The Hong Kong Securities and Futures Commission has issued a circular requiring internet brokers and virtual asset trading platform operators to adopt phishing-resistant authentication for client login and device binding and to stop using one-time passwords for those functions. The measure responds to rising phishing and account-takeover risks and must be implemented as soon as practicable and no later than 12 months after the circular was issued. Large internet brokers are expected to move immediately. The circular points firms toward stronger methods such as passkeys and bound devices, reflecting the Securities and Futures Commission's view that more robust alternatives to OTPs are available. It also requires broader account-protection controls, including monitoring and surveillance for suspicious login, trading and withdrawal activity, prompt client notifications of key account events, timely response to hacking incidents, and regular alerts to clients on phishing and other cybersecurity risks. Senior management remains responsible for putting appropriate controls in place to protect client accounts and assets, and the regulator said it will hold them accountable for client losses arising from control failures.