The Identity Trust Pulse
The Identity Trust Pulse brings you the latest fraud and identity insights from industry leading experts across the world, sharing their expertise on relevant topics to help your business fight fraud and prioritize positive customer experiences. Find the fraud and identity insights to navigate our world of expanding opportunities and evolving risks. See the bigger picture – and the smaller one too – with this engaging podcast. The Identity Trust Pulse is brought to you by LexisNexis® Risk Solutions, which helps organizations detect and prevent potential fraud while building trust with genuine, good customers and reducing friction across the customer journey.
Raising the Bar on Fraud Protection in the UAE: Decoding Notice No. 3057.2025
With the 31 March 2026 deadline approaching, Central Bank Notice No. 3057.2025 is raising the standard for fraud protection across the UAE banking sector.
In this episode, Joey Bajela from LexisNexis® Risk Solutions sits down with Iyad Mourtada, ACFE Authorized Trainer, to explore why the Central Bank of the UAE introduced the mandate and what Licensed Financial Institutions now need to change.
With nearly half of citizens reportedly targeted by cybercrime, they discuss the move away from SMS and email OTP, the shift toward biometric and device-bound authentication, behavioral monitoring, liability changes, and closer scrutiny of suspicious and mule-linked accounts.
For fraud, risk and digital leaders, this episode outlines what action looks like under tightening regulatory expectations in the UAE and beyond.
DISCLAIMER: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this episode are solely those of the speaker/s and do not necessarily reflect the views or positions of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.
Kicking Off From Dubai
SPEAKER_02: Welcome to our first episode of the year of the Identity Trust Pulse Podcast. I'm so excited to be with you. My name is Joey Bajela. I'm the lead engagement manager at LexisNexis Risk Solutions. And this marks our first episode of the year, shooting live and direct from the UAE in Dubai. So today I have with me Iyad Mourtada, an ACFE authorized trainer. And I'm really excited to be with him, a well-known face in the industry. And today we're going to be talking about regulation and Notice 3057. So we're going to go straight into the topic and into the heart of the matter. So, Iyad, tell me a little bit about the regulation and what it means for LFIs.
SPEAKER_00: So the main issue, the main reason why the central bank in UAE decided to go and issue this notice, is because of the amount of fraud and scams happening in UAE. The Cyber Security Council said that over the last one year, approximately 49% of the citizens here in UAE were actually targeted and were victims of cybercrime. And we can see that most of these cybercrimes are attacking the banks, attacking the organizations and the individuals. So individuals here in UAE actually suffer, based on the Cyber Security Council, approximately $2,000 plus on average. And some of them were victims more than one time, even. And we can see exactly the reason is that the hackers or the cybercriminals are taking advantage of the weaknesses in the controls from the bank side and from the consumer side. So the main reason for this notice is to focus on the fraud prevention related to the consumer interaction with the bank, and ensuring that the bank is using the most powerful authentication techniques, to ensure that the hacker will not be able to take advantage of the weaknesses that they currently have: currently they have the SMS OTP, they have the email OTP, they have the different kinds of authentication where it's allowing the hacker to bypass the controls that they currently have inside the bank, and they were able to trick the consumer into releasing this information to them directly.
SPEAKER_02: Oh wow, okay. I resonate a lot with that. As a personal consumer, we see the fraud attacks by the cybercriminals. Even myself, I've been recently receiving text messages which purportedly are from the Dubai Police, asking me to click on a link that takes me to a website and enter my OTPs. So yeah, I can see exactly what's happening in the landscape. Thanks for elaborating on that. So just a little bit about the regulation in itself. You mentioned OTPs, email OTPs. What are actually some of the mandates for LFIs? What do they have to do? What is it spelling out in the regulations?
App, Biometric, And Device Binding
SPEAKER_00: So the first mandate, the main focus, is focusing on authentication. So we need to stop using the SMS OTP verification, stop using the email verification, and try to use more powerful authentication, like in-app notification for certain transactions, trying to use biometric authentication for the transaction, trying to use device-bound authentication, trying to use encrypted token verification. The main objective is we are afraid of what we call a man-in-the-middle attack. We are afraid of someone hacking the device of the consumer, or someone trying to trick the consumer in one way or another. So when you are using one of these authentications, that will guarantee that if someone took your SIM card and did a SIM swap, where he is now controlling your SIM card and getting the OTP, with this kind of authentication he will not be able to get it, because the notification is happening inside the app itself. Or when we have device binding, in case someone is trying to download the mobile app on his device and trying to log into your bank account, he will not be able to do that, because the device is linked to the app on your device only; it will not work on another device. So the main objective is to make sure that we strengthen all the security issues related to the transaction between the client and the bank, to ensure no one is going to hack that transaction, or in case any of the hackers were able to hack the session, the central bank said you need to have the proper way for you to be able to find if the session is being hacked, to deactivate it, to find if the transaction is unusual, you need to suspend it. So the bank is required not only to implement a new authentication, but also they need to monitor the activity and the transactions happening related to the session and related to the account, to find any red flags.
