Hong Kong · SFC + HKMA · Free, every Monday
The 5-minute Monday briefing for Hong Kong’s small licensed firms.
Every SFC and HKMA development from last week — summarized in plain English, with the “so what” for a firm that runs compliance on a small team. Free, every Monday, 7:30am HKT.
Written by a practitioner with 20 years in Hong Kong compliance. No spam, unsubscribe anytime.

One beam over the harbour — every Monday
Inside every issue

This Week's One Thing
The single development you can't ignore — who's in scope, what to actually do, and by when. Never more than one.

The Sweep
Everything else from the week, one line each, tagged by licence type — so you skip what doesn't apply in seconds.

Enforcement Corner
What a real firm did, what it cost, and the control that would have caught it. The section people forward.
From the latest issue
Nº 001 · 13 July 2026The SFC's phishing patience has run out: harden logins, bind devices, watch the accounts
On Thursday the SFC issued Circular 26EC35, setting out its expected standards for internet brokers and SFC-licensed VASPs: robust authentication methods for client account logins, device binding, and effective monitoring and surveillance to spot suspicious account activity. The trigger is blunt — phishing is still Hong Kong’s most reported cybersecurity incident type, and in 2025 fraudsters ran large-scale SMS campaigns impersonating brokers, harvested credentials (one-time passwords included) on fake sites, and are suspected to have executed man-in-the-middle attacks to take over client accounts and push through unauthorised transactions.
- Who's in scope: internet brokers and SFC-licensed virtual asset service providers — in practice, any firm whose clients log in to trade
- What to do: put your current login flow next to the circular's examples of acceptable authentication methods, confirm device binding is on (not optional), and check someone actually reviews the account-activity alerts
- By when: no transition period is stated — read it as a current supervisory expectation, not a future one
The Record
Twelve months of SFC circulars — every one summarized, tagged, and linked to the official text.
Free with your subscription
The 2026 Hong Kong Compliance Calendar — every FRR, BRMQ, CPT and annual-return deadline on one page.

Built for the RO wearing three MIC hats: boutique asset managers, hedge funds, family offices, and brokers — and the consultants who serve them.
Join the Monday list
One email a week. Written for the person who owns the risk, not the person selling the software.