Hong Kong SFC Orders Brokers and Crypto Platforms to Replace OTP Logins Within 12 Months

According to the Securities and Futures Commission, Hong Kong's licensed virtual asset trading platforms and internet brokers must phase out one-time password (OTP) authentication for customer logins and device registration within 12 months, replacing it with stronger methods such as passkeys and device binding.

The directive follows a sharp rise in spoofing attacks and account takeovers. The SFC noted that spoofing attacks accounted for 57% of all reported security incidents in 2025, based on data from the Hong Kong Cyber Security Incident Coordination Centre. Firms must also strengthen fraud monitoring systems, notify customers of suspicious activity promptly, and implement customer education programs on phishing and impersonation risks. Large internet brokerage firms were told to adopt the new authentication methods immediately, while the 12-month timeline applies to other licensed entities.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments