
CBUAE fraud controls: what UAE banking teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: The Central Bank of the UAE now prohibits banks from relying on SMS OTP, email OTP, or static passwords alone for financial transactions and account provisioning, and it requires stronger authentication, real-time fraud detection, and step-up controls for high-risk actions, according to OneSpan. The practical shift is that authentication, transaction risk scoring, and session security now have to operate as one governance model, not separate controls.

NHIMG editorial — based on content published by OneSpan: Central Bank of UAE boosts consumer protection against fraud

Questions worth separating out

Q: What breaks when banks rely on SMS OTP as the only transaction authentication method?

A: Banks expose themselves to account takeover and transaction fraud because a stolen or relayed OTP proves only that a code was received, not that the session, device, or transaction is trustworthy.

Q: Why do consumer banking flows need step-up authentication for high-risk actions?

A: High-risk actions such as limit changes, new card requests, payment initiation, and profile changes carry much greater fraud impact than simple login.

Q: How do banks know if their fraud controls are actually working?

A: They should test whether suspicious transactions are declined or challenged in real time, whether payee verification stops redirection attempts, and whether risky sessions are suspended when the runtime environment changes.

Practitioner guidance

  • Retire weak sole-authentication paths: Remove SMS OTP, email OTP, and static password use as the only control for financial transactions and account provisioning.
  • Map step-up triggers to high-risk banking events: Tie mandatory step-up authentication to limit changes, card parameter changes, payment initiation, personal detail changes, and new card requests so the control fires at the point of greatest exposure.
  • Align payee verification with transfer workflows: Add confirmation of payee checks to domestic and instant payment flows before the transaction is committed.

What's in the full article

OneSpan's full blog covers the operational detail this post intentionally leaves for the source:

  • A breakdown of the CBUAE notice requirements by authentication scenario, including first-time access, recurring logins, and web banking approval flows.
  • Implementation context for step-up authentication across limit changes, payment initiation, and customer profile updates.
  • Operational notes on mobile banking session suspension when screen sharing, malware, or remote access tools are detected.
  • The white paper link and the vendor's compliance positioning for UAE banking security teams.

👉 Read OneSpan's analysis of the CBUAE consumer banking authentication rules →


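The practitioner guidance and the "are the controls working" question above describe one decision path: check the runtime, verify the payee, then demand a strong factor for high-risk events. The following is an added illustration of that model, not code from OneSpan or the CBUAE; the event labels, the factor names counted as strong, and the runtime flags are assumptions chosen to mirror the post.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Decision(Enum):
    ALLOW = "allow"        # low-risk action, or session already carries a strong factor
    STEP_UP = "step_up"    # strong factor required before the action commits
    HOLD = "hold"          # confirmation of payee failed: do not commit the transfer
    SUSPEND = "suspend"    # runtime is hostile: end the session outright

# High-risk events the notice ties to mandatory step-up (as listed in the post).
STEP_UP_EVENTS = {"limit_change", "card_parameter_change", "payment_initiation",
                  "personal_detail_change", "new_card_request"}
# Factors that may no longer stand alone for financial transactions or provisioning.
WEAK_FACTORS = {"sms_otp", "email_otp", "static_password"}
# Which factor names count as strong is an assumption for this example.
STRONG_FACTORS = {"device_bound_push", "passkey"}
# Runtime conditions under which a mobile banking session should be suspended.
HOSTILE_RUNTIME = {"screen_sharing", "malware", "remote_access_tool"}

@dataclass
class Session:
    factors_used: set                                 # factors satisfied so far
    runtime_flags: set = field(default_factory=set)   # detections from the client

@dataclass
class Action:
    event: str
    payee_confirmed: Optional[bool] = None   # confirmation-of-payee result, transfers only

def decide(session: Session, action: Action) -> Decision:
    """Order matters: environment first, then payee integrity, then factor strength."""
    # A hostile runtime invalidates the session regardless of what was authenticated.
    if session.runtime_flags & HOSTILE_RUNTIME:
        return Decision.SUSPEND
    # Confirmation of payee must pass before a transfer is committed.
    if action.event == "payment_initiation" and action.payee_confirmed is not True:
        return Decision.HOLD
    # A high-risk event needs a strong factor; weak factors alone never suffice.
    if action.event in STEP_UP_EVENTS and not (session.factors_used & STRONG_FACTORS):
        return Decision.STEP_UP
    return Decision.ALLOW

if __name__ == "__main__":
    # Constructed scenarios, not real transactions.
    s = Session(factors_used={"static_password", "sms_otp"})
    print(decide(s, Action("balance_view")))                              # allow
    print(decide(s, Action("limit_change")))                              # step_up
    print(decide(s, Action("payment_initiation", payee_confirmed=False)))  # hold
    s.runtime_flags.add("screen_sharing")
    print(decide(s, Action("balance_view")))                              # suspend
```

Each branch maps to one of the tests the post names: a challenged high-risk action, a stopped payee redirection, and a suspended session when the runtime changes.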
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Weak OTP-only banking authentication is now a broken control model, not just a weak choice. The CBUAE notice shows that banks can no longer rely on one-time codes or static passwords as the sole proof of legitimacy for financial activity. That control pattern assumed the channel was trustworthy enough once the user had authenticated, but fraud now routinely occurs after the initial login. The implication is that consumer banking security has to be designed around transaction context, not just identity entry.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: Who is accountable when weak authentication leads to payment fraud?

A: Accountability sits with the financial institution when it fails to meet regulatory authentication and fraud-prevention requirements. In practice, that means banks must be able to evidence their control design, implementation, and monitoring across the full transaction journey, not just at sign-in.

👉 Read our full editorial: CBUAE authentication rules push banks beyond weak OTP methods
