Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months
Hong Kong's directive enhances crypto security, potentially reducing phishing risks and increasing accountability, impacting global standards. The post Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months appeared first on Crypto Briefi

Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months The SFC wants one-time passwords gone and passkeys in, with senior management personally on the hook for any client losses from cybersecurity failures. Share Add us on Google by Editorial Team Jul. 9, 2026 Hong Kong’s Securities and Futures Commission just told every licensed crypto exchange and online broker in its jurisdiction to ditch one-time passwords and adopt phishing-resistant login systems.
They have 12 months to comply. Large internet brokers don’t even get that grace period, they’re expected to move immediately. The directive, issued as Circular 26EC35 on July 9, arrives at a moment when phishing attacks and account takeovers have become a persistent headache across the digital asset industry.
The SFC isn’t asking nicely. Senior management at affected firms will be held personally accountable for client losses that result from cybersecurity control failures. What the SFC is actually requiring The circular targets two specific areas: client login authentication and device binding.
In plain terms, the SFC wants platforms to make it significantly harder for attackers to impersonate users or hijack sessions, even if they’ve stolen a password. Advertisement The regulator explicitly called out one-time passwords as inadequate. OTPs, those six-digit codes texted to your phone, have long been considered a reasonable second factor of authentication.
But they’re increasingly easy to intercept through SIM-swapping, man-in-the-middle attacks, and sophisticated phishing pages that relay codes in real time. The SFC’s recommended alternatives include passkeys and bound devices. Passkeys use cryptographic key pairs tied to a specific device, meaning there’s nothing for a phisher to steal or relay.
The requirement applies to all SFC-licensed entities serving Hong Kong customers, which includes virtual asset trading platform operators (VATPs) licensed under the regulatory framework that took effect in 2023. Part of a broader cybersecurity push This isn’t a one-off directive. Circular 26EC35 follows another circular issued just five weeks earlier, 26EC32, which was released on June 2 and focused specifically on countering AI-enabled cyber threats.
The SFC is clearly building a layered regulatory response to what it sees as an escalating threat environment. By requiring phishing-resistant authentication at the protocol level, the SFC is essentially saying: stop relying on users to spot fakes and start making the fakes technically unable to work. The accountability clause adds real teeth.
When the SFC says senior management bears responsibility for compliance failures and resulting client losses, that’s not boilerplate language. What this means for investors and the competitive landscape For retail traders using Hong Kong-licensed platforms, the practical impact should be straightforward: expect to set up passkeys or register specific devices for login over the coming year. For the platforms themselves, the compliance costs are real but manageable.
Implementing passkey support requires engineering work, updated user flows, customer education, and likely a parallel transition period where old and new authentication methods coexist. Smaller operators with lean technical teams may feel the squeeze more acutely than larger, well-capitalized exchanges. Disclosure: This article was edited by Editorial Team.
For more information on how we create and review content, see our Editorial Policy. TECHNOLOGY Hong Kong regulator orders crypto platforms to implement anti-phishing measures within 12 months The SFC wants one-time passwords gone and passkeys in, with senior management personally on the hook for any client losses from cybersecurity failures. by Editorial Team Jul.
9, 2026 Share Add us on Google Hong Kong’s Securities and Futures Commission just told every licensed crypto exchange and online broker in its jurisdiction to ditch one-time passwords and adopt phishing-resistant login systems. They have 12 months to comply. Large internet brokers don’t even get that grace period, they’re expected to move immediately.
The directive, issued as Circular 26EC35 on July 9, arrives at a moment when phishing attacks and account takeovers have become a persistent headache across the digital asset industry. The SFC isn’t asking nicely. Senior management at affected firms will be held personally accountable for client losses that result from cybersecurity control failures.
What the SFC is actually requiring The circular targets two specific areas: client login authentication and device binding. In plain terms, the SFC wants platforms to make it significantly harder for attackers to impersonate users or hijack sessions, even if they’ve stolen a password. Advertisement The regulator explicitly called out one-time passwords as inadequate.
OTPs, those six-digit codes texted to your phone, have long been considered a reasonable second factor of
Đọc thêm từ Tiền số / Crypto

Ethena enables free minting and redemption of USDe with USDC
Ethena's fee removal for USDe minting may boost institutional adoption but highlights DeFi's shift towards regulatory compliance. The post Ethena enables free minting and redemption of USDe with USDC appeared first on Crypto Briefing.

Meta unveils Muse Spark AI model with paid developer tier, marking a sharp pivot from open-source roots
Meta's shift to a proprietary AI model with paid access could reshape industry norms, impacting open-source innovation and developer ecosystems. The post Meta unveils Muse Spark AI model with paid developer tier, marking a sharp pivot from open-source roots appeared first on Cryp

Newcastle sells Tonali for £100M, buys 18-year-old replacement for £23M, and the math tells a bigger story
Newcastle's strategic player trading highlights a sustainable model prioritizing youth development and financial prudence over high spending. The post Newcastle sells Tonali for £100M, buys 18-year-old replacement for £23M, and the math tells a bigger story appeared first on Cryp

Chart Data Identifies the Most Reasonable Zone for XRP to Bottom This Cycle
Chart data identifies an area that may represent the most reasonable zone for XRP to find its bottom in the ongoing bear market cycle. The current downtrend has continued to weaken investor sentiment, as XRP records some of its biggest losses in recent times.Visit Website