Hong Kong SFC Phases Out OTP Logins for Crypto Platforms

Hong Kong SFC Phases Out OTP Logins for Crypto Platforms

Last Updated:
Hong Kong SFC Phases Out OTP Logins for Crypto Platforms
  • Hong Kong’s SFC orders stronger login controls for brokerages and crypto platforms.
  • OTP-based security faces phaseout as phishing and spoofing attacks target accounts.
  • HKCERT recorded 15,877 cyber incidents in 2025, with phishing making up 57%.

Hong Kong’s market regulator has moved against rising account impersonation risks, ordering internet brokerages and licensed virtual asset platforms to strengthen customer authentication.

The Securities and Futures Commission (SFC) said the measure targets spoofing, stolen login data, and fraudulent device binding, all of which can expose customers to fast-moving account takeovers.

SFC Moves Brokerages Beyond OTP-Based Account Security

The directive applies to internet brokerage firms and SFC-licensed virtual asset trading platform operators. It requires firms to stop depending on one-time passwords for customer login and device binding.

The regulator said this shift is necessary as OTPs can be intercepted or manipulated through phishing and spoofing schemes. As a result, firms are expected to adopt stronger controls, including passkeys and device binding.

The SFC also directed firms to implement the new controls as soon as practicable, while full adoption must be completed within 12 months of the circular. However, large internet brokerage firms are expected to act immediately, given that their broad customer bases create greater fraud exposure.

Their high level of online activity also increases the speed at which losses can occur once an account is compromised. As a result, the regulator is pushing faster action from firms that face the highest account takeover risks.

Phishing Surge Raises Pressure on Financial Platforms

The order comes after Hong Kong recorded a sharp increase in cyber incidents. HKCERT reported 15,877 cybersecurity incidents in 2025, marking a record total and a 27% annual increase. Phishing accounted for 57% of all reported cases.

HKCERT also noted that attacks increasingly moved through social media, instant messaging platforms, and cryptocurrency platforms. That shift has made financial accounts more attractive to fraud networks, especially as more customers manage investments and virtual assets online.

Once criminals obtain login data, they can attempt suspicious logins, unauthorized trades, and withdrawals. The SFC therefore also directed firms to strengthen monitoring and surveillance for unusual account activity.

Platforms must also notify clients quickly about major account actions and respond promptly to hacking incidents. In addition, firms are required to warn users regularly about impersonation scams and cybersecurity threats, while senior management remains responsible for internal controls.

The regulator warned that firms may be held accountable if weak controls lead to customer losses. The move also fits Hong Kong’s wider virtual asset framework, which has required licensed platforms to meet rules on custody, client assets, market conduct, and cybersecurity since 2023.

Beyond Hong Kong, cybersecurity agencies have also been pushing financial firms toward phishing-resistant authentication. CISA has described FIDO/WebAuthn as one of the strongest widely available methods, as it reduces reliance on reusable credentials.

Related: Hong Kong’s SFC Steps Up Information Regulation Among VATPs

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.