Regulatory Playbook: Bangladesh

Owner	Classification	Review Date	Status
Compliance & Regulatory	Confidential	April 2027	Active

Regulatory Playbook: Bangladesh

Field	Value
Market	Bangladesh (BD)
Regulator	Bangladesh Bank (BB)
Status	Draft — requires local compliance review
Owner	Country Manager BD / CDO
Created	2026-04-05
Review	Semi-annually
Reference	Cross-Border Compliance Framework

Purpose

This is the operational playbook for Simpaisa's Bangladesh operations. The Cross-Border Compliance Framework defines what the law requires. This playbook defines what we actually do: who is responsible, what processes run, what reporting is due, and what happens when something goes wrong.

Bangladesh requires both a PSP licence and an MFS licence (where mobile financial services are offered). The BFIU acts as the financial intelligence unit for AML/CFT matters. ICT Security Guideline v4.0 (2023) imposes comprehensive technology and security requirements on all financial institutions.

Regulatory Landscape

Dimension	Requirement	Source
Primary licence	PSP Licence under Bangladesh Payment and Settlement Systems Regulations 2014. MFS Licence under MFS Regulations 2022 (requires scheduled commercial bank or financial institution as equity partner).	BPSS Regulations 2014, MFS Regulations 2022
AML/KYC	Full CDD for merchants. EDD for high-risk transactions. Agent sensitisation on AML/CFT risks required. PEP and sanctions screening.	Money Laundering Prevention Act 2012 (MLPA), Anti-Terrorism Act 2009, BFIU circulars
Data localisation	All financial data must be stored within Bangladesh. All manufactured, collected, and processed data must be stored inside the country.	BB ICT Security Guideline v4.0 (2023), MFS Regulations 2022
Encryption	Data at rest and in transit must be encrypted per ICT Security Guideline v4.0.	BB ICT Security Guideline v4.0 (2023)
PII handling	Personal data governed by Digital Security Act 2018. Cross-border transfer restricted by data localisation mandate.	Digital Security Act 2018, ICT Security Guideline v4.0
Transaction limits	Per Bangladesh Bank tier structure for MFS providers. Threshold amounts trigger real-time reporting.	MFS Regulations 2022
Reporting	STR/SAR filing with BFIU. Monthly reporting to BB Payment Systems Department. Real-time reporting for transactions exceeding threshold amounts.	MLPA 2012, BPSS Regulations 2014
Audit	Annual external audit. BB on-site inspection at any time. IS audit per ICT Security Guideline v4.0.	BPSS Regulations 2014, ICT Security Guideline v4.0
Incident reporting	Significant incidents to Bangladesh Bank within 24 hours. AML-related breaches to BFIU immediately. ICT Security Guideline requires immediate incident reporting to BB.	BB ICT Security Guideline v4.0, BFIU circulars

Current Compliance Status

Requirement	Status	Gap	Risk
PSP / MFS Licence	Active	None	—
AML/KYC processes	Partially compliant	CDD processes undocumented. KYC workflow exists but not aligned to latest BFIU circulars. Agent AML/CFT sensitisation not evidenced.	HIGH
Data localisation	Partially compliant	Transaction data on AWS RDS (region unconfirmed). Cross-border data flow documentation missing. ICT Guideline v4.0 mandates all data stored in-country.	HIGH
Encryption at rest	Non-compliant	PII stored in plain text (SECURITY-ARCHITECTURE.md, Finding R2). ICT Security Guideline v4.0 requires encryption.	CRITICAL
Encryption in transit	Compliant	TLS 1.2+ for all external communications.	—
Transaction monitoring	Partially compliant	Rule-based monitoring exists. No automated STR/SAR generation. Real-time reporting for threshold transactions not implemented.	MEDIUM
Incident reporting to BB	Unknown	No documented process for BB notification within 24 hours or BFIU immediate notification.	HIGH
Annual audit	Unknown	Audit history not documented in Architecture repo.	MEDIUM
Request signing	Non-compliant	Pay-Ins has no request signing (SECURITY-ARCHITECTURE.md, Finding 1).	CRITICAL
Rate limiting	Non-compliant	No documented rate limiting (SECURITY-ARCHITECTURE.md, Finding 5). ICT Security Guideline v4.0 requires robust IT infrastructure controls.	HIGH
Customer fund segregation	Unknown	MFS Regulations 2022 require customer funds in trust account. Status not documented.	HIGH

Operational Processes

1. Merchant Onboarding (Bangladesh)

MERCHANT ONBOARDING FLOW (BD)
─────────────────────────────────────────────────────

  Application      CDD/KYC         Technical        Go-Live
  ──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐
  │ Merchant │──▶│ Identity │──▶│ API Key  │──▶│ Live     │
  │ applies  │   │ verified │   │ Sandbox  │   │ traffic  │
  │          │   │ Docs     │   │ Testing  │   │          │
  └──────────┘   │ checked  │   │ Webhook  │   └──────────┘
                 └──────────┘   │ config   │
                                └──────────┘

  Owner: Commercial (BD)    Compliance (BD)     Engineering     Operations (BD)
  SLA:   2 business days    5 business days     3 business days  1 business day
  Total: 11 business days target

Required documents for CDD (Bangladesh):

