Hong Kong SFC to section out OTP login for crypto platforms

  • Hong Kong’s SFC has ordered brokerage companies and digital forex platforms to tighten login controls.
  • OTP-based safety could also be phased out as phishing and spoofing assaults goal accounts.
  • HKCERT recorded 15,877 cyber incidents in 2025, with phishing accounting for 57%.

Hong Kong’s market regulator has ordered web brokerages and licensed digital asset platforms to strengthen buyer authentication to fight the rising threat of account impersonation.

The Securities and Futures Fee (SFC) mentioned the measures goal id theft, theft of login knowledge and unauthorized system binding, all of which may put clients prone to speedy account takeover.

SFC strikes brokerages past OTP-based account safety

This directive applies to web securities firms and digital asset buying and selling platform operators which have obtained an SFC license. This requires companies to cease counting on one-time passwords for buyer login and system binding.

The regulator mentioned the change was essential as a result of OTPs could be intercepted or manipulated by way of phishing and spoofing schemes. Consequently, we count on enterprises to undertake stronger controls comparable to passkeys and system binding.

The SFC additionally directed companies to implement the brand new laws as quickly as attainable, though full implementation should be accomplished inside 12 months of notification. Nonetheless, massive web brokerages are anticipated to take speedy motion as their large buyer bases make the danger of fraud even larger.

Additionally, as a result of they’re extra energetic on-line, losses happen quicker if their accounts are compromised. Consequently, regulators are requiring firms going through the very best threat of account takeover to take quicker motion.

Phishing surge will increase strain on monetary platforms

The order comes within the wake of a pointy improve in cyber incidents in Hong Kong. HKCERT reported 15,877 cybersecurity incidents in 2025, a file complete and a 27% improve over the yr. Phishing accounted for 57% of all reported circumstances.

HKCERT additionally famous that assaults are more and more being carried out through social media, instantaneous messaging platforms, and cryptocurrency platforms. This variation has made monetary accounts extra engaging to fraud networks, particularly as extra clients handle their investments and digital belongings on-line.

As soon as criminals have your login knowledge, they will try suspicious logins, fraudulent transactions, and withdrawals. The SFC has due to this fact directed firms to strengthen their monitoring and monitoring of bizarre account actions.

Platforms should additionally shortly notify purchasers about key account actions and reply shortly to hacking incidents. Moreover, firms are required to commonly warn customers about id fraud and cybersecurity threats, whereas senior administration continues to be liable for inner controls.

The regulator warned that firms could possibly be held liable if poor controls led to buyer losses. The transfer additionally matches into Hong Kong’s broader digital asset framework, which requires licensed platforms to satisfy guidelines on custody, buyer belongings, market conduct and cybersecurity from 2023.

Past Hong Kong, cybersecurity companies are pushing for phishing-resistant certifications for monetary firms. CISA describes FIDO/WebAuthn as one of the crucial highly effective strategies broadly obtainable to cut back reliance on reusable credentials.

Associated: Hong Kong SFC strengthens info laws between VATP

Disclaimer: The knowledge contained on this article is for informational and academic functions solely. This text doesn’t represent monetary recommendation or recommendation of any type. Coin Version shouldn’t be liable for any losses incurred on account of the usage of the content material, merchandise, or companies talked about. We encourage our readers to do their due diligence earlier than taking any motion associated to our firm.