In May 2025, the UAE Central Bank released Notice No. CBUAE/FCMCP/2025/3057. This decision marked a turning point for the entire financial system of the country. From that moment, banks, insurance companies, fintechs, and exchange houses were required to redesign their approach to customer authentication. The goal was simple but strict: to eliminate SMS and email OTP from circulation completely. The deadline was clearly marked: March 31, 2026.
The transformation began on July 25, 2025, when banks started transferring customers to app-based authentication. Push notifications inside mobile applications replaced SMS codes. Transaction confirmation became possible through biometrics (fingerprint or facial recognition) or a PIN code. These methods not only speed up the process but also provide more reliable protection for financial transactions.
Why the Move Was Urgent
The weakness of outdated technologies was evident. Phishing attacks, SIM swap, and SS7 protocol exploitation made SMS OTP highly vulnerable. Criminals learned to intercept messages and bypass security layers. Under these conditions, the regulator had no choice but to impose strict deadlines and shift the responsibility for vulnerable operations directly onto banks.
Step-up authentication became mandatory for critical actions. Changes to card limits, customer data, security parameters, or issuing a new card must now be confirmed via secure mechanisms. SMS OTP is no longer acceptable for 3D Secure transactions. Instead, banks must use in-app verification, soft tokens, tap to authenticate, or biometric verification. This represents a fundamental shift: the responsibility for every transaction lies with the bank, while the client benefits from greater transparency and stronger security.
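The step-up requirement above can be enforced as a server-side gate. The following is an added example, not code from the notice or from any bank: the action and method identifiers, the 120-second freshness window, and the use of an HMAC over a per-device secret (standing in for the asymmetric device-bound key a passkey or soft token would use) are all assumptions.

```python
import hashlib
import hmac
import json

# Actions the article lists as requiring step-up (identifiers are assumed).
CRITICAL_ACTIONS = {"change_card_limit", "update_customer_data",
                    "change_security_settings", "issue_new_card"}
# Accepted methods per the article; sms_otp and email_otp are deliberately absent.
STRONG_METHODS = {"in_app", "soft_token", "tap_to_authenticate", "biometric"}
MAX_AGE_SECONDS = 120  # assumed freshness window


def action_digest(action, params):
    """Canonical hash of exactly what the customer is approving."""
    blob = json.dumps({"action": action, "params": params}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


def _tag(device_key, approval):
    msg = f"{approval['digest']}|{approval['method']}|{approval['issued_at']}"
    return hmac.new(device_key, msg.encode(), hashlib.sha256).hexdigest()


def sign_approval(device_key, action, params, method, issued_at):
    """Device side: produce the approval after the user confirms in the app."""
    approval = {"digest": action_digest(action, params),
                "method": method, "issued_at": issued_at}
    approval["tag"] = _tag(device_key, approval)
    return approval


def authorize(device_key, action, params, approval, now):
    """Server side: return (allowed, reason) for the requested action."""
    if action not in CRITICAL_ACTIONS:
        return True, "no step-up required"
    if approval is None:
        return False, "step-up required"
    if approval["method"] not in STRONG_METHODS:
        return False, "method not accepted"
    if not hmac.compare_digest(_tag(device_key, approval), approval["tag"]):
        return False, "bad signature"
    if approval["digest"] != action_digest(action, params):
        return False, "approval is for a different action"
    if not 0 <= now - approval["issued_at"] <= MAX_AGE_SECONDS:
        return False, "approval expired"
    return True, "ok"
```

Because the approval covers a digest of the action and its parameters, a confirmation given for one card-limit change cannot be reused for a different limit or a different action, which is the property a bare OTP lacks.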
Financial institutions were also required to implement real-time transaction analysis. Systems must detect unusual activity, instantly block suspicious transactions, and assign risk scores to every event. Special monitoring applies to dormant accounts and mule accounts, ensuring that even rare or unusual activity cannot slip through undetected.
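A minimal sketch of the per-event risk scoring described above, with extra weight for dormant accounts and a mule-style pass-through pattern. This is an added example, not taken from the notice: the event fields, the weights, the 365-day dormancy definition, the time windows and the blocking threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=365)       # assumed dormancy definition
REACTIVATION_WATCH = timedelta(hours=24)  # assumed watch period after wake-up
PASS_THROUGH_WINDOW = timedelta(hours=1)  # assumed mule look-back window
BLOCK_AT = 70                             # assumed blocking threshold


def score_events(events, last_activity, known_payees):
    """Score every event in time order; return {txn_id: (score, reasons, decision)}."""
    woke_at, inbound, out = {}, {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        acct, t, score, reasons = ev["account"], ev["time"], 0, []
        prev = last_activity.get(acct)
        if prev is not None and t - prev > DORMANT_AFTER:
            woke_at[acct] = t  # dormant account just became active
        last_activity[acct] = t
        if ev["type"] == "credit":
            inbound.setdefault(acct, []).append((t, ev["amount"]))
        else:
            if acct in woke_at and t - woke_at[acct] <= REACTIVATION_WATCH:
                score += 40
                reasons.append("debit from recently dormant account")
            recent = sum(a for ts, a in inbound.get(acct, [])
                         if t - ts <= PASS_THROUGH_WINDOW)
            if recent and ev["amount"] >= 0.9 * recent:
                score += 40
                reasons.append("funds forwarded right after arrival")
            if ev["payee"] not in known_payees.setdefault(acct, set()):
                score += 20
                reasons.append("first payment to this payee")
        decision = "block" if score >= BLOCK_AT else "allow"
        if decision == "allow" and ev["type"] == "debit":
            known_payees[acct].add(ev["payee"])
        out[ev["id"]] = (score, reasons, decision)
    return out


# Constructed sample events, not real data.
T0 = datetime(2026, 1, 10, 9, 0)
SAMPLE = [
    {"id": "t1", "account": "A", "type": "credit", "amount": 9000, "time": T0},
    {"id": "t2", "account": "A", "type": "debit", "amount": 8900, "payee": "X",
     "time": T0 + timedelta(minutes=12)},
    {"id": "t3", "account": "B", "type": "debit", "amount": 150, "payee": "Y",
     "time": T0 + timedelta(minutes=20)},
]
LAST_ACTIVITY = {"A": T0 - timedelta(days=500), "B": T0 - timedelta(days=2)}
KNOWN_PAYEES = {"B": {"Y"}}
```

On the sample data, the account idle for 500 days receives a credit and forwards almost all of it to a new payee within minutes, so that debit is blocked, while the routine payment from the active account scores zero.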
Another key reform element is confirmation of payee. Before completing a transfer, the client must see the recipient’s name, account number, and bank details. For instant payments, this step has become mandatory, significantly lowering the risk of fraud-related transfers.
Advanced security controls extend the protection layer further. In mobile apps, sessions must immediately terminate if screen sharing, malware, or remote access tools are detected. For web banking, any active third-party application is prohibited during a session. These measures directly address the persistent threats of social engineering, which remains a favorite tactic among attackers.
Broader Context and Global Implications
The urgency of these reforms is supported by data. Internet penetration in the UAE exceeds 96 percent, among the highest in the world. A wealthy, digitally active population and massive transaction volumes make the country a magnet for cybercriminals. It is no surprise the regulator has chosen to act decisively and without compromise.
The new directives are part of the larger Financial Infrastructure Transformation Program. This program includes not only authentication upgrades but also the planned launch of a retail central bank digital currency (CBDC), the digital dirham, in late 2025. Security and innovation are moving hand in hand, positioning the UAE’s financial ecosystem as a benchmark for others.
For banks and fintech companies, compliance is both a challenge and an opportunity. Modernization now means upgrading mobile apps, integrating passkeys, implementing device-bound credentials, and moving toward passwordless authentication. Clients, meanwhile, gain greater convenience, approving transactions with a fingerprint or Face ID instead of waiting for slow SMS codes.
The outcome is clear. By March 2026, weak verification channels will be phased out entirely. The system will rely on biometrics, cryptographic methods, and risk-based monitoring. For the international community, the signal is unmistakable: the SMS OTP era is over, and the future belongs to phishing-resistant technologies tied securely to individual devices and users.
Data Protection and Cloud Services in Dubai
The demand for stronger financial security intersects with the growth of enterprise technology solutions. Organizations across the UAE are looking to cloud solutions in Dubai to back up sensitive financial data and ensure compliance with new security mandates. From advanced data backup services to risk-based monitoring, integrating cloud services strengthens both business resilience and consumer trust.
IT Managed Services and Security Expansion
Alongside banking reforms, companies are also seeking professional support to maintain operational stability. Many rely on IT managed services providers in Dubai who deliver end-to-end monitoring, cybersecurity, and system maintenance. These services align with the regulatory push for advanced fraud detection, ensuring that both financial institutions and corporate clients benefit from secure, scalable, and well-maintained digital infrastructure.
