Hong Kong Orders Crypto Firms to Replace OTPs
Hong Kong’s Securities and Futures Commission has ordered licensed crypto trading platforms and online brokers to replace one-time passwords with phishing-resistant authentication.
The regulator said the controls are needed to protect client accounts from credential theft, fake login pages and account takeover attacks.
Platforms Get 12 Months to Replace OTPs
The SFC issued the circular on July 9, covering internet brokers and virtual asset trading platform operators licensed in Hong Kong. Firms must stop using one-time passwords for client login and device binding.
The requirement covers OTPs sent by SMS, email and app-generated or app-delivered codes where attackers can steal or relay the code. The regulator said firms should adopt phishing-resistant methods as soon as possible and no later than 12 months from the circular. Large internet brokers are expected to move immediately.
Passkeys and bound devices were named as examples of phishing-resistant authentication methods. These tools use cryptographic checks tied to a device or credential, making it harder for phishing sites to capture reusable login details.
Monitoring Must Cover Trades and Withdrawals
The SFC also told firms to strengthen monitoring beyond login controls. Licensed platforms must have systems that can detect suspicious logins, trading activity and withdrawals. They must also notify clients quickly about key account events and respond to hacking incidents without delay.
That matters for crypto platforms because virtual asset withdrawals can be difficult to reverse once funds leave a customer account. The regulator also told firms to keep warning clients about phishing threats and other cyber risks.
Management May Face Client-Loss Accountability
The circular puts responsibility on senior management. The SFC said management at online brokers and virtual asset trading platforms is ultimately responsible for the controls used to protect client accounts and assets.
It also said firms may be held accountable for client losses caused by control failures. The warning frames phishing protection as a compliance and governance issue for licensed firms.
Platforms Face New Login and Alert Checks
Licensed crypto platforms in Hong Kong already face requirements around custody, client protection and operational controls.
The new authentication rules add another layer to that framework as phishing remains a common way attackers gain access to user accounts.
Platforms now have 12 months to replace OTP-based login and device-binding controls, improve suspicious-activity monitoring and strengthen account alerts for clients.