Circular to licensed corporations and SFC-licensed virtual asset service providers Implementing (i) robust authentication methods to reduce and mitigate hacking risks from phishing attacks and (ii) adequate monitoring and surveillance measures to identify suspicious activities
Action requiredTechnologyConduct
What the SFC said
Following large-scale SMS phishing and man-in-the-middle attacks in 2025, the SFC expects internet brokers and VASPs to adopt phishing-resistant authentication and device binding, effective transaction monitoring and client notifications, prompt incident response and reporting, and enhanced client awareness of phishing risks.
This page is our summary and commentary, not the circular itself — always read the original before acting.
Same month in the Record
26EC39Circular to Licensed Corporations, SFC-licensed Virtual Asset Service Providers and Associated Entities - Anti…26EC41Circular to Intermediaries ─ Over-the-counter Derivatives Regulatory Regime – Industry Webinar26EC40Circular to Licensed Corporations, SFC-licensed Virtual Asset Service Providers and Associated Entities - Cybe…
Get circulars like this explained every Monday.
The 5-minute briefing for Hong Kong’s small licensed firms — free, 7:30am HKT.