Hong Kong Securities and Futures Commission (SFC) tightened login rules for crypto platforms and online brokers on Thursday, raising security obligations across licensed firms. The regulator ordered firms to replace one-time passwords for logins and device registration with phishing-resistant authentication systems across client access. The directive targets account takeovers, spoofing, and fraud as attackers test online financial platforms under the Hong Kong SFC framework.
Hong Kong SFC orders stronger platform logins
Hong Kong SFC issued the circular to licensed virtual asset trading platforms and internet brokerage firms operating in Hong Kong. The order covers customer login authentication and device binding, which attackers often exploit during account compromise attempts in real attacks. Firms must stop using one-time passwords sent by SMS, email, or app-based systems for these key functions during account access.
The regulator said platforms should adopt passkeys, registered devices with cryptographic verification, and hardware security keys for access control systems. These tools reduce impersonation risk because attackers cannot easily steal, copy, or relay login credentials during active phishing attacks. Hong Kong SFC said firms must implement the measures as soon as practicable within the next 12 months from issuance.
Large internet brokerage firms face a faster timetable because the regulator expects immediate adoption of stronger authentication systems. The circular therefore creates one baseline for all covered firms and higher urgency for larger online brokers and platforms. It also links login security with wider controls for client account protection, asset safety, and operational resilience.
Licensed firms face tougher fraud controls
SFC also told firms to strengthen surveillance for suspicious logins, trading instructions, withdrawal requests, and related activity. The regulator expects systems that detect unusual account behavior before losses spread across customer accounts and connected platform functions. Firms must also notify clients promptly when significant account activity occurs on accounts, registered devices, or linked trading profiles.
The circular places responsibility on senior management at licensed firms and virtual asset trading platforms under the new requirements. Executives must ensure proper controls protect customer accounts, client data, customer assets, and platform access across daily operations. Hong Kong SFC said it will hold firms accountable for customer losses caused by internal control deficiencies or security failures.
The regulator connected the rules with a wider campaign against fraud, spoofing, and account takeover threats across online channels. It cited security data showing spoofing attacks dominated reported Hong Kong cybersecurity incidents during 2025. Spoofing represented 57% of reported security incidents that year, according to the regulator’s public statement on Thursday.
Crypto platforms face new security deadline
Global crypto platforms have faced major phishing losses, and Hong Kong’s rules address the same risk channel for customers. Industry reports linked phishing and social engineering scams to large losses across digital assets during early 2026. Hong Kong SFC framed stronger authentication as part of prevention, detection, response, and customer education across regulated firms.
Doctor Yip Chi-hang said licensed institutions should “remain vigilant against suspicious activity” under the strengthened framework for online firms. He serves as Executive Director of the Intermediaries Division at the Securities and Futures Commission, which oversees licensed intermediaries. He also said firms need prevention, detection, response, and education to protect client accounts and customer assets on platforms.
The requirements follow an earlier June circular on AI-enabled cyber threats and reflect tighter supervisory attention. Hong Kong SFC now wants technical safeguards that reduce dependence on customers spotting fake websites or messages. The latest order also gives platforms a clear deadline for replacing older login and device-binding methods.
Hong Kong SFC said the new requirements will change how users access licensed brokers and crypto platforms. Customers may need passkeys, hardware keys, or registered devices when platforms complete system upgrades. SFC ended the circular by stressing management responsibility for protecting customer accounts and assets.



