The Global SMS OTP Ban: A Regulator-by-Regulator Guide

by Paul McGuire | June 5, 2026

Regulators Are Banning SMS OTP: What You Need to Know

How the world’s financial regulators are forcing SMS one-time passwords out of banking: what each one has actually mandated, the deadlines that matter, and where to find the primary-source documents.

 

For two decades, the six-digit code texted to your phone was the default second factor in digital banking. That era is ending. SMS one-time passwords (OTPs) travel over a channel the bank does not control, can be intercepted through SIM swap, SS7 exploits, phishing and smishing, and increasingly fail against AI-assisted, adversary-in-the-middle attacks. Regulators have noticed — and over the last three years they have moved from gentle encouragement to hard deadlines and liability shifts.

 

This is not a single-market story. More than 25 regulators worldwide have now moved toward phishing-resistant authentication. Below is a market-by-market briefing on the regulators that matter most, what they have actually required (the detail matters — “banned” and “expanded the options” are very different things), and links to the primary instruments so you can verify each claim yourself.

 

At a glance

Market        | Regulator                  | Instrument                             | Key deadline            | Is SMS OTP "banned"?
UAE           | CBUAE                      | June 2025 directive                    | 31 Mar 2026             | Yes: full phase-out for all FIs
Singapore     | MAS / ABS                  | July 2024 announcement                 | ~Oct 2024               | Removed for bank logins (digital-token users)
Malaysia      | Bank Negara Malaysia       | RMiT policy (Nov 2025); 2022 directive | In force                | Non-compliant as a standalone second factor
Philippines   | BSP                        | Circular 1213 (AFASA)                  | 30 Jun 2026             | Yes, for high-risk transactions
India         | RBI                        | Authentication Directions, 2025        | 1 Apr 2026              | No: 2FA mandated, OTP still permitted
EU            | EBA / PSD2 → PSD3          | RTS on SCA; PSD3/PSR                   | ~2027–2028 (PSD3)       | No: restricted, not banned
United States | NIST (+ FINRA, USPTO, FCC) | SP 800-63B-4                           | July 2025 (publication) | No: formally "restricted"
Vietnam       | State Bank of Vietnam      | Decision 2345/QĐ-NHNN                  | 1 Jul 2024              | Biometric required above thresholds
Saudi Arabia  | SAMA                       | Cyber Security Framework               | Ongoing                 | Moving beyond OTP to FIDO2 / device-bound

 

United Arab Emirates — the hardest line

The Central Bank of the UAE (CBUAE) issued a directive in June 2025 requiring all licensed financial institutions — banks, finance companies, exchange houses, insurers and payment service providers — to eliminate SMS- and email-based OTPs by 31 March 2026, replacing them with app-based and biometric authentication. Critically, the directive also shifts liability: institutions are now responsible for fraud linked to OTP authentication.

 

The transition has been visible to consumers. Banks began moving customers to in-app approval from July 2025, and several of the largest banks switched off SMS OTP for online card payments from 6 January 2026. This is the clearest “ban” of any major market.

 

Primary source: Central Bank of the UAE — centralbank.ae. Reporting detail: Gulf News.

 

Singapore — OTP removed from the login

On 9 July 2024, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced that major retail banks would progressively stop using OTPs for bank-account login for customers who have activated a digital token. The digital token authenticates the login directly, removing the code that scammers phish for. Note the scope: this targets the login step for digital-token users — decisive, but narrower than a blanket statutory ban.

 

Primary source: MAS media release — Banks in Singapore to Strengthen Resilience Against Phishing Scams.

 

Malaysia — among the earliest movers

Bank Negara Malaysia (BNM) was one of the first central banks anywhere to publicly direct banks off SMS OTP, instructing financial institutions in September 2022 to migrate to more secure authentication for high-risk activities — account opening, fund transfers, payments and changes to account settings. That direction hardened with BNM’s updated Risk Management in Technology (RMiT) policy, issued 28 November 2025, under which SMS OTP is no longer compliant as a standalone second factor, device binding defaults to one device per account, and MFA must be interception-resistant.

 

Primary source: Bank Negara Malaysia — Policy Document on Risk Management in Technology (RMiT) — bnm.gov.my.

 

Philippines — a firm 2026 deadline

The Bangko Sentral ng Pilipinas (BSP) issued Circular No. 1213 in June 2025 to implement Section 6 of the Anti-Financial Account Scamming Act (AFASA). It requires supervised institutions to transition away from interceptable authentication mechanisms — explicitly SMS and email OTPs — for high-risk transactions and critical account changes by 30 June 2026. OTPs retain a single permitted use: confirming ownership of a registered mobile number, never authorising a transaction. In January 2026, the BSP publicly confirmed it is not extending the deadline, and under AFASA, institutions without adequate controls bear liability for customer losses.

 

Primary source: Bangko Sentral ng Pilipinas — Circular No. 1213 — bsp.gov.ph.

 

India — mandate 2FA, but OTP stays

India is the market most often mischaracterised. On 25 September 2025, the Reserve Bank of India issued the Reserve Bank of India (Authentication Mechanisms for Digital Payment Transactions) Directions, 2025, to be complied with by 1 April 2026 (cross-border card-not-present transactions by 1 October 2026). The Directions require two-factor authentication for all domestic digital payments, with at least one factor dynamically generated per transaction, and they open the door to device-bound passkeys, biometrics and tokens.

 

What the RBI did not do is ban SMS OTP. The framework states plainly that it “does not call for discontinuation of SMS based OTP” — it expands the menu of acceptable factors rather than removing the old one. The direction of travel is clear; the instrument is principle-based, not prohibitive.

 

Primary source: RBI Press Release 2025-2026/1165 — rbidocs.rbi.org.in.

 

European Union — restricted, and tightening

Under PSD2’s Strong Customer Authentication (SCA) regime and the EBA’s Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389), SMS OTP is not outright banned. The EBA’s June 2019 Opinion on the elements of SCA accepts an OTP received on a device as evidence of possession of that device, and for remote payments Article 5 of the RTS adds dynamic linking: the authentication code must be specific to the amount and the payee the payer was shown, and any change to either must invalidate it. A code that is not computed over the transaction data fails that test, and even where the SMS carries the amount and payee, the code still travels over the carrier network, so regulators and the market increasingly treat plain SMS OTP as insufficient in practice. The proposed PSD3 and the Payment Services Regulation (PSR) will tighten SCA further, reduce exemption thresholds and give explicit weight to phishing-resistant methods, with implementation generally expected around 2027–2028.

 

Primary sources: European Banking Authority — RTS on SCA — eba.europa.eu; European Commission PSD3/PSR proposals — finance.ec.europa.eu.

 

United States — “restricted,” not retired

There is no single US banking mandate, but the centre of gravity has shifted. In July 2025, NIST published SP 800-63B-4, which keeps SMS/PSTN out-of-band authentication in the “restricted” class it has occupied since Revision 3 in 2017: still permitted, but only if the organisation accepts and documents the risk, offers subscribers at least one non-restricted alternative and maintains a migration plan away from it, which in practice means organisations operating at AAL2 are expected to move off SMS. Around it, federal practice is moving: the US Patent and Trademark Office discontinued SMS authentication on 1 May 2025, FINRA has been phasing SMS OTP out of its own systems, and the FCC has tightened SIM-swap and port-out protections.

 

Primary source: NIST SP 800-63B-4, Digital Identity Guidelines — pages.nist.gov/800-63-4.

 

Vietnam — biometrics on top, by value

The State Bank of Vietnam issued Decision No. 2345/QĐ-NHNN (18 December 2023), in force from 1 July 2024, requiring biometric authentication for individual transfers at or above 10 million VND (or above 20 million VND cumulative per day) and for first-time or new-device transactions, verified against the national population database. The SBV has reported a roughly 50% drop in fraudulent transactions since rollout. SMS OTP persists for lower-value flows, but the high-risk tier now demands biometrics.

 

Primary source: State Bank of Vietnam — sbv.gov.vn.

 

Saudi Arabia — the framework approach

The Saudi Central Bank (SAMA) has advanced authentication expectations through its Cyber Security Framework, increasingly steering institutions beyond OTP toward FIDO2 and device-bound credentials. Saudi Arabia is frequently cited as a model of specificity and measurable outcomes in authentication regulation.

 

Further reading: Ideem, SAMA Authentication Requirements; primary framework: SAMA — sama.gov.sa.

 

The common thread

Read across these markets and a single pattern emerges. The “ban” markets (UAE, Philippines), the “remove it from the risky flows” markets (Singapore, Malaysia, Vietnam), and the “raise the bar without banning” markets (India, EU, US) are all doing the same thing for the same reason: moving the proof of identity off a shared secret sent over a channel the bank doesn’t control, and onto something cryptographic, device-bound, and hard to intercept. No major regulator anywhere is moving back toward SMS OTP.
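
The pattern described above, together with the dynamic-linking requirement noted in the EU section, in runnable form. This is an added example written for this page, not code from the article, IDlayr or any regulator; Bank, Device and Transaction are hypothetical names, the IBANs are constructed, and the device-bound key is simplified to a symmetric HMAC secret provisioned once in-app and never transmitted again (FIDO2 and passkeys use an asymmetric key pair, but the binding of the approval to amount and payee is identical). It contrasts an unlinked six-digit code, which approves whatever transaction is submitted with it, against an approval computed over the exact amount, payee and single-use nonce the device displayed:

```python
"""Dynamic linking with a device-bound key versus an unlinked SMS OTP.

Added example, not code from the article or any regulator; Bank, Device and
Transaction are hypothetical. Simplification: the device key is a symmetric HMAC
secret provisioned once, in-app, and never transmitted again; FIDO2 / passkeys use
an asymmetric key pair, but the amount-and-payee binding shown here is the same.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_minor: int   # minor units (cents)
    currency: str
    payee_iban: str
    nonce: str          # bank-issued, single-use challenge id


def canonical(tx: Transaction) -> bytes:
    """Fixed field order and separator so device and bank MAC identical bytes."""
    return f"{tx.amount_minor}|{tx.currency}|{tx.payee_iban}|{tx.nonce}".encode()


class Device:
    """Enrolled phone: holds the key, displays amount and payee, then approves."""
    def __init__(self, device_key: bytes) -> None:
        self._key = device_key

    def approve(self, tx: Transaction) -> str:
        # The app shows amount and payee before the tap; the code it returns is valid
        # only for exactly those values and this nonce (RTS Art. 5 dynamic linking).
        return hmac.new(self._key, canonical(tx), hashlib.sha256).hexdigest()


class Bank:
    def __init__(self) -> None:
        self._sms_otps: dict[str, str] = {}          # legacy path
        self._device_keys: dict[str, bytes] = {}     # linked path
        self._pending: dict[str, Transaction] = {}   # nonce -> issued challenge
        self._consumed: set[str] = set()

    # Legacy path: six digits over the carrier network, tied to no transaction.
    def send_sms_otp(self, customer: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._sms_otps[customer] = code
        return code  # a SIM swap or a phishing page hands this to the attacker

    def authorise_with_sms_otp(self, customer: str, tx: Transaction, code: str) -> bool:
        # Nothing binds `code` to `tx`: the holder of the code can approve any transaction.
        expected = self._sms_otps.pop(customer, None)
        return expected is not None and hmac.compare_digest(expected, code)

    # Linked path: device-bound key, approval specific to amount, payee and nonce.
    def enrol_device(self, customer: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[customer] = key
        return key

    def issue_challenge(self, customer: str, amount_minor: int, currency: str,
                        payee_iban: str) -> Transaction:
        tx = Transaction(amount_minor, currency, payee_iban, secrets.token_hex(16))
        self._pending[tx.nonce] = tx
        return tx

    def authorise_linked(self, customer: str, tx: Transaction, code: str) -> bool:
        key = self._device_keys.get(customer)
        issued = self._pending.get(tx.nonce)
        if key is None or issued is None or tx.nonce in self._consumed:
            return False  # unenrolled customer, unknown challenge, or replay of a spent one
        if issued != tx:
            return False  # amount or payee differ from what was issued and shown
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return False  # not produced by this customer's device for this transaction
        self._consumed.add(tx.nonce)
        return True


def demo() -> dict[str, bool]:
    """Four cases; the IBANs are constructed sample values."""
    bank = Bank()
    device = Device(bank.enrol_device("alice"))
    victim_payee, attacker_payee = "DE89370400440532013000", "GB29NWBK60161331926819"
    out: dict[str, bool] = {}
    # 1. Alice meant to approve EUR 50.00; the intercepted code is spent on
    #    EUR 9,500.00 to the attacker's account and the bank accepts it.
    code = bank.send_sms_otp("alice")
    out["sms_otp_accepted_for_attacker_tx"] = bank.authorise_with_sms_otp(
        "alice", Transaction(950_000, "EUR", attacker_payee, ""), code)
    # 2. Linked flow: the device approves exactly what it displayed.
    tx = bank.issue_challenge("alice", 5_000, "EUR", victim_payee)
    approval = device.approve(tx)
    # 3. Same approval, payee swapped in transit: rejected.
    tampered = Transaction(tx.amount_minor, tx.currency, attacker_payee, tx.nonce)
    out["linked_rejects_changed_payee"] = not bank.authorise_linked("alice", tampered, approval)
    # 4. Genuine submission accepted once; replaying the same approval is rejected.
    out["linked_accepts_genuine"] = bank.authorise_linked("alice", tx, approval)
    out["linked_rejects_replay"] = not bank.authorise_linked("alice", tx, approval)
    return out
```

Calling demo() returns four booleans, all True when the contrast holds: the unlinked code is accepted for the attacker's transaction, while the linked approval is rejected for a changed payee, rejected on replay, and accepted exactly once for what the device displayed. Swap the HMAC for a signature the bank verifies against the device's enrolled public key and this is the shape of a FIDO2 assertion over transaction data, which is where the regulators in this guide are steering.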

 

For any institution operating across borders, the practical conclusion is that an SMS-OTP exit is no longer a question of if but of which deadline hits first. The replacement needs to satisfy a possession factor that regulators recognise, survive SIM swap and porting, and work without adding checkout friction — which is precisely where network-verified, device-bound mobile trust comes in.

 


Last updated June 2026. Regulatory positions change; verify against the primary instruments before relying on any deadline.

About the author: Paul McGuire

Paul McGuire is CEO of IDlayr. He has spent over two decades at the intersection of mobile, telecoms, and digital identity. He works directly with banks, payment platforms, and large consumer apps deploying Silent Network Authentication to replace SMS OTP, eliminating ATO and SIM Swap fraud risk. He has held senior leadership roles across mobile and technology businesses in the USA and internationally.