Hong Kong orders crypto firms to drop OTPs by July 2027

Hong Kong’s SFC ordered licensed crypto platforms and internet brokers to stop using OTPs for logins and device binding by July 8, 2027; firms can be held liable for client losses.

The Securities and Futures Commission ordered licensed virtual asset trading platforms and internet brokers in Hong Kong to stop using one-time passwords for customer logins and for registering or binding new devices by July 8, 2027. The regulator set that date as a firm deadline for switching to authentication methods that resist phishing.

The circular notes that OTPs do not provide adequate protection against phishing attacks and should not be used at those access points. Firms may continue to use OTPs for other functions. Clients do not need to rebind devices that are already linked.

The requirement covers licensed virtual asset service providers and internet brokers operating in Hong Kong. Large internet brokers are expected to deploy stronger authentication immediately, while other covered firms have a 12-month window to meet the standard before the July 8, 2027 cutoff.

Monitoring and incident-response duties take effect immediately. Firms must strengthen client notifications, account monitoring and surveillance now and suspend or restrict accounts at the first signs of fraud. The regulator highlighted indicators such as irregular login attempts, new-device activity, trading that departs from a client’s history, and withdrawals of funds or virtual assets.

Acceptable alternatives include passkeys based on public-key cryptography, which keep a private key on the user’s device or in a passkey manager and prevent the credential from being entered on a phishing site. The regulator also allows device binding that uses robust verification along with an additional factor, such as a biometric check or an account password.

Platforms must notify clients promptly of successful logins and higher-risk account changes, including registration or revocation of passkeys and the addition of new devices. Firms are expected to detect and respond quickly to breaches and anomalies during the transition away from OTPs.

The directive follows phishing campaigns in 2025 in which attackers sent text messages with links that impersonated brokers or regulators. Customers who entered credentials and one-time passcodes on fake websites enabled attackers to hijack sessions and transfer assets.

The regulator linked the technical requirements to firms’ duty to protect clients from theft and fraud, warning that inadequate controls that fail to prevent, detect or halt large-scale unauthorized transactions could leave firms responsible for client losses. Senior managers responsible for operations and information technology are accountable for implementing and maintaining the new measures.

Articles by this author