Hong Kong Bans SMS Login Codes: What Brokers Need to Know

Tuesday, 14/07/2026 | 14:48 GMT by Sylwester Majewski
  • Regulated firms must replace SMS login codes with cryptographically secure passkeys, forcing immediate compliance from the market's largest online brokerages.
  • The strict cybersecurity mandate establishes a new regulatory precedent that peer watchdogs in Europe and Singapore may soon replicate.
SFC Hong Kong
SFC's Hong Kong Office

Recently, the Hong Kong Securities and Futures Commission (SFC) issued new regulatory directives requiring significant upgrades to customer authentication systems. The measures require all licensed internet brokers and Virtual Asset Trading Platform (VATP) operators to stop using One-Time Passwords (OTPs) delivered via SMS or email for customer login and device binding.

Instead, regulated firms must adopt phishing-resistant authentication methods, specifically Passkeys based on the FIDO2/WebAuthn standards or secure hardware-based device binding. Most firms have been given 12 months to implement the new requirements, while large internet brokers are expected to comply immediately.

Which That Must Comply

The new SFC requirements apply to intermediaries licensed under Hong Kong's Securities and Futures Ordinance (SFO) and cover two main categories:

  • Licensed Internet Brokers: Firms providing online trading services under regulated activities including:
  • Type 1 (Dealing in Securities),
  • Type 2 (Dealing in Futures Contracts),
  • Type 3 (Leveraged Foreign Exchange Trading), and
  • Type 9 (Asset Management).
  • Virtual Asset Trading Platforms (VATPs): SFC-licensed operators providing trading and custody services for digital assets.
SFC Intelligence portal

Could Other Regulators Follow?

The SFC's proactive approach could influence the direction of cybersecurity regulation well beyond Hong Kong. Financial regulators, including CySEC in Cyprus, the Financial Conduct Authority (FCA) in the United Kingdom, and the Monetary Authority of Singapore (MAS), often monitor developments in other leading financial centres when shaping their own supervisory expectations. If Hong Kong's transition away from SMS-based OTPs proves successful, it could provide a practical model for other regulators seeking to reduce the growing number of retail account takeover attacks.

The move is also likely to accelerate the adoption of common authentication standards across the financial industry. Large international firms operating across multiple jurisdictions face increasing costs when maintaining different authentication systems for different markets.

More on this topic, together with additional insights and practical takeaways, can be found in our full analysis on the Finance Magnates Intelligence Portal.

Recently, the Hong Kong Securities and Futures Commission (SFC) issued new regulatory directives requiring significant upgrades to customer authentication systems. The measures require all licensed internet brokers and Virtual Asset Trading Platform (VATP) operators to stop using One-Time Passwords (OTPs) delivered via SMS or email for customer login and device binding.

Instead, regulated firms must adopt phishing-resistant authentication methods, specifically Passkeys based on the FIDO2/WebAuthn standards or secure hardware-based device binding. Most firms have been given 12 months to implement the new requirements, while large internet brokers are expected to comply immediately.

Which That Must Comply

The new SFC requirements apply to intermediaries licensed under Hong Kong's Securities and Futures Ordinance (SFO) and cover two main categories:

  • Licensed Internet Brokers: Firms providing online trading services under regulated activities including:
  • Type 1 (Dealing in Securities),
  • Type 2 (Dealing in Futures Contracts),
  • Type 3 (Leveraged Foreign Exchange Trading), and
  • Type 9 (Asset Management).
  • Virtual Asset Trading Platforms (VATPs): SFC-licensed operators providing trading and custody services for digital assets.
SFC Intelligence portal

Could Other Regulators Follow?

The SFC's proactive approach could influence the direction of cybersecurity regulation well beyond Hong Kong. Financial regulators, including CySEC in Cyprus, the Financial Conduct Authority (FCA) in the United Kingdom, and the Monetary Authority of Singapore (MAS), often monitor developments in other leading financial centres when shaping their own supervisory expectations. If Hong Kong's transition away from SMS-based OTPs proves successful, it could provide a practical model for other regulators seeking to reduce the growing number of retail account takeover attacks.

The move is also likely to accelerate the adoption of common authentication standards across the financial industry. Large international firms operating across multiple jurisdictions face increasing costs when maintaining different authentication systems for different markets.

More on this topic, together with additional insights and practical takeaways, can be found in our full analysis on the Finance Magnates Intelligence Portal.

About the Author: Sylwester Majewski
Sylwester Majewski
  • 160 Articles
  • 21 Followers
About the Author: Sylwester Majewski
Sylwester is a graduate of the Warsaw School of Economics, holding an MA in Finance and Banking. He currently serves as Head of the Insights & Reporting Hub at Finance Magnates. He is also a former minority partner in an NFA-registered US forex broker and has been involved in numerous forex and trading industry projects since 2003. Privately, Sylwester is a husband and father to a 7-year-old daughter, as well as an enthusiast of trading and Formula 1.
  • 160 Articles
  • 21 Followers

More from the Author

Retail FX

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}