No, an email OTP does not qualify as a “what a client has” authentication factor. An email OTP is not effective as the person logging in may not be the actual client for the following reasons:

(i) an email OTP can be delivered to multiple devices, eg, both a mobile phone and a computer, and be accessed or read by multiple applications on each of these devices;

(ii) an email OTP may not always be directed to the client as the login credentials for email accounts can be shared with multiple persons; and

(iii) security protection for email accounts is insufficient, eg, the email forwarding function may result in inadvertent sharing of the OTP with other persons.

(Key references: Paragraph 12.12(b) of the VATP Guidelines)

In general, a Platform Operator should not allow clients to bind or register more than three devices. 

(i)  In cases where an individual client requests to bind or register more than three devices, a Platform Operator should understand the reasons and assess the reasonableness of the request; and

(ii) In cases where a corporate client requests to bind or register multiple devices so that they can be operated by its authorised persons, a Platform Operator should advise the corporate client of the creation of sub-accounts (each with its own 2FA) for those authorised persons; and if a sub-account arrangement is not feasible, a Platform Operator should ask its corporate clients about the number of persons authorised to operate their trading accounts and limit concurrent logins accordingly.

(Key references: Paragraph 12.12(b) of the VATP Guidelines)

Platform Operators may, among other things, implement the following controls:

• account lockout;
• exponential back-off between successive failed login attempts; and
• brute-force attacks detection with appropriate responses.

The above list is not exhaustive and Platform Operators can choose to implement any controls they deem appropriate.

(Key references: Paragraph 12.12(d)(v) of the VATP Guidelines)

No. Session timeout should not be disabled.

(Key references: Paragraph 12.12(d)(vi) of the VATP Guidelines)

 A Platform Operator should limit the idle timeout period to no more than 30 minutes subject to prior assessment and ongoing monitoring.

(Key references: Paragraph 12.12(d)(vi) of the VATP Guidelines)

Our requirement is for Platform Operators to notify clients promptly of each system login. But we accept that a Platform Operator could allow clients to opt-out from notifications of each system login provided that:

• the Platform Operator has the capability to identify irregular logins and promptly notify clients of irregular logins;
• the Platform Operator has provided adequate risk disclosures to clients who have acknowledged that they understand the risks involved in opting-out from notifications of each system login; and
• the clients have not opted out from trade execution notifications.

(Key references: Paragraph 12.12(e) of the VATP Guidelines)

A proper network segmentation should be implemented with multi-tiered firewalls. A Platform Operator should:

(i) place trading applications and other critical systems, such as custody system, within an internal network behind a Demilitarized Zone (“DMZ”); and

(ii) host servers with less sensitive data, eg, the web server, within a DMZ.

(Key references: Paragraph 12.12(f)(i) of the VATP Guidelines)

No. A Platform Operator should avoid granting permanent remote access to external parties. Remote access should be granted on a need-to-have basis and disabled after the remote access activities are completed.

(Key references: Paragraph 12.12(f)(ii) of the VATP Guidelines)

Security patches and hotfixes ranked as critical or of high severity should be deployed within one month following the completion of testing.

Non-critical security patches and hotfixes are allowed to be deployed using a batch-implementation approach. They should be deployed at least on a quarterly basis unless, after evaluation, a Platform Operator determines that they may be incompatible with system applications and cannot be implemented.

(Key references: Paragraph 12.12(f)(iii) of the VATP Guidelines)

No, EOL software is not allowed. For close to EOL software, a Platform Operator should monitor the validity of the software and formulate a plan to replace or upgrade it before EOL.

(Key references: Paragraph 12.12(f)(iii) of the VATP Guidelines)

A Platform Operator should review international security standards (eg, the cryptographic standards provided by National Institute of Standards and Technology (NIST)) on an ongoing basis, check the status of their data encryption algorithms and upgrade them as appropriate.

Examples of weak encryption algorithms include:

(i) For data transmission: SSL 3.0, TLS 1.0, TLS 1.1, TLS_RSA_WITH_RC4_128_MD5

(ii) For data storage: DES, 3DES, RC4, RC5, RSA 1024-bit, Blowfish, Twofish, MD5, SHA-1

(Key references: Paragraph 12.12(g) of the VATP Guidelines)

Yes, DMZ is considered as part of an internal network for the said purpose.

(Key references: Paragraph 12.12(g) of the VATP Guidelines)

No, given the automated and round-the-clock nature of the VATP business, manual review is not an effective means of identifying suspicious unauthorised virtual asset trading activities. A Platform Operator should implement effective automated solution to monitor and identify suspicious unauthorised access to clients’ trading accounts, such as automated IP address monitoring tool and behaviour analysis.

(Key references: Paragraph 12.12(h) of the VATP Guidelines)

A Platform Operator should perform monitoring and identification of suspicious unauthorised access to clients’ trading accounts on a real time basis.

(Key references: Paragraph 12.12(h) of the VATP Guidelines)

A Platform Operator may monitor (i) logging into multiple client accounts from the same IP address; and (ii) change of IP address for accessing the same client account from one country to another country in a short period of time.

(Key references: Paragraph 12.12(h) of the VATP Guidelines)

A Platform Operator should implement at minimum the below security controls to protect the mobile trading platform: 

(i) detecting and blocking jailbroken or rooted mobile devices from logging into the mobile trading platform; 

(ii) obfuscating the source codes to better protect them from potential manipulation; 

(iii) purging unused code libraries or modules from its source codes; 

(iv) purging clients’ sensitive information from its mobile trading platform installed on clients’ mobile devices once the clients exit the application or log off their trading account, eg, disabling the “remember password”, “auto fill” and “auto completion” features; and

(v) tightening security controls for biometric authentication, eg, requiring clients to deactivate and re-register their biometric authentication, subject to validation, if clients wish to add or amend the biometric data stored in the records for their mobile device and limiting the number of failed authentication attempts, eg, five consecutive failed attempts.

(Key references: Paragraph 12.12 of the VATP Guidelines)

Yes, the term “off-line medium”¹ refers to tape or any other kind of medium, such as remote backup server, which is securely segregated from the production system.

(Key references: Paragraph 12.16 of the VATP Guidelines)