Hong Kong SFC Orders Brokers and Crypto Platforms to Replace OTPs Within 12 Months on July 9

According to the Securities and Futures Commission's circular published on July 9, internet brokers and licensed virtual asset trading platforms must replace one-time passwords with phishing-resistant authentication methods such as passkeys and device binding within 12 months, with larger brokers expected to implement the measures immediately. Senior management will remain responsible for protecting client assets, and firms must introduce monitoring systems to detect suspicious login attempts and respond rapidly to hacking incidents.

The directive follows growing concern that traditional OTPs no longer provide sufficient protection against increasingly sophisticated phishing campaigns. Phishing attacks accounted for 57% of all cybersecurity incidents reported to Hong Kong's Computer Emergency Response Team Coordination Centre during 2025, according to the SFC.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments