November 20, 2025

CBUAE 3057 Compliance: Securing the Client Side

Ivan Tsarynny

The Central Bank of the UAE’s Notice No. CBUAE/FCMCP/2025/3057 has set a critical deadline of March 31, 2026, for Licensed Financial Institutions (LFIs) to transform their digital channel security. 

While security efforts have long focused on the server side, this mandate compels LFIs to recognize and manage the often-neglected frontier of risk: the client side.

The key mandates of CBUAE Notice 3057 point to the necessity of real-time client-side control.

Meet the CBUAE Notice 3057 March 2026 Deadline

Here’s what you need to know about this mandate:

  • Critical deadline: LFIs must comply with CBUAE Notice 3057 by March 31, 2026, to transform their digital channel security.
  • Focus shift: The mandate requires LFIs to shift security efforts from the server-side to recognizing and controlling the often-neglected client-side frontier of risk.
  • New liability: The Notice introduces an immediate liability shift, making LFIs responsible for compensating consumers for fraud losses; securing the client-side prevents e-skimming, the most common attack vector.
  • Real-time control: LFIs must equip applications with controls for real-time detection of compromise (malware, RATs) and automatic session suspension, which relies on continuous client-side monitoring.
  • Secure authentication: The ban on weak SMS/Email OTPs necessitates a shift to phishing-resistant methods, where client-side security protects the integrity of transaction details during the authentication flow.

Why financial institutions should focus on their client-side security to meet CBUAE

1. Eliminate the new financial liability

Notice 3057 introduces an immediate liability shift, under which the LFI is responsible for compensating consumers for financial losses from fraud involving compromised or intercepted authentication credentials, unless consumer negligence can be proven.

  • The client-side focus: The most common attack vector for stealing payment and credential data is e-skimming (Magecart), which involves injecting malicious scripts directly onto the client-side payment page. This attack occurs before data is encrypted and sent to your server. By securing the client side, you directly prevent the theft of sensitive data, thus mitigating the LFI’s exposure to this new financial liability at the source.

2. Achieve real-time detection and session suspension

The Notice mandates that LFIs must equip their web and mobile banking applications with controls to detect indicators of compromise and automatically suspend active sessions when malware, Remote Access Tools (RATs), or screen-sharing software are detected.

  • The client-side focus: These indicators of compromise—RATs, keyloggers, and tampered sessions—exist and operate on the client device. The only way to detect a compromised customer device in real-time is by continuously monitoring the session environment itself. A robust client-side solution provides the visibility to instantly detect these threats and trigger the mandated automatic session suspension, ensuring real-time integrity control.

3. Secure the authentication transition (The OTP Phase-out)

The ban on weak SMS/Email OTPs and static passwords requires a shift to phishing-resistant methods like passkeys and in-app authentication.

  • The client-side focus: While approval occurs over a secure channel (e.g., the mobile app), the transaction initiation and confirmation details are still displayed and entered on the web page. Client-side security prevents an attacker from altering the displayed details or hijacking the session before the secure channel is established, protecting the integrity of the authentication flow.

Leveraging AI to empower your compliance program

Feroot’s PaymentGuard AI is designed to provide the specific visibility and automated control needed to meet these mandates without heavy lift from your teams. It acts as your compliance partner, ensuring you are audit-ready and protected well before the March 2026 deadline.

Key compliance actions for LFIs and how PaymentGuard AI supports each:

  • Gain visibility & control: Real-time script allowlisting & integrity. Automatically inventories every script running on regulated pages and enforces allowlists to block unauthorized code before data leaves the browser.
  • Enforce session integrity: Client-side change & tamper detection. Continuously detects DOM/content/header changes as end users receive them, alerting instantly and generating incident timelines for root-cause analysis.
  • Manage third-party risk: Full script visibility & control. Provides a complete inventory of all code, enabling you to set granular policies that prevent third-party scripts from accessing sensitive data.
  • Demonstrate ongoing compliance: “Regulator-ready” evidence reports. Provides a one-click export of script inventories, change-detection logs, and stakeholder dashboards mapped to Open Finance control themes.

Laying the groundwork for your compliance program early

The March 2026 deadline may seem distant, but the liability shift is immediate, and implementing, testing, and rolling out new security controls for thousands of payment webpages requires a proactive timeline. By starting early with a client-side-focused approach, you transition from simply reacting to threats to establishing a framework for continuous monitoring and automated control.

Empower your institution not only to comply with the CBUAE Notice 3057 but also to transform your digital channels into a secure, trustworthy platform that ultimately saves millions in potential fraud liability and builds deeper consumer confidence.

Frequently Asked Questions

What is the official compliance deadline for CBUAE Notice 3057?

The critical deadline for full compliance is March 31, 2026.

What is the new financial liability introduced by this notice?

It introduces an immediate liability shift, holding the LFI responsible for compensating consumers for fraud losses, which can be mitigated by securing the client-side against e-skimming.

Why the focus on the client-side risk frontier?

The mandate requires shifting from server-side focus to controlling the client-side because threats like e-skimming and compromised user devices operate there, at the source of the risk.

How do LFIs achieve real-time detection and automatic session suspension?

This is achieved through continuous client-side monitoring to instantly detect indicators of compromise on the customer’s device and immediately trigger the mandated session suspension.

What is the impact on SMS/Email OTPs?

The Notice bans weak SMS/Email OTPs and static passwords. Client-side security is essential to protect the integrity of transaction details displayed on the web page during the shift to phishing-resistant authentication methods.


Disclaimer: PaymentGuard AI supports the implementation of controls and the generation of evidence; your institution remains responsible for regulatory compliance.