Breaking

Why Hong Kong’s OTP ban resets crypto operational security

Why Hong Kong's OTP ban resets crypto operational security

Hong Kong’s Securities and Futures Commission has ordered licensed virtual asset trading platforms and internet brokers to stop using one-time passwords for client login and device binding, with a hard deadline of July 8, 2027 — and, more consequentially, has attached senior-management accountability for client losses arising from control failures. The supervisory frontier for crypto has moved from who holds a licence to how they run the platform.

SFC Circular 26EC35, issued on July 9, 2026, requires internet brokers and virtual asset trading platform (VATP) operators to replace one-time passwords (OTPs) with phishing-resistant authentication for two specific processes: client login and device binding. Passkeys and bound devices are the named examples of acceptable alternatives. Large internet brokers are expected to deploy immediately; the broader population has 12 months, expiring July 8, 2027. Monitoring and incident-response obligations bite now, not next year. This analysis walks through what the circular actually requires, how Hong Kong compares to the European Union, Singapore, the United Kingdom and the United States, the enforcement precedent that gives the accountability language teeth, and what compliance teams need in place before the deadline.

Key Facts

• SFC Circular 26EC35 was issued on July 9, 2026; the compliance deadline is July 8, 2027 — 12 months from issue
• In scope: licensed internet brokers and virtual asset trading platform (VATP) operators in Hong Kong
• OTPs are prohibited for two processes only — client login and device binding; other OTP uses are unaffected, and existing bound devices need not be re-bound
• Monitoring and incident-response controls take effect immediately, not at the 12-month mark
• Firms may be held accountable for client losses where inadequate controls fail to prevent, detect or stop large-scale unauthorised transactions after a hacking incident
• Phishing accounted for 57% of security incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre in 2025
• The circular follows a June 2, 2026 SFC circular on AI-enabled cyber threats, which placed primary responsibility on senior management

Methodology and sources

This analysis is built on SFC Circular 26EC35 (July 9, 2026) and the SFC’s earlier June 2, 2026 circular on AI-enabled cyberattacks, read alongside the comparable operational-resilience and authentication regimes in four other jurisdictions: the European Union’s Digital Operational Resilience Act (DORA), the Monetary Authority of Singapore’s Notice on Cyber Hygiene, the Financial Conduct Authority’s operational resilience policy statement PS21/3, and the US Securities and Exchange Commission’s amendments to Regulation S-P.

The time window is June 2025 to July 2026. Jurisdictional scope is limited to regimes that impose authentication or operational-resilience obligations on licensed intermediaries handling client assets. Secondary analysis is drawn from law-firm client alerts, including Davis Polk and Timothy Loh LLP. One caveat: the SFC has not published a technical standard specifying which authentication methods qualify as phishing-resistant, so the boundary of compliance is, at the time of writing, a matter of firm-level judgement against a principles-based rule.

What Circular 26EC35 actually requires

The circular is narrower than the headlines suggest, and more demanding than its narrowness implies. It does not ban OTPs across the board. It bans them for two processes — logging a client in, and binding a new device to that account — on the reasoning that both are precisely the points a phishing operator attacks. An OTP that a user can be socially engineered into reading aloud, or typing on a spoofed page, provides no protection at the exact moment protection matters.

The SFC’s remedy is phishing-resistant authentication, with passkeys and bound devices given as examples. Both share a property OTPs lack: the credential is cryptographically bound to the origin, so it cannot be replayed against a fraudulent site. Firms need not re-bind devices clients have already registered, which materially reduces the migration burden.

What is a phishing-resistant authentication requirement? A phishing-resistant authentication requirement obliges a regulated firm to use credentials that cannot be captured and replayed by an attacker who has tricked a client into surrendering them. Under SFC Circular 26EC35, issued July 9, 2026, one-time passwords no longer satisfy this standard for client login or device binding, because a code read out to a fraudster or entered on a spoofed page authenticates the fraudster. Passkeys and bound devices are cited as compliant alternatives because the credential is cryptographically tied to the legitimate domain and cannot be transferred. Licensed Hong Kong internet brokers and virtual asset trading platforms have until July 8, 2027 to comply, with large brokers expected to move immediately and monitoring duties effective from issue.

