Sign up
Subscribe
Home / news / Hong Kong SFC orders new anti-phishing authentication rules for crypto platforms and online brokers
news

Hong Kong SFC orders new anti-phishing authentication rules for crypto platforms and online brokers

Hong Kong SFC orders new anti-phishing authentication rules for crypto platforms and online brokers

The Hong Kong Securities and Futures Commission (SFC) has told virtual asset trading platforms (VATPs) and online brokers in the special administrative region to replace weak login methods with phishing-resistant authentication. For high-risk payment and crypto operators, the point is simple: account takeover risk is now a compliance issue, not just an ops headache.

  1. The new rules prohibit one-time passwords via SMS, email, or app-based logins for VATPs and online brokers. Instead, the SFC wants stronger phishing-resistant methods such as passkeys, registered devices with cryptographic verification, and hardware security keys.
  2. Platforms have 12 months to implement the changes. The regulator also requires device binding, which ties access to specific registered devices rather than treating any freshly entered code as good enough.
  3. The SFC said the move is part of a broader effort to raise Hong Kong’s cybersecurity standards after the global crypto industry saw more phishing attacks and social engineering scams in the first quarter of 2026. Those incidents accounted for $306 million of the industry’s total losses of $482 million in the period.
  4. The announcement also pointed to local incident data: counterfeiting and fraud attacks made up 57% of the security incidents reported to the Hong Kong Cyber Security Accident Coordination Center in 2025.
  5. Dr. Ye Zhiheng, executive director of the Intermediaries Department of the China Securities Regulatory Commission, said that protecting customer accounts from increasingly complex and changing counterfeiting and fraud attacks requires “comprehensive measures” covering prevention, detection, response, and education.

For crypto platforms and brokers that rely on card acquiring, payouts, or custody-linked payment flows, the practical message is that the regulator now expects authentication design to do part of the fraud-prevention work. In other words, SMS OTP is no longer the comforting little checkbox it used to be.

Weekly high-risk digest

Regulation, sanctions and payment news across your verticals — once a week, free.

Please check your inbox and click the link to confirm your subscription.

Please enter a valid email address!