Hong Kong brokerages rush to comply with new SFC rules on cyber risks
As the deadline for implementing 2FA approaches, brokers rush to inform their clients of the changes.
A growing number of Hong Kong online trading companies are seeking to comply with the new rules outlined by the Securities and Futures Commission (SFC) on cyber risks.
Brokers like Monex Boom and Z.com have informed their clients of the coming changes that wil make “Two-factor authentication” (2FA) mandatory.
Monex Boom Securities (H.K.) Ltd., a part of Monex Group, Inc. (TYO:8698), said on its website that “Two-factor authentication” account login will be launched on April 21, 2018. All clients will need to provide the One-time Password (OTP) along with the current login password for account login. Clients can set up the “MONEX BOOM Authenticator” App to get their OTP.
Guotai Junan International Hold. Limited (HKG:1788) has also informed its customers about the new requirements. Starting from 23 April 2018, the clients of the broker are required to receive “One-Time Password (OTP)” through registered mobile phone number or email address for the implementation of two-factor authentication, in response to the guidelines of cybersecurity announced by the Securities and Futures Commission of Hong Kong. Clients must enter valid account number, login password and OTP when login to an account.
Phillip Securities (HK) Ltd is also complying with the new rules by offering its clients to make use of PHK Key, a security code generator developed by the company to provide two-factor authentication for online trading. The PHK Key further enhances security and fulfills mandatory requirement by regulators on 2FA.
GMO-Z.com Forex HK Limited has also published a notice on its website about the changes. The company will implement 2FA from April 21, 2018. In order to enforce preventive measures against hackers, 2FA token generated by Google Authenticator app installed on one’s smartphone (i.e., “what you have” factor) is required when logging in to the broker’s FX trading platform.
Other Hong Kong-focused brokers like Rakuten Securities have also informed their clients of the pending changes.
The mandatory requirement for 2FA applies to companies engaged in:
- Type 1 regulated activity (dealing in securities);
- Type 2 regulated activity (dealing in futures contracts);
- Type 3 regulated activity (leveraged foreign exchange trading);
- Type 9 regulated activity (asset management).
The 2FA requirement is set to come into effect on April 27, 2018. There are other rules too but they will be implemented a bit later – on July 27, 2018.
The new rules concern data encryption of sensitive information such as client login credentials (ie, user ID and password) and trade data during transmission between internal networks and client devices.
A licensed or registered person should also establish and implement effective policies and procedures to ensure that a client login password is generated and delivered to a client in a secure manner during the account activation and password reset processes. The entities should have in place stringent password policies and session timeout controls and should deploy a secure network infrastructure.
The rules also require from online trading companies to outline contingency plans for cyber incidents. The companies should make all reasonable efforts to cover possible cyber-attack scenarios such as DDoS attacks and total loss of business records and client data resulting from cyber-attacks (eg, ransomware) in the contingency plan and crisis management procedures.