Monitoring Sessions And Transactions
SPEAKER_02: I see. Thank you. And then, moving on a little bit more to some of the other points in the regulation. Again, we talked about the fraud trends: maybe people on the phone to the fraudster, maybe the fraudster directing the customer to do something on behalf of the fraudster, maybe taking control of the screen. Are there some points in the regulation that speak to being on the phone or screen sharing that you want to tell our audience about?
Behavioral Biometrics Explained
SPEAKER_00: Yeah, so one of the issues that we always notice is that there are certain unusual behaviors. And this is one of the issues that the banks now need to look at: not only who is logging in, is the username and password correct, or is the OTP they get on the app correct; it's about what we call behavioral biometrics. So, behavioral biometrics: how are you holding your phone? Are you holding your phone in the proper way for you to use the phone, or is the phone held upside down or next to your head? That will show us that maybe this is not you who's holding it, or someone is having control over it. Another thing: is it you doing it, or AI? Because if you are trying to enter your username and password, you are going to enter it slowly, but AI is going to just copy and paste, or it's going to enter it very fast. So that will tell us there is a bot actually doing the attack; it's not a human doing the attack. Figuring out exactly how the user usually will log in: he will log in from an Android phone, and now we can see his login from an iPhone. We can see exactly that the operating system changed. Or this user usually will log in in the morning, and we see him log in at a weird time on the weekend, and he's doing a massive amount of transfers. So looking at different behavior related to how he's using the device, which device he's using, what is the time of use, what is the amount he's transferring; by looking at all these behavioral biometrics, we will be able to identify if this is the user who's actually entering and using the phone to do the transaction, or someone else.
SPEAKER_02: Okay, thank you for explaining that. I was also going to add on, when you mentioned the unauthorized activity: at LexisNexis Risk Solutions, we help our customers identify those unusual patterns. When you mentioned the behavioral intelligence, that's a really good control, like you say, to understand the user and how they behaved. Is it really them making this transaction, because of that learned behavior? These are the controls which the central bank is asking the LFIs to up their controls and up their security state, to protect the customers who are using their channels. So really good to see that in the UAE. Let's talk a little bit maybe about the liability shift, because I think that's also a key part of the regulation.
The Liability Shift To Banks
SPEAKER_00: So the main issue in the old days was that you said the consumers are always responsible in case they share their OTP with the hacker or with the criminal, because in that way they were not following the proper guideline of the bank. Now there's a liability shift, and this liability shift is not only in UAE. We can see this liability shift happening in the UK, in other parts of the world, where they are saying: you as a bank, you need first to make sure you have the proper system to monitor a transaction, to identify if this is a fraud transaction or not, and you need to create awareness for the consumer, but you need to have systems in place for you not to use normal authentication like SMS OTP or email OTP or any kind of ways where the hacker can take advantage of it. So now the liability shifts, where the banks are responsible for the fraud that the consumer will have in case they are still using any of these SMS or email OTPs. And they need to switch to push notification or device-bound or biometric for them to be able to secure the transaction. Plus, they need to do the monitoring to be able to have the proper system in place; they need to give the consumer a chance to notify them, in case anything happened, with a proper communication channel; and they need to suspend any transaction they see as unusual; and at the same time, they need to be able to monitor the transaction to look for any risk factors. If they find any risk factors, they need to stop the transaction before it happens, and they need to deactivate the account if it's needed for a high-risk transaction. This liability shift is very interesting. We can see, for example, in Singapore, what they did in Singapore, which is something really nice, maybe the central bank here will implement.
They say if any consumer requested from the bank to move more than 50% of their balance, immediately the bank will suspend the transaction and will contact the customer to verify. Why? Because the hacker will tell you: I'm from the government, something happened in your account, move all your money. So, in that case, who of us is going to go move more than 50% of his balance at one point? That's a big red flag. And in this way, they were able to protect their consumers. So, this is one of the things that you can think about here in UAE. You can have something as a risk factor: if someone is trying to move more than 50% of the amount inside their account, that's a red flag. Something is going on.
