Hong Kong SFC Orders Brokers And Crypto Platforms To…

Hong Kong’s Securities and Futures Commission has ordered internet brokers and licensed virtual asset trading platforms to replace one-time passwords with phishing-resistant authentication methods, marking one of the strongest regulatory moves yet against cybercrime such as account takeover attacks targeting online trading accounts. Under new requirements published on July 9, firms must implement stronger login and device binding controls within 12 months, while larger brokers are expected to begin adopting the measures immediately.

The directive reflects growing concern among financial regulators that traditional one-time passwords are no longer sufficient to protect trading accounts from increasingly sophisticated phishing campaigns. The SFC said phishing attacks accounted for 57% of all cybersecurity incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre during 2025, highlighting the scale of the threat facing investors and financial institutions.

OTPs No Longer Considered Sufficient

The SFC said internet brokers and virtual asset trading platform operators should stop using one-time passwords for both client login and device binding because more secure authentication technologies are now widely available.

The regulator pointed to passkeys and device binding as examples of phishing-resistant authentication methods capable of preventing attackers from gaining access even when clients are tricked into revealing their credentials.

Device binding links a customer’s trading account to a securely registered computer or mobile device using unique device characteristics, making it significantly harder for criminals to log in from unauthorised hardware.

The SFC first warned firms about weaknesses associated with OTP-based authentication in February 2025 following a cybersecurity review. The latest circular turns that guidance into a regulatory requirement.

Crypto Platforms Face The Same Standards As Brokers

The new requirements apply equally to licensed securities brokers and virtual asset trading platform operators, reinforcing Hong Kong’s approach of holding digital asset firms to regulatory standards similar to those imposed on traditional financial institutions.

Beyond stronger authentication, firms must introduce effective monitoring systems capable of detecting suspicious login attempts, unusual trading activity and abnormal withdrawal requests. They are also expected to notify clients promptly of significant account events, respond rapidly to hacking incidents and regularly warn customers about emerging phishing campaigns and other cyber threats.

The SFC said senior management will remain ultimately responsible for protecting client assets and warned that firms could be held accountable for losses resulting from inadequate cybersecurity controls.

“Protecting client accounts from increasingly sophisticated and elusive phishing attacks requires holistic measures combining prevention, detection, response and education,” said Dr Eric Yip, the SFC’s Executive Director of Intermediaries. “Licensed firms should strengthen their first line of defence with robust authentication solutions, stay alert to suspicious activities, and respond swiftly before harm is done.”

Passkeys Gain Regulatory Support

The circular adds to growing global momentum behind passkeys as financial institutions move away from passwords and SMS-based authentication.

Unlike traditional credentials, passkeys rely on cryptographic authentication tied to a user’s device and cannot easily be intercepted or reused through phishing websites. Technology companies including Apple, Google and Microsoft have already incorporated passkey support into their operating systems, while banks and fintech firms have begun deploying the technology for customer authentication.

For brokers and crypto exchanges, stronger authentication has become increasingly important as cybercriminals target trading accounts that can provide immediate access to cash, securities and digital assets.

Investor Education Remains Part Of The Strategy

Alongside technical controls, the SFC urged investors to continue following basic cybersecurity practices, including using strong and unique passwords, keeping devices updated, accessing accounts only through official websites and applications, and reviewing account statements for unauthorised activity.

The regulator advised investors who suspect their credentials have been compromised to contact their broker or virtual asset platform immediately, secure their accounts and report the incident to the relevant authorities.

Takeaway

The SFC’s decision signals that one-time passwords are rapidly losing their status as an acceptable security control for financial services. By requiring phishing-resistant authentication across both traditional brokers and crypto trading platforms, Hong Kong is raising the cybersecurity baseline for online investing and placing greater accountability on firms to prevent account takeover attacks before client assets are compromised.

Post navigation

Stay updated with the latest news, exclusive offers, and special promotions. Sign up now and be the first to know! As a member, you'll receive curated content, insider tips, and invitations to exclusive events. Don't miss out on being part of something special.

By opting in you agree to receive emails from us and our affiliates. Your information is secure and your privacy is protected.