The Securities and Futures Commission (SFC) issued a circular on 9 July 2026 requiring licensed corporations engaged in electronic trading and SFC-licensed virtual asset trading platform operators (VATPs) to replace one-time password (OTP) authentication with phishing-resistant methods. The SFC classified OTPs as insufficient against the current threat profile, which includes AI-enabled phishing, SIM-swapping, and deepfake social engineering attacks. Large internet brokers must act immediately. All other in-scope firms have up to 12 months to comply.
The circular grounds the obligation in General Principle 2 (diligence) and General Principle 5 (information security) of the Code of Conduct for Persons Licensed by or Registered with the SFC, issued under the Securities and Futures Ordinance (Cap. 571). Required replacement methods include passkeys and bound-device recognition mechanisms that do not rely on interceptable one-time codes. The circular's Appendix sets out detailed technical controls for firms subject to enhanced expectations.
Three categories of firms face enhanced expectations and must implement the full Appendix control set: licensed corporations engaged in electronic trading, specifically large retail brokers; depositaries of SFC-authorised collective investment schemes holding Type 13 licences; and VATPs licensed under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615). All other licensed corporations with internet-facing client systems must upgrade authentication but have a 12-month compliance window.
The circular accompanies earlier June 2026 SFC guidance on AI-enabled cyber threats addressing broader cybersecurity governance at the firm level. The authentication mandate converts that guidance into a concrete technical obligation. Open questions include how VATPs operating through omnibus account arrangements with linked overseas platforms must apply the authentication standard, and whether hardware security keys already deployed by some firms satisfy the phishing-resistant threshold.
Licentium advises VATPs, licensed brokers, and digital asset intermediaries on SFC regulatory compliance, including licensing applications, circular implementation, and cybersecurity governance in Hong Kong. We maintain a partner network with Hong Kong regulatory counsel for VATP licensing and compliance reviews. Work we undertake includes VATP SFC licensing, circular gap analysis, cybersecurity control design, AML/CTF programme implementation, and cross-border digital asset regulatory strategy.