The Hong Kong Securities and Futures Commission (SFC) has issued Circular 26EC35, and the Hong Kong SFC OTP ban it contains is now on a firm legal footing: from 9 July 2026, licensed internet brokers and virtual asset platforms must replace one-time password (OTP) logins with phishing-resistant alternatives, with a hard compliance deadline of 8 July 2027.
For UK investors who trade or hold assets on platforms with Hong Kong operations, or who simply want to understand where global authentication rules are heading, the detail matters.
What the Hong Kong SFC OTP Ban Actually Covers
An OTP is the six-digit code sent to your phone or email when you log in. It has been a standard security layer for years. The SFC’s circular is blunt: according to Unchained Crypto, the regulator states that ‘The SFC does not consider OTP to be a phishing-resistant authentication solution’ and told firms they ‘should not use it’ for logins or for registering devices tied to an account.
The ban covers all three delivery routes: SMS codes, email codes, and app-generated OTP codes are all prohibited for client login and device binding, according to crypto.news. The reason is straightforward: all three can be intercepted or spoofed by a phishing attack.
In their place, firms must adopt either Passkeys based on the FIDO2/WebAuthn standard (a cryptographic method where your device holds a private key that never leaves it, making remote interception near-impossible) or secure hardware-based device binding. Large internet brokers face immediate compliance; smaller licensed firms have until the July 2027 deadline.
The rules apply to two categories of regulated firm. Licensed internet brokers holding Type 1 (Dealing in Securities), Type 2 (Dealing in Futures Contracts), Type 3 (Leveraged Foreign Exchange Trading), or Type 9 (Asset Management) licences under Hong Kong’s Securities and Futures Ordinance are all in scope. So are Virtual Asset Trading Platforms (VATPs), the SFC-licensed operators that provide trading and custody services for digital assets such as Bitcoin and Ether.
The Scale of the Problem Behind the Rule
The SFC’s timing reflects a rapidly worsening threat picture. Cryptonomist reports that Hong Kong recorded 15,877 cybersecurity incidents in 2025, a 27% jump from the prior year, with phishing accounting for 57% of those cases.
The crypto sector globally paints an even sharper picture. Industry data cited by crypto.news shows phishing attacks and social engineering scams accounted for $306 million of the crypto sector’s $482 million in total security losses during the first quarter of 2026 alone.
Beyond fines on firms, the SFC circular introduces a layer of accountability that goes directly to the top. Cryptonomist reports that senior management at licensed platforms now face direct personal liability for client losses tied to weak authentication controls. That is a meaningful shift: compliance becomes a board-level concern, not just a technical one for the IT team.
Could the FCA Follow Hong Kong’s Lead?
For UK retail investors and ISA holders, the question is whether similar rules arrive here. The Financial Conduct Authority (FCA) has not announced equivalent measures, but regulators including the FCA, CySEC in Cyprus, and the Monetary Authority of Singapore frequently monitor peer jurisdictions when updating their own supervisory expectations.
If Hong Kong’s rollout reduces account takeover attacks, it creates a template. Large international brokers already operating across multiple markets will also have a commercial incentive to standardise on FIDO2/WebAuthn globally rather than maintain separate authentication architectures per jurisdiction. That could mean UK platforms adopt passkey logins ahead of any FCA mandate, simply because rebuilding once is cheaper than rebuilding twice.
Corbado’s analysis of Circular 26EC35 notes the technical requirements in detail for firms assessing their own implementation path.
For retail investors, the practical takeaway is straightforward: if a broker or crypto platform you use still sends you a six-digit SMS code to log in, that mechanism is now officially classified by a major financial regulator as insufficient. Whether that prompts the FCA to act, or whether your platform upgrades voluntarily to stay competitive with Hong Kong-compliant rivals, watch for passkey login options appearing in app settings over the next 12 to 18 months. The first platforms to offer them will be signalling where the industry is going.

