Hong Kong SFC orders crypto platforms, online brokers to phase out OTP logins

Quick Take
- Hong Kong’s SFC ordered licensed crypto platforms and online brokers to phase out one-time passwords for customer login within 12 months following a rise in spoofing attacks.
- Firms must adopt stronger authentication methods, including access keys and device binding, while enhancing monitoring of suspicious login, trading, and withdrawal activity, the regulator said.
We'd love your feedback.
The Hong Kong Securities and Futures Commission issued a circular ordering internet brokerage firms and virtual asset trading platforms to overhaul their security infrastructure by eliminating one-time passwords for user logins and device registration.
The enforcement action comes as part of the regulator's ongoing campaign against account takeovers, fraud, and spoofing operations targeting online financial intermediaries. Data from the Hong Kong Cyber Security Incident Coordination Centre shows that spoofing attacks accounted for 57% of all reported security incidents in 2025, the regulator said in a statement on Thursday.
According to the statement, firms must stop using OTPs for customer login and device binding and adopt alternatives such as passkeys and device binding that can prevent impersonation.
The SFC requires implementation "as soon as practicable," with a deadline of 12 months from the circular's issuance date, and said large internet brokerage firms should adopt the new authentication methods immediately.
"To protect client accounts from increasingly sophisticated and varied phishing attacks, a comprehensive approach combining prevention, detection, response, and education is necessary," said Dr. Yip Chi-hang, Executive Director of the Intermediaries Division of the SFC. "Licensed institutions should strengthen their first line of defense through robust authentication solutions, remain vigilant against suspicious activity, and respond swiftly before damage occurs."
In addition to preventative measures, the SFC said firms must implement detection and surveillance systems to identify suspicious login, trading, and withdrawal activities. The regulator also requires them to promptly notify clients of significant account activity and respond to hacking incidents in a timely manner, while regularly warning customers about emerging impersonation scams and other cybersecurity risks.
The regulator also reminded senior management at licensed internet brokerage firms and virtual asset trading platforms that they bear ultimate responsibility for implementing appropriate controls to protect customer accounts and assets. The SFC said it will hold firms accountable for customer losses resulting from deficiencies in their internal controls.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

