UAE Banks Ending SMS Codes: Biometric Switch by March 31 2025

Banks across the United Arab Emirates confirmed that all core services—mobile platforms, online banking, ATMs, and call centers—remain fully operational. However, a critical regulatory deadline is reshaping how residents authenticate transactions: the Central Bank of the UAE has mandated that all SMS-based authentication must end by March 31, 2025, forcing customers to adopt biometric or in-app verification methods immediately.

Why This Matters for Your Daily Banking

• SMS authentication ends March 31, 2025: All UAE banks must discontinue text-based one-time passwords by month's end, requiring customers to activate biometric or in-app verification or face potential transaction rejections starting April 1.

• Cyber threats are escalating: The UAE Cybersecurity Council has logged a sharp uptick in AI-powered attacks and social engineering schemes targeting financial accounts.

• Fraud liability shifts to banks: Under new Central Bank rules, institutions now bear responsibility for OTP-related fraud, accelerating security overhauls.

• Daily cyber-assault volumes reach 200,000 attempts: The nation deflects between 90,000 and 200,000 attempted cyber breaches daily, many state-sponsored.

The Authentication Revolution Arrives

The Central Bank of the UAE (CBUAE) has set March 31, 2025 as the final date for licensed financial institutions to eliminate SMS and email one-time passwords. This transition, triggered by Notice No. CBUAE/FCMCP/2025/3057, reflects a stark reality: SIM swap fraud, phishing, and social engineering attacks have rendered text-based security obsolete.

Dr. Mohamed Al Kuwaiti, head of the UAE Government Cybersecurity Council, disclosed that the nation deflects between 90,000 and 200,000 attempted cyber breaches daily, many state-sponsored. The cybersecurity landscape shows a significant uptick in AI-powered attacks targeting financial infrastructure and personal accounts.

Under the new framework, banks must implement biometric verification (fingerprint and facial recognition), in-app transaction approvals, and risk-based authentication systems that analyze user behavior in real time. First-time account access now requires Emirates Face Recognition technology, while recurring logins trigger mandatory step-up authentication.

The regulatory shift also transfers liability: banks are now accountable for losses stemming from OTP-related fraud, a change that has accelerated investments in AI-powered fraud monitoring platforms and behavioral intelligence tools capable of intercepting scams before money moves.

What Residents Face: The Fraud Playbook

The Ministry of Interior and Abu Dhabi Police have cataloged a surge in impersonation scams, where criminals pose as government officials or bank staff via phone, SMS, WhatsApp, and social media. The objective: trick residents into revealing passwords, PINs, or account credentials—data that legitimate institutions never request.

Phishing attacks remain pervasive, with fake emails and cloned websites designed to mirror official bank portals. More sophisticated schemes involve malicious remote-access applications distributed through fraudulent "Consumer Protection" websites, granting attackers real-time control over a victim's device and the ability to execute unauthorized transactions.

Social engineering tactics exploit psychological pressure—urgent warnings about account suspensions, fabricated security alerts, or fake prize offers on social media—to extract sensitive information. For businesses, scammers have deployed bogus financial statements using the names of reputable audit firms to bypass bank verification processes, while fake financing offers from individuals posing as Emirati entities demand upfront fees before vanishing.

The SIM swap threat has proven particularly damaging: criminals hijack mobile numbers to intercept OTPs, effectively seizing control of banking apps. This vulnerability is precisely why the CBUAE mandated the phase-out of SMS-based authentication.

Impact on Expats and Residents: What You Must Do Now

For the estimated millions of residents and expats who depend on digital banking for daily transactions, the March 31, 2025 deadline requires immediate action. Those who have not yet activated biometric authentication or downloaded their bank's latest app version may face transaction rejections or account access delays starting April 1.

Key Actions for All Customers:

• Update mobile banking apps to the latest version supporting biometric login.

• Register fingerprints or facial recognition within the app settings before March 31.

• Test in-app approval workflows for transfers and bill payments now to familiarize yourself with the new process.

