Crypto Brief

Hong Kong SFC passkeys push reshapes crypto platform account security

Two security/compliance signals stand out for executives. Hong Kong’s SFC has ordered crypto platforms and online brokers to phase out OTP logins and replace them with passkeys within 12 months, explicitly citing a large spoofing surge. Separately, Ethereum’s security posture is shifting from vulnerability discovery toward more systematic validation using AI agents, with reporting noting most findings may be false positives—still, the process change suggests a move toward higher-automation security testing.

On the market-structure and policy side, multiple items point to tightening or evolving regulatory frameworks rather than laissez-faire adoption. A potential new draft of the crypto “Clarity Act” could re-enter momentum quickly, while EU policymakers are reportedly considering revisions to MiCA to cover non-EU stablecoin issuers in response to US stablecoin rules and tokenized payments/deposits. Meanwhile, stablecoin infrastructure adoption is continuing through traditional payments ecosystems (e.g., PYUSD increasing via native Polygon issuance) and official banking approaches (e.g., bank-led won stablecoin push in South Korea). Executives should view these as interacting pressures: identity security, compliance readiness, and stablecoin governance are converging into near-term operational requirements.

Top Signals

1. Hong Kong mandates passkeys, phasing out OTP logins for crypto platforms

Signal strength: Early

This is an enforceable account-security compliance change with direct implementation and audit implications (identity, authentication flows, customer migration timelines, and vendor/security controls). Firms that cannot replace OTP quickly may face regulatory friction, increased fraud exposure, and higher support/incident costs.

Supporting evidence

2. Ethereum accelerates AI agent security testing to validate real bugs

Signal strength: Strong

Automating security testing can improve time-to-detection and resilience of critical infrastructure, but it also changes how teams triage findings (e.g., managing false positives) and how assurance is documented for governance, audits, and incident response. Protocol stakeholders should expect more continuous, agent-driven security processes.

Supporting evidence

3. Stablecoin regulation tightens: EU moves to cover non-EU issuers

Signal strength: Early

Cross-border stablecoin governance directly affects issuers, exchange listings, and compliance processes (licensing, marketing, reserve and operational controls). If EU frameworks expand to non-EU issuers, firms handling stablecoin distribution and custody may face new onboarding, reporting, and risk-management requirements.

Supporting evidence

4. US crypto policy momentum: new Clarity Act draft may surface next week

Signal strength: Early

A renewed drafting timeline can rapidly change compliance expectations for platforms, custody, and stablecoin/tokenized product offerings. Executives should anticipate accelerated regulatory engagement and prepare for shifting definitions, categorization, and market-structure requirements.

Supporting evidence

5. Bank-led stablecoin push persists as deposit token pilots advance

Signal strength: Early

Bank-led stablecoin issuance and deposit token pilots signal a route to adoption that favors regulated intermediaries and deposit-linked models. This affects partnerships (banks vs. issuers), technology choices, compliance requirements, and competitive positioning versus purely crypto-native stablecoin models.

Supporting evidence

6. Institutionalization continues: Ethereum nonprofit targets Wall Street education

Signal strength: Early

Professionalization of Ethereum access for financial institutions can lower adoption friction (education, integration guidance, governance alignment). Over time, this can improve liquidity, custody/investment workflows, and ecosystem legitimacy—particularly where regulatory clarity is still evolving.

Supporting evidence

Supporting Stories

Sources