
Hong Kong's Securities and Futures Commission (SFC) has directed internet brokers and licensed virtual asset trading platform operators (VATPs) to adopt phishing-resistant authentication methods for client login and device binding, strengthening cybersecurity as phishing attacks continue to target investor accounts.
Under a circular issued on 9 July, firms must phase out the use of one-time passwords (OTPs) for login and device binding, replacing them with stronger authentication methods such as passkeys and bound devices. The SFC said all licensed firms should implement the new measures as soon as practicable and no later than 12 months after the circular's issuance, while large internet brokers are expected to adopt them immediately.
Beyond stronger authentication, the regulator expects firms to enhance monitoring systems capable of detecting suspicious login attempts, trading activity and withdrawals, promptly notify clients of significant account events, respond quickly to hacking incidents, and regularly educate clients about emerging phishing and cybersecurity threats.
The SFC also reminded senior management that they are ultimately responsible for safeguarding client accounts and assets, warning that firms may be held accountable for client losses resulting from inadequate cybersecurity controls.
The move follows growing concerns over phishing attacks, which accounted for 57% of all security incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre in 2025. It also builds on the SFC's February 2025 guidance encouraging licensed firms to move away from OTP-based authentication.