Hong Kong SFC Bans OTPs for Crypto Platforms Amid Phishing Surge

The Hong Kong Securities and Futures Commission issued a circular requiring virtual asset trading platforms and internet brokerages to replace one-time password authentication with more robust security methods. The regulator cited phishing and spoofing attacks accounting for 57% of all security incidents reported to the Hong Kong Cybersecurity Incident Response Centre in 2025 as the trigger for the mandate. Firms must adopt stronger alternatives such as passkeys and bound-device authentication within 12 months, with large internet brokerages required to implement the measures immediately. The circular represents an escalation of regulatory oversight in Hong Kong's digital asset sector, where legacy authentication methods are now deemed inadequate against sophisticated cyber threats.

The SFC is mandating that platforms phase out OTPs for both customer login and device binding processes. Covered entities must comply within 12 months of the circular's issuance, while large internet brokerages are expected to implement the new measures immediately. The regulator describes passkeys and bound-device authentication as offering more resilient and fraud-resistant verification compared to OTPs.

SFC Mandates Enhanced Security and Management Accountability

The circular outlines obligations spanning detection, response, and client education. Virtual asset trading platforms and brokerages must implement surveillance systems capable of identifying suspicious login, trading, and withdrawal activity. Firms are required to notify clients promptly of significant account events and respond swiftly to any hacking incidents. Ongoing client warnings about emerging cyber threats and impersonation scams are expected.

The SFC stated that senior management at these firms bears ultimate responsibility for the adequacy of account protection controls. Institutions found to have inadequate internal safeguards will be held accountable for any resulting client losses.

Regulatory Timeline From Monitoring to Mandate

The SFC had been monitoring OTP-related risks since late 2024. In a February 2025 circular, the regulator strongly encouraged licensed corporations to move away from OTPs. The current circular converts that encouragement into a firm regulatory deadline, making today's mandate a binding requirement rather than a voluntary recommendation.

FAQ

What did the Hong Kong SFC require crypto platforms to do?

The Hong Kong Securities and Futures Commission issued a circular requiring virtual asset trading platforms and internet brokerages to replace one-time password authentication with more robust security methods such as passkeys and bound-device authentication.

Why did the SFC ban OTPs for crypto platforms?

The regulator cited phishing and spoofing attacks accounting for 57% of all security incidents reported to the Hong Kong Cybersecurity Incident Response Centre in 2025, noting that OTP authentication has become inadequate against sophisticated modern attacks.

What is the deadline for crypto platforms to comply with the new authentication requirements?

Covered entities must comply within 12 months of the circular's issuance, while large internet brokerages are expected to implement the new measures immediately.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments