Hong Kong's Securities and Futures Commission (HKSFC) has ordered internet brokers and virtual asset trading platform (VATP) operators to stop using one-time passwords (OTP) for client logins and device binding. The regulator, acting on 9 Jul as losses from increasingly sophisticated online fraud climb, told firms to adopt more robust methods instead.
Hong Kong Orders Crypto Platforms, Online Brokers To Drop One-Time Passwords
The HKSFC warned it will hold firms accountable for client losses where weak controls allow large-scale unauthorised trades following a hack, shifting the cost of prevention onto brokers and platforms rather than their customers. Senior management carries ultimate responsibility for account security, it said.
12-month deadline
The city's main markets regulator said the measures must be implemented "as soon as practicable," and no later than 12 months from the date of the circular, or 8 Jul 2027. It ordered large online brokers to adopt the stronger alternatives immediately. An OTP is a single-use security code generated to verify a user's identity for one login session or transaction.
Phishing is a cyberattack in which criminals impersonate trustworthy organizations or individuals to trick users into revealing sensitive information, sending money or downloading malware. The SFC said phishing accounted for 57% of the cybersecurity incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) in 2025.
The SFC said firms should instead use methods including passkeys and bound devices, which are specific phones or computers digitally locked to a user's account.
More sophisticated phishing
"Protecting client accounts from increasingly sophisticated and elusive phishing attacks requires holistic measures combining prevention, detection, response and education," said Dr Eric Yip, the SFC's executive director of intermediaries. "Licensed firms should strengthen their first line of defence with robust authentication solutions, stay alert to suspicious activities and respond swiftly before harm is done."
“Hong Kong is taking one of the most decisive positions among major Asia regulators,” a global digital assets security firm told Sandmark. “We expect this to accelerate security spending and gap assessments across both the online brokerage and licensed Virtual Asset Trading Platform (VATP) segments.”
Fraud losses
Hong Kong, one of the world's major financial hubs and an active developer of Web3 products including cryptocurrencies and stablecoins, recorded 9,427 fraud cases and HK$1.85bn ($236mn) in losses in the first quarter, according to The Standard, citing police data.
While there was no breakdown of online or phishing-related losses for the quarter, a single victim lost HK$84.8mn ($10.8mn) to an investment scheme, police data showed.
Online scams
Deception cases totalled 43,212 in 2025 and losses reached HK$8.1bn ($1.03bn), down from HK$9.2bn ($1.17bn) the previous year, with online investment scams accounting for HK$3.58bn ($457mn).
Phishing cases fell to 1,093 in 2025 while losses rose 113% to HK$110mn ($14mn), according to RTHK, citing police data. Although cases fell, the jump in losses points to more sophisticated scams, larger transfers and more account-takeover attacks.
The data also suggest social platforms remain a major channel, especially Meta-owned apps such as Facebook, WhatsApp and Instagram.
Weak link
"The SFC's move reflects a broader global regulatory shift. OTPs are a known weak link against phishing, and as fraudsters raise their game, brokers and VATPs need to do the same," said Musheer Ahmed, founder of regulatory and policy advisory firm Finstep Asia. He noted that in-app authentication and device binding are already being adopted in other major jurisdictions.
"This direction is fully consistent with the HKMA's e-banking security requirements introduced last year," he added.
HKMA guidelines
The Hong Kong Monetary Authority (HKMA) updated its E-Banking Security ABCD framework on 25 Aug 2025, requiring banks to phase out SMS OTPs for app-based authentication and to add real-time, AI-powered liveness detection to counter deepfake attacks. The framework also requires banks to give customers controls to deactivate high-risk functions and to send real-time alerts for transactions to flagged accounts.
Hong Kong's move mirrors action elsewhere in Asia. Singapore has progressively removed SMS OTPs for bank logins in favour of encrypted, app-based digital tokens, while Japan encourages a hybrid approach in which major brokers voluntarily adopt biometric passkeys while still allowing legacy password fallbacks. South Korea relies on hardware-centric security, requiring physical Smart OTP cards tapped against phones via NFC alongside a blockchain-backed Mobile ID network.