The timing asymmetry deserves attention. The 12-month runway applies to the authentication change — a genuine engineering project. The monitoring and incident-response obligations apply immediately. A firm suffering a large-scale account-takeover event in November 2026 cannot point to the July 2027 deadline as a shield: the duty it will be measured against is the duty to detect and contain, which is already live.

How five jurisdictions compare

Jurisdiction / Regulator Instrument Effective date Key requirement Accountability mechanism
Hong Kong (SFC) Circular 26EC35 Issued July 9, 2026; compliance July 8, 2027 Phishing-resistant authentication for client login and device binding; OTPs prohibited for those two processes Firms accountable for client losses where controls fail to prevent, detect or stop unauthorised transactions; senior management primary responsibility
EU (ESAs under DORA) Regulation (EU) 2022/2554 Applies from January 17, 2025 ICT risk management framework, incident classification and reporting, digital operational resilience testing, third-party ICT oversight Management body of the financial entity bears ultimate responsibility for ICT risk (Article 5)
Singapore (MAS) Notice on Cyber Hygiene August 6, 2020 Multi-factor authentication for administrative accounts on critical systems; security patching; malware protection; network perimeter defence Binding notice — breach is a regulatory contravention, not guidance
UK (FCA / PRA) PS21/3 operational resilience Rules from March 31, 2022; impact tolerances by March 31, 2025 Identify important business services, set impact tolerances, test ability to remain within them under severe but plausible scenarios Senior Managers and Certification Regime allocates individual accountability
US (SEC) Regulation S-P amendments Adopted May 16, 2024; compliance December 3, 2025 (larger entities) / June 3, 2026 (smaller) Written incident response programme; customer notification within 30 days of determining unauthorised access to sensitive customer information Enforcement via SEC examination and civil money penalties

Sources: SFC Circular 26EC35 (July 9, 2026); Regulation (EU) 2022/2554 (DORA); MAS Notice on Cyber Hygiene; FCA PS21/3; SEC Regulation S-P adopting release. Last updated: July 13, 2026.

Read across the table and a divergence appears that matters commercially. DORA, PS21/3 and Regulation S-P are all outcome regimes: they tell a firm to be resilient, to set tolerances, to have a plan, and they leave the technical means to the firm. The SFC has done something different. It has prescribed a control — a specific authentication property, for two specific processes, with a date.

That prescriptiveness is unusual for a principles-based regulator, and it is a deliberate response to a threat that outcome-based rules were not catching. Singapore’s Notice on Cyber Hygiene is the closest analogue, but its multi-factor authentication mandate reaches administrative accounts on critical systems — the firm’s own staff — rather than the retail client’s login. Hong Kong has extended the prescriptive perimeter to the customer-facing edge, which is where the money actually leaves.

Does the EU require phishing-resistant login for crypto platforms? Not explicitly. DORA, Regulation (EU) 2022/2554, has applied to EU financial entities including crypto-asset service providers since January 17, 2025, and it requires a comprehensive information and communication technology risk-management framework, incident classification and reporting, and resilience testing. But DORA is outcome-based: Article 5 places ultimate responsibility for ICT risk on the management body without mandating a specific authentication technology. A European crypto-asset service provider could, in principle, remain DORA-compliant while still using one-time passwords for client login, provided it could evidence that its overall ICT risk framework was adequate. Hong Kong’s Circular 26EC35 removes that discretion for its licensees. This is the sharpest point of divergence between the two regimes.

“Cybersecurity risk is one of the major challenges facing the financial industry and remains a top supervisory focus of the SFC in its oversight of licensed firms. As frontier AI models become more powerful and accessible, AI-enabled cyber threats are set to accelerate and complicate the tasks to detect and contain them. Senior management of licensed firms should shoulder primary responsibilities in gatekeeping firms’ cyber resilience and the security of client assets.”

Dr Eric Yip, Executive Director of Intermediaries, Securities and Futures Commission (The Standard)

Enforcement context: why the accountability language is not decorative

The provision that should concentrate minds is not the OTP ban. It is the statement that a firm can be held accountable for client losses where inadequate measures fail to prevent, detect and stop large-scale unauthorised transactions after a hacking incident. That converts a security control into a liability allocation, and there is precedent for regulators enforcing exactly that.

