The Briefing.
SFC cybersecurity webinar — enrol by 24 Jul (26EC40)OTC derivatives webinar 14 Aug — enrol by 27 Jul (26EC41)FRR — monthly return due 21st, WINGS onlyCPT — ROs 12 hrs by 31 Dec, incl. 2 hrs ethicsAnnual return — within 1 month of licensing anniversaryMIC changes — notify within 7 business daysNext briefing — Monday 7:30am HKT

Hong Kong · SFC + HKMA · Free, every Monday

The 5-minute Monday briefing for Hong Kong’s small licensed firms.

Every SFC and HKMA development from last week — summarized in plain English, with the “so what” for a firm that runs compliance on a small team. Free, every Monday, 7:30am HKT.

Written by a practitioner with 20 years in Hong Kong compliance. No spam, unsubscribe anytime.

Etching of a lighthouse sweeping a yellow beam across Victoria Harbour, lighting up small junk boats against the Hong Kong skyline

One beam over the harbour — every Monday

Inside every issue

EVERYTHING, MON–FRIONE FILTER0102035 MIN
Everything published Monday to Friday is filtered once into three fixed sections, read in five minutes.
01Etching of a magnifying glass highlighting one document in yellow

This Week's One Thing

The single development you can't ignore — who's in scope, what to actually do, and by when. Never more than one.

02Etching of a broom sweeping scattered papers into one tidy stack

The Sweep

Everything else from the week, one line each, tagged by licence type — so you skip what doesn't apply in seconds.

03Etching of a balance scale weighed down by a stack of gold coins

Enforcement Corner

What a real firm did, what it cost, and the control that would have caught it. The section people forward.

From the latest issue

Nº 001 · 13 July 2026
01This Week's One Thing

The SFC's phishing patience has run out: harden logins, bind devices, watch the accounts

On Thursday the SFC issued Circular 26EC35, setting out its expected standards for internet brokers and SFC-licensed VASPs: robust authentication methods for client account logins, device binding, and effective monitoring and surveillance to spot suspicious account activity. The trigger is blunt — phishing is still Hong Kong’s most reported cybersecurity incident type, and in 2025 fraudsters ran large-scale SMS campaigns impersonating brokers, harvested credentials (one-time passwords included) on fake sites, and are suspected to have executed man-in-the-middle attacks to take over client accounts and push through unauthorised transactions.

  • Who's in scope: internet brokers and SFC-licensed virtual asset service providers — in practice, any firm whose clients log in to trade
  • What to do: put your current login flow next to the circular's examples of acceptable authentication methods, confirm device binding is on (not optional), and check someone actually reviews the account-activity alerts
  • By when: no transition period is stated — read it as a current supervisory expectation, not a future one
TechnologyType 1VAAll licences
Read the full issue →

The Record

Twelve months of SFC circulars — every one summarized, tagged, and linked to the official text.

Open the Record →

Free with your subscription

The 2026 Hong Kong Compliance Calendar — every FRR, BRMQ, CPT and annual-return deadline on one page.

Get the calendar →
Etching of three different professional hats on a wall rack, one with a yellow band

Built for the RO wearing three MIC hats: boutique asset managers, hedge funds, family offices, and brokers — and the consultants who serve them.

Join the Monday list

One email a week. Written for the person who owns the risk, not the person selling the software.