Regulatory updates: Strong authentication for digital banking and the enterprise workforce

Frederik Mennes

The past few months have been quite busy for financial regulators around the world focusing on strong authentication. Central banks and cybersecurity agencies in the European Union, United Arab Emirates, and the Philippines issued strong authentication regulations or guidance. In this article, we highlight regulatory updates that financial services institutions, as well as enterprises, should be aware of.

European Union: Payment Services Regulation (PSR) taking shape

On 18 June 2025, the Council of the European Union published its position on the upcoming Payment Services Regulation (PSR), the long-awaited successor of the revised Payment Services Directive (PSD2) from 2015. This position comes as a response to the draft proposal of the European Commission, published in June 2023, and follows the review of the European Parliament in April 2024.

In the areas of strong authentication of users of digital banking applications, the position of the Council contains the following noteworthy elements:

  • Article 85(10). The Council proposes that the authentication elements that make up an authentication mechanism need to belong to different categories, as is currently the case under PSD2. This goes against the Commission’s proposal to allow authentication elements from the same categories (i.e., possession, knowledge, and inherence). Hence, two biometric elements (e.g., fingerprint and behavioural biometrics) would not be allowed.
  • Article 88(1). The Council proposes that PSPs need to provide their entire customer base (including, for example, people with disabilities) with at least one suitable authentication mechanism free of charge. This is in line with a recommendation from the Parliament in their April 2024 review.
  • Article 88(2). The Council proposes to relax the Commission’s requirement that strong customer authentication must not rely solely on smartphones or smart devices. Under the Council’s proposal, relying on smart devices only is allowed if the business model, or the payment account package chosen by the payment service user, consists of providing services exclusively through a smart device.

Now that the Parliament and Council have published their views on the draft PSR, the trilogue negotiations among the Commission, Parliament, and Council about the final PSR text can start. It can be expected that the PSR will be finalized in Q4 of 2025 or early 2026.

United Arab Emirates: Cracking down on weak authentication

Next, on 23 May 2025, the Central Bank of the UAE (CBUAE) circulated Notice CBUAE/FCMCP/2025/3057 to financial institutions in the UAE that are card issuers or that offer digital banking services or e-wallets. The Notice was issued in response to increasing fraud and cybercrime targeting banks.

Among the key provisions of the Notice related to digital banking:

  • Financial institutions are prohibited from using weak authentication methods such as SMS OTP, email OTP, or static passwords as the only authentication mechanism for login, transaction confirmation, and other sensitive operations.
  • For web-based Internet banking, the end-user must approve a confirmation from a different secure channel, such as the mobile banking app, hardware token, or soft token.
  • Financial institutions must implement fraud detection systems that analyse transactions in real time, 24/7 and 365 days a year, to identify unusual customer activity. Financial institutions are also encouraged to use advanced fraud detection methodologies, such as behavioural analysis and behavioural biometrics.

Financial institutions are required to comply with the Notice’s requirements by 31 March 2026.

Philippines: Increasing mobile banking security and moving away from weak authentication

On 30 May 2025, Bangko Sentral ng Pilipinas (BSP) issued Circular No. 1213. The main requirements related to strong authentication are as follows:

  • Banks should refrain from installing mobile applications on unsecured devices, such as, but not limited to, those with outdated systems, rooted or jailbroken devices, or emulators. This requirement effectively means that banks should equip their mobile banking apps with app shielding functionality that can analyse the security characteristics of the device on which they are installed.
  • Banks should adopt strong device fingerprinting, a technique that collects data about the device being used, in order to detect account access from unknown, unexpected devices.
  • Banks have to limit the use of SMS OTP and email OTP, as these can be intercepted relatively easily. Instead, they should adopt strong authentication mechanisms, such as biometric authentication, behavioural biometrics, or passwordless authentication. The Circular specifically calls out FIDO-based authentication mechanisms as an example of passwordless authentication.
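
The device posture check and the device fingerprinting described in the first two points above can be combined into one session-risk decision. The Python below is an added illustration written for this article, not code from BSP, OneSpan or any app shielding product: the minimum OS versions, the posture flags (assumed to be reported by the app's shielding layer), the set of attributes treated as stable, and the sample device record are all constructed assumptions for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed minimum OS versions for this example; a real policy is set by the bank.
MIN_OS_VERSION = {"android": (13,), "ios": (16,)}

# Attributes assumed to stay stable across sessions of the same physical device.
# Volatile values (locale, app version, IP address) are deliberately excluded so that
# a routine change does not turn a known device into an "unknown" one.
STABLE_ATTRIBUTES = ("platform", "model", "hardware_id", "screen", "cpu_abi")

# Constructed sample record of the kind a banking app would report at login.
SAMPLE_DEVICE = {
    "platform": "android",
    "model": "example-phone-7",      # constructed
    "hardware_id": "hw-0000-example",  # constructed
    "screen": "1080x2400",
    "cpu_abi": "arm64-v8a",
    "locale": "en-PH",               # volatile, ignored by the fingerprint
    "app_version": "5.2.1",          # volatile, ignored by the fingerprint
}


@dataclass
class DevicePosture:
    """Posture flags assumed to be produced by the app shielding layer (assumption)."""
    platform: str              # "android" or "ios"
    os_version: str            # e.g. "14.1"
    rooted_or_jailbroken: bool
    emulator: bool


def parse_version(text: str) -> tuple:
    """'14.1' -> (14, 1); a non-numeric component counts as 0 so comparison never fails."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def posture_findings(p: DevicePosture) -> list:
    """Return the list of Circular-style reasons why the device is considered unsecured."""
    findings = []
    minimum = MIN_OS_VERSION.get(p.platform)
    if minimum is None:
        findings.append("unknown_platform")
    elif parse_version(p.os_version) < minimum:
        findings.append("outdated_os")
    if p.rooted_or_jailbroken:
        findings.append("rooted_or_jailbroken")
    if p.emulator:
        findings.append("emulator")
    return findings


def device_fingerprint(attributes: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the stable attributes only."""
    stable = {k: attributes.get(k) for k in STABLE_ATTRIBUTES}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def decide(posture: DevicePosture, attributes: dict, known_fingerprints: set) -> tuple:
    """Combine posture and fingerprint into (decision, findings).

    An unsecured device is blocked outright; a healthy but unknown device is sent to a
    step-up authentication (and would be enrolled after success); a known healthy device
    is allowed.
    """
    findings = posture_findings(posture)
    if device_fingerprint(attributes) not in known_fingerprints:
        findings.append("unknown_device")
    if {"rooted_or_jailbroken", "emulator", "outdated_os", "unknown_platform"} & set(findings):
        return "block", findings
    if "unknown_device" in findings:
        return "step_up", findings
    return "allow", findings


if __name__ == "__main__":
    enrolled = {device_fingerprint(SAMPLE_DEVICE)}
    healthy = DevicePosture("android", "14.1", False, False)
    print(decide(healthy, SAMPLE_DEVICE, enrolled))
    print(decide(DevicePosture("android", "12.5", True, False), SAMPLE_DEVICE, enrolled))
```

Two design choices are worth noting. The fingerprint covers only attributes the bank expects to be stable, so the comparison with the enrolled set answers "is this the same device?" rather than "is this the same configuration?"; which attributes qualify is a per-platform judgement. Posture findings and the unknown-device finding are kept separate because they call for different responses: the former is a refusal under the Circular, the latter a trigger for an additional authentication step followed by enrolment.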

Banks need to comply with the Circular within 1 year from its effective date, which means the compliance deadline is around 25 June 2026.

European Union: ENISA recommending phishing-resistant MFA under NIS2

Finally, on 26 June, ENISA, the EU’s cybersecurity agency, published technical implementation guidance for organizations that need to comply with the revised Network and Information Security (NIS2) directive.

NIS2 defines broad cybersecurity requirements, including authentication requirements, for companies and organisations active in critical sectors, such as energy, transport, and healthcare. Article 21 of NIS2 requires companies to use multi-factor authentication (MFA) to authenticate workforce members when they remotely access their company network, log on to their workstations, access privileged accounts, and so on. However, NIS2 does not provide a definition of what constitutes MFA.

ENISA’s technical guidance ranks MFA methods in three categories, and recommends that companies select the MFA method based on the associated risk. The three categories are called “strongest”, “medium” and “last resort”.

  • Strongest encompasses phishing-resistant MFA, such as MFA based on FIDO standards, including, for example, FIDO hardware security keys.
  • Medium refers to MFA based on one-time passwords, implemented via push notifications on mobile or hardware tokens.
  • Last resort includes SMS or email OTP.
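
The PSR rule on element categories (Article 85(10), in both the Council and Commission variants), the CBUAE prohibition on weak-only authentication and the separate-channel rule for web banking, and the ENISA ranking above can all be expressed as checks over one factor model. The Python below is an added illustration written for this article, not code from OneSpan or from any of the regulators; the factor catalogue, its attribute names, and the way each factor is mapped onto ENISA's tiers are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three authentication element categories named in PSD2 and the PSR."""
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


class Tier(Enum):
    """ENISA's three MFA tiers, ordered so that a larger value is stronger."""
    STRONGEST = 3
    MEDIUM = 2
    LAST_RESORT = 1


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    channel: str              # "sms", "email", "app", "hardware", "platform" or "none" (constructed labels)
    phishing_resistant: bool  # True for FIDO-style, origin-bound authenticators
    dynamic: bool             # False for a static secret such as a password


# Constructed catalogue; the attribute values are this example's assumptions.
CATALOGUE = {
    "password": Factor("password", Category.KNOWLEDGE, "none", False, False),
    "sms_otp": Factor("sms_otp", Category.POSSESSION, "sms", False, True),
    "email_otp": Factor("email_otp", Category.POSSESSION, "email", False, True),
    "hardware_otp_token": Factor("hardware_otp_token", Category.POSSESSION, "hardware", False, True),
    "app_push": Factor("app_push", Category.POSSESSION, "app", False, True),
    "fido_security_key": Factor("fido_security_key", Category.POSSESSION, "hardware", True, True),
    "fingerprint": Factor("fingerprint", Category.INHERENCE, "platform", False, True),
    "behavioural_biometrics": Factor("behavioural_biometrics", Category.INHERENCE, "platform", False, True),
}


def enisa_tier(factor: Factor) -> Tier:
    """Map one factor onto ENISA's ranking (mapping is an assumption of this example)."""
    if factor.phishing_resistant:
        return Tier.STRONGEST
    if factor.channel in ("sms", "email"):
        return Tier.LAST_RESORT
    return Tier.MEDIUM


def is_weak(factor: Factor) -> bool:
    """Weak in the sense of the CBUAE Notice: SMS OTP, email OTP or a static password."""
    return (not factor.dynamic) or factor.channel in ("sms", "email")


def meets_sca(factors: list, distinct_categories: bool) -> bool:
    """At least two elements. With distinct_categories=True (PSD2 and the Council position)
    they must span two or more categories; with False (the Commission draft) a same-category
    pair such as fingerprint + behavioural biometrics also qualifies."""
    if len(factors) < 2:
        return False
    if not distinct_categories:
        return True
    return len({f.category for f in factors}) >= 2


def enisa_weakest_tier(factors: list):
    """ENISA ranks MFA methods, i.e. the dynamic factor(s) on top of a static secret, so
    static passwords are left out; returns None when no dynamic factor is present."""
    tiers = [enisa_tier(f) for f in factors if f.dynamic]
    if not tiers:
        return None
    return min(tiers, key=lambda t: t.value).name


def assess(factor_names: list, web_banking: bool = False) -> dict:
    """Evaluate one authentication mechanism against the three rule sets."""
    factors = [CATALOGUE[n] for n in factor_names]
    return {
        "psr_council_sca": meets_sca(factors, distinct_categories=True),
        "psr_commission_sca": meets_sca(factors, distinct_categories=False),
        "cbuae_weak_only": all(is_weak(f) for f in factors),
        # Web-based banking: at least one confirmation must come over a channel other
        # than the browser session, e.g. the mobile app or a hardware/soft token.
        "cbuae_web_channel_ok": (not web_banking) or any(f.channel in ("app", "hardware") for f in factors),
        "enisa_weakest_tier": enisa_weakest_tier(factors),
    }


if __name__ == "__main__":
    for names, web in ((["fingerprint", "behavioural_biometrics"], False),
                       (["password", "sms_otp"], True),
                       (["password", "fido_security_key"], True)):
        print(names, assess(names, web_banking=web))
```

The weakest dynamic factor decides the ENISA tier because an attacker who can complete the login with the weakest accepted method is not hindered by the stronger ones being offered alongside it; a mechanism that accepts SMS OTP as a fallback therefore rates as "last resort" even if it also offers a FIDO key.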

The NIS2 compliance deadline varies by country, depending on the status of the transposition of NIS2 into the domestic legislation of each European Union member state. At this moment, 14 member states (e.g., Belgium, Croatia, Denmark, Greece, Italy, Slovenia) have completed the transposition, while the 13 other member states (e.g., Austria, France, Germany, Poland, Portugal, Slovakia, Spain) are in various stages of transposition.

Conclusion

The United Arab Emirates and the Philippines are the next countries to phase out the usage of SMS OTP and email OTP for digital banking authentication. They follow earlier initiatives of the Monetary Authority of Singapore (MAS) and the Reserve Bank of India (RBI). At OneSpan, we applaud the transition to more secure, user-friendly, and cost-effective authentication mechanisms.

It is noteworthy that the European Union still allows SMS OTP for login to digital bank accounts (not for transaction signing or dynamic linking), despite the clear security issues of this authentication method.

The upcoming Payment Services Regulation, or its related Regulatory Technical Standards on Strong Customer Authentication, will hopefully phase out SMS OTP in Europe as well.

Finally, it is clear that the standards of the FIDO Alliance, of which OneSpan is a board member, are increasingly included in regulations and technical guidance related to strong authentication. FIDO-based authentication mechanisms offer enhanced security through phishing resistance, which mitigates common attack vectors associated with traditional password-based authentication. This strategic integration reflects a growing recognition of FIDO's robust framework in establishing more secure and user-friendly authentication protocols across various digital environments.

Frederik Mennes is Director of Product Management & Business Strategy at OneSpan. In this role, he is responsible for defining and implementing OneSpan’s business strategy for specific industry verticals, and for determining how OneSpan responds to security and regulatory market trends. Previously, Frederik led OneSpan's Security Competence Center, where he was responsible for the security aspects of OneSpan's products and infrastructure.