The Hong Kong Securities and Futures Commission (SFC) issued a circular on Thursday, July 9, 2026, ordering all internet brokerage firms and licensed virtual asset trading platforms (VATPs) to eliminate one-time passwords (OTPs) for customer logins and device registration. The directive is part of a broader campaign against rising account takeovers, phishing scams, and spoofing operations targeting online financial intermediaries.
Data from the Hong Kong Cyber Security Incident Coordination Centre showed that spoofing attacks accounted for 57% of all reported security incidents in 2025. The SFC stated that firms must stop using SMS-, email-, and app-generated OTPs for login and device binding, and instead adopt phishing-resistant authentication methods such as passkeys, hardware security keys, and cryptographic device binding that can prevent impersonation.
The regulator set a compliance deadline of 12 months from the circular’s issuance, while large internet brokerage firms should implement the new controls immediately. “Licensed institutions should strengthen their first line of defense through robust authentication solutions, remain vigilant against suspicious activity, and respond swiftly before damage occurs,” said Dr. Yip Chi-hang, Executive Director of the Intermediaries Division of the SFC.
In addition to authentication upgrades, the SFC requires firms to deploy detection and surveillance systems that monitor suspicious login, trading, and withdrawal activities. Platforms must promptly notify clients of significant account events and respond to hacking incidents without delay. The circular also reminded senior management that they bear ultimate responsibility for protecting customer accounts and assets, and the SFC will hold firms accountable for client losses caused by internal control failures.