Hong Kong SFC Mandates Stronger Login Security for Crypto Platforms
Hong Kong's SFC just pulled the rug on SMS and email OTPs. Every virtual asset trading platform and internet broker under its jurisdiction has 12 months to kill these auth methods and roll out phishing-resistant alternatives.

What dies, and what's acceptable
The kill list is specific: SMS OTPs and email OTPs are out. Acceptable replacements include passkeys and hardware security keys - auth methods that don't fold the moment a SIM swap or a phishing redirect lands. Large online brokers are told to implement immediately. Smaller platforms get the full 12-month runway, but that's a ceiling, not a comfort zone.
If you're holding size on a Hong Kong-licensed venue, the question to ask your platform today is simple: when does the passkey rollout ship, and is hardware key support live right now? A vague answer is itself a risk metric.
The clause that should keep compliance officers awake
Beyond the auth upgrade, the SFC tightened the surveillance loop. Firms must now monitor login, trading, and withdrawal patterns more aggressively - flagging anomalies in real time, not after the withdrawal has already cleared into a clean wallet.
Then the line that actually matters: senior management is directly accountable for control failures that lead to client losses. That shifts the cost of a weak internal stack onto the C-suite. It also means sloppy onboarding and lazy withdrawal approvals now carry personal liability, not just a regulatory fine buried in a quarterly report.
For traders, the same threat surface hits platforms that sit outside this rule. A SIM swap on your exchange account looks identical to one on a marketplace where you hold NFT collections and PFP positions - the attacker doesn't care whether the regulator showed up yet.
What I'm tracking next
Mandate is one thing. Enforcement is the real test. I'll be watching for the first public action against a licensed venue still running SMS OTPs past the cutoff - naming names, not quiet warnings. That's the moment this directive turns from a press release into a binding constraint.
Until then, the move is mechanical: turn on whatever hardware or passkey option your platform offers today. SIM swap kits don't wait for regulatory deadlines, and neither should you.