Key Highlights
- Financial regulator mandates elimination of OTP-based authentication systems within one year.
- Platforms must transition to passkeys and physical security keys instead of SMS or email codes.
- Major internet brokers expected to implement enhanced security protocols without delay.
- Enhanced surveillance requirements for login attempts, transaction patterns, and fund withdrawals.
- Executive leadership held directly responsible for security breaches affecting customer assets.
Hong Kong’s financial regulator has mandated that digital asset exchanges and internet-based brokers eliminate one-time password systems in favor of advanced security mechanisms. The directive addresses escalating threats from credential theft, account hijacking, and sophisticated phishing operations. Financial institutions have one year to complete the transition.
Regulatory Authority Introduces Stricter Authentication Requirements
The SFC distributed the directive to online brokerage firms and virtual asset platform operators this Thursday. The mandate specifies phishing-resistant authentication mechanisms for user access and device authorization procedures. The framework encompasses enhanced safeguards for account entry points and verification of trusted hardware.
The financial watchdog explicitly prohibited continued reliance on temporary password systems for access control and device registration. This prohibition encompasses verification codes delivered via text message, electronic mail, and application-generated authentication sequences. The authority cited increasing phishing vulnerabilities and the availability of superior security technologies.
Passkey technology, physical authentication tokens, and cryptographic device verification satisfy the updated requirements. These approaches minimize exposure to compromised credentials and intercepted authentication codes. Exchanges must migrate from code-dependent verification to cryptographically-secure authentication frameworks.
One-Year Implementation Window Established for Compliance
The regulatory body instructed affected organizations to execute these transitions at the earliest opportunity. Complete compliance across all covered entities must occur within twelve months following the circular’s publication date. Larger internet brokerage operations should proceed with immediate adoption given their substantial user bases.
The authority additionally requires enhanced monitoring capabilities across all account operations. Brokerage platforms and virtual asset operators must identify anomalous login behaviors, unusual trading activity, and suspicious withdrawal requests. Organizations must also provide prompt notification to account holders when significant events affect their profiles.
The SFC emphasized that executive leadership bears ultimate responsibility for safeguarding client accounts. Management teams will face direct accountability when security deficiencies result in customer financial losses. Consequently, organizations face mounting pressure to enhance prevention strategies, incident response capabilities, and governance frameworks.
Territory Elevates Digital Security Protocols
This regulatory action follows a sustained increase in phishing campaigns and social manipulation tactics targeting digital currency markets. Throughout early 2026, such attacks inflicted substantial financial damage across the international cryptocurrency ecosystem. This pattern prompted regulatory bodies to intensify focus on access control mechanisms.
Hong Kong documented significant fraudulent activity and counterfeiting operations in recent cybersecurity assessments. These threats represented a considerable portion of documented security breaches during 2025. The financial regulator positioned strengthened authentication as a component of comprehensive market safeguards.
The watchdog also encouraged users to maintain robust security practices for passwords, hardware devices, and account access methods. Customers should exclusively access their accounts through verified official websites and authorized platform applications. Users should immediately report any suspected unauthorized access or questionable transaction activity.