• Verify official communication channels—only contact numbers and domains listed on the bank's official website are legitimate.

Special Guidance for Expats:

• If traveling abroad during the transition: Contact your bank before traveling to ensure biometric authentication works on your device in other countries, or request temporary in-app approval methods as a backup.

• International remittances: Overseas transfer authentication will now require biometric approval or in-app confirmation, potentially adding an extra step but significantly reducing fraud risk.

• Language support: Most UAE banks now offer 24/7 customer support in English for app setup and biometric registration. Request English-language assistance through official bank hotlines or mobile apps if needed.

• Multiple banking relationships: If you maintain accounts with banks across different countries, contact each institution separately to confirm their transition timelines align with the UAE deadline.

Investors and business owners face heightened scrutiny under the enhanced AML/CFT guidelines issued by the CBUAE. Financial institutions must conduct thorough due diligence, track all transactions, and report suspicious activity to the UAE Financial Intelligence Unit. The Dubai Financial Services Authority (DFSA) and Financial Services Regulatory Authority (FSRA) have echoed these requirements for entities operating within the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM).

The Broader Cybersecurity Campaign

The banking sector's security overhaul is part of a national effort. The UAE Banks Federation, in collaboration with the Central Bank and Cybersecurity Council, has invested heavily in cyber resilience and incident response protocols.

Authorities report that a significant portion of cybersecurity incidents in the region target banks and financial services, making the sector a prime target. Ransomware attempts have increased, and the trend continues with AI-powered phishing campaigns and deepfake scams becoming increasingly common.

Third-party vendor breaches—compromises affecting payment API providers, HR outsourcing firms, and SaaS platforms—have emerged as a weak link, prompting banks to audit supply chains more rigorously. Such incidents underscore vulnerabilities that extend beyond traditional banking channels.

The Cybersecurity Council also flagged risks linked to employees and residents connecting to open Wi-Fi networks, prompting advisories for residents to avoid public Wi-Fi when accessing financial apps.

Enforcement and Penalties

The Central Bank of the UAE has adopted a zero-tolerance stance on non-compliance. Institutions failing to meet the March 31, 2025 deadline face substantial fines, license suspensions, or revocation. The regulator has already imposed penalties on financial institutions for AML violations and inadequate fraud controls, signaling that enforcement will be swift and severe.

Banks must implement comprehensive anti-fraud frameworks covering prevention, detection, investigation, and response. This includes accurate account reconciliations, independent audits, rigorous document scrutiny, and systematic fraud detection tools integrated into core banking platforms.

The introduction of Confirmation of Payee services adds another layer, verifying that the recipient name matches the account number before funds are transferred—a measure designed to thwart authorized push payment fraud, where victims are tricked into sending money to criminals.

Practical Advice for Residents

The UAE Royal Police and banking authorities stress that official bodies never request personal or banking information through unofficial channels. Residents should:

• Ignore unsolicited calls or messages claiming to be from banks, government agencies, or support teams.

• Verify requests directly by contacting the bank using numbers listed on official websites or the back of payment cards.

• Report fraud attempts immediately to Abu Dhabi Police (via the Aman service), Dubai Police, or the CBUAE Consumer Protection Unit.

• Avoid downloading apps from links sent via SMS or email; use only official app stores.

• Enable transaction alerts to receive real-time notifications of account activity.

For those who suspect they have been compromised—whether through a phishing link, SIM swap, or remote-access scam—the immediate step is to contact the bank's fraud hotline and request a temporary account freeze while the investigation proceeds.

The shift away from SMS-based security and the surge in attempted cyber intrusions reflect a global trend, but the UAE's regulatory response is among the most aggressive in the region. While the March 31 deadline may create short-term friction for residents adjusting to new authentication methods, the long-term benefit is a financial ecosystem significantly more resistant to fraud, backed by real-time monitoring, biometric safeguards, and inter-bank intelligence sharing that can identify and neutralize threats before they reach customer accounts.