Why UAE Banks Must Act Now and Adopt Biometrics Immediately

Posted:

06 May 2026

Vaibhav Maniyar

UAE Banks Biometrics OTP Phase Out

In 2022, the Dubai Court of Cassation ordered a bank and a telecommunications company to jointly repay a client Dh1.5 million that was drained through SIM swap fraud. The court found both parties collectively liable for security breaches in their respective systems.

The Central Bank of the UAE has issued a directive requiring all financial institutions to eliminate SMS and email-based OTP authentication by March 31, 2026, mandating the adoption of methods such as Emirates Face Recognition, biometric verification, and mobile-based soft tokens.

The directive covers banks, finance companies, exchange houses, insurers, and payment service providers, essentially every licensed entity that touches a customer transaction. The transition began on July 25, 2025, when banks started moving customers to app-based authentication for domestic and international financial transactions.

SMS OTPs were never designed for financial authentication.

The problem is that the infrastructure underpinning SMS i.e. the SS7 signalling protocol that routes messages between networks, was built in 1975 and was never designed with security in mind. Its vulnerabilities are publicly documented, widely exploited, and essentially unfixable without replacing the protocol entirely.

As mentioned earlier, in the UAE, the banking industry has incurred considerable losses from SIM swap fraud schemes, where well-organised syndicates work closely across networks and target banks directly.

The mechanics are straightforward enough that even unsophisticated attackers can execute them by convincing a mobile carrier to port a victim's number to an attacker-controlled SIM, then intercept every OTP that number receives.

In 2024, 56% of UAE residents experienced at least one scam attempt every month, with 27% reporting financial losses and an average loss per victim of $2,194. Every percentage point in that figure represents customers calling their bank's fraud line, disputing transactions, and forming a view of whether their institution deserves their continued business.

Since July 2025, every fraudulent transaction that has passed through an SMS OTP flow and every SIM swap, every SS7 exploit, every social engineering call that ended with a customer reading a six-digit code aloud has been the bank's financial loss to absorb.


Where Biometrics Fits into This

The CBUAE's approved replacement methods include fingerprint and facial recognition, FIDO2-compliant cryptographic passkeys, and in-app push notifications confirmed with biometrics. Under the new system, transaction approvals are carried out directly within the bank's mobile application.

A customer receives a notification, reviews the transaction details, and confirms their identity using biometrics such as fingerprints, Face ID, or a PIN without needing to check an SMS inbox. This operates within a protected app environment, making interception considerably harder for an attacker.

Intercepting an SMS requires access to the SS7 network or the victim's phone carrier both achievable with the right criminal connections. Replicating a person's fingerprint or facial geometry from a live-detection-enabled scanner, on a device that has already been device-bound to a specific customer, requires physical access and bypasses nothing.

Several major banks including Emirates NBD, ADIB, and FAB had already completed the shift to biometrics or in-app solutions by September 2025, months ahead of the March 2026 deadline.

Further Reading: Biometric Identity Proofing

The Liability That Outlasts the Deadline

March 2026 marks the end of the permitted transition window. It does not mark the end of the exposure that banks accumulated between July 2025 and whenever they actually completed their migration.

Customers who suffered fraud during that window, through authentication methods the regulator had already flagged as inadequate, retain their right to pursue recovery. The Dubai Court of Cassation's 2022 ruling established that security system failures in both the bank and the carrier constitute joint liability. A bank that continued issuing SMS OTPs after the CBUAE identified them as a security risk, and whose customer was subsequently defrauded through that channel, is not occupying a strong legal position.

Every day of continued SMS OTP use after July 2025 has been a day of uncompensated fraud risk, accumulating quietly until a customer files a claim or a court issues a ruling. The technology to eliminate that exposure exists, the regulatory framework mandating it is already in force, and the banks that moved early have already demonstrated it works without driving customers away.


FAQs

The CBUAE biometric mandate requires all UAE-licensed banks and financial institutions to replace SMS and email OTP authentication with biometric or cryptographic alternatives by March 31, 2026. Compliant methods include:
  • Emirates Face Recognition
  • Device-bound biometrics (fingerprint, Face ID)
  • FIDO2-compliant cryptographic passkeys
  • In-app push notifications verified via biometrics

The SS7 vulnerability is a structural security flaw in Signaling System No. 7—the 1975-era telecom protocol that routes calls and SMS messages globally. Because SS7 was built without authentication, it implicitly trusts any command on its network. Attackers exploit this to intercept SMS one-time passwords (OTPs) without ever touching the victim's device, making SS7-based interception a primary reason regulators are phasing out SMS OTP for banking authentication.

Yes. UAE telecom companies can be held jointly liable for SIM swap fraud alongside the victim's bank. A landmark 2022 Dubai Court of Cassation ruling established this precedent, holding that a telecom provider that fails identity verification before porting a number is liable, and a bank whose system fails to detect the resulting fraudulent transfer is also liable. In other words, both parties must jointly reimburse the victim for stolen funds. This ruling applies even if either party acted independently of the other's failure.

Emirates Face Recognition is not the only compliant option, but some form of strong digital authentication will be mandatory for UAE banking by March 2026. The CBUAE allows banks to offer alternative methods, including:
  • Device-native biometrics (fingerprint, Face ID)
  • FIDO2 passkeys
  • Mobile soft tokens
Customers who refuse all app-based authentication can opt to retain SMS OTP, but must submit a formal written request and sign a liability waiver, transferring full financial responsibility for any resulting fraud to themselves.

Comments

Leave A Reply

Captcha