Card disputes & fund-transfer recalls — how they actually work

Card disputes — auth vs posted, the 60-day window, and what banks won't dispute

Authorisation vs posting

When you (or someone using your card) make a purchase, the merchant first asks your bank for an authorisation — a hold against your available balance. A day or two later, the merchant submits the transaction for settlement and it poststo your statement. Banks sometimes tell customers "we can't dispute it until it posts." That's a defensive default, not always a hard rule. Emirates Islamic, for example, explicitly accepts disputes "once the fraudulent amount [is] authorised even if it is not posted in the card/account statement."

The 60-day window

Most UAE banks require disputes to be submitted within 60 days of the statement date(not the transaction date) — for example Emirates Islamic publishes exactly this. Don't wait. The clock starts the moment you can see the disputed item on your statement.

What banks will not dispute

If a transaction was authenticated by something only you could provide, the bank will usually refuse to dispute it. Emirates Islamic explicitly excludes three: "Chip & PIN — Contactless — Secure transaction approved by using OTP." The reasoning: the bank has cryptographic evidence that you approved it. If your PIN, contactless card, or OTP was used by a scammer, that is treated as fraud against you that you may have facilitated (sometimes called gross negligence) — and you may not be eligible for an automatic refund. You can still file a police report and pursue it as a criminal case.

120-day resolution, possible 30-day provisional credit

Dispute resolution can take up to 120 days. During that time the bank may issue a provisional credit within 30 days of receiving the dispute, while the investigation runs. This credit is temporary — if the investigation finds the transaction was authorised, the bank reverses the credit.

Fund-transfer recalls — three rails, three realities

A "recall" is a request from your bank to another bank to send the money back. What's actually possible depends entirely on which rail the transfer used and where the money is right now.

International transfer (SWIFT / Quick Remit)

• Recall is permitted, but typically only while the transfer is still pending processingat your bank. Once it's left the country, recall depends on the receiving bank and the regulator there.
• Best-effort: the bank does not guarantee success. Mashreq publishes this verbatim: "Bank will make reasonable effort to honor the request but cannot guarantee a successful recall." Charges can apply — Mashreq quotes up to AED 300 per recall request.

AANI / UAEIPP — instant local payments

• AANI is the UAE's instant-payment system. Funds settle in seconds. Once the money is in the beneficiary's account, recall requires the beneficiary's consent and their bank's acknowledgement.Mashreq is explicit: any customer recall request "shall always be subject to the receipt of authorisation/consent for such recall by the beneficiary of such funds, and in addition, the receipt of acknowledgement from the relevant beneficiary bank."
• The CBUAE's Aani Fraud Playbook (published by Aletihad Payments, the operator) explains the recovery reality plainly: "difficult to trace and recover funds due to the speed at which they can move fraudulent funds through the network."
• Move fast.The first hour matters more than the next day. Call your bank's fraud line immediately, freeze your card in the app in parallel, and file an eCrime/Aman report so there is a police case number on record.

UAEFTS local transfer

• For UAEFTS local AED transfers (the rail most corporate / scheduled payments use), a recall is possible once the transfer status is "Processed By Bank," via your bank's online portal with a free-text reason — but again the receiving bank's cooperation determines whether the funds actually come back.
• Batched payments (file uploads, baskets) generally can't be recalled through this self-service flow — you have to call the bank.

Fraud recall vs "wrong account" recall

Same technical mechanism, different legal pressure:

• Fraud recall— you were tricked. A police case number strengthens the recall: the receiving bank is more likely to freeze the funds if there's a criminal investigation. File the police report fast.
• Erroneous (wrong-account) recall— you typed the wrong account number or IBAN. The legal basis is unjust enrichment under UAE Civil Transactions Law — the recipient is obliged to return funds received by mistake. But your bank can't force this; the recipient has to agree (and many do, once their bank asks).

Your rights — what the CBUAE rules actually say

These are paraphrases of clauses in force. They give you a regulatory backstop when a bank tries to push back.

• 24/7 reporting channels. Every licensed financial institution must provide digital and phone channels available 24 hours a day, 7 days a week, to let consumers report loss, theft, fraud, or misuse of accounts or cards.
• 30 business days to report. Consumers must be allowed a minimum of 30 business days to report an unauthorised transaction after they were properly informed of it.
• 30 calendar days to refund. Unauthorised payments must be reimbursed after investigation completes or within 30 calendar days of when the matter was first reported by the consumer or identified by the bank — whichever is shorter. The only carve-out: evidence that the consumer acted fraudulently or with gross negligence.
• Burden of proof. A transaction is presumed authorised if proper and secure validation procedures were applied — unlessthe consumer provides prima facie evidence to establish reasonable doubt that they didn't execute it. That last clause is what disputes hinge on.
• Mandatory complaint resolution route.If the bank can't clearly confirm and document the authorisation and a dispute remains, the complaint must immediately be referred to the complaint resolution mechanism.
• Banks must alert you of fraud attempts. Banks must give customers multiple communication channels through which they can be alerted to attempted fraudulent activity and verify those attempts promptly. They must let you deactivate / reactivate your card. And they must inform you of your contractual rights for reimbursement when unauthorised transactions happen.

Scam patterns the regulator tracks

The CBUAE's Aani Fraud Playbook (v1.0, Sept 2023) names nine fraud typologies banks must monitor on the instant-payment rail. Two are flagged as new threats; three are flagged as expected-increase.

Spot a fake bank SMS in 1 second — the AD- rule

UAE telecom rules require every legitimate marketing SMS to start with the sender code AD-XXXX, where XXXXis the advertiser's name. If a message claiming to be from your bank is sent from a regular mobile number, or the sender name has no AD- prefix, treat it as suspicious by default.

• You also have the right to block marketing SMS by category — banking, real estate, health, education, retail, tourism, charity — through your telco.
• Your telco must provide a spam-reporting facility, usually a short code you can forward suspicious SMS to.

For transactional SMS (one-time-passwords, balance alerts, fraud alerts), banks use their own TDRA-registered sender ID (e.g. FAB, ADCBALERT, EtisalatINF) — not the AD- prefix. If you see AD-Banknameon what looks like a transactional alert (OTP, fraud warning), that's wrong and worth a second look.

What about FRC / ERC?

If you've seen these acronyms — "Fraud Recall Code," "Erroneous Recall Code" — they're internal terms banks use on the bank-to-bank back-channel when one bank asks another to send a payment back. They are not customer-facing terminology. You don't need to mention them to your bank. Saying "please initiate a fraud recall" or "I sent this to the wrong account, can you recall it?" in plain English is exactly what the staff need to hear.

What your bank does need from you, every time:

• The transaction reference number (in your statement / app)
• The date and time
• The beneficiary's account / IBAN / phone (whatever was used)
• A short, factual description of what happened
• If fraud is involved: the police case number once you have one