The Briefing.

Circular to licensed corporations and SFC-licensed virtual asset service providers Implementing (i) robust authentication methods to reduce and mitigate hacking risks from phishing attacks and (ii) adequate monitoring and surveillance measures to identify suspicious activities

Action requiredTechnologyConduct

What the SFC said

Following large-scale SMS phishing and man-in-the-middle attacks in 2025, the SFC expects internet brokers and VASPs to adopt phishing-resistant authentication and device binding, effective transaction monitoring and client notifications, prompt incident response and reporting, and enhanced client awareness of phishing risks.

Read the official circular on sfc.hk ↗

This page is our summary and commentary, not the circular itself — always read the original before acting.

Same month in the Record

Get circulars like this explained every Monday.

The 5-minute briefing for Hong Kong’s small licensed firms — free, 7:30am HKT.