SFC ·

SFC bans OTP login and mandates phishing-resistant authentication for internet brokers and VASPs by 8 July 2027

Internet brokers and SFC-licensed VASPs must stop using OTP for login and device binding and adopt phishing-resistant authentication (e.g. passkeys, bound devices) no later than 8 July 2027, with monitoring, incident-reporting and client-awareness measures required sooner

Change
On 9 July 2026 the Securities and Futures Commission (SFC) issued a circular requiring internet brokers and SFC-licensed virtual asset service providers to adopt phishing-resistant authentication (such as passkeys or bound devices) for client login and device binding, cease using one-time passwords for those purposes, and implement monitoring, incident-response and client-awareness measures; the authentication requirement must be met as soon as practicable and no later than 8 July 2027, with large internet brokers expected to implement immediately.
Why it matters
The circular sets binding expectations across prevention, detection, response and client education. Internet brokers and VASPs must replace OTP-based login and device binding with phishing-resistant authentication (passkeys or bound devices) by 8 July 2027 — large brokers immediately — while during the transition applying enhanced monitoring for suspicious logins and trades and suspending or restricting accounts on detection. They must notify clients of key account events across multiple channels, run transaction and login/device monitoring against defined thresholds and red flags, report hacking incidents to the SFC immediately, and enhance client phishing awareness as soon as practicable. Senior management (the Managers-in-Charge of Overall Management and of IT) are accountable, and the SFC will hold firms liable for client losses where inadequate controls allow large-scale unauthorised transactions.
Implications
  • Internet brokers and SFC-licensed VASPs must replace OTP-based client login and device binding with phishing-resistant authentication such as passkeys or bound devices as soon as practicable and no later than 8 July 2027 — large internet brokers are expected to implement immediately, and OTP is not accepted as a phishing-resistant solution for these processes.
  • Internet brokers and VASPs must implement effective detection and surveillance during and after the transition — transaction monitoring against client-profile thresholds and red flags, login and device-binding monitoring, prompt multi-channel client notifications of key account events, and immediate suspension or restriction of accounts on detecting suspicious activity.
  • Internet brokers and VASPs must establish prompt hacking-incident response and report incidents to the SFC immediately, conducting root-cause analysis and remedial action; senior management (Managers-in-Charge of Overall Management and of IT) are accountable, and the SFC will hold firms liable for client losses where inadequate controls permit large-scale unauthorised transactions.
  • Firms anticipating difficulty meeting the 12-month implementation deadline must notify their SFC case officer-in-charge immediately.
Who is affected
  • Internet brokers (SFC-licensed corporations in Type 1, 2, 3 and certain Type 9 activities engaged in internet trading)
  • SFC-licensed virtual asset service providers (virtual asset trading platform operators)
  • Senior management of these firms, in particular the Managers-in-Charge of Overall Management and of Information Technology
What to watch
  • 8 July 2027 — deadline (12 months from the circular) by which internet brokers and VASPs must implement phishing-resistant authentication for login and device binding; large internet brokers are expected to implement immediately.
  • During the 12-month implementation period — firms continuing to use OTP must apply enhanced monitoring for irregular logins and unauthorised trading, and immediately suspend or restrict accounts on detecting suspicious activity.
Sources 2
Clarify this change

Grounded in this brief and its source — your questions stay private.

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Create a free account to keep clarifying

You asked:

You've used your free guest questions for now. A free account gives you more every month and saves your history — or start a Pro trial for unlimited Clarify and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

Free account: no card, ever. Pro trial: $29/month after 14 days, no card to start, cancel anytime.