The Hong Kong Securities and Futures Commission has issued a circular requiring internet brokers and virtual asset trading platform operators to adopt phishing-resistant authentication for client login and device binding and to stop using one-time passwords for those functions. The measure responds to rising phishing and account-takeover risks and must be implemented as soon as practicable and no later than 12 months after the circular was issued. Large internet brokers are expected to move immediately. The circular points firms toward stronger methods such as passkeys and bound devices, reflecting the Securities and Futures Commission's view that more robust alternatives to OTPs are available. It also requires broader account-protection controls, including monitoring and surveillance for suspicious login, trading and withdrawal activity, prompt client notifications of key account events, timely response to hacking incidents, and regular alerts to clients on phishing and other cybersecurity risks. Senior management remains responsible for putting appropriate controls in place to protect client accounts and assets, and the regulator said it will hold them accountable for client losses arising from control failures.
Hong Kong Securities & Futures Commission2026-07-09
Hong Kong Securities and Futures Commission requires internet brokers and virtual asset trading platform operators to replace OTP logins with phishing resistant authentication within 12 months
The Hong Kong Securities and Futures Commission has ordered internet brokers and virtual asset trading platform operators to replace OTP-based client login and device binding with phishing-resistant authentication. Firms must implement the change as soon as practicable and within 12 months, while large internet brokers are expected to act immediately. The circular also requires stronger monitoring, incident response and client alert measures, with senior management accountable for control lapses.