The Securities and Futures Commission says Circular 26EC35, issued July 9, closes a phishing gap. HKCERT recorded 15,877 cybersecurity incidents in Hong Kong last year, up 27 percent, with phishing and spoofing behind 57 percent of cases, and the circular bans SMS, email, and app-based one-time passwords for every SFC-licensed internet broker and virtual asset trading platform. Only three replacements are approved: passkeys, cryptographically bound registered devices, and hardware security keys. Read as a technical mandate, that is defensible; a static six-digit code sent to a phone has been beatable by a convincing help desk call for years. But the circular does not give every licensee the same runway. Large internet brokerages must comply 'as soon as practicable,' which the industry is reading as immediately. Everyone else, smaller brokers and newer virtual asset platforms, gets 12 months. Dr. Yip Chi-hang, the SFC's Executive Director of the Intermediaries Division, is the named official on the announcement, and the circular also ties senior management personally to client losses traced to inadequate authentication.
Only 13 virtual asset trading platforms hold an SFC licence, a roster the regulator has spent two years trying to grow, not shrink. Passkey infrastructure, device-binding, real-time anomaly detection, and a compliance function willing to accept personal liability for authentication failures are not free, and they are considerably less free for a platform still building out its back office than for an incumbent like OSL Digital Securities or HashKey Exchange. The 12-month clock is not generous, it is a triage sort: firms that clear the bar keep their licence, firms that cannot afford the build face a choice between under-provisioning security controls their own executives are now personally on the hook for, or exiting. A regulation written to stop phishing losses will also, as a side effect nobody in the circular's text acknowledges, force smaller brokers and newer platforms to fund passkey infrastructure, device-binding, and real-time anomaly detection within the same 12 months, or exit. Every consolidation wave in a licensed industry looks like a safety measure right up until the smaller players are gone.
MAS's own Technology Risk Management consultation stays open until July 31 with no equivalent OTP clause yet on the table. If the 12-month cohort thins out, that will be evidence a licensed market of 13 can become a licensed market of nine or ten. At the 12-month mark, whether the 13 licensed platforms retained their licences, and how many client-loss cases were traced to inadequate authentication under the new rules, will be worth watching.