The Big Shift: Starting July 25, 2025

In a bold move to combat digital fraud, UAE banks began phasing out one‑time passwords (OTPs) delivered via SMS or email for all digital banking and payment transactions. The Central Bank of the UAE (CBUAE) has mandated full compliance by March 31, 2026.

Why OTPs Are No Longer Enough

Once a straightforward security measure, SMS/email OTPs have become increasingly vulnerable to sophisticated attacks: SIM‑swap fraud, SMS interception via SS7 network flaws, phishing campaigns, and SMS pumping scams. In 2023, over 40,000 people in the UAE were scammed, averaging $2,194 in losses per victim.

What’s Replacing Them

• Banks are transitioning to secure alternatives, including:

• In-app authentication via mobile banking apps

• Biometric verification (e.g. facial recognition via Emirates ID or UAE Pass)

• Soft tokens, passkeys, and cryptographic FIDO2-based methods

• Behavioral biometrics and risk-based adaptive flows

What the UAE Central Bank Requires

Under the CBUAE rules:

SMS/email OTPs, static passwords, and weak methods are prohibited for transaction or access authentication.

Strong authentication is mandated for actions like new device login, payment set‑up, card provisioning, modifying security settings, or sensitive transaction approvals.

3D Secure payments must use in-app confirmation or passkey-style methods; refunds are mandatory for any fraud linked directly to SMS OTP.

Banks must deploy 24/7 real-time fraud monitoring, device/behavioral analysis, session suspension triggers, and click suppression in communications.

What It Means for Banks & For You

For Banks (including FinTechs and PSPs):

High upfront investment in infrastructure, app updates, biometric integration and user migration.

Long‑term reduction in fraud losses and per‑SMS costs.

Competitive edge from smoother, more secure customer experiences.

For Corporate & Retail Customers:

More secure authentication with in-app approval or biometric/passkey logins—resistant to phishing and SIM swap.

A seamless experience: no manual OTP entry, faster transaction journeys.

But customers must update mobile apps, register for new authentication flows, and learn new habits.

What You Should Do

If your organization interacts with UAE banks—whether receiving payments, managing corporate transfers, or guiding clients—prepare by:

Updating and adopting bank mobile applications with app-based authentication.

Registering your devices in-app and setting up biometric or passkey-based authentication ahead of July 25.

Training teams and customers via multilingual education on new authentication workflows.

Reviewing operational and fraud‑risk controls, ensuring beneficiary detail display and session risk management are in place.

Monitoring bank communications for guidance, transitional grace periods, and technical support.

Why This Matters for Your Business

UAE leads globally in secure authentication innovation, adopting these new standards puts your organization ahead in operational resilience and customer trust. This transition is more than just about stopping OTPs. It’s about embracing next-gen authentication, reducing fraud, and shaping a more secure digital banking future. UAE is leading this charge—are you ready to follow?

If you would like detailed guidance on setting up business, employee, or investor bank accounts—or need comprehensive support with compliance management during the account‑opening process—our experts are ready to assist.

Click the Book now button below to Book a free consultation.

To stay informed on regulatory updates, compliance trends, and best practices, subscribe to our newsletter.