Hong Kong orders crypto platforms to replace OTP logins by 2027

Hong Kong is tightening login security for licensed crypto platforms, and the change carries real liability for firms. The Securities and Futures Commission said virtual asset service providers and internet brokers must stop using one-time passwords for client logins and new device registration by July 8, 2027, replacing them with phishing-resistant authentication.
The rule targets two high-risk points: logging in and binding a new device. Other OTP uses can remain. Firms also do not need to make existing customers rebind devices that are already linked. Large internet brokers are expected to move right away, while the wider group has 12 months to comply.
The SFC said the shift follows phishing campaigns reported in 2025, when attackers used fake text messages and spoofed websites to collect login details and passcodes, then accessed accounts and moved funds. It wants firms to watch for unusual logins, new-device activity, trading that falls outside a client's usual pattern, and withdrawals of funds or virtual assets.
Platforms must also improve alerts, surveillance, and incident response now. Clients should receive prompt notices for successful logins and higher-risk account changes, including new devices and passkey updates. If weak controls fail to prevent or stop large-scale unauthorized transactions after an incident, the firm can be held responsible for client losses.
◆ Source
Originally published by CryptoSlate on July 10, 2026.
◆ Build with us
Every event, verified and scored. One API call away.


