EOFY Sale · Save up to $750 off your legals · Ends 30 June

Claim offer
Selected cases

Federal Court of Australia · [2026] FCA 651

ASIC v Westpac

A Federal Court case about Westpac's online hardship notice failures, credit compliance systems and a $26 million penalty.

Federal Court of Australia26 May 2026

Plain-English explainers, not legal advice. Check the linked official source before you rely on a specific section, and get advice for your situation.

Get legal help

Start here

Quick read

  • Regulated customer requests only count if the operational system actually catches them, routes them and answers them on time.
  • A Federal Court case about Westpac's online hardship notice failures, credit compliance systems and a $26 million penalty.

Use this to check

  • Hardship and complaint obligations need system controls, not only policy wording.
  • Online forms should have end-to-end monitoring from submission to final response.
  • Ignored complaints and internal tickets can become evidence that a systems issue was known.

Decision snapshot

  1. 1

    What happened

    • Westpac and its St George, BankSA and Bank of Melbourne brands allowed customers to submit hardship notices through online forms.
    • Between 2 October 2015 and 7 June 2023, Westpac failed to give written responses to 277 customers' online hardship notices within the required timeframe or at all.
    • The failures came from deficient systems, including OneClick transfer problems, batch configuration issues, data formatting problems and human errors.
    • The Court accepted that affected customers included people dealing with serious illness, family violence, natural disasters, unemployment and other financial hardship.
  2. 2

    What the court had to decide

    • The Federal Court had to decide penalty and relief for admitted contraventions of section 72 of the National Credit Code and section 47 of the National Consumer Credit Protection Act, including how continuing contraventions, systems failures, vulnerable customer harm, remediation and deterrence should be treated.
  3. 3

    What the court decided

    • The Federal Court imposed a $26 million civil penalty and made an adverse publicity order.
    • Westpac had admitted contraventions, cooperated with ASIC and paid more than $1.7 million in remediation, but the Court still described the conduct as serious and grossly negligent because the systems were not fit for purpose and vulnerable customers were affected.

Practical impact

Practical read

  • Regulated customer requests only count if the operational system actually catches them, routes them and answers them on time.
  • Credit providers, fintechs and payment businesses need complaint and hardship processes that are tested like core infrastructure.

Useful next steps

  • Hardship and complaint obligations need system controls, not only policy wording.
  • Online forms should have end-to-end monitoring from submission to final response.
  • Ignored complaints and internal tickets can become evidence that a systems issue was known.
  • Remediation after the fact may help, but it will not erase customer harm or penalty risk.
  • Map every legal response deadline to a system owner and backup owner.

Practical read

This is a big-bank case, but the lesson is not limited to big banks. Westpac had policies saying hardship requests would be handled, but the online pathway broke in ways that meant some requests were not properly received, routed or answered. Customers who had asked for help were left waiting, and some experienced credit reporting, debt sale or recovery consequences while their hardship position had not been properly dealt with.

The Court treated the failures as serious systems and operational failures. The point for regulated businesses is direct: a customer-facing legal obligation is not satisfied by having a policy, template or web form. The business needs working systems, monitoring, exception reports, complaint escalation and root-cause review.

For smaller credit providers, fintechs and payment platforms, this is a warning against letting compliance sit away from product and operations. If the legal deadline is 21 days, the system needs to prove each request was captured, assigned, actioned and answered before that deadline.

Checks to run

Key points

  • Map every legal response deadline to a system owner and backup owner.
  • Test that web forms, email queues, CRM tasks and case management workflows all reconcile.
  • Monitor missed responses, stale tickets, customer complaints and manual workarounds.
  • Document root-cause reviews when any regulated request goes missing.
  • Keep remediation records separate from the process fixes that stop repeat failures.

Key takeaways

  • Hardship and complaint obligations need system controls, not only policy wording.
  • Online forms should have end-to-end monitoring from submission to final response.
  • Ignored complaints and internal tickets can become evidence that a systems issue was known.
  • Remediation after the fact may help, but it will not erase customer harm or penalty risk.

Related topics

Finance, Payments & SecurityConsumer Law & TradingDigital & Ecommerce

How Sprintlaw can help

Regulatory ComplianceContract Review