Key Point
The Hong Kong SFC issued a circular requiring internet brokerage firms and virtual asset trading platforms to stop using OTPs for customer login and device binding. Firms must adopt alternatives such as passkeys and device binding that can prevent impersonation. The SFC set a deadline of 12 months from the circular's issuance date and said large internet brokerage firms should adopt the new authentication methods immediately. Hong Kong Cyber Security Incident Coordination Centre data shows spoofing attacks accounted for 57% of all reported security incidents in 2025. The SFC also said firms must monitor suspicious login, trading, and withdrawal activity and notify clients of significant account activity.
Why it matters: Stronger login controls could reduce account-takeover risk and raise compliance expectations for regulated crypto access channels.
Market Sentiment
Neutral, Regulatory-driven.
Reason: The Hong Kong SFC's OTP phaseout changes platform compliance obligations rather than creating a direct liquidity or demand catalyst.
Similar Past Cases
Singapore's MAS and IMDA announced that the Shared Responsibility Framework for phishing scams would be implemented on 16 December 2024, shifting compliance accountability for scam-loss duties across financial institutions and telcos. (IMDA) The difference is that the Hong Kong measure targets authentication infrastructure at internet brokers and virtual asset trading platforms.
Ripple Effect
Mandatory authentication upgrades could raise compliance costs and reduce account-takeover risk for regulated platforms. If firms disclose faster rollout plans, then the market may read the circular as contained operational tightening. If account-takeover incidents continue after stronger authentication is deployed, then scrutiny could shift toward surveillance systems and loss responsibility.
Opportunities & Risks
Opportunities: If firms publish passkey and device-binding rollout schedules before the 12-month deadline, then stronger security controls can become a venue-quality filter. When large internet brokerage firms adopt the new methods immediately, then lower login-risk perception may support user confidence in regulated channels.
Risks: If a platform misses the 12-month deadline or reports hacking losses tied to weak controls, then reducing venue exposure limits custody and access risk. If new authentication creates login friction, then users may shift activity toward platforms with smoother compliance execution.
