Hong Kong's Securities and Futures Commission (SFC) has ordered licensed crypto exchanges and online brokers to stop using one-time passwords (OTPs) for client logins, in one of the most dire
Hong Kong's Securities and Futures Commission (SFC) has ordered licensed crypto exchanges and online brokers to stop using one-time passwords (OTPs) for client logins, in one of the most direct regulatory moves yet against phishing-driven account takeovers.
According to Finance Magnates, the SFC issued a circular instructing virtual asset trading platforms (VATPs) and internet brokers to replace SMS, email, and app-based OTPs with phishing-resistant alternatives. The regulator said OTPs carry risks that stronger options can now eliminate.
What firms must do
The SFC has directed platforms to adopt methods such as passkeys, cryptographically verified registered devices, and hardware security keys. OTPs sent by text or app can be relayed to an attacker on a fake login page in real time, whereas passkeys and bound devices close that gap by tying access to a specific device or hardware credential.
Licensed firms are expected to implement the new authentication framework as soon as practicable, with full compliance required within 12 months. The SFC said larger online brokerages should begin adopting the stronger methods immediately.
The SFC also reminded senior management of online brokers and VATPs that they are ultimately responsible for implementing appropriate controls to protect client accounts and assets, and will be held accountable for any client losses that arise from lapses in those controls.
Beyond authentication, the SFC told firms to monitor for suspicious login, trading and withdrawal activity, alert clients to key account events, and respond quickly to breaches.
Why the SFC is acting now
The scale of phishing losses provides the clearest justification. Hong Kong's cybersecurity standards are being raised as the global crypto industry saw an increase in phishing attacks and social engineering scams in the first quarter of 2026, with those incidents accounting for $306 million of the industry's total losses of $482 million in the period.
Counterfeiting and fraud attacks accounted for 57% of the security incidents reported to the Hong Kong Cyber Security Accident Coordination Center in 2025.
Earlier steps by the SFC tried to shore up existing channels rather than replace them, including pushing brokers to enroll in an SMS Sender Registration scheme and banning embedded links in text messages. The commission had encouraged firms to abandon OTPs in a cybersecurity circular dated February 2025, guidance the new order now makes mandatory.
The direction Hong Kong is taking is likely to draw attention from regulators elsewhere. SMS-based two-factor authentication has long been considered the weakest link in account security, and this move signals that voluntary guidance is giving way to binding rules. Whether other major financial centres follow suit remains to be seen.
Sources:Finance Magnates: Hong Kong Just Told Brokers Their Security Codes Aren't EnoughCoinTelegraph: Hong Kong Regulator Orders New Anti-Phishing Measures for Crypto PlatformsFX News Group: HK Watchdog Mandates Phishing-Resistant Authentication Methods