The Central Bank of the United Arab Emirates (CBUAE) has issued a comprehensive directive requiring all financial institutions to completely discontinue the use of OTPs sent via SMS and email by 31 March 2026. This is considered one of the most significant shifts in user authentication in the Middle East in the past decade.
Compliance Roadmap and New Authentication Requirements
According to the CBUAE directive, the transition will occur in two phases. Beginning July 2025, banks must gradually phase out SMS/email OTPs and introduce stronger authentication mechanisms for critical transactions and logins. Specifically:
- UAE banks are required to begin shifting to app-based authentication, where users approve transactions directly within the bank’s mobile application through push notifications. When a login or transaction request occurs, customers will receive a prompt and authenticate via Face ID, fingerprint, or a secure PIN. This method is fast and resistant to attacks because authentication occurs within a protected application environment.
- They are also encouraged to implement advanced solutions such as:
+ Passkeys based on global FIDO standards, protected by biometric authentication on smartphones.
+ Fingerprint or facial recognition: some banks, such as United Arab Bank, have partnered with the national facial recognition system to support mobile banking login.
+ Integration with UAE Pass, part of the country’s broader digital identity framework, also supported by private-sector providers.
+ Risk-based authentication: For low-risk actions like balance checks, quick biometric scans may suffice; high-value transactions may require additional verification layers.
+ Behavioral biometrics: For example, monitoring typing patterns, swipe gestures, or how a user holds a device to provide an additional “invisible” security layer.
+ Other modern protection mechanisms may include AI-powered deepfake detection, decentralized identity systems, hardware security keys, post-quantum cryptography (PQC) to prepare for future threats, and real-time fraud monitoring capable of suspending active sessions when suspicious activity is detected.
This decision follows a sharp rise in digital banking fraud across the UAE in early 2025. Complaints related to digital banking scams increased by 73%, largely due to vulnerabilities in SMS/email OTP delivery. Any institution that fails to meet the deadline or cannot demonstrate adequate risk management may face administrative penalties, with fines reaching up to 250,000 AED (approx. 68,000 USD) for serious violations of the regulation.

Benefits of the UAE Directive for Financial Institutions and Banks
For financial institutions and banks, this directive represents one of the most significant technological transformations in UAE banking in decades. Banks will need to make substantial investments in new authentication infrastructure and transition toward passwordless strong authentication, which aligns with global trends.
In the long term, this shift will result in massive cost savings – particularly by eliminating millions of SMS messages sent each month, along with customer support costs tied to OTP issues. Additionally, stronger authentication methods drastically reduce fraud risks through enhanced anti-fraud, anti-spoofing, and anti-SIM-swap mechanisms, thereby reinforcing security. At the same time, providing fast, seamless, and secure authentication experiences helps banks build competitive advantages, increase customer loyalty, and affirm their leadership in the UAE’s digital financial transformation.
Instead of typing OTP codes, customers will log in or approve payments using fingerprint scans, facial recognition, or built-in device security features. This results in faster interactions, fewer errors, and greater peace of mind, as users no longer fear OTP interception through fraud or impersonation attacks.
Most importantly, the CBUAE mandate strengthens consumer trust in digital banking and encourages broader adoption of online financial services. Financial experts view this as not merely a regulatory change but a strategic turning point for the entire UAE banking ecosystem.
Savyint – Global Expert in Strong Payment Authentication
Amid increasing security demands, Savyint, a global expert in strong payment authentication, introduces the SAM Auth Server, an all-in-one strong authentication solution.
SAM Auth Server is built on an advanced authentication platform powered by the Cryptographic Security Platform (CSP). It features SCA/MFA authentication, Passkey/FIDO integration, biometric authentication combined with SmartOTP, PKI-based passwordless authentication, data encryption, Smart Token, Tokenization, transaction signing with E2E2E, mobile cryptography security, and post-quantum cryptography (PQC), enabling system authentication, data encryption, transaction encryption, multi-layer authentication, and multi-tier security at the highest level.
SAM Auth Server is also a pioneering solution that simultaneously complies with major global standards (AML, KYC/KYB, PSD2/PSD3, MAS TRM, NIST, CIBA, API security…) as well as regulatory frameworks in multiple countries such as Circular 64 and Circular 50 (Vietnam), BSP 1213 (Philippines), and Malaysia’s regulatory requirements.
Connect with Savyint experts today to build a secure and compliant payment ecosystem.




