The Central Bank of the UAE has set a firm deadline: by March 31, 2026, all banks and financial institutions must end the use of SMS and email one-time passwords.

The change shifts liability for OTP-related fraud to banks and financial institutions. If a code is intercepted or shared during an attack, the institution is responsible for covering the loss.

If you are a bank, insurer, payment provider, or exchange house, you will need to replace OTPs with phishing-resistant authentication and build the systems to detect and stop account takeovers in real-time.

In this post, we explain what the new mandate means and what UAE banks need to do to prepare.

What is CBUAE Notice 2025/3057

In May 2025, the Central Bank of the UAE issued Notice 2025/3057, directing all UAE-licensed banks and financial institutions that serve consumers to phase out SMS and email one-time passwords (OTPs) and static passwords for customer authentication.

The rule requires institutions to move away from these legacy controls and adopt risk-based authentication methods that verify both the customer and their device in real-time. It marks a shift from relying on single-factor credentials to continuous, intelligence-driven identity assurance.

The Central Bank introduced this mandate in response to growing fraud losses linked to OTP interception, SIM swaps, phishing, and remote access attacks. OTPs are now considered unsafe because they depend on open communication channels and are not cryptographically tied to the user or session. Once a fraudster obtains or replays a code, they can bypass all downstream controls, effectively turning the OTP into a single point of failure.

Financial institutions are now liable for fraud linked to OTPs

Under the new mandate, banks and financial institutions are now fully liable for fraud linked to OTP-based authentication. If a customer’s one-time password is intercepted or shared during a phishing or SIM swap attack, the institution must reimburse the customer for the loss.

Although the full compliance deadline is March 31, 2026, the liability shift is already in effect for 3D Secure transactions. Risk teams should treat SMS and email OTP as a deprecated control and accelerate migration to phishing-resistant authentication tied to the device and session. Delaying replacement now creates not only compliance risk but direct financial exposure.

How to prepare for CBUAE Notice 2025/3057

To meet Notice 3057, banks need to replace OTPs with stronger authentication, build real-time fraud detection, and maintain full auditability of every decision.

1. Implement phishing-resistant authentication

Replace SMS and email OTPs with methods that are cryptographically tied to the user and their device. The Central Bank recognizes the following as compliant options:

• Passkeys (FIDO2): Device-bound credentials that cannot be intercepted or replayed
• In-app authentication: Push approvals and transaction confirmations within the institution’s mobile app
• Biometrics: Fingerprint or facial verification using secure on-device sensors
• Hardware or software tokens: Cryptographic tokens for high-risk actions and transaction approvals

We recommend starting with 3D Secure and payment approvals, where OTP fraud hits hardest and losses are immediate. Then extend these controls to account recovery and device binding, which are the next weakest links once OTPs are removed.

Finally, tune your step-up logic based on real business context (new payees, high-value transactions, beneficiary changes) and use real-time risk scores instead of binary triggers, so trusted users stay frictionless while risky sessions get stepped up automatically.

2. Deploy real-time fraud detection

The notice also requires banks to maintain real-time fraud detection systems that analyze every transaction and automatically block or challenge suspicious activity before it is authorized.

Device and behavioral signals are central to making this work. Together, they allow banks to detect anomalies in real-time and spot the early signs of account takeover, such as new or compromised devices, remote access tools, or unusual interaction patterns. These same signals can reveal social engineering or coercion that would otherwise pass authentication checks.

Each transaction should be scored using a mix of device, location, and behavioral data to identify deviations from a customer’s normal pattern. That means understanding how, where, and from what device a user typically logs in or transacts, and flagging behavior that falls outside that profile. Building this context across sessions gives the system the intelligence it needs to stop fraud before funds move.

3. Suspend active sessions under attack

Real-time detection only works if it can act inside a live session. The new mandate expects banks to contain account takeovers in progress by automatically suspending sessions when signs of compromise appear.

This is where zero-day signals matter. Fraudsters constantly rotate tools and tactics, so systems need to detect new and unfamiliar threats in real-time, even without prior user history or model training. Indicators such as screen sharing, remote access software, or malware activity suggest the customer’s device is no longer in their control.

Build response logic that reacts to those signals instantly. When the device or session shows signs of external control, pause sensitive actions, lock transfers, and require re-verification before resuming. The goal is to stop fraud in session, not after settlement.

4. Maintain an audit trail for every decision

Banks should maintain a detailed record of how authentication and fraud decisions are made and enforced. When regulators review compliance with the new mandate, they will expect institutions to demonstrate how risk is assessed and how key controls are applied in real-time.

Every authentication or transaction event should generate an auditable record showing the risk signals considered, the action taken, and the result. This gives risk and compliance teams evidence that controls are working as intended and supports model tuning and post-incident review.

Platforms like Sardine automatically capture these events and build a continuous audit trail, so banks and financial institutions can show exactly how they’re meeting the mandate’s requirements when asked.

How Sardine supports this directive

If you’re now responsible for meeting Notice 3057, you’re probably rebuilding authentication flows, rethinking how you score risk in real-time, and figuring out how to prove those controls are working. That’s where we can help.

At Sardine, we give banks the signals and risk infrastructure they need to detect active account takeovers and maintain visibility across every session. Our platform brings together device intelligence, behavioral biometrics, and continuous authentication so you can meet the mandate with stronger controls and less friction for customers.

• Device intelligence: We inspect every device for risk signals like SIM swaps, malware, screen sharing, and remote access tools. That lets you confirm whether the device, network, and SIM are trusted before a transaction goes through and catch compromised sessions early.
• Behavioral biometrics: We build a behavioral profile for each customer based on how they naturally type, swipe, and navigate. When those patterns shift, we can flag signs of coercion, automation, or account takeover, even when credentials and devices appear valid.
• Continuous authentication: We monitor device and behavioral signals throughout each session, not just at login. If risk increases mid-session, we trigger step-up authentication or suspend the session automatically, stopping attackers without disrupting trusted customers.
• Step up authentication: We support progressive risk checks that help banks meet the mandate’s requirement for adaptive, risk-based authentication. Our no-code workflow builder lets risk teams ingest fraud, compliance, and credit data in one place to create and adjust step-up flows without engineering support.
• 3D Secure compliance: We enhance 3D Secure by improving how issuers detect fraud and approve good transactions. Our device and behavioral signals give the system stronger context before authentication, so it can approve more legitimate payments without introducing friction and stop high-risk ones before they go through.

Schedule a demo to see how UAE financial institutions can meet Notice 3057 requirements with Sardine.