TL;DR: The Central Bank of the UAE has issued new rules that ban SMS OTP, email OTP, and static passwords as sole methods for financial transactions and account provisioning, while requiring step-up authentication, real-time fraud detection, and stronger beneficiary confirmation, according to OneSpan. The shift makes authentication quality, transaction monitoring, and mobile session controls central to banking identity governance.
NHIMG editorial — based on content published by OneSpan: The Central Bank of the UAE strengthens consumer protection against fraud
Questions worth separating out
Q: How should banks replace SMS OTP for high-risk transactions?
A: Banks should move high-risk actions to step-up authentication that is bound to the transaction, not the login.
Q: Why do weak authentication methods create fraud risk in digital banking?
A: Weak methods create fraud risk because they authenticate a session without proving that the person, device, and transaction are still trustworthy.
Q: How do organisations know whether transaction monitoring is working?
A: Transaction monitoring is working when suspicious transfers are interrupted before completion and the risk score reflects the actual behaviour of the session, not just the login event.
Practitioner guidance
- Map high-risk banking actions to step-up controls: require stronger verification for card limit changes, security setting changes, new card requests, personal data edits, and first-time device enrolment.
- Bind transaction approval to beneficiary transparency: surface beneficiary name, account number, bank details, and account type before transfer confirmation so the customer can validate the payment target.
- Instrument mobile session integrity checks: detect screen sharing, malware, remote access tools, and active call conditions, then suspend the session before the payment flow completes.
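The three guidance points above can be expressed as one authorisation decision. The following is an added illustration written for this post, not code from OneSpan or the CBUAE: it refuses SMS OTP, email OTP and static passwords as the sole factor for the high-risk actions listed, binds a transfer approval code to the beneficiary details the customer was shown, and suspends the session when an integrity flag is raised. The method names, the HMAC-based binding and the sample transaction are assumptions chosen for the example.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Methods the CBUAE rules no longer accept as a *sole* factor for transactions.
WEAK_SOLE_FACTORS = {"sms_otp", "email_otp", "static_password"}
# Actions the guidance above maps to step-up verification (names are assumed).
HIGH_RISK_ACTIONS = {"transfer", "card_limit_change", "security_setting_change",
                     "new_card_request", "personal_data_edit", "device_enrolment"}
# Mobile session conditions that should suspend the session before payment completes.
SESSION_INTEGRITY_FLAGS = {"screen_sharing", "malware", "remote_access_tool", "active_call"}
# Beneficiary fields that must be shown to, and bound into, the approval.
BOUND_FIELDS = ("beneficiary_name", "account_number", "bank", "account_type", "amount")


@dataclass
class Session:
    user_id: str
    auth_methods: frozenset              # factors completed so far in this session
    integrity_flags: frozenset = frozenset()


def transaction_challenge(key: bytes, txn: dict) -> str:
    """Derive an approval code from exactly what the customer was shown.
    Changing any bound field (e.g. the account number) invalidates the code,
    so approval is bound to the transaction rather than to the login."""
    shown = {k: txn[k] for k in BOUND_FIELDS}
    canon = json.dumps(shown, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()[:12]


def authorise(session: Session, action: str, txn: Optional[dict],
              key: bytes, presented_code: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for an action attempted in this session."""
    bad_flags = session.integrity_flags & SESSION_INTEGRITY_FLAGS
    if bad_flags:                                   # suspend before the payment flow completes
        return False, "session_suspended:" + ",".join(sorted(bad_flags))
    if action not in HIGH_RISK_ACTIONS:
        return True, "low_risk"
    if not (session.auth_methods - WEAK_SOLE_FACTORS):  # only weak factors present
        return False, "step_up_required"
    if action == "transfer":
        if txn is None or presented_code is None:
            return False, "transaction_binding_required"
        if not hmac.compare_digest(transaction_challenge(key, txn), presented_code):
            return False, "transaction_mismatch"    # beneficiary details changed after approval
    return True, "approved"
```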
What's in the full article
OneSpan's full article covers the operational detail this post intentionally leaves for the source:
- The exact authentication methods the CBUAE allows for first access, recurrent logins, and online banking confirmation.
- The specific mobile and online session control conditions that should trigger suspension or blocking.
- The implementation timeline for most obligations versus the immediate SMS OTP rule.
- The fraud monitoring and beneficiary-verification requirements banks will need to map into workflow and channel design.
👉 Read OneSpan's analysis of the CBUAE fraud and authentication rules →
CBUAE fraud controls: what changes for banking IAM teams?
Explore further
Strong banking authentication now has to be transaction-bound, not login-bound. The CBUAE notice makes a familiar IAM mistake impossible to ignore: assuming that proving identity once is enough for the rest of the session. In high-risk banking, the approval event is the security boundary, not the initial login. Practitioners should read this as a governance shift from access assurance to transaction assurance.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when fraud occurs through weak customer authentication?
A: Accountability depends on the specific channel and control failure, but regulators increasingly place responsibility on the institution when weak authentication remains in use for high-risk transactions. In practice, banks should assume ownership of the decision chain from authentication through confirmation, because the customer cannot be expected to compensate for weak control design.
👉 Read our full editorial: UAE banking fraud rules push stronger customer authentication