SFC bans OTP login and mandates phishing-resistant authentication for internet brokers and VASPs by 8 July 2027
Internet brokers and SFC-licensed VASPs must stop using OTP for login and device binding and adopt phishing-resistant authentication (e.g. passkeys, bound devices) no later than 8 July 2027, with monitoring, incident-reporting and client-awareness measures required sooner
- — Internet brokers and SFC-licensed VASPs must replace OTP-based client login and device binding with phishing-resistant authentication such as passkeys or bound devices as soon as practicable and no later than 8 July 2027 — large internet brokers are expected to implement immediately, and OTP is not accepted as a phishing-resistant solution for these processes.
- — Internet brokers and VASPs must implement effective detection and surveillance during and after the transition — transaction monitoring against client-profile thresholds and red flags, login and device-binding monitoring, prompt multi-channel client notifications of key account events, and immediate suspension or restriction of accounts on detecting suspicious activity.
- — Internet brokers and VASPs must establish prompt hacking-incident response and report incidents to the SFC immediately, conducting root-cause analysis and remedial action; senior management (Managers-in-Charge of Overall Management and of IT) are accountable, and the SFC will hold firms liable for client losses where inadequate controls permit large-scale unauthorised transactions.
- — Firms anticipating difficulty meeting the 12-month implementation deadline must notify their SFC case officer-in-charge immediately.
- — Internet brokers (SFC-licensed corporations in Type 1, 2, 3 and certain Type 9 activities engaged in internet trading)
- — SFC-licensed virtual asset service providers (virtual asset trading platform operators)
- — Senior management of these firms, in particular the Managers-in-Charge of Overall Management and of Information Technology
- — 8 July 2027 — deadline (12 months from the circular) by which internet brokers and VASPs must implement phishing-resistant authentication for login and device binding; large internet brokers are expected to implement immediately.
- — During the 12-month implementation period — firms continuing to use OTP must apply enhanced monitoring for irregular logins and unauthorised trading, and immediately suspend or restrict accounts on detecting suspicious activity.