The clearest is the Financial Conduct Authority’s Final Notice against Tesco Personal Finance plc, dated October 1, 2018, which imposed a penalty of £16,400,000 following the November 2016 cyber attack on Tesco Bank’s debit card base. The FCA’s finding was not that Tesco Bank had been attacked — being attacked is not a breach. It was that the bank had failed to exercise due skill, care and diligence in designing and distributing its debit card, in configuring its authorisation system, and in responding to the incident once it was under way. The fraud ran for roughly 48 hours. The FCA’s case rested substantially on the detection-and-response failure, not merely the initial vulnerability.

That is precisely the shape of the duty the SFC has now made immediate. A Hong Kong VATP that suffers an account-takeover wave and cannot show that it detected the pattern and moved to contain it is exposed on the same reasoning, regardless of whether its authentication migration is still inside the 12-month window.

The SFC’s supervisory posture supports the reading. Its June 2, 2026 circular on AI-enabled cyberattacks already placed primary responsibility on senior management for cyber resilience and client-asset security. Circular 26EC35 is the second instrument in five weeks pointing at the same accountable persons — a supervisory programme, not two isolated notices.

What this means for brokers, VATPs and compliance teams

For internet brokers and VATP operators. The engineering task is a passkey or bound-device rollout across the login and device-binding flows, scoped and funded now: a 12-month deadline for a change touching every retail customer’s authentication journey is not generous. Large brokers should assume the SFC expects material progress well before July 2027. Existing bound devices do not need re-binding — the single largest cost concession in the document, and one to reflect in the migration plan rather than gold-plate away.

For legal and compliance teams. The immediate obligations are the monitoring and incident-response controls, and these need documentary evidence today. That means: a written incident-response plan naming decision-makers and escalation thresholds; documented detection logic for large-scale unauthorised transaction patterns; a tested ability to suspend affected accounts at speed; and board or senior-management minutes recording that the accountability position under 26EC35 has been considered. The Tesco Bank notice is instructive on what a regulator looks for after the fact — the question will be what you detected, when, and what you did in the hours that followed.

For fund managers and custodians. Counterparty diligence should now include the authentication posture of any Hong Kong platform holding assets. A platform without a committed migration plan carries a regulatory liability that could crystallise into an operational one.

For firms operating cross-border. The compliance ceiling is now Hong Kong’s. A group running a single authentication stack across EU, UK, Singapore and Hong Kong entities will find that meeting 26EC35 satisfies DORA, PS21/3 and the MAS notice on this specific control, while the reverse is not true. The rational architecture is to build to the strictest rule once, rather than maintain a Hong Kong exception.

“Our principle is same business, same risks, same rules.”

Julia Leung, Chief Executive Officer, Securities and Futures Commission (Bloomingbit)

Leung’s formulation is the honest defence of the circular, and also its most contestable claim. Applying the same rules to VATPs as to internet brokers is coherent. But the SFC has gone beyond parity — it has imposed a control that neither DORA nor Regulation S-P imposes on European or American competitors. The industry-side objection is that this is not “same rules” but a unilateral raising of the local bar, borne only by Hong Kong licensees. The SFC’s answer is that a 57% phishing share of reported incidents is not hypothetical, and that outcome-based regimes have had five years to solve this and have not.

What’s next: the forward view

Three things are worth watching before July 8, 2027.

First, whether the SFC publishes a technical standard defining phishing-resistant authentication. The circular names passkeys and bound devices as examples, not an exhaustive list. Firms deploying alternatives — hardware security keys, or app-based cryptographic attestation — are making a compliance judgement without a safe harbour. Expect industry pressure for clarification, and expect the SFC to resist over-specifying.

Second, Hong Kong’s broader virtual-asset legislative programme. The SFC and the Financial Services and the Treasury Bureau have signalled that proposals to regulate virtual asset dealers and custodians will go to the Legislative Council during 2026, after a consultation that drew more than 190 responses. Authentication and client-asset security are likely to appear there as statutory obligations rather than circular-level expectations — changing the enforcement toolkit from supervisory action to statutory penalty.

