Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months

Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months

The SFC wants one-time passwords gone and passkeys in, with senior management personally on the hook for any client losses from cybersecurity failures.

Hong Kong’s Securities and Futures Commission just told every licensed crypto exchange and online broker in its jurisdiction to ditch one-time passwords and adopt phishing-resistant login systems. They have 12 months to comply. Large internet brokers don’t even get that grace period, they’re expected to move immediately.

The directive, issued as Circular 26EC35 on July 9, arrives at a moment when phishing attacks and account takeovers have become a persistent headache across the digital asset industry. The SFC isn’t asking nicely. Senior management at affected firms will be held personally accountable for client losses that result from cybersecurity control failures.

What the SFC is actually requiring

The circular targets two specific areas: client login authentication and device binding. In plain terms, the SFC wants platforms to make it significantly harder for attackers to impersonate users or hijack sessions, even if they’ve stolen a password.

Advertisement

The regulator explicitly called out one-time passwords as inadequate. OTPs, those six-digit codes texted to your phone, have long been considered a reasonable second factor of authentication. But they’re increasingly easy to intercept through SIM-swapping, man-in-the-middle attacks, and sophisticated phishing pages that relay codes in real time.

The SFC’s recommended alternatives include passkeys and bound devices. Passkeys use cryptographic key pairs tied to a specific device, meaning there’s nothing for a phisher to steal or relay.

The requirement applies to all SFC-licensed entities serving Hong Kong customers, which includes virtual asset trading platform operators (VATPs) licensed under the regulatory framework that took effect in 2023.

Part of a broader cybersecurity push

This isn’t a one-off directive. Circular 26EC35 follows another circular issued just five weeks earlier, 26EC32, which was released on June 2 and focused specifically on countering AI-enabled cyber threats. The SFC is clearly building a layered regulatory response to what it sees as an escalating threat environment.

By requiring phishing-resistant authentication at the protocol level, the SFC is essentially saying: stop relying on users to spot fakes and start making the fakes technically unable to work. The accountability clause adds real teeth. When the SFC says senior management bears responsibility for compliance failures and resulting client losses, that’s not boilerplate language.

What this means for investors and the competitive landscape

For retail traders using Hong Kong-licensed platforms, the practical impact should be straightforward: expect to set up passkeys or register specific devices for login over the coming year.

For the platforms themselves, the compliance costs are real but manageable. Implementing passkey support requires engineering work, updated user flows, customer education, and likely a parallel transition period where old and new authentication methods coexist. Smaller operators with lean technical teams may feel the squeeze more acutely than larger, well-capitalized exchanges.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months

Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months

The SFC wants one-time passwords gone and passkeys in, with senior management personally on the hook for any client losses from cybersecurity failures.

Hong Kong’s Securities and Futures Commission just told every licensed crypto exchange and online broker in its jurisdiction to ditch one-time passwords and adopt phishing-resistant login systems. They have 12 months to comply. Large internet brokers don’t even get that grace period, they’re expected to move immediately.

The directive, issued as Circular 26EC35 on July 9, arrives at a moment when phishing attacks and account takeovers have become a persistent headache across the digital asset industry. The SFC isn’t asking nicely. Senior management at affected firms will be held personally accountable for client losses that result from cybersecurity control failures.

What the SFC is actually requiring

The circular targets two specific areas: client login authentication and device binding. In plain terms, the SFC wants platforms to make it significantly harder for attackers to impersonate users or hijack sessions, even if they’ve stolen a password.

Advertisement

The regulator explicitly called out one-time passwords as inadequate. OTPs, those six-digit codes texted to your phone, have long been considered a reasonable second factor of authentication. But they’re increasingly easy to intercept through SIM-swapping, man-in-the-middle attacks, and sophisticated phishing pages that relay codes in real time.

The SFC’s recommended alternatives include passkeys and bound devices. Passkeys use cryptographic key pairs tied to a specific device, meaning there’s nothing for a phisher to steal or relay.

The requirement applies to all SFC-licensed entities serving Hong Kong customers, which includes virtual asset trading platform operators (VATPs) licensed under the regulatory framework that took effect in 2023.

Part of a broader cybersecurity push

This isn’t a one-off directive. Circular 26EC35 follows another circular issued just five weeks earlier, 26EC32, which was released on June 2 and focused specifically on countering AI-enabled cyber threats. The SFC is clearly building a layered regulatory response to what it sees as an escalating threat environment.

By requiring phishing-resistant authentication at the protocol level, the SFC is essentially saying: stop relying on users to spot fakes and start making the fakes technically unable to work. The accountability clause adds real teeth. When the SFC says senior management bears responsibility for compliance failures and resulting client losses, that’s not boilerplate language.

What this means for investors and the competitive landscape

For retail traders using Hong Kong-licensed platforms, the practical impact should be straightforward: expect to set up passkeys or register specific devices for login over the coming year.

For the platforms themselves, the compliance costs are real but manageable. Implementing passkey support requires engineering work, updated user flows, customer education, and likely a parallel transition period where old and new authentication methods coexist. Smaller operators with lean technical teams may feel the squeeze more acutely than larger, well-capitalized exchanges.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.