New central bank AI guidance kicks in for banks with email, SMS OTPs being phased out

Dubai: More UAE banks are eliminating SMS and email-based one-time passwords (OTPs), as new rules from the Central Bank of the UAE tighten digital security and fraud controls across the financial system.
By the end of next month, all licensed financial institutions must stop using SMS and email OTPs, replacing them with in-app approvals, biometrics and risk-based authentication systems.
The shift forms part of a broader regulatory push in 2026 aimed at strengthening fraud detection, artificial intelligence governance and operational resilience in the banking sector.
“As per the directives issued by the UAE Central Bank, the practice of receiving OTPs via SMS or email is being phased out. Customers can now complete online transactions easily by selecting the ‘Authentication via App’ feature in their bank’s smart application,” a Dubai bank spokesperson said.
Under the new system, customers approve transactions directly within their mobile banking apps, typically using fingerprint recognition, facial authentication or a secure PIN.
The move affects routine activities for residents, including online shopping, fund transfers and card payments, which have long relied on six-digit codes delivered by text message.
“As new regulations from the CBUAE come into force at the end of March, fraud prevention is currently a top priority for banks and financial institutions,” said Rob Woods, senior director, fraud and identity at LexisNexis Risk Solutions.
“The rules require key capabilities, such as active call detection and screen sharing detection, and encourage the use of behavioural intelligence to disrupt real-time scams,” he said.
Woods added that while larger banks are generally further along, “many smaller institutions are only now beginning to address these requirements,” as impersonation fraud continues to surge across the Middle East.
“Impersonation fraud continues to surge across the Middle East, with criminals posing as government officials or bank staff, and social media-driven phishing scams increasingly target younger users,” Woods said.
“Romance scams also remain a threat, underscoring the need for stronger, technology-led solutions.”
Regulators and industry executives say SMS-based authentication has been repeatedly exploited in SIM-swap and social engineering attacks, where victims are tricked into sharing OTP codes.
Alongside authentication reforms, the central bank has issued new guidance on the use of artificial intelligence and machine learning in financial services.
The framework sets accountability standards for banks deploying AI tools in areas such as risk monitoring, fraud detection and customer profiling, requiring oversight mechanisms and safeguards around automated decision-making.
“The guidance note aims to establish a clear framework for the responsible use of artificial intelligence and machine learning in the financial sector, in a way that enhances consumer protection, reinforces governance and transparency principles, and emphasises the importance of human oversight and data protection requirements,” said Khaled Mohamed Balama, Governor of the Central Bank of the UAE.
For UAE residents, the immediate impact is practical. Online transactions will increasingly require biometric or in-app approval rather than an SMS code, as banks move to meet the March 2026 deadline and align with tighter digital safeguards.