From Mandate to Mastery: How Wibmo Helps LFIs Comply with CBUAE’s Authentication Guidelines 

In response to a surge in digital adoption and increasingly sophisticated fraud attempts, the Central Bank of the UAE (CBUAE) has released updated directives for Licensed Financial Institutions (LFIs) — aimed at overhauling outdated authentication methods. 

The regulation mandates a shift away from legacy credentials like SMS OTPs, email OTPs, and static passcodes, all of which are now deemed insecure. LFIs must instead adopt strong authentication methods such as biometric verification, passkeys, soft tokens, and Risk-Based Authentication (RBA) to safeguard financial and non-financial user journeys. 

But compliance is only part of the challenge. The real question for LFIs is: Can we meet regulatory expectations without sacrificing user experience or operational agility? 

At Wibmo, a PayU company, we believe the answer is a resounding yes. 

The Challenge for LFIs 

CBUAE’s mandate applies across the board — not just to financial transactions like online purchases and fund transfers, but also to non-financial activities, including login authentication, account changes, and beneficiary additions. This broad applicability means LFIs must re-architect their digital authentication infrastructure holistically. 

Moreover, the regulation doesn’t only impact issuers. Acquirers must also step up their fraud prevention systems to ensure safe processing across touchpoints such as POS, wallets, ecommerce platforms, and QR code payments. 

The result? A dual-front challenge: 

  • Issuers must enable multi-layered, user-friendly, and regulation-compliant authentication. 
  • Acquirers must enhance risk mitigation without creating friction at checkout. 

It’s a tall order — unless you have the right technology partner. 

Wibmo’s End-to-End Solution for LFIs 

Wibmo’s Authentication Suite is purpose-built to help LFIs navigate this regulatory transformation. Our platform enables secure, seamless, and intelligent authentication across both issuing and acquiring operations — empowering banks and fintechs to comply with CBUAE mandates while enhancing customer trust. 

The solution combines biometric verification, passkey-based login, and AI/ML-driven RBA, integrated via lightweight SDKs and APIs. This makes it easy for financial institutions to embed strong security directly into their mobile and web applications, without overhauling existing infrastructure. 

From logins to lifecycle events to high-value transactions, Wibmo makes every touchpoint secure, compliant, and frictionless. 

Key Use Cases We Cover:

Issuing Use Cases 

Wibmo supports a wide range of card-based authentication flows, including those required by 3D Secure (3DS) and EMVCo protocols. Our Issuer SDK and ACS Passkey components enable banks to verify users through biometrics or passkeys during card transactions — whether on desktop, mobile browser, or in-app. 

These flows include: 

  • Guest checkout and tokenized card payments
  • Recurring transaction authentication
  • Soft token verification within issuer-controlled environments

With step-up authentication and AI-driven fraud detection baked in, issuers gain robust security without compromising conversion. 

Non-Financial Use Cases 

CBUAE guidelines also target non-financial activities, often overlooked yet equally vulnerable to fraud. Wibmo addresses this gap by offering strong authentication for tasks such as: 

  • Card issuance and reissuance
  • Modifying spend or withdrawal limits
  • Updating personal data like contact details
  • Adding beneficiaries or ordering checkbooks
  • Password resets and security parameter changes, login (web/mobile), etc.
  • Web portal management (login, consumer activities on mobile application, etc.)

These use cases are often the first targets for phishing or social engineering. Our behavioral biometrics and device profiling help LFIs secure them with minimal disruption to the user experience. 

Powered by Risk-Based Authentication (RBA) 

Static rules can’t keep up with dynamic fraud patterns. That’s why Wibmo’s authentication framework is anchored in Risk-Based Authentication, powered by AI and machine learning. 

Each interaction — financial or not — is profiled in real-time using dozens of data points: device attributes, login velocity, behavioral patterns, and historical activity. Based on the risk score, the system either approves the interaction, steps up with additional verification, or blocks it entirely. 

This adaptive model helps reduce false declines, combat fraud more effectively, and ensure a smoother experience for legitimate users. 

With a ~2% increase in conversion and up to 80% reduction in latency, our RBA system not only protects but also performs.

Regulatory-Ready Security Framework 

At Wibmo, we don’t treat security as an add-on — it’s the foundation of our product. Our authentication suite has been architected to meet not only the CBUAE mandates but also broader PCI DSS, EMVCo, and global security standards. 

We’ve organized our security features into four core blocks: 

1. Anomaly & Threat Detection 

Our SDKs actively scan for device and environment anomalies, such as: 

  • Jailbroken or rooted devices
  • Biometric mismatches
  • SIM swap attempts
  • Emulator or screen recording environments

Early detection of such threats ensures malicious actors are blocked before any damage occurs.

2. Attack Defense Mechanisms 

We deploy real-time protections against modern fraud vectors: 

  • Man-in-the-middle (MITM) attacks
  • Phishing, vishing, and malware injection
  • Reverse proxy detection
  • Fraud ring pattern analysis

These defenses reduce liability exposure for LFIs and ensure higher confidence in every digital interaction. 

3. Data Encryption & Tokenization 

Wibmo employs military-grade encryption protocols:

  • AES encryption for data security at rest
  • Enhanced SSL pinning for data in transit
  • Cryptographic token validation to prevent replay or spoofing
  • PCI DSS compliance for all card-related flows

Whether in a mobile app or a browser session, customer data is always protected. 

4. Behavioural Intelligence 

Our behavioural biometrics module learns and adapts to each user’s behavior — from typing patterns to swipe gestures — to create a secure, invisible layer of authentication. 

This behavioural profiling is cross-checked with: 

  • Device fingerprinting
  • Login timing and geolocation
  • Transaction history and spend velocity

It’s like a digital fingerprint for every customer — impossible to replicate, yet effortless to use. 

Designed for Integration, Built for Scale 

A key strength of Wibmo’s solution lies in its ease of integration. Our lightweight SDKs and flexible APIs allow fast embedding into mobile banking apps, internet banking platforms, merchant checkouts, and even third-party wallet interfaces. 

The platform supports: 

  • Web and mobile flows
  • Biometrics, Face ID, fingerprint, TOTP, and passkey
  • Issuer-side 3DS authentication
  • Acquirer-side fraud scoring and decline logic

Banks and fintechs can go live quickly, without interrupting existing services or customer journeys.

A Future-Proof Solution for UAE’s Financial Ecosystem 

The CBUAE mandate isn’t just a regulatory necessity — it’s a long-overdue shift toward stronger, more intelligent authentication in the digital banking era. 

LFIs that respond proactively can turn compliance into a competitive advantage, offering customers a secure, intuitive, and consistent experience across every digital channel. 

At Wibmo, we’re proud to support this transformation with a platform that’s compliant by design, scalable by architecture, and intelligent at its core. 

Want to explore how Wibmo can help your institution align with the CBUAE guidelines? 

Let’s connect, write to [email protected]
