Hong Kong regulator tells online trading firms to implement two-factor authentication by April 2018

Maria Nikolova

New guidelines require all licensed or registered entities engaged in online trading to implement 20 baseline requirements to boost their cybersecurity.


Hong Kong’s Securities and Futures Commission (SFC) is apparently taking cybersecurity seriously. Today, the regulator posted its Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading. The new rules require all licensed or registered entities engaged in online trading to implement 20 baseline requirements to enhance their cybersecurity and to minimize hacking risks.

These Guidelines apply to entities that are engaged in online trading and are licensed by, or registered with, the SFC for:

  • Type 1 regulated activity (dealing in securities);
  • Type 2 regulated activity (dealing in futures contracts);
  • Type 3 regulated activity (leveraged foreign exchange trading);
  • Type 9 regulated activity (asset management).

A key requirement is to implement two-factor authentication for login to clients’ online trading accounts. In addition, the entity should implement monitoring and surveillance mechanisms to detect unauthorised access to clients’ Internet trading accounts. Other requirements concern data encryption of sensitive information such as client login credentials (ie, user ID and password) and trade data during transmission between internal networks and client devices.

A licensed or registered person should also establish and implement effective policies and procedures to ensure that a client login password is generated and delivered to a client in a secure manner during the account activation and password reset processes. The entities should have in place stringent password policies and session timeout controls and should deploy a secure network infrastructure.
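The guidelines name the controls (a second login factor, detection of unauthorised access, session timeouts, secure initial password delivery) but not how to build them. The following is an added illustration written for this page, not code from the SFC guidelines or from any trading platform, sketching three of those controls in Python's standard library: RFC 6238 TOTP verification for the second factor, idle and absolute session timeouts, and a detector that flags repeated failed logins followed by a success. The secret, account names, IP addresses and thresholds are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the 30-second time-step counter."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps
    (clock drift). Uses a constant-time comparison so timing does not leak digits."""
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def generate_initial_password(nbytes: int = 12) -> str:
    """Secure one-time password for account activation / reset (CSPRNG-backed)."""
    return secrets.token_urlsafe(nbytes)


@dataclass
class Session:
    user: str
    created: float     # when the session was issued (epoch seconds)
    last_seen: float   # last authenticated request


def session_is_valid(s: Session, now: float, idle_timeout: int = 900,
                     absolute_timeout: int = 8 * 3600) -> bool:
    """Idle timeout ends abandoned sessions; absolute timeout bounds token lifetime."""
    if now - s.created > absolute_timeout:
        return False
    return now - s.last_seen <= idle_timeout


def flag_suspicious_logins(events, max_failures: int = 3, window: int = 300):
    """Monitoring rule over login events (ts, user, ip, success).
    Alerts on `max_failures` failures within `window` seconds for one account,
    and on a success that follows such a burst (possible credential guessing)."""
    alerts = []
    failures = {}  # user -> timestamps of recent failed attempts
    for ts, user, ip, ok in sorted(events):
        recent = [t for t in failures.get(user, []) if ts - t <= window]
        if ok:
            if len(recent) >= max_failures:
                alerts.append((ts, user, ip, "success after repeated failures"))
            failures[user] = []
        else:
            recent.append(ts)
            failures[user] = recent
            if len(recent) == max_failures:
                alerts.append((ts, user, ip, "repeated failed logins"))
    return alerts


# Constructed sample login events (timestamp, account, source IP, success).
SAMPLE_EVENTS = [
    (1000, "hk-client-001", "203.0.113.5", False),
    (1030, "hk-client-001", "203.0.113.5", False),
    (1060, "hk-client-001", "203.0.113.5", False),
    (1090, "hk-client-001", "203.0.113.5", True),
    (1100, "hk-client-002", "198.51.100.9", True),
]

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real key
    now = time.time()
    print("current TOTP:", totp(demo_secret, now), "valid:", verify_totp(demo_secret, totp(demo_secret, now), now))
    print("initial password:", generate_initial_password())
    s = Session("hk-client-001", created=now, last_seen=now)
    print("session valid after 10 min idle:", session_is_valid(s, now + 600))
    for alert in flag_suspicious_logins(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The TOTP functions reproduce the RFC 6238 test vectors, which is the quickest check that a home-grown verifier is interoperable with standard authenticator apps; the monitoring rule is deliberately simple and would in practice feed a SIEM alongside new-device and geolocation signals.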

The rules also require online trading companies to outline contingency plans for cyber incidents. The companies should make all reasonable efforts to cover possible cyber-attack scenarios, such as DDoS attacks and the total loss of business records and client data resulting from cyber-attacks (eg, ransomware), in the contingency plan and crisis management procedures.

Also, the licensed entity should make sure that the officer(s) or executive officer(s) responsible for the overall management and supervision of the online trading system define a cybersecurity risk management framework, and set out key roles and responsibilities. Examples of such responsibilities include reviewing and approving cybersecurity risk management policies and procedures, as well as reviewing and approving the budget and spending on resources for cybersecurity risk management.

The guidelines also stipulate that licensed and/or registered entities should take all reasonable steps to remind clients about and alert them to cybersecurity risks and recommended preventive and protection measures when using the trading system.

The deadline for the implementation of two-factor authentication is April 27, 2018, while all other requirements will take effect on July 27, 2018.

Although the Guidelines do not have the force of law, a failure to follow their spirit may reflect adversely on the person’s fitness and properness.
