Hong Kong SFC Orders Crypto Platforms to Phase Out OTP Logins by 2026

iconNS3
Share
AI summary iconSummary

Key Point

The Hong Kong SFC issued a circular requiring internet brokerage firms and virtual asset trading platforms to stop using OTPs for customer login and device binding. Firms must adopt alternatives such as passkeys and device binding that can prevent impersonation. The SFC set a deadline of 12 months from the circular's issuance date and said large internet brokerage firms should adopt the new authentication methods immediately. Hong Kong Cyber Security Incident Coordination Centre data shows spoofing attacks accounted for 57% of all reported security incidents in 2025. The SFC also said firms must monitor suspicious login, trading, and withdrawal activity and notify clients of significant account activity.

Why it matters: Stronger login controls could reduce account-takeover risk and raise compliance expectations for regulated crypto access channels.

Market Sentiment

Neutral, Regulatory-driven.

Reason: The Hong Kong SFC's OTP phaseout changes platform compliance obligations rather than creating a direct liquidity or demand catalyst.

Similar Past Cases

Singapore's MAS and IMDA announced that the Shared Responsibility Framework for phishing scams would be implemented on 16 December 2024, shifting compliance accountability for scam-loss duties across financial institutions and telcos. (IMDA) The difference is that the Hong Kong measure targets authentication infrastructure at internet brokers and virtual asset trading platforms.

Ripple Effect

Mandatory authentication upgrades could raise compliance costs and reduce account-takeover risk for regulated platforms. If firms disclose faster rollout plans, then the market may read the circular as contained operational tightening. If account-takeover incidents continue after stronger authentication is deployed, then scrutiny could shift toward surveillance systems and loss responsibility.

Opportunities & Risks

Opportunities: If firms publish passkey and device-binding rollout schedules before the 12-month deadline, then stronger security controls can become a venue-quality filter. When large internet brokerage firms adopt the new methods immediately, then lower login-risk perception may support user confidence in regulated channels.

Risks: If a platform misses the 12-month deadline or reports hacking losses tied to weak controls, then reducing venue exposure limits custody and access risk. If new authentication creates login friction, then users may shift activity toward platforms with smoother compliance execution.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.