Key Highlights
- Hong Kong’s Securities and Futures Commission (SFC) has introduced new cybersecurity requirements for licensed crypto platforms.
- Virtual asset trading platforms must replace one-time password (OTP) logins with stronger anti-phishing authentication methods.
- The regulator cited rising spoofing attacks and crypto account takeover incidents.
Hong Kong’s Securities and Futures Commission (SFC) has introduced stricter cybersecurity requirements for licensed cryptocurrency trading platforms, requiring exchanges to strengthen customer authentication as phishing attacks and account takeover scams become increasingly sophisticated.
In a circular issued on Thursday, the regulator instructed licensed virtual asset trading platforms (VATPs) and online brokerages to adopt authentication methods that are more resistant to spoofing and fraud, marking another step in Hong Kong’s expanding regulatory framework for digital assets.
The move comes as the city continues strengthening oversight of licensed crypto businesses following the rollout of its virtual asset licensing regime.
SFC moves away from one-time passwords
The regulator said one-time password (OTP) authentication for customer login and device binding no longer provides sufficient protection against modern phishing campaigns. Instead, the SFC directed firms to adopt stronger alternatives such as passkeys and device binding, which are designed to prevent attackers from impersonating legitimate users.
According to the regulator, the changes are necessary because spoofing attacks targeting customer login credentials have become increasingly common. Licensed firms are expected to implement the new authentication framework as soon as practicable, with full compliance required within 12 months. The SFC said larger online brokerages should begin adopting the stronger authentication methods immediately.
Exchanges must improve fraud detection
Beyond login security, the SFC also instructed crypto platforms to strengthen monitoring of suspicious account activity.
The regulator expects firms to monitor unusual login attempts, trading behavior, and withdrawal requests while notifying customers of significant account activity and responding promptly to suspected hacking incidents. Licensed firms should also regularly educate customers about phishing scams and emerging cybersecurity risks.
Commenting on the new requirements, Dr. Eric Yip, Executive Director of the SFC’s Intermediaries Division, said protecting customer accounts requires more than stronger authentication alone.
“To protect client accounts from increasingly sophisticated and varied phishing attacks, a comprehensive approach combining prevention, detection, response, and education is necessary.” He added that firms should strengthen their first line of defense while remaining vigilant against suspicious activity.
The SFC also warned that senior management remains responsible for ensuring adequate safeguards are in place. According to the regulator, licensed firms could be held accountable if customers suffer losses because of deficiencies in internal controls.
The warning underscores the regulator’s growing focus on operational resilience as crypto platforms become increasingly integrated into Hong Kong’s regulated financial system.
Part of Hong Kong’s broader crypto regulatory push
The cybersecurity measures are the latest in a series of regulatory initiatives aimed at expanding oversight of the city’s digital asset sector. Earlier this year, the SFC proposed new licensing requirements for firms providing crypto advisory and dealing services, seeking to align crypto regulation more closely with the standards governing traditional financial institutions.
The latest guidance shifts that focus toward cybersecurity and investor protection, reflecting growing concern over phishing attacks and digital asset theft as licensed crypto platforms continue expanding their operations.
The SFC also urged investors to strengthen their account security by using strong passwords, accessing trading platforms only through official websites and apps, regularly monitoring account activity, and promptly reporting any unauthorized transactions.
The regulator said stronger authentication measures, enhanced monitoring, and greater user awareness will be key to mitigating the evolving cyber threats facing digital asset investors.
Also read: Kresus Launches Crypto Inheritance Tool for Self-Custody Wallets
