Mondo Visione Worldwide Financial Markets Intelligence

FTSE Mondo Visione Exchanges Index:

Hong Kong Securities And Futures Commission Mandates Phishing-Resistant Authentication Methods For Internet Brokers And VATPs To Protect Client Accounts

Date 09/07/2026

The Securities and Futures Commission (SFC) today issued a circular requiring internet brokers and virtual asset trading platform operators (VATPs) to adopt phishing-resistant authentication methods for client login and device binding (Notes 1 and 2), amid the growing threat of phishing attacks involving stolen client credentials.

As part of its continued efforts to combat phishing attacks and account takeover incidents targeting clients of internet brokers and VATPs (Note 3), the SFC is requiring them to cease using one-time passwords (OTPs) for client login and device binding, given the associated risks and the availability of stronger authentication alternatives (Note 4). Passkeys and bound devices are examples of more robust, phishing-resistant authentication methods.

The SFC requires these phishing-resistant authentication measures for login and device binding to be implemented as soon as practicable but no later than 12 months from the issue of its circular. Large internet brokers are expected to adopt them immediately.

In addition to robust prevention controls, internet brokers and VATPs should implement effective monitoring and surveillance measures to detect suspicious login, trading and withdrawal activities, promptly notify clients of key account events, and respond to hacking incidents in a timely manner. They should also regularly alert and remind clients of emerging phishing and other cybersecurity risks.

"Protecting client accounts from increasingly sophisticated and elusive phishing attacks requires holistic measures combining prevention, detection, response and education," said Dr Eric Yip, the SFC’s Executive Director of Intermediaries. “Licensed firms should strengthen their first line of defence with robust authentication solutions, stay alert to suspicious activities, and respond swiftly before harm is done.”

The SFC reminds senior management of internet brokers and VATPs that they are ultimately responsible for implementing appropriate controls to protect client accounts and assets. The SFC will hold them accountable for any client losses that arise from lapses in their controls.

The SFC also reminds investors to stay vigilant in safeguarding their securities trading accounts and credentials. They should adopt prudent security measures, such as using strong and unique passwords, keeping their credentials and devices secure and up to date, and accessing their accounts only through official websites or mobile applications of their licensed corporations (LCs) and VATPs. They should also monitor their accounts regularly and promptly review account statements, transaction records and notifications for suspicious activities. If they suspect their credentials have been compromised or identify any unauthorised transactions, they should contact their LCs or VATPs immediately, secure their accounts, and report the matter to the relevant authorities.

Notes:

  1. Internet brokers refer to licensed corporations which are engaged in internet trading and are licensed for (i) Type 1 regulated activity (dealing in securities); (ii) Type 2 regulated activity (dealing in futures contracts); (iii) Type 3 regulated activity (leveraged foreign exchange trading); and/or (iv) Type 9 regulated activity (asset management) to the extent that they distribute funds under their management through their internet-based trading facilities.
  2. Device binding is used as one of the authentication methods, where the client binds or registers and links a mobile device/a computer with the internet brokers’/VATPs’ trading system and the mobile device/computer is recognised by its securely enrolled device attributes.
  3. Phishing attacks accounted for 57% of the security incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre in 2025.
  4. Since late 2024, the SFC has been closely monitoring the risks associated with OTPs and the development of alternative authentication methods for client login and device binding. The SFC strongly encouraged licensed corporations to stop using OTPs for these purposes in its Circular to licensed corporations - Cybersecurity review of licensed corporations dated 6 February 2025.