A new SFC circular gives internet brokers and licensed virtual-asset platforms 12 months to replace OTP logins with phishing-resistant authentication such as passkeys, and warns firms they will be held accountable for client losses from preventable hacks.
Posted July 9, 2026 at 6:43 pm EST.
Hong Kong’s markets regulator has told internet brokers and licensed crypto platforms to stop using one-time passwords to log customers in, ordering them to switch to phishing-resistant methods such as passkeys within a year.
The Securities and Futures Commission set out the requirement in a circular published on 9 July, addressed to internet brokers and SFC-licensed virtual asset service providers, or VASPs. It gives firms until 8 July 2027 to adopt robust authentication for account logins and device binding, while telling “large internet brokers” to make the change “immediately.”
The instruction is blunt about the technology most trading apps still lean on. “The SFC does not consider OTP to be a phishing-resistant authentication solution”, the regulator said in the circular, and told firms they “should not use it” for logins or for registering the devices tied to an account.
The move follows a wave of account takeovers. In 2025, the SFC said in the circular, fraudsters ran large-scale SMS phishing campaigns that impersonated brokers and referred to purported requests from regulators, luring clients into entering credentials — including OTPs — on fake websites. The attackers are suspected to have used “a man-in-the-middle attack” to intercept the codes, reach the accounts and place unauthorised trades, the SFC said in the circular. Phishing made up 57% of the cybersecurity incidents reported to Hong Kong’s computer emergency response centre in 2025 — a share the SFC flagged in the circular.
In OTP’s place, the SFC pointed to passkeys — password-less credentials based on public-key cryptography that, it said in the circular, are “recognised internationally as a phishing-resistant authentication method” — and to bound devices linked to a client’s account through verified device attributes. Firms generally should not let a client register more than three passkeys or three devices, the SFC said.
The regulator also put senior managers on the hook. It said in the circular that responsibility for the overhaul rests with each firm’s “Manager-in-Charge of Overall Management and Oversight” and its equivalent for information technology. And it set out direct consequences: where a broker or platform fails to stop large-scale unauthorised transactions following a hack, the SFC wrote that it “will hold the relevant firm accountable for the losses suffered by its clients.”
Alongside the login change, the circular tells firms to alert clients to high-risk events such as new-device logins and passkey changes, to monitor accounts for abnormal trading, and to report hacking incidents to the SFC immediately. It builds on cybersecurity circulars the regulator issued in September 2020 and February 2025, and gives firms a 12-month window it calls “the 12-month implementation period” to comply.
Related Listen: DEX in the City: Is Now the ‘Perfect Time to Launch a Crypto Scam’?
AI-assisted content: This article was produced with the assistance of AI tools and was reviewed, edited, and fact-checked by a member of the Unchained editorial team before publication.
Regulation,hong kong,Passkeys,Phishing,SFChong kong,Passkeys,Phishing,SFC#Hong #Kong #Orders #Brokers #Crypto #Platforms #Scrap #OneTime #Password #Logins1783638933

