Skip to content

Hong Kong SFC tightens login rules for crypto platforms

Hong Kong SFC tightens login rules for crypto platforms
Share this article

Hong Kong Securities and Futures Commission (SFC) tightened login rules for crypto platforms and online brokers on Thursday, raising security obligations across licensed firms. The regulator ordered firms to replace one-time passwords for logins and device registration with phishing-resistant authentication systems across client access. The directive targets account takeovers, spoofing, and fraud as attackers test online financial platforms under the Hong Kong SFC framework.

Hong Kong SFC orders stronger platform logins

Hong Kong SFC issued the circular to licensed virtual asset trading platforms and internet brokerage firms operating in Hong Kong. The order covers customer login authentication and device binding, which attackers often exploit during account compromise attempts in real attacks. Firms must stop using one-time passwords sent by SMS, email, or app-based systems for these key functions during account access.

The regulator said platforms should adopt passkeys, registered devices with cryptographic verification, and hardware security keys for access control systems. These tools reduce impersonation risk because attackers cannot easily steal, copy, or relay login credentials during active phishing attacks. Hong Kong SFC said firms must implement the measures as soon as practicable within the next 12 months from issuance.

Large internet brokerage firms face a faster timetable because the regulator expects immediate adoption of stronger authentication systems. The circular therefore creates one baseline for all covered firms and higher urgency for larger online brokers and platforms. It also links login security with wider controls for client account protection, asset safety, and operational resilience.

Licensed firms face tougher fraud controls

SFC also told firms to strengthen surveillance for suspicious logins, trading instructions, withdrawal requests, and related activity. The regulator expects systems that detect unusual account behavior before losses spread across customer accounts and connected platform functions. Firms must also notify clients promptly when significant account activity occurs on accounts, registered devices, or linked trading profiles.

The circular places responsibility on senior management at licensed firms and virtual asset trading platforms under the new requirements. Executives must ensure proper controls protect customer accounts, client data, customer assets, and platform access across daily operations. Hong Kong SFC said it will hold firms accountable for customer losses caused by internal control deficiencies or security failures.

The regulator connected the rules with a wider campaign against fraud, spoofing, and account takeover threats across online channels. It cited security data showing spoofing attacks dominated reported Hong Kong cybersecurity incidents during 2025. Spoofing represented 57% of reported security incidents that year, according to the regulator’s public statement on Thursday.

Crypto platforms face new security deadline

Global crypto platforms have faced major phishing losses, and Hong Kong’s rules address the same risk channel for customers. Industry reports linked phishing and social engineering scams to large losses across digital assets during early 2026. Hong Kong SFC framed stronger authentication as part of prevention, detection, response, and customer education across regulated firms.

Doctor Yip Chi-hang said licensed institutions should “remain vigilant against suspicious activity” under the strengthened framework for online firms. He serves as Executive Director of the Intermediaries Division at the Securities and Futures Commission, which oversees licensed intermediaries. He also said firms need prevention, detection, response, and education to protect client accounts and customer assets on platforms.

The requirements follow an earlier June circular on AI-enabled cyber threats and reflect tighter supervisory attention. Hong Kong SFC now wants technical safeguards that reduce dependence on customers spotting fake websites or messages. The latest order also gives platforms a clear deadline for replacing older login and device-binding methods.

Hong Kong SFC said the new requirements will change how users access licensed brokers and crypto platforms. Customers may need passkeys, hardware keys, or registered devices when platforms complete system upgrades. SFC ended the circular by stressing management responsibility for protecting customer accounts and assets.

About The Coin Headlines

The Coin Headlines strives to bring trust into crypto media. At a time when every soundbite and headline can move the markets from red to green and vice-versa, The Coin Headlines promises to bring verified, credible and timely news and analysis from the world of crypto, blockchain, Web3, tech and markets. Founded in 2026, The Coin Headlines is based in the UAE with a team of experienced journalists and editors covering breaking news and updates from around the world.

From covering the biggest events to interviewing some of the most popular KOLs in the industry, The Coin Headlines keeps you informed of the latest trends and insights.

At The Coin Headlines our focus is clear: Real-time news updates, market movements, whale transfers, macroeconomic trends, tech and AI and geopolitical breaking news. The news we report goes through a strict editorial audit before its published to ensure the readers only get verified and credible information. We realize the world of crypto is dynamic, volatile, and many times, confusing. At The Coin Headlines we break down these complex issues into simple articles which cater to not just the experienced trader but also the student and first-time investor who wants to understand the space before committing to it.