Banking Sector Faces Challenges in Meeting March 2026 Compliance Deadline

The Central Bank of UAE has issued a directive asking financial institutions to eliminate weak authentication methods including SMS and email one-time passwords.
The directive requires the adoption of robust, risk-based user authentication technologies including Emirates Face Recognition, soft tokens and biometrics. Banks are also expected to implement real-time fraud monitoring, suspend sessions when malicious activity is detected and equip consumers with tools to manage their accounts securely.
But meeting the compliance deadline of March 2026 poses significant challenges. Many banks still rely on legacy systems built around OTP infrastructure that will require a fundamental overhaul to support cryptographic tokens, biometric authentication and secure app-based verification.
Educating and transitioning customers who are less savvy with digital tools to new authentication methods poses another major hurdle, said Anis Ahmed, chair of the Association of Certified Financial Crime Specialists, MENA Chapter.
For example, when Emirates NBD launched Smart Pass, some customers needed real tokens as a workaround, which made the implementation harder to scale and more complex logistically.
Adding to this complexity are mobile banking applications that will need to be modified to include secure digital tokens or biometric layers that are tied to the user, said Mohammad Barakat, global managing director, Consilium Advisory. “This change will take a lot of work to build, test and integrate with identity verification systems such as Emirates ID and UAE Pass,” he said.
So far, only a few banks in the UAE have completely eliminated SMS-based OTPs, although a few leading institutions are actively transitioning toward more secure authentication methods such as biometric verification including Emirates Facial Recognition and mobile-based soft tokens. Banks including Emirates NBD, ADIB and FAB have switched from SMS OTPs to biometric or in-app solutions for most online banking transactions.
The announcement by the Central Bank comes at a time when scams and fraud in the UAE are growing by 43% year on year. A report by the Global Anti-Scam Alliance found that in 2023, more than 40,000 people in the UAE fell for scams, losing an average of $2,194.
The market is also moving in tandem to keep pace with regulatory demands. There is a “wave of innovation in authentication, driven by the need to fight fraud and deliver seamless user experiences,” Ahmed said. Major tech players such as Apple, Google, Microsoft and Samsung are investing heavily in the authentication space.
Over the next two to three years, several emerging technologies are expected to become standard in banking authentication, said Barakat. “Passkeys, based on FIDO2 standards, will replace traditional passwords with phishing-resistant logins that rely on biometrics or cryptographic keys tied to a user’s device,” Barakat said. Behavioral biometrics, which analyze patterns in how users type, swipe or hold their devices, will offer an invisible layer of continuous authentication, added Barakat.
Still, innovation alone is not enough. Continued progress will depend on strengthening public-private collaboration, Ahmed stressed. “That includes integrating fintech and cybersecurity innovations into the national digital ecosystem, driving multilingual consumer awareness campaigns and enhancing coordination between banks and telecom providers to counter threats like SIM swap fraud,” he said.
Many countries globally are phasing out SMS-based OTPs. Last year, the Monetary Authority of Singapore asked banks to phase out SMS-based authentication for banking activities such as adding payees or changing fund transfer limits.