Third, whether other regulators follow. The interesting test is the EU. DORA’s outcome-based architecture is philosophically committed to technology neutrality, and mandating a specific authentication property cuts against that. But if Hong Kong’s licensees demonstrate that the migration is achievable inside 12 months, the “too prescriptive” objection loses force. The FCA has already shown it is willing to diverge from EU templates where it thinks the EU has under-reached, and operational security is a plausible next site of divergence.

TL;DR

SFC Circular 26EC35, issued July 9, 2026, bars Hong Kong internet brokers and virtual asset trading platforms from using one-time passwords for client login and device binding, requiring phishing-resistant methods such as passkeys or bound devices by July 8, 2027. Large brokers are expected to move immediately. Critically, monitoring and incident-response duties apply now, and firms may be held accountable for client losses where controls fail to detect or contain large-scale unauthorised transactions — the same reasoning the FCA used to fine Tesco Bank £16.4 million in 2018. Phishing represented 57% of incidents reported to Hong Kong’s CERT coordination centre in 2025. The compliance ceiling for cross-border groups is now Hong Kong’s.

FAQ

What does SFC Circular 26EC35 require?

It requires licensed internet brokers and virtual asset trading platform operators in Hong Kong to stop using one-time passwords for client login and device binding, and to adopt phishing-resistant authentication such as passkeys or bound devices. The circular was issued on July 9, 2026, with compliance required by July 8, 2027. Large internet brokers are expected to deploy immediately. Monitoring and incident-response obligations take effect from issue.

Are one-time passwords banned entirely in Hong Kong?

No. The prohibition applies to two processes only: client login and device binding or registration. Other uses of one-time passwords are unaffected by the circular. The SFC’s reasoning is that login and device binding are the specific points at which phishing attacks succeed, because a code surrendered to a fraudster or entered on a spoofed page authenticates the attacker rather than the client.

Do existing bound devices need to be re-registered?

No. The circular does not require firms to re-bind devices that clients have already linked to their accounts. This is a significant scoping concession, because a mandatory re-binding exercise across an entire retail client base would have been the most expensive element of compliance. Firms should reflect this in migration planning rather than voluntarily re-binding.

Can a firm be liable for client losses after a hack?

Under the circular, yes — where inadequate measures fail to prevent, detect and stop large-scale unauthorised transactions following a hacking incident. Being attacked is not itself a breach; failing to detect and contain is. The Financial Conduct Authority applied the same logic when it fined Tesco Personal Finance plc £16,400,000 on October 1, 2018 over the November 2016 debit card attack, where the detection-and-response failure was central to the finding.

How does Hong Kong compare with the EU under DORA?

DORA, Regulation (EU) 2022/2554, has applied since January 17, 2025 and requires a comprehensive ICT risk-management framework, incident reporting and resilience testing, with ultimate responsibility resting on the management body under Article 5. But it is outcome-based and does not mandate a specific authentication technology. Hong Kong has prescribed the control itself. A cross-border group meeting 26EC35 will satisfy DORA on this point; the reverse does not hold.

What should compliance teams do before the deadline?

Two workstreams run in parallel. The authentication migration to passkeys or bound devices is a 12-month engineering project and should be scoped and funded now. Separately, the monitoring and incident-response obligations are already live: firms need a documented incident-response plan with named decision-makers, detection logic for large-scale unauthorised transaction patterns, a tested account-suspension capability, and senior-management records showing the accountability position has been considered.

For related coverage, see our analysis of ASIC’s $300m CFD penalty and diverging retail rules, the SEC’s Regulation Crypto agenda, and the CFTC’s no-deny reversal on enforcement settlements. Primary reporting on the circular is available from CryptoSlate and FX News Group.

This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.

Rick Steves has seen business and economics through many lenses. He joined the financial services industry in 2009, and has been a financial journalist since 2011. He holds a degree in Business Administration and has experience producing real-time news, from both buy-side and sell-side, as well as for retail traders, brokers and service providers. Steves' work has appeared in a variety of online publications including FX Street, NewsBTC, FinanceFeeds, and The Industry Spread. Rick has great interest in the dynamics of the trading industry. The never-ending clash between technology, economics, regulation, and more importantly, the people.

Most Read

Related Posts

Imdustry insights

Stay Ahead

Get the latest news, insights, and market updates delivered to your inbox every day.

Enter your email address