1

Hong Kong tells crypto platforms: ditch OTPs or cover customer losses by July 8, 2027

Hong Kong’s financial regulator has handed crypto platforms a serious memo: one-time passwords (OTPs) are no longer good enough for client logins and device registration. Licensed virtual-asset service providers and internet brokers must switch to phishing-resistant authentication for those two actions by July 8, 2027 — and they need better monitoring and incident-response measures right away.

What’s changing — and why

After a string of phishing attacks in 2025 where scammers spoofed brokers and regulators and tricked users into handing over credentials and one-time codes, the regulator decided OTPs simply don’t cut it for the most sensitive entry points. The new rule targets two specific flows: signing into accounts and linking or registering devices. Other uses of OTPs aren’t banned by this order.

Platforms don’t have to make people rebind devices that are already linked today. Big internet brokers are expected to adopt stronger authentication immediately; the wider group of licensed firms has up to 12 months to finish the switch.

Typical stronger options include passkeys (which use public-key cryptography so the credential only works with the real service and the private key stays on the device or in a secure passkey manager) or device binding paired with an extra factor like a biometric scan or account password.

What firms must do — and what happens if they don’t

The regulator demands immediate upgrades to controls around logins: better client notifications, improved account monitoring and surveillance, and faster incident-response playbooks. Firms must act quickly to suspend or restrict accounts at the first hint of fraud.

Expect to see rules that require platforms to watch for odd logins, new-device activity, trading that breaks a user’s historical patterns, and withdrawals of funds or tokens. Clients should get instant alerts for successful logins and for higher-risk changes like a new device being added or a passkey being created or revoked.

Senior managers in charge of operations and IT are on the hook for getting this done. The regulator also made clear that firms can be held liable for client losses if their protections fail to prevent, detect, or halt large-scale unauthorized transactions after a breach.

The clock’s ticking: platforms must have phishing-resistant authentication at the key login points by July 8, 2027, and they must beef up fraud detection now so customers stay protected during the transition. In short: update your tech, watch accounts like a hawk, and be ready to explain how you kept customers safe.