Hong Kong’s SFC, under Eric Yip’s leadership, has banned SMS or email OTPs for client logins and device binding on licensed crypto platforms. Dr.
Eric Yip, the SFC’s Executive Director of Intermediaries, issued a circular on Thursday, July 9, 2026, ordering firms to transition toward phishing-resistant authentication methods. Large internet brokers are expected to adopt the new protocols immediately, while other operators have a 12-month deadline from the circular’s issuance date to comply.
Record cybersecurity incidents fuel regulatory action
This directive follows concerns first flagged by the SFC in February 2025 regarding the vulnerability of traditional OTPs. Under the new rules, internet brokers and virtual asset trading platform operators (VATPs) must drop SMS, email, and app-generated codes.
Instead, they must implement stronger alternatives such as passkeys, hardware security keys, or device binding secured through cryptographic verification. The shift targets the rising threat of account takeovers and the exploitation of stolen client credentials that have plagued the digital asset sector.
Dr. Eric Yip emphasized that protecting client accounts from sophisticated attacks requires holistic measures that combine prevention, detection, and rapid response. While firms enhance their security, many investors are concurrently evaluating their exposure to various digital assets, as noted in recent crypto market liquidation analysis.
The SFC move ensures that regulated platforms provide a higher standard of security to maintain investor confidence in the region.
The SFC’s decision is a direct response to a surge in cybersecurity threats within the region. Hong Kong logged 15,877 cybersecurity incidents in 2025, a figure that represents a significant volume of reports to the Hong Kong Cyber Security Incident Coordination Centre.
Phishing attacks were the primary driver of these reports, accounting for 57% of all recorded incidents during that year. This data underscores that attackers are increasingly targeting the human element rather than technical exploits.
The financial impact of phishing has reached historic levels. Global phishing-related losses in the crypto sector reached $366 million during the first half of 2026. In the first quarter of 2026 alone, crypto wallet-related phishing losses hit approximately $306 million, while total security losses for the crypto sector reached $482 million in that same window.
These figures highlight the scale of the threat facing investors who rely on traditional, non-phishing-resistant authentication methods.
Individual losses have been devastatingly high in recent months. One crypto user reportedly lost $999,999 in USDT after approving a single malicious phishing signature on the Ethereum network. Such incidents prove that one-time passwords are no longer enough to protect high-value assets.
While some traders continue to look for high-yield opportunities, such as those discussed in reports on altcoin market trends, the fundamental security of the platforms they use remains the most critical factor for capital preservation.
Mandatory authentication standards and firm accountability
To adhere to the new mandate, platforms must enhance their monitoring of login, trading, and withdrawal activities to detect suspicious patterns. Firms are also required to promptly notify clients of key account events and respond swiftly to any hacking incidents.
In a significant shift in regulatory oversight, the SFC has stated that senior management will be held directly accountable for any control failures that lead to client losses, creating a new standard for corporate liability in the crypto space.
The move toward phishing-resistant methods like device binding ensures that a user’s account is tied to a specific, cryptographically verified piece of hardware. This renders stolen passwords or intercepted SMS codes useless for attackers operating from unauthorized devices. Similar shifts are occurring across the industry as developers seek to build more transparent systems.
For instance, transparency is becoming a hallmark of newer institutions, a trend visible in the ranking of top crypto casinos that emphasize blockchain-based verification.
Regulators outside of Hong Kong are facing similar pressures to address credentials theft. The FBI recently engaged in a global cybercrime crackdown, while Tether has worked with TRON’s T3 unit to freeze assets tied to crypto crime.
While Singapore implemented a Shared Responsibility Framework on December 16, 2024, to manage scam-loss duties, Hong Kong’s ban on specific OTP delivery methods represents one of the most direct technical interventions to date. Industry observers now wait to see if other major financial hubs will follow with their own phishing-resistant mandates.
