From the journal

Hong Kong SFC mandates phishing-resistant authentication for internet brokers and VATPs, July 2026

The Hong Kong Securities and Futures Commission issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators to replace one-time passwords with phishing-resistant authentication methods. Covered firms must implement passkeys or bound-device recognition for client login and device binding. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.

2 min read

The Securities and Futures Commission (SFC) issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators (VATPs) to replace one-time password (OTP) authentication with phishing-resistant methods. The SFC classified OTPs as insufficient against the current threat profile, which includes AI-enabled phishing, SIM-swapping, and deepfake social engineering attacks. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.

The circular grounds the obligation in General Principle 2 (diligence) and General Principle 5 (information security) of the Code of Conduct for Persons Licensed by or Registered with the SFC, issued under the Securities and Futures Ordinance (Cap. 571). Required replacement methods include passkeys and bound-device recognition mechanisms that do not rely on interceptable one-time codes. The circular's Appendix sets out detailed technical controls for firms subject to enhanced expectations.

Three categories of firms face enhanced expectations and must implement the full Appendix control set: licensed corporations engaged in electronic trading, specifically large retail brokers; depositaries of SFC-authorised collective investment schemes holding Type 13 licences; and VATPs licensed under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). All other licensed corporations with internet-facing client systems must upgrade authentication but have a 12-month compliance window.

The circular accompanies earlier June 2026 SFC guidance on AI-enabled cyber threats addressing broader cybersecurity governance at the firm level. The authentication mandate converts that guidance into a concrete technical obligation. Open questions include how VATPs operating through omnibus account arrangements with linked overseas platforms must apply the authentication standard, and whether hardware security keys already deployed by some firms satisfy the phishing-resistant threshold.

Licentium advises VATPs, licensed brokers, and digital asset intermediaries on SFC regulatory compliance, including licensing applications, circular implementation, and cybersecurity governance in Hong Kong. We maintain a partner network with Hong Kong regulatory counsel for VATP licensing and compliance reviews. Work we undertake includes VATP SFC licensing, circular gap analysis, cybersecurity control design, AML/CTF programme implementation, and cross-border digital asset regulatory strategy.

Source: Securities and Futures Commission of Hong Kong, Circular to Licensed Corporations and SFC-Licensed Virtual Asset Service Providers: Enhanced Cybersecurity Measures, July 2026

Crypto Regulatory

More from the journal

See all

Illinois signs Artificial Intelligence Safety Measures Act into law, effective January 2027

Governor JB Pritzker signed the Illinois Artificial Intelligence Safety Measures Act on 6 July 2026, making Illinois the first US state to require mandatory annual third-party audits of frontier AI model developers. The Act applies to large frontier developers operating or deploying models in Illinois, requires transparency reports before each new or substantially modified frontier model deployment, and establishes civil penalties. Core obligations take effect 1 January 2027.

UK consults on modernising payment services regulation covering stablecoins and AI agents, 2026

HM Treasury launched a consultation on modernising the UK payment services regulatory regime, with responses due by 6 October 2026. The consultation addresses how to adapt regulation for tokenised payments including qualifying stablecoins, Open Banking expansion, and agentic AI systems authorised to conduct payments. It follows the February 2026 Payments Forward Plan and the government's decision to transfer Payment Systems Regulator functions to the Financial Conduct Authority.

EU AI Act Article 50 transparency obligations enter application on 2 August 2026

Article 50 of Regulation (EU) 2024/1689 takes effect across all EU member states on 2 August 2026, requiring providers and deployers of AI systems to disclose AI interactions, label AI-generated content, and implement machine-readable detection marks in generative AI outputs. The obligations cover providers of general-purpose AI models, deployers of emotion recognition and biometric categorisation systems, and entities producing AI-generated content on matters of public interest.