The Central Bank of the UAE has set March 31, 2026 as the hard deadline to eliminate SMS and email OTPs across all licensed financial institutions. Most conversations focus on the AED 250,000 administrative penalty for non-compliance. That fine is real — but it’s the smallest number on your risk register.
There’s a sentence in the CBUAE Notice 2025/3057 that doesn’t get enough attention:
Banks are fully liable to reimburse any 3D Secure fraud that occurs while SMS OTP authentication remains in use.
That liability didn’t start on March 31, 2026. It started in July 2025.
Which means every single fraudulent transaction that has passed through an SMS OTP flow since then — every SIM-swap, every SS7 exploit, every social engineering call that ended with a customer reading a six-digit code out loud — has been your bank’s financial loss to absorb. Not the customer’s. Not the card scheme’s. Yours.
The AED 250,000 administrative fine is a one-time event. The fraud reimbursement exposure is a running meter. And it doesn’t stop until your authentication stack does.
Why SMS OTP Was Always a Borrowed Solution
Let’s be direct: SMS OTP was never designed for financial authentication. It was designed for convenience at a time when the alternative was a hardware token in a drawer. The infrastructure it rides on — SS7, the global telecoms signalling protocol — was built in 1975 and was never updated for an era of organised cybercrime.
The attack vectors are well-documented and actively exploited in the UAE market:
- SIM-swap fraud: criminals convince telecom operators to transfer your customer’s number to a SIM they control. From that moment, every SMS OTP goes to them.
- SS7 interception: nation-state-level attacks and sophisticated criminal groups can intercept SMS messages in transit without physical access to the device.
- Social engineering: a fraudster calls your customer, impersonates your bank, and asks them to “confirm” the OTP they just received. It works because people have been trained to expect OTPs.
None of these attacks require the criminal to break any encryption. They bypass security entirely. And every time one succeeds, your institution pays twice: the fraudulent transaction, and the reputational damage of a customer who trusted you.
The Numbers Behind the Pain
The Global Anti-Scam Alliance documented over 40,000 fraud victims in the UAE in 2023 alone, with average losses of $2,194 per victim — approximately $87 million in total. Those figures pre-date the current wave of AI-generated deepfakes and synthetic identity attacks, which have industrialised fraud at a scale that manual controls cannot match.
The CBUAE acted because the data was unambiguous: the authentication layer was the weakest point in the entire banking security chain. And the weakest point was SMS.
For institutions that have delayed compliance, the arithmetic is straightforward. If your bank processes 50,000 online card transactions per day and even 0.1% are fraudulent through the OTP channel, you’re absorbing the cost of 50 fraudulent transactions daily. At average ticket sizes typical of UAE banking, that’s not a compliance budget problem. That’s a P&L problem.
What CBUAE Actually Requires (And Why It’s an Opportunity)
Notice 2025/3057 mandates that all licensed financial institutions replace SMS and email OTP with:
- Biometric authentication (facial recognition, fingerprint) integrated into mobile banking apps
- FIDO2 passkeys and device-bound cryptographic authentication
- In-app push approvals with strong cryptographic binding
- Risk-based, behavioural authentication for continuous session monitoring
- Integration with UAE Pass and Emirates ID where applicable
Read that list again. It’s not just a security upgrade — it’s the architecture of a modern digital banking experience. The banks that have moved fastest aren’t just compliant. They’ve eliminated per-SMS fees, reduced call-centre fraud queries, and improved transaction approval rates because legitimate customers no longer fail authentication due to delayed or missing SMS messages.
Compliance and competitive advantage are, for once, pointing in the same direction.
How Facephi Makes This Transition in Weeks, Not Months
Facephi is a platform built for exactly this moment. Not as a reactive adjustment — as an architecture designed from day one around continuous risk management across the full customer lifecycle.
At the session layer (KYC/pKYC): Our multibiometric engine replaces SMS OTP at the authentication point with passive liveness detection that completes in under 0.5 seconds. No friction. No code to copy. The customer looks at their device; the platform verifies their identity against a NIST-evaluated model that is continuously updated to defend against deepfake and presentation attacks. Emirates ID and UAE Pass integration are supported natively.
At the account layer (KYAC): Authentication doesn’t stop at login. Our behavioural biometrics engine monitors device signals, interaction patterns, and contextual anomalies throughout the session. If a session that started as legitimate shows signs of account takeover — unusual navigation, device changes, velocity anomalies — the platform flags it in real time, before a fraudulent transaction is authorised.
At the transaction layer (KYT/AML): Our proprietary ML engine correlates signals from onboarding through to post-login behaviour. By the time a transaction is submitted, the platform has already classified the risk of that account, that session, and that transaction together — not in isolation. Suspicious Activity Reports are automated, with explainable AI that gives your compliance team an auditable rationale for every decision.
This is the architecture the CBUAE Notice is pointing toward. Not a bolted-on biometric module. An integrated platform where the authentication decision at login, the behavioural monitoring mid-session, and the fraud classification at transaction time are all connected — because fraud doesn’t operate in silos, and your defences shouldn’t either.
Explainable AI: The Detail That Will Matter at Your Next Regulatory Audit
One specification in the CBUAE framework that banks often underestimate: the requirement for audit trail and evidence capture at every decision point.
An authentication system that uses a black-box ML model can tell you that it blocked a transaction. It cannot tell a regulator why. Under the CBUAE’s fraud risk management framework — and under the broader trajectory of UAE financial regulation — that gap is a liability.
Facephi’s explainable AI layer means that every authentication decision, every risk score, every flag raised by the behavioural engine comes with a machine-readable, human-legible justification. Your MLRO can produce it in one click. Your regulator can audit it without a specialist data science team. Your Head of Fraud can use it to train better models next quarter.
This isn’t a feature. It’s infrastructure for a world where the regulator will eventually ask: show me how your system made that decision.
The Path to Compliance Is Shorter Than You Think
We’ve supported over 300 financial institutions across 30 countries through authentication modernisation programmes. The consistent finding: the implementation timeline is shorter than institutions expect, and the operational benefits appear faster than they plan for.
Our modular, no/low-code orchestration layer allows your technical team to configure authentication flows by segment, channel, and risk level without heavy integration projects. Go-live in weeks is not a marketing claim — it’s the architecture.
For UAE institutions facing the March 31 deadline today: it is still possible to be compliant before enforcement begins. The question is not whether you have time. The question is whether you move now or continue absorbing fraud losses through every transaction that passes through an SMS OTP while your team finalises a procurement cycle.
Every day of delay has a cost. It’s just not labelled “fine” on your balance sheet.
Ready to Move
If you’re a licensed financial institution in the UAE and need to understand your fastest path to CBUAE Notice 2025/3057 compliance, our team is available for a focused 20-minute conversation — no slides, no pitch deck, just a clear assessment of your current stack and what it takes to get compliant.
Facephi is an AI-native digital identity and fraud prevention platform serving 300+ financial institutions across 30 countries. Recognised in Gartner’s Hype Cycle for Digital Identity and Innovation Insight for Biometric Authentication. Available on AWS Marketplace. ISO 27001 certified. NIST-evaluated liveness detection.