Hong Kong SFC Orders Crypto Platforms to Phase Out OTP Logins by 2027

2 hour ago 4 sources positive

Key takeaways:

  • Hong Kong's OTP ban signals a structural shift toward institutional-grade security, boosting long-term capital inflows into regulated platforms.
  • Enhanced authentication may concentrate trading volumes on compliant exchanges like OSL and HashKey, benefiting tokens listed there.
  • Investors should monitor platform consolidation risks as smaller brokers struggle with immediate compliance costs.

The Hong Kong Securities and Futures Commission (SFC) issued a circular on Thursday, July 9, 2026, ordering all internet brokerage firms and licensed virtual asset trading platforms (VATPs) to eliminate one-time passwords (OTPs) for customer logins and device registration. The directive is part of a broader campaign against rising account takeovers, phishing scams, and spoofing operations targeting online financial intermediaries.

Data from the Hong Kong Cyber Security Incident Coordination Centre showed that spoofing attacks accounted for 57% of all reported security incidents in 2025. The SFC stated that firms must stop using SMS-, email-, and app-generated OTPs for login and device binding, and instead adopt phishing-resistant authentication methods such as passkeys, hardware security keys, and cryptographic device binding that can prevent impersonation.

The regulator set a compliance deadline of 12 months from the circular’s issuance, while large internet brokerage firms should implement the new controls immediately. “Licensed institutions should strengthen their first line of defense through robust authentication solutions, remain vigilant against suspicious activity, and respond swiftly before damage occurs,” said Dr. Yip Chi-hang, Executive Director of the Intermediaries Division of the SFC.

In addition to authentication upgrades, the SFC requires firms to deploy detection and surveillance systems that monitor suspicious login, trading, and withdrawal activities. Platforms must promptly notify clients of significant account events and respond to hacking incidents without delay. The circular also reminded senior management that they bear ultimate responsibility for protecting customer accounts and assets, and the SFC will hold firms accountable for client losses caused by internal control failures.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.