CBUAE SMS OTP Phase-Out March 2026: What UAE Banks Must Do Before the Deadline

Kashika Mishra


May 28, 2026


Key Takeaways

  • The CBUAE 3057 directive requires UAE banks and licensed financial institutions to phase out SMS and email OTP authentication by March 31, 2026, replacing them with biometric verification (Emirates Face Recognition), FIDO2 cryptographic passkeys, secure in-app push approvals, or behavioral biometrics.
  • UAE is the first country in the world to mandate banking SMS OTP phase-out. Banks are now fully liable for any fraud linked to OTP-based authentication — if a customer's OTP is intercepted via SIM swap or phishing, the bank must reimburse the loss.
  • The mandate applies only to licensed banks and financial institutions. BNPL platforms, ecommerce, ride-hailing, government services, healthcare appointments, and non-bank fintech can continue using SMS OTP in the UAE.
  • Migration architecture for UAE banks: FIDO2 passkeys for high-volume customer authentication; Emirates Face Recognition (state ID infrastructure) for highest-trust flows; in-app push approval as the user-experience standard; SMS OTP retained ONLY for the 5-7 percent of customers who cannot adopt app-based auth (basic feature phones, certain expat segments, customers without UAE residency).
  • Logical-deduction predictions: SAMA (Saudi) follows CBUAE within 12-24 months. CBB (Bahrain) historically aligns with CBUAE within 18 months. Kuwait CBK, Qatar QCB, Oman CBO follow 24-36 months. If you operate across GCC banking, your SMS OTP infrastructure has an 18-36 month useful life remaining.

On July 25, 2025, the Central Bank of the UAE began rolling implementation of the most significant authentication change in UAE financial history. By March 31, 2026, every licensed UAE bank and financial institution must phase out SMS and email OTP authentication for customer transactions, replacing them with biometric verification (Emirates Face Recognition), FIDO2 cryptographic passkeys, secure in-app push approvals, or behavioral biometrics. UAE is the first country in the world to mandate this transition. The CBUAE 3057 standard also imposes an explicit fraud liability shift: banks are now fully accountable for any losses traced to OTP-based authentication compromise.

This guide breaks down the CBUAE directive in operational depth: the full timeline, approved replacement methods, what each major UAE bank has actually deployed so far, the explicit liability framework, edge cases (basic feature phone customers, expat residents, customers without UAE residency, foreign cards), and logical predictions on which other GCC regulators follow next. For broader UAE SMS OTP context outside banking, see our SMS OTP Service for UAE page and the UAE SMS OTP Complete Guide.

Quick Answer: What Is the CBUAE SMS OTP Phase-Out?

CBUAE 3057 is the Central Bank of the UAE directive mandating all UAE-licensed banks and financial institutions to phase out SMS and email OTP authentication by March 31, 2026. Rolling implementation started July 25, 2025. Approved replacements: Emirates Face Recognition (state biometric infrastructure), FIDO2 cryptographic passkeys (industry standard), secure in-app push approvals with biometric or PIN confirmation, behavioral biometrics. UAE is the first country in the world to take this step. Banks are now fully liable for any fraud linked to SMS OTP; if a customer loses funds to SIM swap or phishing, the bank reimburses. The mandate applies only to licensed banks and FIs, not to BNPL, ecommerce, ride-hailing, government services, or non-bank fintech.

The Full CBUAE 3057 Timeline

  • March 2025: CBUAE communicated the upcoming directive to all UAE-licensed banks and financial institutions.
  • July 25, 2025: Rolling implementation began. UAE banks began transitioning customers to app-based authentication for domestic and international financial transactions.
  • January 6, 2026: UAE banks began discontinuing SMS OTPs for online card payments, the first hard cutoff for a specific transaction category.
  • March 31, 2026: Full effect. SMS and email OTP authentication no longer permitted for any banking customer transaction. Banks fully liable for SMS-fraud losses.

Reference: Gulf News coverage of the January 6 cutoff. NewsOnAir on the March 2026 deadline.

Why CBUAE Acted (and Why UAE Is First)

UAE's banking sector experienced a sharp rise in SMS OTP fraud through 2023-2024, with documented SIM swap attacks costing UAE bank customers tens of millions of AED. The CBUAE response combines several factors:

  • SIM swap fraud growth: Reported SIM swap incidents in UAE rose materially through 2023-2024. With Emirates Face Recognition deployed nationally (UAE PASS, Emirates ID) and FIDO2 passkey adoption available, the cost-benefit shifted decisively away from SMS OTP.
  • Phishing and social engineering: Sophisticated phishing operations targeting UAE bank customers, often with TDRA-approved sender ID spoofing, made the SMS-as-trust-anchor model untenable.
  • State-of-the-art alternatives in place: UAE has invested heavily in Emirates Face Recognition (UAE PASS, Federal Authority for Identity, Citizenship, Customs and Port Security) creating a national biometric infrastructure unavailable in most other markets. FIDO2 passkeys are now mainstream across iOS and Android.
  • First-mover regulatory advantage: By being first to mandate the change, UAE positions Dubai as a global fintech innovation hub.

Analysis from BioCatch and Sardine.ai provides detailed background on the CBUAE rationale.

Approved Replacement Methods

1. Emirates Face Recognition

State-issued biometric matching against the Emirates ID Federal Authority database. Highest trust level. Used today for UAE PASS authentication and certain bank onboarding flows. Integration via UAE PASS API or direct FA-ICP API for licensed banks. Best fit for: high-value transaction approval, account opening, dispute resolution.

2. FIDO2 Cryptographic Passkeys

Industry-standard public-key cryptography with hardware-bound private keys. Apple, Google, Microsoft all support passkeys natively. Best fit for: routine login, transaction approval up to a customer-defined threshold. Lower friction than face recognition. See Corbado's CBUAE passkey deployment analysis for implementation depth.
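
The server-side checks behind a passkey assertion, as an added example (not code from this article or from any bank): it shows why a response relayed through a look-alike site or replayed later is rejected, where a typed-in OTP would be accepted. The relying party `bank.example`, the key pair and the simulated assertion are constructed for illustration.

```javascript
// Added example: all names and values below are constructed.
const crypto = require('node:crypto');

const RP_ID = 'bank.example';            // hypothetical relying-party ID
const ORIGIN = 'https://bank.example';   // hypothetical web origin of the bank
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const fail = (reason) => ({ ok: false, reason });

// Server-side verification of a WebAuthn assertion made with an ES256 passkey.
function verifyAssertion(assertion, { publicKey, expectedChallenge, storedSignCount }) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return fail('wrong type');
  if (client.challenge !== expectedChallenge) return fail('challenge mismatch');
  // The browser, not the user, writes the origin: a look-alike site cannot claim ours.
  if (client.origin !== ORIGIN) return fail('origin mismatch');

  // authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
  if (authenticatorData.length < 37) return fail('authenticatorData too short');
  const flags = authenticatorData[32];
  const signCount = authenticatorData.readUInt32BE(33);
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return fail('rpId mismatch');
  if (!(flags & 0x01)) return fail('user not present');
  if (!(flags & 0x04)) return fail('user not verified');   // biometric or PIN check on device
  // A counter that fails to increase suggests a cloned credential or a replayed assertion.
  if ((signCount || storedSignCount) && signCount <= storedSignCount) {
    return fail('counter did not increase');
  }
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, publicKey, signature)) return fail('bad signature');
  return { ok: true, newSignCount: signCount };
}

// Test-only stand-in for browser plus authenticator, producing a constructed assertion.
function simulateAssertion(privateKey, { challenge, origin, signCount }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), counter]); // UP|UV
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  const expectedChallenge = crypto.randomBytes(32).toString('base64url');
  const server = { publicKey, expectedChallenge, storedSignCount: 7 };
  const good = { challenge: expectedChallenge, origin: ORIGIN, signCount: 8 };
  const check = (key, fields) => verifyAssertion(simulateAssertion(key, fields), server);
  return {
    genuine: check(privateKey, good),
    lookalike: check(privateKey, { ...good, origin: 'https://bank-example.test' }),
    staleCounter: check(privateKey, { ...good, signCount: 7 }),
    wrongKey: check(other, good),
  };
}

console.log(demo());
```

In production these checks come from a maintained WebAuthn library rather than hand-written code; the example only makes visible what such a library enforces on every login or approval.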

3. Secure In-App Push Approval

Bank's mobile app receives push notification, customer opens app, reviews transaction details, confirms with biometric (fingerprint or face) or PIN. The dominant UX pattern most banks are deploying. Best fit for: card-not-present transactions, online purchases, internal transfers.

4. Behavioral Biometrics

Continuous authentication based on behavior patterns (typing rhythm, navigation patterns, device handling). Operates as a background trust score that reduces friction for known-good customers and triggers step-up for suspicious patterns. Best fit for: continuous risk-based authentication, fraud signal layered on top of explicit authentication factors.

What Each Major UAE Bank Has Deployed (Status as of Q1 2026)

Among UAE banks, deployment progress varies materially:

Ahead of deadline

  • Emirates NBD: Full app-based authentication for retail and SME banking. FIDO2 passkey rollout completed Q4 2025. Emirates Face Recognition integrated for high-value transactions. SMS OTP retained only for elderly customer segments with explicit opt-in.
  • First Abu Dhabi Bank (FAB): Comparable position. App-based push approval dominant; passkey support added Q4 2025.
  • Abu Dhabi Commercial Bank (ADCB): App-based auth standard; passkey rollout in progress.

On track

  • Mashreq, ADIB, RAK Bank: App-based auth available; expanding passkey support; expected to meet March 31 deadline.

Behind but expected to close gap

  • Mid-tier and smaller UAE banks: Some are still building app-based auth infrastructure. Risk of post-deadline non-compliance penalties.

Note: positioning above reflects publicly available information and analyst assessments as of Q1 2026. Banks may have additional deployments not publicly disclosed.

The Explicit Fraud Liability Shift

Among the most consequential elements of CBUAE 3057: banks are now fully liable for any fraud traced to OTP-based authentication compromise. The implications:

  • Customer reimbursement. If a customer loses funds because their SMS OTP was intercepted (SIM swap, phishing, SS7), the bank must reimburse the customer for the loss.
  • Fraud insurance changes. Bank fraud insurance underwriting is being recalibrated. Expect 15-25 percent premium increases for banks still on SMS OTP past Q2 2026.
  • Reserve requirement implications. Banks are recalculating operational risk reserves to account for the new liability exposure.
  • SIM swap insurance market. A nascent insurance market for SIM-swap-specific protection is emerging in MENA. Major underwriters (Allianz, Marsh, Aon) are building UAE-specific products.

Edge Cases: Who Cannot Move (and How to Serve Them)

1. Basic feature-phone customers (estimated 3-5 percent of UAE bank customers)

Customers using basic feature phones without smartphone capability cannot install bank apps, scan QR codes, or use FIDO2 passkeys. CBUAE acknowledges this segment exists. Practical solution: bank-branch in-person authentication, IVR voice biometric, or hardware token (small population).

2. Expat residents with limited UAE presence (2-3 percent)

Customers who use UAE bank accounts but spend significant time outside UAE may have limited Emirates ID access, intermittent UAE PASS use, and cross-border phone-roaming complications. Solution: pre-issued FIDO2 hardware keys (YubiKey), Apple Watch/iPhone passkeys synced via iCloud across countries.

3. Customers without UAE residency (foreign cardholders, GCC residents using UAE banks)

Tourists with UAE-issued payment cards, GCC residents banking with UAE institutions, expats temporarily out of UAE. Solution: cross-border FIDO2 passkey portability (works internationally), behavioral biometrics + additional manual review.

4. Elderly or accessibility-needs customers

Customers who struggle with biometric scanning (visual impairment, motor difficulty), or with smartphone interfaces. Solution: assisted authentication via branch staff, simplified passkey enrollment flows, dedicated support hotline.

Migration Playbook for UAE Banks (6-Month Timeline)

Month 1-2: Architecture decision and vendor selection

Choose your authentication stack mix: FIDO2 passkey provider, in-app push infrastructure, biometric vendor (or build on Emirates Face Recognition via FA-ICP API), behavioral biometrics layer. Common vendor combinations: Auth0 + Veriff + UAE PASS; Okta + Daon + FA-ICP; custom build on top of WebAuthn + Apple App Attest + Google Play Integrity.

Month 3: Customer-segment-aware rollout planning

Segment customer base by smartphone adoption, biometric capability, transaction value tier, and geography (UAE-residing vs cross-border). Plan rollout in stages: high-trust customers (early adopters), mass market, edge-case segments last.

Month 4: Soft launch with parallel SMS

Deploy new authentication alongside SMS for a 4-6 week parallel period. Customers see both methods; biometric/passkey/in-app push is offered as primary; SMS remains as fallback. Collect adoption metrics and friction signals.

Month 5: Sunset SMS OTP for transactions

Disable SMS OTP for primary authentication. SMS retained only for documented edge-case customers per the 3-5 percent estimate above. Customer communications campaign explaining the change.

Month 6: Compliance verification and CBUAE reporting

Document the migration completeness, edge-case handling, customer communications, and ongoing monitoring framework. Submit CBUAE compliance reports.

What Does NOT Apply to the CBUAE Mandate

The CBUAE 3057 directive applies specifically to UAE-licensed banks and financial institutions for customer-facing transactional authentication. It does NOT apply to:

  • BNPL platforms (Tabby, Tamara, Postpay, NymCard) — operate under DFSA, SCA, or free-zone frameworks. SMS OTP continues.
  • Non-bank fintech (crypto exchanges, insurance aggregators, wealth platforms) — continue using SMS OTP under their respective regulatory frameworks.
  • E-commerce (Noon, Carrefour UAE, Amazon UAE, Talabat) — SMS OTP continues for checkout, COD, account recovery.
  • Government services (DubaiNow, MOHRE, RTA, KHDA) — SMS OTP continues as part of UAE PASS or direct flows.
  • Healthcare appointment reminders (DHA, DoH providers) — SMS continues (not for PHI).
  • Ride-hailing and gig economy (Careem, Uber UAE) — SMS OTP continues.
  • Real estate (Property Finder, Bayut, RERA flows) — SMS OTP continues.
  • Education (KHDA schools, private universities) — SMS OTP continues.

Predictions: Which GCC Regulators Follow Next

Logical-deduction analysis based on regulatory patterns:

Saudi Arabia (SAMA) — 12-24 months

SAMA historically follows CBUAE on consumer financial regulation within 12-24 months. Saudi banks have moderate biometric infrastructure (Absher, Tawakkalna). Expect SAMA to mandate banking SMS OTP phase-out by Q1-Q4 2027. Saudi market is ~3x UAE by banking volume.

Bahrain (CBB) — 18 months

CBB historically aligns with CBUAE for cross-GCC banking policy. Bahrain market is small but innovative. Expect comparable directive within 18 months.

Qatar (QCB) — 24-36 months

QCB is more conservative on consumer-facing change. Qatar 2030 vision aligns with digital transformation but banking-specific moves lag. Expect 24-36 month timeline.

Kuwait (CBK) — 24-36 months

CBK has been more focused on Islamic banking reform; consumer authentication may not be near-term priority. Expect 24-36 months.

Oman (CBO) — 36-48 months

CBO is the most measured GCC regulator. Banking authentication change likely follows GCC consensus rather than leading. Expect 36-48 months.

For GCC-wide banking and fintech operations, the strategic implication: your SMS OTP infrastructure for banking has an 18-36 month useful life remaining across GCC. Plan multi-market migration now.

What Banks Should NOT Do

  • Wait until February 2026 to begin migration. Even mid-tier banks need 4-6 months for full deployment. Late starts risk post-deadline non-compliance.
  • Try to keep SMS OTP as a customer-choice fallback. CBUAE expects SMS OTP to be retired for transactions, with retention only for documented edge-case customer segments. Broad customer-choice fallback is not compliant.
  • Replace SMS with email OTP. Email OTP is also covered by the phase-out.
  • Build custom passkey infrastructure from scratch. WebAuthn library implementations from Auth0, Okta, FusionAuth, or open-source SimpleWebAuthn deliver enterprise-grade passkey support faster than custom builds.
  • Skip the customer communications campaign. The friction signal during transition is real — customers need clear messaging about why and how.

How Message Central Supports UAE Banks Through Transition

VerifyNow offers transitional infrastructure for UAE banks migrating off SMS OTP. WhatsApp OTP can serve as an interim factor (immune to SIM swap, more secure than SMS, free service-window option) for customer segments not yet on app-based auth. For edge-case customers retained on SMS, VerifyNow UAE provides SIM-swap detection, behavioral analytics, fraud monitoring, and the CBUAE-aligned audit logs. Additionally, Message Central provides advisory services for FIDO2 passkey integration, Emirates Face Recognition via FA-ICP API, and behavioral biometrics layering.

For your migration consultation, visit SMS OTP Service for UAE or contact us at Message Central console.

External Authority References

Corbado — UAE Banking SMS OTP Phase-Out 2026 Directive Breakdown. BioCatch — UAE First Nation to Begin Phasing Out SMS and Email OTPs. Sardine.ai — CBUAE 3057 What FIs Need to Know. Gulf News — UAE Banks End SMS OTPs January 6. NewsOnAir — UAE Central Bank Mandates March 2026 Deadline. Biometric Update — Biometrics Replacing SMS OTPs in UAE. CBUAE Official.

Frequently Asked Questions

What is CBUAE 3057 and when does it take effect?

CBUAE 3057 is the Central Bank of the UAE directive mandating all UAE-licensed banks and financial institutions to phase out SMS and email OTP authentication for customer transactions by March 31, 2026. Rolling implementation began July 25, 2025. The first hard cutoff (online card payments) took effect January 6, 2026. Full effect with no SMS or email OTP for any banking transaction takes effect March 31, 2026. Approved replacements are biometric (Emirates Face Recognition), FIDO2 passkeys, in-app push approval with biometric confirmation, and behavioral biometrics.

Who is liable for SMS OTP fraud after March 31, 2026?

UAE banks are now fully liable for any fraud traced to OTP-based authentication compromise. If a customer's SMS OTP is intercepted via SIM swap, phishing, or SS7 attack and funds are lost, the bank must reimburse the customer. This explicit liability shift is one of the strongest enforcement mechanisms in the directive.

Does the CBUAE phase-out affect BNPL, ecommerce, or non-bank fintech?

No. The CBUAE 3057 directive applies only to UAE-licensed banks and financial institutions. BNPL platforms (Tabby, Tamara, Postpay, NymCard), ecommerce, ride-hailing, government services, healthcare, real estate, education, and non-bank fintech can continue using SMS OTP under their respective regulatory frameworks. See our SMS OTP UAE Complete Guide for what still works.

Which UAE banks have already migrated off SMS OTP?

As of Q1 2026, Emirates NBD, FAB, and ADCB are ahead of deadline with full app-based authentication, FIDO2 passkey rollout, and Emirates Face Recognition integration. Mashreq, ADIB, and RAK Bank are on track. Mid-tier and smaller UAE banks are still building infrastructure and risk post-deadline non-compliance penalties.

What about customers who cannot use smartphones?

CBUAE acknowledges the estimated 3-5 percent of customers on basic feature phones, the 2-3 percent of expat residents with limited UAE presence, foreign cardholders, and elderly or accessibility-needs customers. Banks may retain SMS OTP for documented edge-case segments. Solutions include bank-branch in-person authentication, IVR voice biometric, FIDO2 hardware keys (YubiKey), and assisted authentication via branch staff.

Next Steps

To plan your migration from SMS OTP to CBUAE-compliant authentication, visit our SMS OTP Service for UAE platform page. For broader UAE SMS OTP context (what still works outside banking), see SMS OTP UAE Complete Guide 2026. For non-bank fintech architecture see UAE Non-Bank Fintech SMS OTP guide. For TDRA approval timelines see TDRA Sender ID Approval 2026. For UAE pricing see UAE SMS OTP Pricing 2026. For predictions on which GCC regulators follow next see GCC Banking SMS OTP Phase-Out Predictions.

Frequently Asked Questions

How do I choose the right OTP service provider?

When selecting an OTP SMS service provider, focus on:

  • Delivery reliability and speed
  • Global coverage and local compliance
  • Multi-channel support and fallback
  • Ease of integration
  • Pricing transparency

The right provider should not just send OTPs but ensure they are delivered consistently across regions and networks.

Not all OTP SMS service providers are built the same.

Some optimize for cost, others for flexibility but very few balance delivery reliability, global coverage and ease of use. And that balance is what actually impacts whether your users receive OTPs on time.

If OTP is critical to your product, focus on:

  • reliable delivery (not just sending)
  • multi-channel fallback
  • scalability across regions


Why is multi-channel OTP important?

Relying only on SMS can lead to failed verifications due to:

  • network issues
  • telecom filtering
  • device limitations

Multi-channel OTP systems (SMS + WhatsApp + voice) improve success rates by automatically retrying through alternative channels if one fails.

What is the best OTP SMS service provider in India?

Some of the commonly used OTP SMS service providers in India include MSG91, Exotel and 2Factor.

That said, India has additional challenges like DLT compliance and operator filtering. Platforms that handle these internally while also offering fallback options tend to provide more consistent OTP delivery.

Which is the cheapest OTP service provider?

Providers like Fast2SMS and 2Factor are often considered among the cheapest OTP service providers, especially in India.

However, lower pricing can come with trade-offs such as:

  • lower route quality
  • higher delivery delays
  • limited fallback options

For mission-critical OTP flows, reliability often matters more than just cost.

Which is the best OTP service provider in 2026?

The best OTP service provider depends on your use case.

  • For global scale and flexibility: Twilio, Infobip
  • For cost-effective APIs: Plivo
  • For India-focused SMS OTP: MSG91, Exotel

However, platforms like Message Central stand out by balancing global coverage, multi-channel fallback and ease of deployment, making them suitable for businesses that prioritize delivery reliability.

What is an OTP service provider?

An OTP service provider enables businesses to send temporary verification codes to users via channels like SMS, WhatsApp or voice to authenticate logins, transactions or sign-ups.

Modern OTP SMS service providers go beyond just sending messages: they ensure reliable delivery using optimized routing, retries and sometimes multi-channel fallback.
