Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why are regulators moving away from SMS OTP…
Governance, Ownership & Risk

Why are regulators moving away from SMS OTP in financial services?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Regulators are moving away from SMS OTP because it depends on a channel the institution does not control and it is vulnerable to interception and replay. They are also responding to fraud patterns that exploit weak recovery and step-up flows. The shift reflects a preference for stronger, device-bound authentication that better supports liability and audit requirements.

Why This Matters for Security Teams

Financial services regulators are not just reacting to SMS fragility, they are reacting to the mismatch between a low-assurance channel and high-impact transactions. SMS OTP can be intercepted, SIM-swapped, forwarded, or replayed, and those weaknesses become harder to defend once fraud disputes, step-up authentication, and recovery flows are involved. Guidance from NIST SP 800-63 Digital Identity Guidelines reflects the broader move toward stronger authenticators and tighter assurance evidence.

That shift also mirrors what NHI Management Group sees in operational risk: identity controls fail when the channel itself is outside institutional control. In Ultimate Guide to NHIs — Regulatory and Audit Perspectives, the pattern is clear: auditors want traceable, revocable, and policy-driven controls, not convenience-based exceptions that are difficult to prove after the fact. The same logic applies to customer authentication in regulated environments, especially where liability, consent, and transaction integrity matter.

NHI Management Group’s research also shows how quickly weak identity controls become systemic risk: 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. In practice, many security teams encounter SMS OTP weaknesses only after account takeover or payment fraud has already forced a review of the control stack, rather than through intentional redesign.

How It Works in Practice

The replacement path is usually not “one factor instead of another” but a move toward authentication that is device-bound, phishing-resistant, and easier to audit. Regulators increasingly prefer methods that prove possession of a specific device or cryptographic key, rather than possession of a phone number that can be reassigned. That is why the industry conversation often centers on FIDO2, passkeys, secure app-based authenticators, and step-up flows that are tied to transaction context.

For financial institutions, the practical question is how to reduce reliance on a shared or interceptable channel without breaking recovery and accessibility. Current guidance suggests mapping authentication strength to risk: routine logins may use lower friction, while payments, beneficiary changes, and account recovery require stronger proof. NIST’s identity guidance and control baselines in NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls support that shift by emphasizing stronger access control, auditability, and recovery governance.

  • Bind authentication to a known device or cryptographic credential, not just a phone number.
  • Use risk-based step-up only when the transaction context justifies it.
  • Separate account recovery from routine authentication and require higher assurance there.
  • Log authentication and recovery events in a way that supports dispute handling and audit review.

For governance context, NHI Management Group’s Top 10 NHI Issues and Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs show the same operational principle: identity assurance degrades quickly when credentials are easy to intercept, hard to revoke, or poorly governed. These controls tend to break down in legacy banking stacks where SMS remains embedded in recovery, call-center, and exception-handling workflows because those paths are hardest to re-engineer.

Common Variations and Edge Cases

Tighter authentication often increases user friction and support overhead, requiring organisations to balance fraud reduction against accessibility, migration cost, and customer abandonment risk. That tradeoff is especially visible in retail banking, cross-border services, and markets where device penetration or mobile coverage is inconsistent.

There is no universal standard for this yet, but best practice is evolving toward a layered model. Some regulators and institutions still allow SMS as a fallback during transition periods, especially for lower-risk actions or where no better method is available. However, fallback should not silently become the default, and recovery should never be weaker than primary login. If SMS remains in the stack, it should be treated as a constrained exception with clear monitoring and deprecation criteria.

Another edge case is customer recovery after device loss. That process often becomes the weak link, because attackers target support desks, port-out requests, or knowledge-based checks after primary authentication hardens. Institutions should align recovery with the same assurance model used for high-risk transactions and document why any exception exists. For a deeper regulatory lens, see Ultimate Guide to NHIs — Regulatory and Audit Perspectives and the breach patterns discussed in the Zacks Investment Research breach. That approach matters most in environments with high fraud pressure and complex legacy recovery paths because those are the places where SMS survives longest after it has already become the weakest control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63Defines stronger authenticator assurance than SMS OTP for regulated identity proofing.
NIST CSF 2.0PR.ACAccess control and authentication guidance supports replacing weak SMS-based step-up flows.
NIST AI RMFGOVERNRegulatory movement is driven by governance, assurance, and accountability for identity risk.
OWASP Non-Human Identity Top 10NHI-01Weak, reusable credentials mirror the risks regulators are trying to eliminate in identity flows.
NIST Zero Trust (SP 800-207)PS3Zero Trust prefers continuous, context-aware verification over trust in a phone-number channel.

Establish governance for authentication strength, fallback exceptions, and fraud-related accountability.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org