The Central Bank of the UAE published Notice No. CBUAE/FCMCP/2025/3057 on May 23, 2025. It was sent to every licensed financial institution (LFI) operating in the country, addressed directly to CEOs and Managing Directors. The subject: Prevention of Fraud Incidents Impacting Consumers.
At first glance, it reads like many regulatory notices — a mix of authentication requirements and monitoring guidelines. But the details matter here, especially for teams running merchant acquiring operations. The notice covers five distinct requirement areas, each with real operational implications and financial penalties attached from March 31, 2026.
Below is a clear breakdown of what's changing and what it actually means if you're in compliance, fraud, or risk at a UAE bank or PSP.
User Authentication: SMS OTP Is Officially Out
The most headline-worthy item is the authentication ban. LFIs are prohibited from using SMS OTP, Email OTP, or static passcodes as a standalone authentication method for any transaction, enrolment, provisioning, or channel access.
For 3DSecure transactions specifically, the ban on weak second-factor authentication is immediate and carries direct liability: if a fraud incident occurs on a 3DS transaction that was authenticated via SMS OTP, the LFI is held fully liable and must issue a full refund to the consumer promptly. No exception.
Strong authentication methods that are explicitly allowed include in-app verification, soft tokens, tap-to-authenticate, biometrics, and passkeys. Risk-based passive authentication is also permitted, but only if the LFI accepts liability for any fraud on those transactions.
Step-up authentication is now required for five specific actions: modifying account limits or card parameters, changing security settings, initiating payments, updating personal data, and requesting a new card. The step-up method must be an extra passcode or verification layer within the banking app — not a new SMS.
The hard deadline for phasing out SMS OTP-based authentication entirely: March 31, 2026.
Preventive Controls: Small Details, Real Consequences
Beyond authentication, the notice lists several operational requirements that don't get headlines but will show up in audits. LFIs must display the payee name, account number, bank details, and account type to the consumer before confirming any domestic or international fund transfer. For instant payments, payee name verification must be in place.
Sessions in the mobile banking app or any asset management application must be automatically suspended when screen sharing is detected, when malware or malicious code is present, or when the consumer is on an active phone call. For browser-based login, no screen sharing application can be active during the session.
Perhaps the most interesting operational requirement: LFIs should, to the maximum extent possible, avoid sending clickable links in emails or SMS to retail consumers. Push notifications from the banking app should replace them. This is a direct response to phishing attack vectors.
Transaction Monitoring: The 24/7 Baseline
All LFIs must implement systems that analyse transactions in real time, around the clock, every day of the year. The systems must be capable of stopping or declining suspicious transactions in real time, risk-scoring each transaction, analysing consumer account activity for unusual behavior (sudden large withdrawals, high-velocity transactions, unfamiliar locations, changes to static data), and monitoring activity across all channels — mobile, browser, card.
The notice also calls for mechanisms to identify mule accounts early — accounts used to move fraudulently obtained funds — based on unexpected or suspicious transaction patterns.
All LFIs are encouraged to use behavioral analysis, digital biometrics, and behavioral biometrics as advanced fraud detection methodologies.
Merchant Acquirers: The E-Skimming Requirement
This is where the notice hits acquiring banks and PSPs with something operationally demanding. Any institution classified under Merchant Acquiring Services or Payment Aggregation Services — as well as banks providing merchant acquiring services — must perform daily scans of merchant and payment gateway URLs to detect malware and malicious code designed to compromise payment details.
This covers e-skimming attacks (also known as Magecart-style attacks) where malicious JavaScript is injected into a merchant's checkout page to silently harvest payment card data.
The requirement is explicit: if malware or malicious code is detected, all transactions on the infected page must be halted until appropriate measures are applied. There is no grace period. Daily scans are the operational requirement.
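One practical shape for the daily scan is script-inventory drift detection: record the scripts an approved checkout page loads, then flag any script host or inline script body that was not in that baseline. The block below is an added illustration, not Onlayer's scanner or anything quoted from the notice; the hosts, the GOOD page and the TAMPERED page are constructed for the example. The same inventory idea underlies the payment-page script requirements in PCI DSS v4.0.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []      # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def script_inventory(html):
    p = _ScriptCollector()
    p.feed(html)
    return p.external, p.inline

def record_baseline(html, page_host):
    """Snapshot an approved page: allowed script hosts and inline-script digests."""
    external, inline = script_inventory(html)
    return {"hosts": {urlparse(s).hostname or page_host for s in external},
            "inline": {hashlib.sha256(b.encode()).hexdigest() for b in inline}}

def scan_page(html, page_host, baseline):
    """Return (finding, detail) pairs for every script absent from the baseline."""
    external, inline = script_inventory(html)
    hosts = [urlparse(s).hostname or page_host for s in external]  # relative = same origin
    findings = [("unknown-script-host", h) for h in hosts if h not in baseline["hosts"]]
    for body in inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline["inline"]:
            findings.append(("unapproved-inline-script", digest[:16]))
    return findings

# Constructed sample pages; hosts are hypothetical (.example), not real merchants.
GOOD = ('<html><body><script src="/static/checkout.js"></script>'
        '<script src="https://js.psp.example/3ds.js"></script>'
        '<script>window.cfg = {"currency": "AED"};</script></body></html>')
TAMPERED = GOOD.replace("</body>", '<script src="https://cdn.stats-collector.example/x.js">'
                        '</script><script>/* injected later */ void 0;</script></body>')
```

A production scanner would fetch the page the way a browser renders it, because injected loaders are frequently added at runtime rather than in the served HTML, and would treat any finding as grounds to halt transactions on that page as the notice requires.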
On top of this, merchant acquirers must implement real-time or near-real-time fraud monitoring systems specifically designed for their merchant portfolios — capable of flagging multiple cards used by the same user, high-velocity purchases from the same email ID or device, suspicious bulk orders, and enumeration attacks where fraudsters test stolen card data at scale.
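The merchant-portfolio rules above, and the velocity and unusual-behaviour checks in the Transaction Monitoring section, reduce to one pattern: count distinct values per key inside a sliding time window and alert at a threshold. The block below is an added illustration, not Onlayer's engine or text from the notice; the thresholds, windows, emails, devices, IPs and card tokens are assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Txn = namedtuple("Txn", "ts email device ip card result")

def sliding_alerts(txns, rule, key, distinct, threshold, window, only=None):
    """Raise (rule, key) once >= threshold distinct values hit one key
    inside a sliding time window; the same engine serves all three rules."""
    seen, alerts = defaultdict(list), set()
    for t in sorted(txns, key=lambda x: x.ts):
        if only and not only(t):
            continue
        k = key(t)
        seen[k] = [(ts, v) for ts, v in seen[k] if t.ts - ts <= window]  # expire old
        seen[k].append((t.ts, distinct(t)))
        if len({v for _, v in seen[k]}) >= threshold:
            alerts.add((rule, k))
    return alerts

def merchant_alerts(txns):
    """Thresholds and windows are illustrative assumptions, not notice values."""
    return (
        sliding_alerts(txns, "multi-card-device", lambda t: t.device,
                       lambda t: t.card, 3, timedelta(minutes=10))
        | sliding_alerts(txns, "velocity-email", lambda t: t.email,
                         lambda t: t, 5, timedelta(minutes=5))
        | sliding_alerts(txns, "enumeration", lambda t: t.ip, lambda t: t.card,
                         5, timedelta(minutes=2), only=lambda t: t.result == "declined")
    )

# Constructed authorisation log: hypothetical emails, devices, IPs and card tokens.
BASE = datetime(2025, 6, 1, 10, 0, 0)
def mk(sec, email, device, ip, card, result="approved"):
    return Txn(BASE + timedelta(seconds=sec), email, device, ip, card, result)

TXNS = [
    mk(0, "a@x.test", "dev-1", "198.51.100.7", "tok-1"),
    mk(20, "a@x.test", "dev-1", "198.51.100.7", "tok-2"),
    mk(45, "a@x.test", "dev-1", "198.51.100.7", "tok-3"),   # three cards, one device
    mk(300, "b@x.test", "dev-2", "198.51.100.8", "tok-4"),  # ordinary shopper
    # burst of declines on different cards from one IP: card testing / enumeration
    *[mk(600 + 5 * i, "c@x.test", "dev-3", "203.0.113.9", f"tok-{10 + i}", "declined")
      for i in range(6)],
]

if __name__ == "__main__":
    for alert in sorted(merchant_alerts(TXNS)):
        print(alert)
```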
Data Security, PCI DSS, and Consumer Empowerment
LFIs must comply with the UAE Information Assurance (IA) Regulation and, where applicable, the SWIFT Customer Security Controls Framework. PCI DSS compliance is also explicitly referenced — LFIs must ensure their service providers who process, store, or transmit payment credentials are compliant too.
Merchant acquirers must ensure network tokenization is used for all credential-on-file transactions initiated by merchants. All LFIs must implement brand protection solutions to detect fake ads, phishing scams, and domain name misuse.
On the consumer side, LFIs must provide seamless self-service options for reporting suspicious activities and managing accounts. Manual, friction-heavy reporting methods — such as filling out a form and submitting it by email or visiting a branch — are explicitly called out as unacceptable.
What Non-Compliance Looks Like
The financial penalty for significant violations from March 31, 2026 is up to AED 250,000 per violation. But the more immediate risk for acquirers is the liability clause on 3DS fraud with SMS OTP — that's effective immediately from the notice date, not from March 2026.
Banks still running SMS OTP as their primary 3DS authentication method are, right now, taking on full liability for any fraud disputes on those transactions.
How Onlayer Helps
Onlayer's Transaction Monitoring Service and Merchant Monitoring Service are built specifically for the compliance environment that this notice is pushing institutions toward. The platform covers real-time transaction analysis, continuous merchant portfolio monitoring, and daily scanning of merchant URLs for e-skimming code and malicious payloads.
Onlayer already operates across 20M+ merchants worldwide and works with acquiring banks, PSPs, and national card schemes across 150+ country-specific compliance frameworks. For teams looking to operationalize the CBUAE's new merchant monitoring and e-skimming detection requirements without rebuilding their monitoring stack, it's worth a conversation.
Want to learn more about the mandate and how Onlayer can help? Schedule a demo with our experts today.