HomeMarket News

Hong Kong Orders Crypto Platforms to Replace OTP Logins With Stronger Security Measures

Hong Kong Orders Crypto Platforms to Replace OTP Logins With Stronger Security Measures

  • Hong Kong ordered crypto platforms and brokerages to replace one-time password logins with stronger authentication within twelve months immediately nationwide.
  • Regulators also require firms to monitor suspicious logins, trades and withdrawals while notifying customers about significant account activity without delay.
  • Senior management will remain accountable for cybersecurity failures as authorities warn weak internal controls could leave firms liable for losses.

 


Hong Kong’s Securities and Futures Commission has instructed licensed virtual asset trading platforms and internet brokerage firms to phase out one-time password logins and adopt stronger authentication methods under new cybersecurity requirements. The move aims to strengthen customer account protection as financial institutions face increasingly sophisticated cyber threats.


The regulator announced the new requirements in a circular issued on Thursday. Under the directive, firms must stop using one-time passwords for customer logins and device registration. Instead, they should implement authentication methods such as passkeys and device binding, which offer stronger protection against impersonation attacks.


Moreover, the Securities and Futures Commission said affected firms should introduce the changes as soon as practicable. While all licensed institutions have up to 12 months to comply, the regulator urged larger internet brokerage firms to begin implementing the new authentication systems immediately.


Also Read: Shiba Eternity Comeback Nears as SHIB Veteran Teases Major Updates for Ecosystem


New Measures Extend Beyond Login Security

Besides replacing one-time passwords, the regulator directed firms to improve their ability to detect suspicious account activity. Licensed institutions must deploy monitoring systems that can identify unusual login attempts, trading patterns, and withdrawal requests before customer assets are put at risk.


Additionally, firms must notify customers promptly whenever significant account activity occurs. They must also respond quickly to suspected hacking incidents and continue educating users about phishing campaigns, spoofing schemes, and other emerging cybersecurity threats.


The Securities and Futures Commission said the measures respond to the growing number of cyber incidents targeting online financial services. Data from the Hong Kong Cyber Security Incident Coordination Centre showed that spoofing attacks represented 57% of all reported cybersecurity incidents during 2025.


Dr. Yip Chi-hang, Executive Director of the SFC’s Intermediaries Division, said licensed institutions need a comprehensive approach that combines prevention, detection, response, and customer education to counter increasingly sophisticated phishing attacks. He added that firms should strengthen authentication systems, remain alert to suspicious activity, and respond before financial losses occur.


Senior Management Faces Greater Accountability

Furthermore, the regulator reminded senior management that responsibility for protecting customer accounts ultimately rests with company leadership. Executives must ensure their organizations maintain effective internal controls and adequate cybersecurity safeguards.


Consequently, the Securities and Futures Commission warned it will hold licensed firms accountable if customers suffer losses because of weaknesses in their internal security controls. The regulator expects institutions to strengthen governance alongside technical defenses as cyber threats continue to evolve.


The latest directive highlights Hong Kong’s continued effort to raise cybersecurity standards across its regulated financial sector while strengthening trust in its digital asset ecosystem.


Also Read: Stellar Trading Volume Jumps 303% as XLM Protocol 27 Upgrade Drives Activity