Detecting And Stopping Mule Accounts
SPEAKER_02: Yeah, excellent. So obviously, with the deadline being the 31st of March 2026, you mentioned quite a number of points that the LFIs have to adhere to by the 31st. So I think we've covered the behavioral intelligence and identifying whether the transaction meets the pattern of the usual behaviors of the customer. We've talked about maybe the active call and the screen sharing with the social engineering. We've also talked about the activity monitoring and transaction monitoring as well. And then we just talked about the liability. So, again, like other jurisdictions in the world, the UAE is taking a first move into the liability shift to the LFI from, previously, the customer. I guess maybe the last point about the regulation, and you mentioned the bound device ID and V, to make sure that the device on their phone is the real customer's. Would you be able to just talk a little bit about the regulation from the other side of the fraud, which talks about mules? So again, when there's obviously a scam or a fraud, that customer is maybe tricked into paying an account which is going to receive the money. But what about the controls? What does the central bank, the UAE CB, say about the controls for the receiving bank, to make sure that the customer on the other side, or the bank on the other side, is a legitimate account?
Setting Risk Policies And Governance
SPEAKER_00: So the way of implementing this over the last 10 months allowed the banks to say we need to start at the beginning by implementing what we call a fraud prevention system and monitoring system. So the banks, in a way, said first we need to create what we call ownership and governance for the chief risk officer, for the chief compliance officer, for the chief information officer, to ensure that they have the proper system of controls in place. So this is the first step; either from the receiving or from the sending side, they need to have that in place. The second thing is all about saying what are our policies related to monitoring the transaction, what are our policies related to reporting transactions, what are our procedures related to what we are going to monitor and what we are not going to monitor, what is our risk management system to highlight which one is high risk, which one is medium risk, which one is low risk, for us to monitor and identify. And after that, what action we are going to take and which authentication method we are going to use based on each one of these. And finally, what are our fraud prevention and investigation methods, where, in case we discover there is a fraudulent transaction, how we are going to prevent it: by suspending, for example, the session, if it's happening through a session; by also suspending the transaction before it actually happened; and at the same time by monitoring the account to see if there is any unusual activity happening in this account. One of the examples in UAE: you can see a mule account, where there is an account, and there is a red flag that this account is receiving small payments from so many accounts, and then there is a large payment going from this account to another foreign account.
So, looking at these unusual transactions, they are responsible for monitoring these transactions, for identifying any suspicious activity, and at the same time, they are responsible for notifying the proper authority to investigate it inside their bank if it's needed, or notifying the regulator in case the issues are related to money laundering. But the main objective of the notice is actually the protection of the consumer and monitoring the account, to ensure no cyber fraud and no cyber scams happen to the consumers of the bank, and making sure that the bank has the proper security and the proper controls to ensure everything streams in the proper way.
Vendor Intelligence And Risk Signals
SPEAKER_02: Thank you, Iyad. I like the points that you're making about the mule and monitoring the account. I was going to add on: at LexisNexis Risk Solutions, we help our customers with our UAE banking consortium, where we share intelligence on bad devices which have been involved in mule activity, confirmed mule activity, so that our customers, the banks, can use that further intelligence to make an extra layered decision around: actually, this transaction may be coming from a device which has been associated with financial crime. These devices are accessing these accounts. This account may not be a good account to receive money because of that extra signal that we get. I think it all speaks to the regulations that you just spelt out. Ultimately, preventing the LFIs' customers from the impacts of financial crime and fraud. Okay, good. So I think we're coming to maybe the end of the podcast. I've really enjoyed this conversation. Are there any other points that you wanted to add on for our audience about the LFIs and the UAE mandates in themselves, in terms of the fraud environment, anything else that you wanted to tell our listeners about?
SPEAKER_00: So the main objective of this transformation is we need to ensure that in our banking sector here in UAE, we have transparency and we have accountability, and at the same time awareness. So it's also the responsibility of the bank to create awareness for the consumer that now, even with all these security controls: don't share your personal information, don't share your ID, don't share your device with anyone. Because if someone actually got your device and they have access to your app for any reason, now there is a risk. And we are going to try to monitor this risk, but at the same time, we always start by creating awareness and prevention and making sure that the consumers are working with us to make sure this fraud will not happen. But at the end of the day, it's the bank's responsibility to ensure that the system is in place, so that in case something happens, they are going to be able to catch it before it's too late.
SPEAKER_02: Excellent. Thank you, Iyad. And maybe just a final word from myself as well. I think the regulations are a fantastic thing. March 31st, in about six weeks' time, we're looking forward to the new control environment here in the UAE. Again, just reiterating what you were saying: this is to prevent customers from being victims of fraud, having an increased control framework for the whole country and region. And I strongly believe that this will have effective change in preventing customers from being victims, making sure the LFIs have good controls, removing weak, ineffective controls, protecting the customer more, and again, making sure that the standard is raised higher in the UAE. So again, we're really looking forward to these changes. So I'd just like to thank you, Iyad, for being a great guest. Again, I really enjoyed the conversation. Thank you to all our listeners for listening in, and we'll catch you back again for our next episode. Thank you, everyone.
SPEAKER_01: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this program are solely those of the speakers and don't necessarily reflect the views or position of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.