Hong Kong SFC Orders 12-Month OTP Phase-Out for Crypto and Brokerage Firms

Hong Kong's Securities and Futures Commission has ordered licensed virtual asset trading platforms and internet brokerage firms to phase out one-time passwords for customer login and device registration within 12 months. The directive follows a rise in spoofing attacks, which accounted for 57% of all reported security incidents in 2025 according to data from the Hong Kong Cyber Security Incident Coordination Centre. The regulator stated that OTP-based authentication is no longer sufficient against phishing, impersonation, and fraud operations that trick users into handing over login codes, allowing attackers to access accounts, register new devices, place trades, or attempt withdrawals before firms detect the compromise.

SFC Mandates Passkeys and Device Binding for Authentication

The circular requires firms to stop using OTPs for customer login and device binding and move to stronger authentication methods such as passkeys and device binding. The regulator said implementation should happen "as soon as practicable," with a final deadline of 12 months from the circular's issuance date. Large internet brokerage firms were told to adopt the new authentication methods immediately. Passkeys reduce reliance on codes that can be stolen through phishing pages, while device binding links account access to trusted devices and makes unauthorized login attempts harder to complete.

Licensed Firms Must Strengthen Surveillance and Client Alerts

Licensed firms must strengthen surveillance systems to detect suspicious login, trading, and withdrawal activity. That means monitoring unusual access patterns, new device activity, abnormal order behavior, and withdrawal requests that may indicate an account has been compromised. The regulator also requires firms to notify clients promptly about significant account activity and respond to hacking incidents in a timely manner. Customer education is part of the mandate, with firms expected to regularly warn users about impersonation scams, phishing attempts, and emerging cybersecurity risks.

Dr. Yip Chi-hang, Executive Director of the Intermediaries Division of the SFC, said, "To protect client accounts from increasingly sophisticated and varied phishing attacks, a comprehensive approach combining prevention, detection, response, and education is necessary. Licensed institutions should strengthen their first line of defense through robust authentication solutions, remain vigilant against suspicious activity, and respond swiftly before damage occurs."

Senior Management Bears Ultimate Responsibility for Account Protection

The SFC reminded senior management at licensed firms that they bear ultimate responsibility for appropriate controls to protect customer accounts and assets. The regulator said firms may be held accountable for customer losses resulting from deficiencies in internal controls. The policy applies to both internet brokers and virtual asset trading platforms, setting a common baseline for online financial access across traditional securities and crypto markets.

FAQ

What authentication methods must Hong Kong crypto platforms and brokers adopt to replace OTPs?

Firms must adopt stronger authentication methods such as passkeys and device binding. Passkeys reduce reliance on codes that can be stolen through phishing pages, while device binding links account access to trusted devices.

Why did the SFC order the phase-out of OTP logins?

The directive follows a rise in spoofing attacks, which accounted for 57% of all reported security incidents in 2025 according to the Hong Kong Cyber Security Incident Coordination Centre. The regulator stated that OTP-based authentication is no longer sufficient against phishing, impersonation, and fraud operations.

What is the deadline for firms to comply with the SFC's new authentication requirements?

Firms have 12 months from the circular's issuance date to phase out OTPs for customer login and device registration. Large internet brokerage firms were told to adopt the new authentication methods immediately.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments