More banks across the United Arab Emirates are tightening digital security by phasing out SMS and email based one time passwords and replacing them with biometric logins, in app approvals and advanced fraud monitoring tools, as new regulatory requirements from Central Bank of the UAE come into effect.
Dubai: By the end of March 2026, all licensed financial institutions operating in the country must discontinue the use of OTPs delivered through text messages or email and transition to more secure authentication methods embedded within mobile banking applications. The move is part of a broader regulatory drive aimed at strengthening fraud prevention, enhancing artificial intelligence governance and reinforcing operational resilience across the banking sector. Under the updated framework, customers will increasingly be required to approve transactions directly within their bank’s official app using fingerprint recognition, facial authentication or a secure personal identification number. A spokesperson from a Dubai based bank confirmed that, in line with directives issued by Central Bank of the UAE, customers can now complete online transactions by selecting the authentication via app feature available in their smart banking applications.
The shift will directly affect routine banking activities for residents, including online shopping, fund transfers and card payments, which have traditionally relied on six digit codes sent through SMS. Regulators and banking executives have indicated that SMS based authentication has been repeatedly targeted in SIM swap and social engineering attacks, where fraudsters trick victims into sharing OTP codes or manipulate telecom services to gain access to accounts. Rob Woods, senior director for fraud and identity at LexisNexis Risk Solutions, said that as the new regulations take effect at the end of March, fraud prevention has become a central priority for financial institutions. He noted that the rules require capabilities such as active call detection and screen sharing detection, while encouraging the adoption of behavioural intelligence systems designed to identify and disrupt scams in real time. According to Woods, larger banks are generally more advanced in implementing these controls, while some smaller institutions are still in the process of addressing the new requirements amid a regional surge in impersonation fraud.
Impersonation schemes across the Middle East have seen criminals posing as government officials or bank representatives, with social media driven phishing attempts increasingly targeting younger users. Romance scams also continue to present risks, underscoring the need for stronger technology led safeguards. Alongside authentication reforms, Central Bank of the UAE has issued updated guidance on the responsible use of artificial intelligence and machine learning in financial services. The framework establishes accountability standards for institutions deploying AI in areas such as fraud detection, risk monitoring and customer profiling, requiring oversight mechanisms, governance controls and data protection measures. Khaled Mohamed Balama, Governor of Central Bank of the UAE, said the guidance aims to set a clear structure for responsible AI use in a manner that enhances consumer protection, reinforces transparency principles and emphasises human oversight. For residents, the practical implication is that online transactions will increasingly require biometric or in app approval rather than SMS codes, as banks align with tighter digital safeguards and comply with the March 2026 deadline.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
