More UAE banks are eliminating SMS and email-based one-time passwords (OTPs), as new rules from the Central Bank of the UAE tighten digital security and fraud controls across the financial system. By the end of next month, all licensed financial institutions must stop using SMS and email OTPs, replacing them with in-app approvals, biometrics and risk-based authentication systems.
The shift forms part of a broader regulatory push in 2026 aimed at strengthening fraud detection, artificial intelligence governance and operational resilience in the banking sector.
“As per the directives issued by the UAE Central Bank, the practice of receiving OTPs via SMS or email are being phased out. Customers can now complete online transactions easily by selecting the ‘Authentication via App’ feature in their bank’s smart application,” a Dubai bank spokesperson said.
Under the new system, customers approve transactions directly within their mobile banking apps, typically using fingerprint recognition, facial authentication or a secure PIN.
The move affects routine activities for residents, including online shopping, fund transfers and card payments, which have long relied on six-digit codes delivered by text message.
“As new regulations from the CBUAE come into force at the end of March, fraud prevention is currently a top priority for banks and financial institutions,” said Rob Woods, senior director, fraud and identity at LexisNexis Risk Solutions.
“The rules require key capabilities, such as active call detection and screen sharing detection, and encourage the use of behavioural intelligence to disrupt real-time scams,” he said.
Woods added that while larger banks are generally further along, “many smaller institutions are only now beginning to address these requirements,” as impersonation fraud continues to surge across the Middle East. “Impersonation fraud continues to surge across the Middle East, with criminals posing as government officials or bank staff, and social media-driven phishing scams increasingly target younger users,” Woods said. “Romance scams also remain a threat, underscoring the need for stronger, technology-led solutions.”
Regulators and industry executives say SMS-based authentication has been repeatedly exploited in SIM-swap and social engineering attacks, where victims are tricked into sharing OTP codes.
