Goodbye SMS OTPs: UAE Central Bank mandates in-app authentication for all banks by March 2026.
- The CBUAE has ordered all retail and private banks to retire SMS and email OTPs by 31 March 2026 under Notice 2025/3057.
- From 6 January 2026, several major UAE lenders stopped issuing SMS codes for online card transactions, requiring in-app biometric approvals instead.
- Approved replacement methods include FIDO2-compliant passkeys, cryptographic soft tokens, device-binding technology, and behavioural biometrics.
- High-net-worth clients must now use in-app authentication for transfers, card payments, and account-setting changes.
- Any SMS OTP fraud on 3-D Secure card transactions must be fully refunded to the customer under the new rules.
- The UAE is considered the first country to mandate a complete ban on SMS OTPs across the entire banking sector.
CBUAE Notice 2025/3057: Redefining Digital Identity in UAE Banking
The Central Bank of the UAE (CBUAE) has set a firm 31 March 2026 deadline for all licensed banks to eliminate SMS and email one-time passwords (OTPs). The regulatory overhaul, formalised under CBUAE Notice 2025/3057, applies to retail banks, card issuers, payment service providers, and stored-value facility operators. For private banking and wealth management clients with high digital transaction volumes, the implications are immediate and significant.
The mandate draws on the UAE's national digital identity infrastructure - including the UAE PASS platform and the biometric-enabled Emirates ID - to provide the foundation for high-assurance in-app biometric authentication. Banks must integrate these tools into workflows for high-risk events such as new device registration, large transfers, and digital wallet provisioning. The directive also reflects an urgent regulatory response to SIM-swap fraud prevention, as AI-driven account-takeover attempts accelerate across the region.
Why the CBUAE is Retiring SMS OTPs
SMS and email OTPs have proven vulnerable to a range of fraud techniques, including SIM-swap attacks, phishing schemes, man-in-the-middle exploits, and weaknesses in legacy SS7 telecom protocols. The CBUAE cites a reported 38% rise in SIM-swap and phishing incidents across the UAE during 2024-2025 as a key driver of the new regulation. Industry analysis identifies OTPs as the single weakest link in most account-takeover and card-not-present fraud chains.
The mandate also responds to intensifying AI-driven attacks on UAE financial networks, with the UAE Cybersecurity Council reportedly detecting around 200,000 attacks daily. According to earlier reporting on UAE Advisor Guide, AI-driven campaigns now operate at machine speed, compressing attack timelines far beyond what human monitoring can track. High-net-worth clients are prime targets given the value of their portfolios and the sensitivity of their KYC files.
The New Authentication Framework
Under Notice 2025/3057, approved replacement methods include FIDO2 (Fast Identity Online 2)-compliant authenticators, cryptographic passkeys, soft tokens, device-binding technology, and behavioural biometrics. SMS OTPs and static passwords are explicitly prohibited as stand-alone verification for any transaction, user enrolment, or account access. Strong authentication is also required for new device registration, adding cards to digital wallets, and enrolling in instant payment services.
Step-up authentication is additionally required when clients initiate payments, change transaction limits, update personal data, or request card replacements. Banks must display the beneficiary's full name and account details to the sender before any fund transfer is confirmed. Where malware, remote-access tools, or signs of a live social-engineering call are detected on a client session, banks must suspend the transaction immediately.
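As an added illustration, not code from the article, the CBUAE or any bank, the following Python sketch encodes the framework described in this section as a transaction-authorisation decision: session-compromise indicators suspend the transaction, listed high-risk events require a strong method, SMS/email OTPs and static passwords never count on their own, and a payment is blocked unless the beneficiary details were displayed first. The event names, method names and decision strings are assumed labels.

```python
from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    SMS_OTP = "sms_otp"
    EMAIL_OTP = "email_otp"
    STATIC_PASSWORD = "static_password"
    FIDO2_PASSKEY = "fido2_passkey"
    SOFT_TOKEN = "soft_token"
    DEVICE_BOUND_BIOMETRIC = "device_bound_biometric"


# Methods accepted as stand-alone strong authentication (from the article's list).
STRONG = {Method.FIDO2_PASSKEY, Method.SOFT_TOKEN, Method.DEVICE_BOUND_BIOMETRIC}

# Events the article says require strong or step-up authentication.
STEP_UP_EVENTS = {
    "new_device_registration", "wallet_provisioning", "instant_payment_enrolment",
    "payment", "limit_change", "personal_data_update", "card_replacement",
}

# Session indicators on which the transaction must be suspended immediately.
SUSPEND_SIGNALS = {"malware", "remote_access_tool", "live_social_engineering_call"}


@dataclass
class AuthRequest:
    event: str                       # assumed event label, e.g. "payment"
    methods: set                     # factors the client has presented
    session_signals: set = field(default_factory=set)
    beneficiary_shown: bool = True   # sender saw beneficiary name and account


def decide(req: AuthRequest) -> str:
    # 1. Compromise indicators on the session override every other rule.
    if req.session_signals & SUSPEND_SIGNALS:
        return "SUSPEND"
    # 2. Events outside the high-risk list need no step-up (e.g. balance view).
    if req.event not in STEP_UP_EVENTS:
        return "ALLOW"
    # 3. A transfer may not be confirmed before beneficiary details are displayed.
    if req.event == "payment" and not req.beneficiary_shown:
        return "BLOCK_BENEFICIARY_NOT_DISPLAYED"
    # 4. OTPs and static passwords alone are insufficient; a strong method is needed.
    if not (req.methods & STRONG):
        return "STEP_UP_REQUIRED"
    return "ALLOW"
```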
What Changed from 6 January 2026
Several major UAE lenders stopped issuing SMS codes for online card purchases from 6 January 2026, ahead of the final March deadline. These banks required customers to update their mobile apps, activate biometrics, and enable push-notification approvals before they could continue making secure payments online. Khaleej Times and Biometric Update both reported on the scale of the operational switchover across the market.
Banks have been running public education campaigns, with particular attention given to elderly customers and less tech-savvy users who may need hands-on guidance. Employers managing mobile workforces and expatriate staff are urged to ensure employees update their banking apps and activate biometrics without delay, to avoid disruption to salary payments or international remittances.
Fraud Controls and Consumer Protections
The directive requires banks to operate 24/7 real-time fraud monitoring across all channels, incorporating device, location, and behavioural analytics into their detection systems. Any fraud involving SMS OTPs on 3-D Secure (3DS) transactions - a standard protocol used to authenticate online card payments - must be fully refunded to the customer. This rule effectively removes any remaining commercial incentive for banks to retain OTPs within their card authentication stack.
Banks must also provide instant in-app channels for reporting suspected fraud, blocking cards, managing transfer limits, and handling tokenised cards, without requiring branch visits. Brand-protection obligations include scanning for phishing sites, spoofed domains, and e-skimming risks, alongside compliance with PCI DSS and SWIFT's Customer Security Controls Framework.
What This Means for Private Banking and Compliance Teams
Private banks and wealth managers must confirm that all client-facing authentication flows now use biometric or cryptographic methods, covering large transfers, limit changes, and new device registrations. Compliance teams should audit third-party technology integrations, confirm FIDO2 or equivalent certifications, and update client communications to reflect the new authentication journey. The CBUAE also expects institutions to maintain clear audit trails and documentation of all authentication policies.
Governance requirements are demanding, with institutions expected to document authentication policies, conduct independent cybersecurity audits, and monitor high-risk accounts for anomalous activity. Failure to meet the 31 March 2026 deadline can result in elevated supervisory-risk ratings on Central Bank dashboards and, potentially, formal enforcement action.
For relationship managers, the priority is proactive client outreach. High-net-worth clients who have not updated their banking apps or registered their primary devices may find transactions blocked after the deadline. Early guided onboarding and direct communication will help prevent disruption to time-sensitive payments or investment activities.
What Clients Are Asking Their Advisors
What is replacing SMS OTPs in UAE banks from March 2026?
UAE banks are replacing SMS one-time passwords with in-app biometric approvals, FIDO2-compliant passkeys, cryptographic soft tokens, and device-binding technology. These methods are mandated under CBUAE Notice 2025/3057 and provide significantly stronger protection against phishing and SIM-swap fraud. Most major UAE banks have already introduced facial recognition and fingerprint scan approvals within their mobile apps.
How do I activate biometric banking approval on my UAE bank app?
Download or update your bank's mobile app and follow the in-app prompts to register your device and enable Face ID, fingerprint, or a bank-specific secure PIN. Most UAE banks have published step-by-step guides in their help centres and can assist by phone or in-branch with device registration. Once activated, you will receive push notifications to approve transactions directly in the app rather than waiting for an SMS code.
Is the UAE the first country to ban SMS OTPs for banking?
Multiple international analyses describe the UAE as the first country to mandate a complete ban on SMS and email OTPs across the banking sector, with a fixed compliance deadline. Other jurisdictions such as the EU and UK have issued guidance discouraging OTP reliance, but have not imposed an outright prohibition with a hard deadline. The UAE model is being watched by regulators worldwide as a benchmark for prescriptive authentication reform.
What happens if my UAE bank account is still using SMS OTPs after 31 March 2026?
After the compliance deadline, banks that continue to issue SMS OTPs face elevated supervisory-risk ratings on CBUAE dashboards and potential enforcement or remedial action. For individual clients, this means banks may block or suspend transactions that cannot be authenticated through approved biometric or cryptographic methods. Clients who have not updated their apps and enabled biometrics before the deadline risk disruption to online payments, transfers, and card-not-present purchases.
Further Reading
Gulf News: UAE Banks Phase Out SMS OTPs - Why In-App Banking Is Safer
Biometric Update: Biometrics Replacing SMS OTPs for UAE Online Transactions
IDTechWire: UAE to End SMS and Email OTPs for Digital Banking by March 2026
UAE Foils AI Cyberattacks on Finance Sector as High Alert Remains