The Briefing.
Nº 00113 July 2026 · 5 min read

Phishing-resistant logins are now the SFC's baseline

TechnologyType 1VAAll licences

Welcome to the first issue of The CompliAI Briefing: one thing that matters, everything else in a line each, and one cautionary tale worth retelling. Five minutes, every Monday. This issue covers the week of 6–12 July 2026.

01This Week's One Thing

The SFC's phishing patience has run out: harden logins, bind devices, watch the accounts

On Thursday the SFC issued Circular 26EC35, setting out its expected standards for internet brokers and SFC-licensed VASPs: robust authentication methods for client account logins, device binding, and effective monitoring and surveillance to spot suspicious account activity. The trigger is blunt — phishing is still Hong Kong’s most reported cybersecurity incident type, and in 2025 fraudsters ran large-scale SMS campaigns impersonating brokers, harvested credentials (one-time passwords included) on fake sites, and are suspected to have executed man-in-the-middle attacks to take over client accounts and push through unauthorised transactions.

  • Who's in scope: internet brokers and SFC-licensed virtual asset service providers — in practice, any firm whose clients log in to trade
  • What to do: put your current login flow next to the circular's examples of acceptable authentication methods, confirm device binding is on (not optional), and check someone actually reviews the account-activity alerts
  • By when: no transition period is stated — read it as a current supervisory expectation, not a future one
02The Sweep
  • TechnologyThe SFC will run two sessions of a cybersecurity webinar on 30 July on AI-enabled cyberattacks (Circular 26EC40) — one enrolment form per firm, max three people, by 24 July.
  • All licencesHKEX's third optional market rehearsal for its backbone network upgrade ran Saturday 11 July (Circular 26EC34) — if you submit BCAN-CID files over SFTP and skipped it, verify your connectivity before the cutover.
  • TechnologyCatch-up: June's Circular 26EC32 on AI-era cybersecurity expects firms to assess their preparedness — and names the MIC-IT as ultimately responsible. Pair that review with Thursday's authentication circular.
  • VAStill open from May: the SFC's expected standards for Relevant Stablecoin activities (26EC26) and the revised VA-funds authorisation circular (26EC31) — relevant if virtual assets are anywhere near your product shelf.
03Enforcement Corner

Twelve brokers, forged documents, and accounts that never traded

Not a fine this week, but the review the SFC keeps pointing back to: its May circular (26EC29) reported findings from a review of twelve licensed brokers’ account opening practices. Some accepted questionable or forged documents at onboarding, and due diligence on cross-border correspondent relationships was found seriously deficient. Some of those accounts were later involved in suspicious fund transfers — with no trading activity at all.

The control that would have caught it: treat "money in, no trades, money out" as a named red flag with an owner, and verify account-opening documents against independent sources before the account can receive funds. The SFC's red-flag list in the circular — dormant depositories, frequent bank-account changes, unrelated clients sharing addresses — is ready-made for your monitoring rules.

That's issue one — built from the same week the Record now tracks in full. Forward it to the RO who does this job alone. See you next Monday.

Get next Monday’s briefing in your inbox.

Five minutes, every Monday, 7:30am HKT. Free, unsubscribe anytime.