# Regulatory Playbook: Bangladesh
| Field | Value |
|---|---|
| Market | Bangladesh (BD) |
| Regulator | Bangladesh Bank (BB) |
| Status | Draft — requires local compliance review |
| Owner | Country Manager BD / CDO |
| Created | 2026-04-05 |
| Review | Semi-annually |
| Reference | Cross-Border Compliance Framework |
## Purpose
This is the operational playbook for Simpaisa's Bangladesh operations. The Cross-Border Compliance Framework defines what the law requires. This playbook defines what we actually do: who is responsible, what processes run, what reporting is due, and what happens when something goes wrong.
Bangladesh requires both a PSP licence and an MFS licence (where mobile financial services are offered). The BFIU acts as the financial intelligence unit for AML/CFT matters. ICT Security Guideline v4.0 (2023) imposes comprehensive technology and security requirements on all financial institutions.
## Regulatory Landscape
| Dimension | Requirement | Source |
|---|---|---|
| Primary licence | PSP Licence under Bangladesh Payment and Settlement Systems Regulations 2014. MFS Licence under MFS Regulations 2022 (requires scheduled commercial bank or financial institution as equity partner). | BPSS Regulations 2014, MFS Regulations 2022 |
| AML/KYC | Full CDD for merchants. EDD for high-risk transactions. Agent sensitisation on AML/CFT risks required. PEP and sanctions screening. | Money Laundering Prevention Act 2012 (MLPA), Anti-Terrorism Act 2009, BFIU circulars |
| Data localisation | All financial data must be stored within Bangladesh. All manufactured, collected, and processed data must be stored inside the country. | BB ICT Security Guideline v4.0 (2023), MFS Regulations 2022 |
| Encryption | Data at rest and in transit must be encrypted per ICT Security Guideline v4.0. | BB ICT Security Guideline v4.0 (2023) |
| PII handling | Personal data governed by Digital Security Act 2018. Cross-border transfer restricted by data localisation mandate. | Digital Security Act 2018, ICT Security Guideline v4.0 |
| Transaction limits | Per Bangladesh Bank tier structure for MFS providers. Threshold amounts trigger real-time reporting. | MFS Regulations 2022 |
| Reporting | STR/SAR filing with BFIU. Monthly reporting to BB Payment Systems Department. Real-time reporting for transactions exceeding threshold amounts. | MLPA 2012, BPSS Regulations 2014 |
| Audit | Annual external audit. BB on-site inspection at any time. IS audit per ICT Security Guideline v4.0. | BPSS Regulations 2014, ICT Security Guideline v4.0 |
| Incident reporting | Significant incidents to Bangladesh Bank within 24 hours. AML-related breaches to BFIU immediately. ICT Security Guideline requires immediate incident reporting to BB. | BB ICT Security Guideline v4.0, BFIU circulars |
## Current Compliance Status
| Requirement | Status | Gap | Risk |
|---|---|---|---|
| PSP / MFS Licence | Active | None | — |
| AML/KYC processes | Partially compliant | CDD processes undocumented. KYC workflow exists but not aligned to latest BFIU circulars. Agent AML/CFT sensitisation not evidenced. | HIGH |
| Data localisation | Partially compliant | Transaction data on AWS RDS (region unconfirmed). Cross-border data flow documentation missing. ICT Guideline v4.0 mandates all data stored in-country. | HIGH |
| Encryption at rest | Non-compliant | PII stored in plain text (SECURITY-ARCHITECTURE.md, Finding R2). ICT Security Guideline v4.0 requires encryption. | CRITICAL |
| Encryption in transit | Compliant | TLS 1.2+ for all external communications. | — |
| Transaction monitoring | Partially compliant | Rule-based monitoring exists. No automated STR/SAR generation. Real-time reporting for threshold transactions not implemented. | MEDIUM |
| Incident reporting to BB | Unknown | No documented process for BB notification within 24 hours or BFIU immediate notification. | HIGH |
| Annual audit | Unknown | Audit history not documented in Architecture repo. | MEDIUM |
| Request signing | Non-compliant | Pay-Ins has no request signing (SECURITY-ARCHITECTURE.md, Finding 1). | CRITICAL |
| Rate limiting | Non-compliant | No documented rate limiting (SECURITY-ARCHITECTURE.md, Finding 5). ICT Security Guideline v4.0 requires robust IT infrastructure controls. | HIGH |
| Customer fund segregation | Unknown | MFS Regulations 2022 require customer funds in trust account. Status not documented. | HIGH |
## Operational Processes
### 1. Merchant Onboarding (Bangladesh)
```
MERCHANT ONBOARDING FLOW (BD)
─────────────────────────────────────────────────────────────────────
   Application         CDD/KYC            Technical          Go-Live
  ┌──────────┐       ┌──────────┐       ┌──────────┐       ┌──────────┐
  │ Merchant │──────▶│ Identity │──────▶│ API Key  │──────▶│ Live     │
  │ applies  │       │ verified │       │ Sandbox  │       │ traffic  │
  │          │       │ Docs     │       │ Testing  │       │          │
  └──────────┘       │ checked  │       │ Webhook  │       └──────────┘
                     └──────────┘       │ config   │
                                        └──────────┘
  Owner:  Commercial (BD)   Compliance (BD)    Engineering         Operations (BD)
  SLA:    2 business days   5 business days    3 business days     1 business day
  Total:  11 business days target
```
Required documents for CDD (Bangladesh):
- Trade Licence issued by City Corporation / Municipality
- Company registration certificate (RJSC)
- TIN (Tax Identification Number) certificate
- National ID (NID) of directors
- Bank account verification letter
- Beneficial ownership declaration (>25% shareholders)
- Board resolution authorising payment services engagement

Enhanced Due Diligence triggers:
- Monthly volume exceeding Bangladesh Bank threshold amounts
- High-risk merchant category (gambling, crypto, precious metals)
- PEP (Politically Exposed Person) as beneficial owner
- Adverse media screening hit
- Agent-based distribution (per BFIU sensitisation requirements)
### 2. Transaction Monitoring
| Check | Frequency | Threshold | Action |
|---|---|---|---|
| Velocity check | Real-time | > 100 transactions/minute per merchant | Alert + temporary hold |
| Amount anomaly | Real-time | > 3x average daily volume | Alert + manual review |
| Threshold reporting | Real-time | Transactions exceeding BB-prescribed threshold | Real-time report to BB |
| New merchant spike | Daily | > 10x first-day average within first 30 days | Manual review |
| Dormant reactivation | On event | No transactions > 90 days, then sudden high volume | Manual review + re-KYC |
| STR screening | Daily batch | Rule-based pattern matching against BFIU typologies | STR filed with BFIU within 3 business days if confirmed |
STR filing process:
1. Alert generated by monitoring system or flagged by operations staff.
2. Compliance Officer (BD) reviews within 24 hours.
3. If suspicious: STR prepared using BFIU prescribed format.
4. STR filed with Bangladesh Financial Intelligence Unit (BFIU) within 3 business days.
5. Internal record retained for 5 years minimum.
6. No tipping-off: merchant not informed of STR filing.
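Added illustration, not Simpaisa code: the velocity, amount-anomaly and dormant-reactivation rules from the monitoring table above, run over a constructed transaction feed. Merchant IDs, amounts, the clock-minute bucketing for velocity and the use of the 3x multiplier to define "sudden high volume" after a dormant gap are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Txn = namedtuple("Txn", "merchant ts amount")  # one settled transaction
# Thresholds taken from the monitoring table: >100 tx/min, >3x average daily volume, >90 days dormant.
VELOCITY_LIMIT, ANOMALY_MULTIPLIER, DORMANT_DAYS = 100, 3, 90

def velocity_alerts(txns, limit=VELOCITY_LIMIT):
    """Merchants with more than `limit` transactions inside one clock minute (alert + temporary hold)."""
    counts = defaultdict(int)
    for t in txns:
        counts[(t.merchant, t.ts.replace(second=0, microsecond=0))] += 1
    return sorted({m for (m, _), n in counts.items() if n > limit})

def daily_volume(txns):
    """Per merchant, the list of (day, total amount) pairs in date order."""
    vol = defaultdict(lambda: defaultdict(float))
    for t in txns:
        vol[t.merchant][t.ts.date()] += t.amount
    return {m: sorted(days.items()) for m, days in vol.items()}

def amount_anomalies(txns, multiplier=ANOMALY_MULTIPLIER):
    """(merchant, day) where the day's volume exceeds `multiplier` x the merchant's average over earlier days."""
    flagged = []
    for m, days in daily_volume(txns).items():
        prior = []
        for day, v in days:
            if prior and v > multiplier * sum(prior) / len(prior):
                flagged.append((m, day.isoformat()))
            prior.append(v)
    return flagged

def dormant_reactivations(txns, gap_days=DORMANT_DAYS, multiplier=ANOMALY_MULTIPLIER):
    """Merchants silent for more than `gap_days` whose first day back exceeds `multiplier` x their pre-gap average."""
    flagged = []
    for m, days in daily_volume(txns).items():
        for i in range(1, len(days)):
            pre_gap = [v for _, v in days[:i]]  # volumes of every active day before the gap
            if (days[i][0] - days[i - 1][0]).days > gap_days and days[i][1] > multiplier * sum(pre_gap) / len(pre_gap):
                flagged.append((m, days[i][0].isoformat()))
    return flagged

# Constructed sample feed, not real merchant data: a burst, a volume spike and a dormant return.
BASE = datetime(2026, 4, 1, 9, 0)
SAMPLE = (
    [Txn("M-001", BASE + timedelta(seconds=i % 60), 50.0) for i in range(120)]                      # 120 tx in one minute
    + [Txn("M-002", BASE + timedelta(days=d), 4000.0 if d == 5 else 1000.0) for d in range(6)]      # 1000/day, then 4x
    + [Txn("M-003", BASE + timedelta(days=d), 2000.0 if d == 100 else 500.0) for d in (0, 1, 2, 100)]  # 98-day gap, 4x
)
```

M-003's return day trips both the amount-anomaly and the dormant-reactivation rule, which is the intended behaviour: the dormant rule adds the re-KYC action on top of the manual review.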
### 3. Incident Response (Bangladesh-Specific)
In addition to the global Incident Response Playbook (Standards/INCIDENT-RESPONSE-PLAYBOOK.md):
| Requirement | SLA | Owner |
|---|---|---|
| BB notification for significant incidents affecting payment systems | Within 24 hours of detection | Country Manager BD + CDO |
| BFIU notification for AML-related breaches | Immediate notification | Country Manager BD + Compliance BD |
| BB ICT incident reporting per Guideline v4.0 | Immediate reporting to BB | Country Manager BD + CDO |
| BB ad-hoc inspection response | Immediate cooperation | Country Manager BD |
BB notification template:
```
TO: Payment Systems Department, Bangladesh Bank
FROM: Simpaisa Bangladesh — PSP Licence No: [XXXX]
DATE: [YYYY-MM-DD]
SUBJECT: Security Incident Notification — [Brief Description]

1. Nature of incident: [description]
2. Date/time detected: [timestamp]
3. Systems affected: [list]
4. Customer impact: [number affected, data exposed if any]
5. Containment actions taken: [list]
6. Root cause (preliminary): [if known]
7. Estimated resolution: [timeline]
8. Contact for follow-up: [name, phone, email]
```
### 4. Data Localisation
Current architecture (non-compliant):
- Single AWS RDS instance. Region not documented as Bangladesh-local.
- Transaction data may traverse UAE or other regions.
- ICT Security Guideline v4.0 mandates all financial data stored within Bangladesh.

Target architecture (per Data Architecture, DA-06):
- Primary transaction data resides in-country (local DC or approved Bangladesh infrastructure).
- Only aggregated/anonymised data flows to UAE for group reporting.
- Cross-border transfer prohibited for raw transaction and MFS data.

Action items:
1. Confirm current RDS region. If not Bangladesh-local, initiate migration plan.
2. Document all cross-border data flows with data classification.
3. Implement column-level encryption for PII before any data leaves Bangladesh.
4. Verify compliance with ICT Security Guideline v4.0 data storage requirements.

### 5. Reporting Calendar
| Report | Frequency | Due Date | Recipient | Owner |
|---|---|---|---|---|
| Monthly transaction summary | Monthly | 10th of following month | BB Payment Systems Dept | Operations BD |
| Real-time threshold reports | Real-time | On occurrence | BB Payment Systems Dept | Operations BD |
| Suspicious Transaction Reports | As needed | Within 3 business days of confirmation | BFIU | Compliance BD |
| Annual compliance report | Annually | Q1 of following year | BB | Compliance BD + CDO |
| External audit report | Annually | Per BB-specified timeline | BB | Finance + CDO |
| IS audit per ICT Guideline v4.0 | Annually | Per BB framework timeline | BB | CDO |
| AML/KYC programme review | Annually | Per MLPA requirements | Internal + BB on request | Compliance BD |
| Annual audited financial statements | Annually | Per BB schedule | BB | Finance |
### 6. Key Contacts
| Role | Responsibility | Name |
|---|---|---|
| Country Manager BD | Overall Bangladesh operations, BB relationship | TBD |
| Compliance Officer BD | AML/KYC, STR filing, regulatory reporting, BFIU liaison | TBD |
| Operations Lead BD | Transaction monitoring, merchant support | TBD |
| CDO | Technology, security, data architecture decisions | Daniel O'Reilly |
## Remediation Priorities
Based on the compliance status assessment above:
| Priority | Item | Risk | Owner | Target |
|---|---|---|---|---|
| 1 | PII encryption at rest | CRITICAL | CDO | Q2 2026 |
| 2 | Pay-In request signing | CRITICAL | CDO | Q2 2026 |
| 3 | Data localisation — confirm region and migrate if required | HIGH | CDO + Country Mgr BD | Q2 2026 |
| 4 | BB incident notification process | HIGH | Country Mgr BD | Q2 2026 |
| 5 | Rate limiting implementation | HIGH | CDO | Q3 2026 |
| 6 | CDD process documentation aligned to BFIU circulars | HIGH | Compliance BD | Q2 2026 |
| 7 | Customer fund segregation verification (MFS trust account) | HIGH | Finance + Country Mgr BD | Q2 2026 |
| 8 | Automated STR generation | MEDIUM | CDO + Compliance BD | Q3 2026 |
## Connection to Strategy
This playbook directly supports:
- SG1 (Operational Excellence): documented processes, incident response SLAs.
- SG4 (Market Expansion): Bangladesh as a key growth market requiring full regulatory alignment. ICT Security Guideline v4.0 compliance is a prerequisite for continued operations.
- Foundational Support #5 (Standardised global network): Bangladesh follows the Pakistan playbook template for consistency across the group.