Central Bank of UAE boosts consumer protection against fraud

Digital banking security in the United Arab Emirates is about to undergo a major transformation. Fraud is rising in the region as criminals take advantage of weak authentication methods. To protect consumers, the Central Bank of the UAE (CBUAE) has acted decisively with Notice No. CBUAE/FCMCP/2025/3057.

Issued in May 2025, this UAE Central Bank notice will essentially transform how banks protect their customers.

In this blog, we share highlights related to the new strong authentication and fraud prevention requirements. We understand these new rules will raise important questions for security and digital banking leaders who must turn them into an operational reality. For more in-depth answers, we invite you to meet with us at MEBIS, the Middle East Banking Innovation conference, or download our new white paper.

Understanding the new CBUAE regulations

The CBUAE's new regulatory framework aims to strengthen the authentication mechanisms used for financial transactions, and to enhance the fraud detection and prevention capabilities of financial institutions. The new security measures apply to both digital bank accounts and electronic wallets.

Overview of authentication requirements

The key takeaway is:

To combat weak authentication methods, the notice prohibits FIs from using SMS OTP, email OTP, or static passwords as the sole authentication method for financial transactions and account provisioning.

For device and bank account access:

• First-time access: FIs must use strong identity verification technology like Emirates Face Recognition.
• Recurring logins: With a trusted device, FIs can use login credentials such as static PINs or device-native biometrics.
• Web and online banking access: Consumers must approve a confirmation from a different secure channel. This could be the mobile banking application or a soft token (e.g., a standalone authentication app).

Mandatory step-up authentication:

The notice requires step-up authentication for:

• Modification of limits or card parameters
• Modification of security parameters
• Initiation of payment
• Modification of personal data, such as address or contact details
• Request for a new card

For 3-D Secure transactions, financial institutions:

• Are prohibited from using weak authentication for second-factor authentication (2FA).
• Must use methods like in-app verification, soft tokens, tap to authenticate, or biometrics.
• Will now be responsible for fraud reported on 3D Secure transactions that used SMS OTP.

Biometrics:

The notice encourages the use of biometric authentication in banking, such as:

• Behavioural biometrics and behavioural analysis
• Digital biometrics

White paper

New CBUAE requirements: Is your bank ready?

Learn the essential insights for UAE banking security teams.

Download now

Overview of fraud detection and prevention requirements

The Central Bank UAE mandates comprehensive fraud detection and prevention controls for UAE banks. Highlights include:

Real-time transaction analysis

FIs must:

• Implement systems to analyse transactions to identify unusual consumer activity for fraud detection.
• Ensure their systems are capable of stopping or declining suspicious transactional activity in real time.
• Incorporate risk-scoring mechanisms to evaluate the probability of fraudulent activity for each transaction.
• Analyse consumer account activity to identify suspicious or high-risk behaviour, such as sudden large withdrawals or activity from unusual locations.

Confirmation of payee

• For domestic transfers: Financial institutions must provide certain information to the consumer before they confirm the transaction. This includes the payee's name, account number, bank details, and account type.
• For instant payments: FIs must ensure controls are in place to enable the consumer to verify the name of the payee.

Advanced security controls

• Mobile banking: FIs must ensure controls suspend mobile banking app sessions when screen sharing, malware, or remote access tools (RATs) are detected, or when the consumer is on an active call.
• Web banking: FIs must ensure no screen-sharing application is active during browser-based sessions.

Account monitoring & monitoring of banking transactions

FIs must:

• Do periodic reviews of dormant or inactive UAE bank accounts to identify any unusual activity.
• Have internal controls to check for early identification of mule accounts.
• Analyze financial transactions based on odd, unexpected, or suspicious behaviour.

Implementation timeline for Central Bank of UAE new rules

Financial institutions have until 31 March 31 2026 to comply with most requirements.

However, requirements related to SMS OTP-authenticated 3D Secure transactions are effective immediately.

Security evolution requires implementation excellence

The CBUAE's banking authentication and fraud prevention requirements represent a necessary evolution in the security of the region’s banking services. However, achieving compliance extends well beyond selecting proven technology solutions and security features. It requires understanding and addressing usability, implementation, and integration challenges.

OneSpan has the expertise to help UAE banks protect account holders. We work with 60% of the world’s top 100 banks, spanning mobile apps, web banking, ATMs, branch systems, and call centers. With the most comprehensive authentication portfolio in the industry alongside our mobile app security and real-time fraud detection and prevention capabilities, we can help accelerate your compliance.

Contact us to discuss your compliance and implementation needs. Speak with our team of technical and regulatory experts today.