The United Arab Emirates (UAE) has become one of the most active and digitalized financial markets in the world, and also one of the most attacked. According to data from the UAE Cyber Security Council, the country’s financial sector receives the equivalent of 14,000 cyberattacks per day, with accumulated losses exceeding $2.5 billion since 2020. Faced with this landscape, the regulator has decided not to wait: Emirati banks and fintechs are required to redesign their authentication and identity verification systems from the ground up. Secure digital identity has ceased to be a competitive advantage and has become a licensing condition.
The problem: sophisticated fraud in a highly digitalized ecosystem
The growth of digital banking in the UAE has been extraordinary. But that acceleration has also amplified the attack surface. A BioCatch study published in April 2026, based on surveys of 100 Emirati banking executives, reveals a concerning reality: 66% of institutions reported an increase in fraud attempts, 58% observed an increase in associated losses, and 62% estimate annual fraud losses exceeding $5 million.
Fraud is not only more frequent; it is qualitatively different. Deepfakes have gone from being a technological curiosity to an operational tool of financial crime. Synthetic identities represented approximately one third of fraud cases in fintechs in 2025 globally. Deepfake fraud attempts during digital onboarding processes increased by more than 300% in the same period. Forrester has characterized 2026 as “the year of the trust collapse,” referring to the inability of traditional verification systems to distinguish the real from the synthetic.
In the UAE, where a large part of business is conducted via video call and the rate of digital adoption is among the highest in the world, this threat is not theoretical. There have already been recorded cases of fraudulent bank transfers executed after impersonating a senior executive’s voice using audio cloning techniques.
The regulatory mandate: the CBUAE sets the new global standard
Faced with this scenario, the Central Bank of the UAE (CBUAE) has made an unprecedented decision on a global scale: the complete elimination of SMS and email OTPs as an authentication method in financial transactions. CBUAE Notice 2025/3057 establishes that all financial entities — banks, finance companies, exchange houses, insurers, and payment service providers — were required to complete the transition before March 31, 2026.
The UAE thus becomes the first country in the world to formally eliminate SMS-based OTPs from the financial system. The measure is not symbolic: OTP fraud cost Emirati victims approximately $87 million in 2023 alone, and SIM swapping attacks grew 38% in 2025.
The now-required authentication methods include:
- Biometric facial recognition, including Emirates Face Recognition
- Cryptographic tokens based on FIDO2 standards (passkeys)
- In-app approvals with active user verification
- Behavioral biometrics as a passive risk layer
Reference institutions such as Emirates NBD, ADIB, and FAB had already completed the transition in autumn 2025, ahead of schedule. The general regulatory framework rests on Federal Decree-Law No. (6) of 2025, the primary banking law that codifies the Digital Dirham as legal tender and extends the CBUAE’s supervisory perimeter to fintechs and technology payment service providers.
Digital identity as regulatory infrastructure
Strengthened authentication is only one piece. The fundamental change is conceptual: digital identity has become regulatory infrastructure, not a user experience tool.
Federal Decree-Law No. (30) of 2024 established the mandatory National Digital KYC Platform. This platform centralizes and standardizes the identity verification process for the entire financial sector, with the goal of eliminating duplications and elevating the due diligence standard to the level required by the current AML/CFT framework.
Under Federal Decree-Law No. (10) of 2025 — the new AML law — and Cabinet Resolution 134/2025 that develops it, financial entities must be able to demonstrate that “the person claiming to be a customer is, in reality, that person.” This requirement has direct technical implications:
- Biometrics with passive liveness detection and protection against deepfake injection attacks in the capture flow
- One-to-N (1:N) identification to detect whether the same person attempts to open multiple accounts under different identities
- Verification of synthetic identities through a combination of documentary analysis, biometrics, and device profiling
The internal threat: account takeover and post-login behavior
One of the most underestimated vectors in digital banking is account takeover (ATO) that occurs after a legitimate login: device theft, social engineering, or physical coercion. Here, point-in-time authentication systems are insufficient, because the attacker has already overcome the first barrier.
The response lies in behavioral biometrics: systems that build profiles based on typing patterns, screen dwell times, habitual navigation routes, device context, and geolocation. The CBUAE addresses this explicitly: fraud monitoring systems must operate 24/7/365, with integrated device, location, and behavior analysis. Sessions must be suspended if active remote control software is detected or if the user is on the phone during a high-risk transaction.
The protection technology stack: four layers operating simultaneously
To comply with the new framework, Emirati institutions are deploying layered security architectures. Facephi structures this protection across four complementary levels:
First layer — Secure onboarding and embedded KYC
Advanced document verification, passive liveness detection, protection against deepfake injection attacks, and 1:N biometric matching, all integrated into the customer onboarding flow without unnecessary friction and aligned with the National KYC Platform.
Second layer — Continuous authentication without OTP
Phishing-resistant biometric authentication (facial, fingerprint, voice) that eliminates dependence on SMS OTPs, in direct compliance with circular 2025/3057. With the fraud liability transfer established in July 2025 for entities that retained OTPs, migration ceased to be optional.
Third layer — Behavioral intelligence and ATO prevention
Dynamic behavior profiles, device and network context analysis, and continuous session-level risk scoring. When anomalies are detected, the system can escalate to biometric re-authentication or issue real-time alerts before a suspicious transaction is completed.
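The session-suspension rules in the account takeover section and the risk-scored escalation in this third layer can be combined into one decision function, sketched here as an added example that is not Facephi's or the CBUAE's own logic. The signal names, weights, thresholds and the definition of a high-risk transaction are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed weights and thresholds, for illustration only; the article names the
# signal families (device, location, behavior) but gives no values.
WEIGHTS = {"new_device": 0.35, "geo_mismatch": 0.25, "behavior_anomaly": 0.40}
STEP_UP_AT = 0.40          # assumed score requiring biometric re-authentication
ALERT_AT = 0.75            # assumed score that also raises a real-time alert
HIGH_RISK_AMOUNT = 10_000  # assumed amount that makes a transaction high-risk


@dataclass
class SessionSignals:
    """Hypothetical snapshot of a session at the moment of a transaction."""
    amount: float
    new_beneficiary: bool
    remote_control_active: bool  # remote-access or screen-control tool running
    on_phone_call: bool          # device reports an active call
    new_device: bool
    geo_mismatch: bool           # location inconsistent with the user's profile
    behavior_anomaly: float      # 0.0 (typical) to 1.0 (unlike this user)


def is_high_risk(s: SessionSignals) -> bool:
    return s.amount >= HIGH_RISK_AMOUNT or s.new_beneficiary


def risk_score(s: SessionSignals) -> float:
    score = (WEIGHTS["new_device"] * s.new_device
             + WEIGHTS["geo_mismatch"] * s.geo_mismatch
             + WEIGHTS["behavior_anomaly"] * min(max(s.behavior_anomaly, 0.0), 1.0))
    return round(score, 2)


def decide(s: SessionSignals) -> str:
    # Hard rules run before scoring, so a low score can never override them.
    # Assumed reading: remote control suspends whatever the transaction risk.
    if s.remote_control_active:
        return "SUSPEND"
    if s.on_phone_call and is_high_risk(s):
        return "SUSPEND"
    score = risk_score(s)
    if score >= ALERT_AT:
        return "STEP_UP_AND_ALERT"
    if score >= STEP_UP_AT:
        return "STEP_UP_BIOMETRIC"
    return "ALLOW"
```

Evaluating the hard rules first matters for the post-login takeover case: a session on the victim's own device in their usual location scores near zero, and only the remote-control or active-call signal reveals the coercion.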
Fourth layer — AML, mule detection, and network defense
AML checks during onboarding, continuous evaluation of the customer base, and transaction monitoring on both sender and receiver. The criminalization of the facilitation of financial mules under Decree-Law 10/2025 means this layer has direct legal implications for the institution.
The 2026–2030 horizon: supervised AI and continuous oversight
The UAE’s regulatory framework does not stop in 2026. According to the trend analysis published by Chambers and Partners on cybersecurity in the UAE, the direction for the next five years is clear:
- AI becomes a regulated entity. Models that make decisions on fraud scoring, credit, or AML must be auditable, explainable, and free of hidden biases.
- Supervision will be in real time. The periodic reporting model is on its way out. Direct transactional feeds to regulators’ APIs are expected.
- Identities will be continuously verified. The document scanned at onboarding will not be sufficient: identity will be confirmed through liveness-detected biometrics and behavioral signatures at every relevant session.
Conclusion: compliance and security are now the same thing
In the UAE of 2026, the distinction between regulatory compliance and cybersecurity has disappeared. Decree-Law No. (6) of 2025 mandates the implementation of “robust fraud prevention and detection mechanisms” and the reporting of incidents to the CBUAE under direct management responsibility, with the possibility of criminal liability in cases of gross negligence regarding customer funds.
For banks and fintechs operating in the Emirati market, the question is no longer whether to adopt these technologies. The question is whether their identity and authentication stack is up to the standard of a regulator that has decided to lead the global benchmark.
Facephi offers identity verification and biometric authentication solutions designed to comply with the requirements of the UAE regulatory framework, including the National KYC Platform, the requirements of CBUAE circular 2025/3057, and the AML framework of Decree-Law 10/2025.