TL;DR: Regulators in the UAE, Singapore, Malaysia, the Philippines, India, the EU, the United States, Vietnam and Saudi Arabia are moving banking away from SMS OTP, but with different mandates, deadlines and liability shifts, according to IDlayr. The security issue is no longer whether SMS OTP is convenient, but whether organisations can still rely on a channel they do not control.
NHIMG editorial — based on content published by IDlayr: The Global SMS OTP Ban, a regulator-by-regulator guide
By the numbers:
- More than 25 regulators worldwide have now moved toward phishing-resistant authentication.
- The State Bank of Vietnam has reported a roughly 50% drop in fraudulent transactions since rollout.
- The UAE requires licensed financial institutions to eliminate SMS- and email-based OTPs by 31 March 2026.
Questions worth separating out
Q: What breaks when SMS OTP is still used for high-risk banking actions?
A: SMS OTP breaks down when an attacker can intercept or redirect the code through SIM swap, phishing or carrier-layer abuse.
Q: Why are regulators moving away from SMS OTP in financial services?
A: Regulators are moving away from SMS OTP because it depends on a channel the institution does not control and it is vulnerable to interception and replay.
Q: How do banks know when to replace SMS OTP first?
A: Banks should replace SMS OTP first wherever it authorises money movement, account changes or recovery actions, because those flows carry the highest fraud and liability exposure.
Practitioner guidance
- Map every OTP-dependent customer journey Inventory login, transaction approval, account recovery and account-change flows by country, product and risk tier so you know where SMS OTP still authorises access or movement of funds.
- Separate proof of login from proof of transaction Use different controls for low-risk authentication and high-risk financial actions, because several regulators allow OTP only for narrow verification purposes and not as an authorisation factor.
- Prioritise device-bound replacements for high-risk flows Move the highest-risk journeys first to device-bound or cryptographic methods that can survive SIM swap, porting and phishing without depending on carrier-delivered codes.
What's in the full article
IDlayr's full article covers the jurisdiction-by-jurisdiction regulatory detail this post intentionally leaves for the source:
- Primary-source references for each regulator and instrument, including the exact policy wording behind the SMS OTP restrictions.
- Market-specific deadlines and scope notes that separate full bans, partial restrictions and narrower step-up requirements.
- Country-by-country explanations of what counts as an acceptable replacement factor in each jurisdiction.
- Operational notes on how banks are sequencing consumer migration away from SMS OTP without breaking access.
👉 Read IDlayr's regulator-by-regulator guide to SMS OTP restrictions →
SMS OTP bans in banking: what identity teams need to know?
Explore further
SMS OTP has become a liability-bearing authentication control, not a neutral convenience. Once regulators shift fraud responsibility back to the institution, the authentication method is no longer just a UX choice. The control has to be judged on interception resistance, account-change safety and evidentiary strength. Practitioners should treat OTP retirement as part of customer-risk governance, not a cosmetic MFA upgrade.
A few things that frame the scale:
- More than 25 regulators worldwide have now moved toward phishing-resistant authentication, according to Ultimate Guide to NHIs.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when SMS OTP fraud occurs under new rules?
A: Accountability depends on the jurisdiction, but the article shows a clear trend toward shifting more responsibility to the institution when OTP-based fraud succeeds. That means policy, control design, customer communication and evidence retention all become part of the accountability chain, not just the authentication method itself.
👉 Read our full editorial: SMS OTP bans are reshaping banking authentication worldwide