According to the Securities and Futures Commission's circular published on July 9, internet brokers and licensed virtual asset trading platforms must replace one-time passwords with phishing-resistant authentication methods such as passkeys and device binding within 12 months, with larger brokers expected to implement the measures immediately. Senior management will remain responsible for protecting client assets, and firms must introduce monitoring systems to detect suspicious login attempts and respond rapidly to hacking incidents.
The directive follows growing concern that traditional OTPs no longer provide sufficient protection against increasingly sophisticated phishing campaigns. Phishing attacks accounted for 57% of all cybersecurity incidents reported to Hong Kong's Computer Emergency Response Team Coordination Centre during 2025, according to the SFC.