices submitted during the agreed contravention period of 4 September 2017 to 8 May 2023, and 277 online hardship notices submitted during the broader relevant period of 2 October 2015 to 7 June 2023.

The Court also made a separate declaration dealing with continuing contraventions. For each customer who submitted an online hardship notice before 4 September 2017 and who did not receive a written decision on or after 13 March 2019, the Court declared that s 175A(1) meant Westpac was under a continuing obligation to respond by giving a written decision notice. The Court further declared that Westpac committed a separate contravention of s 72(4) on each day it failed to give that written decision notice and was deemed to have contravened s 72(4) on and after 13 March 2019 in relation to each relevant customer.

An example helps explain the point. If a customer submitted an online hardship notice before 4 September 2017 and Westpac still had not given the required written decision by 13 March 2019, the Court treated the obligation as continuing from that date. So the issue was not limited to one missed deadline in the past. Each day the written decision remained outstanding counted as a separate contravention. That is why unresolved compliance failures can become much more serious over time.

The Court also declared that from 13 March 2019 to 7 June 2023 Westpac contravened s 47(1)(a) and (4) of the Credit Act by failing to do all things necessary to ensure that the credit activities authorised by its credit licence were engaged in efficiently, honestly and fairly. The declared failures included not maintaining adequate systems, controls and processes to ensure online hardship notices were received by the Customer Assist team and that written decision notices were given within time, and not conducting adequate risk reviews, investigations, monitoring and analysis.

On penalty, the Court ordered Westpac to pay $26 million to the Commonwealth within 30 days. The catchwords state that the contraventions were serious and grossly negligent, that they impacted vulnerable customers and that some caused irreparable harm. The Court also took into account that Westpac had remediated customers and demonstrated contrition and cooperation. The final penalty sat between ASIC’s proposed $30 million and Westpac’s proposed $10 million.

The Court made several additional orders. Westpac had to publish an adverse publicity notice within 14 days on the websites of Westpac, St George, Bank of Melbourne and BankSA for at least 90 days in an immediately visible area. Westpac also had to implement adequate system, operational and process changes within one month to ensure online hardship notices were responded to within the statutory time limits. Within one month after implementing those changes, Westpac had to appoint a suitably qualified independent expert agreed with ASIC, or determined by the Court if there was no agreement. The expert had to report to ASIC on whether the changes had been fully and effectively implemented and make recommendations to remedy any remaining issues. Within six months after appointing the expert, Westpac had to provide ASIC with the report and state what steps it had taken to give effect to the expert’s recommendations. Westpac was also ordered to pay ASIC’s costs.

The legal obligations in this case are specific to consumer credit hardship notices, but the operational lesson is much broader. Many businesses now accept legally significant requests through online forms, portals and automated workflows. Examples include complaints, cancellation requests, privacy requests, warranty claims, refund claims, safety reports and employee disclosures. In each of those areas, the legal or contractual clock may start when the customer presses submit, not when your team eventually notices the request. If the request disappears into a broken workflow, the business may still be responsible.

This case also shows the difference between remediation and compliance. Westpac had remediated customers, apologised and cooperated with ASIC. The adverse publicity notice states that Westpac paid $1,735,126.81 in remediation to impacted customers and that the remediation program was broader than the 277 customers who were the subject of the proceeding. Those matters were relevant, but they did not prevent declarations, a very large penalty, adverse publicity and mandatory operational changes. Fixing the problem after regulator involvement can help, but it is not a substitute for having a compliant process from the start.

The independent expert order is also important. The Court did not simply tell Westpac to improve. It required an external expert to assess whether the changes had been fully and effectively implemented and to recommend further remediation if needed. For business owners, that underlines a practical point: where compliance depends on technology and process design, internal assurances may not be enough. Independent testing and review can be critical, especially after a serious incident or where a regulator is involved.

For directors, founders and managers, this is a governance issue. Ask whether your business has any customer-facing or user-facing channels that trigger legal obligations. If it does, identify the trigger point, the deadline, the responsible team, the escalation path and the evidence trail. Make sure someone senior receives reporting on failed submissions, overdue matters and recurring exceptions. A process that works most of the time may still be legally dangerous if failures are not visible and unresolved items can sit in the system indefinitely.

The Court’s orders define several important periods. The relevant period ran from 2 October 2015 to 7 June 2023. That is the broader period used for the declarations concerning online hardship notices and the factual operation of the systems. The agreed contravention period ran from 4 September 2017 to 8 May 2023. The declaration concerning Westpac’s failure to do all things necessary to ensure its credit activities were engaged in efficiently, honestly and fairly covered the period from 13 March 2019 to 7 June 2023.

The continuing contravention issue also turned on dates. For customers who submitted online hardship notices before 4 September 2017 and who did not receive a written decision on or after 13 March 2019, the Court held that Westpac was under a continuing obligation to respond and committed a separate contravention on each day of non-response. The hearing took place on 26 May 2025, and judgment and orders were delivered on 26 May 2026.

The orders then imposed specific compliance deadlines. Westpac had 30 days to pay the penalty. It had 14 days to publish the adverse publicity notice and keep it visible for at least 90 days. It had one month to implement adequate system, operational and process changes. Within one month after implementing those changes, it had to appoint the independent expert and instruct the expert to report to ASIC. Within six months after appointing the expert, Westpac had to provide ASIC with the report and explain what steps it had taken in response to the expert’s recommendations.

Those deadlines matter because they show the Court was focused on both punishment and operational correction. The case was not treated as a historical compliance failure that could be resolved by a fine alone.

This page is based on the Federal Court judgment in Australian Securities and Investments Commission v Westpac Banking Corporation [2026] FCA 651, including the published orders, annexed adverse publicity notice and reasons extract. The published material clearly identifies the parties, the relevant periods, the statutory provisions, the corrected figures for online hardship applications and notices, the declarations made, the penalty and the compliance orders.

The reasons extract is sufficient to explain the commercial story and the Court’s orders in a practical way. Some finer detail from the full reasons and annexed agreed facts is not reproduced here, so this page does not go beyond what is clearly supported by the published judgment material. It is general information, not legal advice.