The Hong Kong Securities and Futures Commission (SFC) has issued a circular requiring virtual asset trading platforms and internet brokerages to replace one-time password (OTP) authentication with more robust security methods, as spoofing and fraud attacks on customer accounts continue to intensify.
The regulator cited growing threats from impersonation scams, noting that phishing and spoofing attacks accounted for 57% of all security incidents reported to the Hong Kong Cybersecurity Incident Response Centre in 2025. In response, the SFC is now mandating that platforms phase out OTPs for both customer login and device binding processes — practices it has flagged as increasingly inadequate against sophisticated modern attacks.
Firms are required to adopt stronger alternatives, such as passkeys and bound-device authentication, which the SFC describes as offering more resilient and fraud-resistant verification. While all covered entities must comply within 12 months of the circular’s issuance, large internet brokerages are expected to implement the new measures immediately.
Beyond authentication upgrades, the circular outlines a wider set of obligations spanning detection, response, and client education. Virtual asset trading platforms and brokerages must implement surveillance systems capable of identifying suspicious login, trading, and withdrawal activity. Firms are also required to notify clients promptly of significant account events and respond swiftly to any hacking incidents. Ongoing client warnings about emerging cyber threats and impersonation scams are expected as well.
The SFC made clear that senior management at these firms bears ultimate responsibility for the adequacy of account protection controls. Institutions found to have inadequate internal safeguards will be held accountable for any resulting client losses — a pointed signal to compliance teams across Hong Kong’s digital asset sector.
The circular builds on earlier regulatory signals. The SFC had been monitoring OTP-related risks since late 2024 and, in a February 2025 circular, strongly encouraged licensed corporations to move away from OTPs — making today’s mandate a firm regulatory deadline rather than a voluntary recommendation. For crypto platforms operating in Hong Kong, the message is unambiguous: legacy authentication methods are no longer acceptable.
The post Hong Kong SFC Bans One-Time Passwords For Crypto Platforms To Combat Rising Phishing Threats appeared first on Metaverse Post.