• Trade Licence issued by City Corporation / Municipality

• Company registration certificate (RJSC)

• TIN (Tax Identification Number) certificate

• National ID (NID) of directors

• Bank account verification letter

• Beneficial ownership declaration (>25% shareholders)

• Board resolution authorising payment services engagement

Enhanced Due Diligence triggers:

• Monthly volume exceeding Bangladesh Bank threshold amounts

• High-risk merchant category (gambling, crypto, precious metals)

• PEP (Politically Exposed Person) as beneficial owner

• Adverse media screening hit

• Agent-based distribution (per BFIU sensitisation requirements)

2. Transaction Monitoring

Check	Frequency	Threshold	Action
Velocity check	Real-time

100 transactions/minute per merchant

| Alert + temporary hold
Amount anomaly| Real-time|

3x average daily volume

| Alert + manual review
Threshold reporting| Real-time| Transactions exceeding BB-prescribed threshold| Real-time report to BB
New merchant spike| Daily|

10x first-day average within first 30 days

| Manual review
Dormant reactivation| On event| No transactions > 90 days, then sudden high volume| Manual review + re-KYC
STR screening| Daily batch| Rule-based pattern matching against BFIU typologies| STR filed with BFIU within 3 business days if confirmed

STR filing process:

1. Alert generated by monitoring system or flagged by operations staff.

2. Compliance Officer (BD) reviews within 24 hours.

3. If suspicious: STR prepared using BFIU prescribed format.

4. STR filed with Bangladesh Financial Intelligence Unit (BFIU) within 3 business days.

5. Internal record retained for 5 years minimum.

6. No tipping-off: merchant not informed of STR filing.

3. Incident Response (Bangladesh-Specific)

In addition to the global Incident Response Playbook (Standards/INCIDENT-RESPONSE-PLAYBOOK.md):

Requirement	SLA	Owner
BB notification for significant incidents affecting payment systems	Within 24 hours of detection	Country Manager BD + CDO
BFIU notification for AML-related breaches	Immediate notification	Country Manager BD + Compliance BD
BB ICT incident reporting per Guideline v4.0	Immediate reporting to BB	Country Manager BD + CDO
BB ad-hoc inspection response	Immediate cooperation	Country Manager BD

BB notification template:

TO: Payment Systems Department, Bangladesh Bank
FROM: Simpaisa Bangladesh — PSP Licence No: [XXXX]
DATE: [YYYY-MM-DD]
SUBJECT: Security Incident Notification — [Brief Description]

1. Nature of incident: [description]
2. Date/time detected: [timestamp]
3. Systems affected: [list]
4. Customer impact: [number affected, data exposed if any]
5. Containment actions taken: [list]
6. Root cause (preliminary): [if known]
7. Estimated resolution: [timeline]
8. Contact for follow-up: [name, phone, email]

4. Data Localisation

Current architecture (non-compliant):

• Single AWS RDS instance. Region not documented as Bangladesh-local.

• Transaction data may traverse UAE or other regions.

• ICT Security Guideline v4.0 mandates all financial data stored within Bangladesh.

Target architecture (per Data Architecture, DA-06):

• Primary transaction data resides in-country (local DC or approved Bangladesh infrastructure).

• Only aggregated/anonymised data flows to UAE for group reporting.

• Cross-border transfer prohibited for raw transaction and MFS data.

Action items:

1. Confirm current RDS region. If not Bangladesh-local, initiate migration plan.

2. Document all cross-border data flows with data classification.

3. Implement column-level encryption for PII before any data leaves Bangladesh.

4. Verify compliance with ICT Security Guideline v4.0 data storage requirements.

5. Reporting Calendar

Report	Frequency	Due Date	Recipient	Owner
Monthly transaction summary	Monthly	10th of following month	BB Payment Systems Dept	Operations BD
Real-time threshold reports	Real-time	On occurrence	BB Payment Systems Dept	Operations BD
Suspicious Transaction Reports	As needed	Within 3 business days of confirmation	BFIU	Compliance BD
Annual compliance report	Annually	Q1 of following year	BB	Compliance BD + CDO
External audit report	Annually	Per BB-specified timeline	BB	Finance + CDO
IS audit per ICT Guideline v4.0	Annually	Per BB framework timeline	BB	CDO
AML/KYC programme review	Annually	Per MLPA requirements	Internal + BB on request	Compliance BD
Annual audited financial statements	Annually	Per BB schedule	BB	Finance

6. Key Contacts

Role	Responsibility	Name
Country Manager BD	Overall Bangladesh operations, BB relationship	TBD
Compliance Officer BD	AML/KYC, STR filing, regulatory reporting, BFIU liaison	TBD
Operations Lead BD	Transaction monitoring, merchant support	TBD
CDO	Technology, security, data architecture decisions	Daniel O'Reilly

Remediation Priorities

Based on the compliance status assessment above:

Priority	Item	Risk	Owner	Target
1	PII encryption at rest	CRITICAL	CDO	Q2 2026
2	Pay-In request signing	CRITICAL	CDO	Q2 2026
3	Data localisation — confirm region and migrate if required	HIGH	CDO + Country Mgr BD	Q2 2026
4	BB incident notification process	HIGH	Country Mgr BD	Q2 2026
5	Rate limiting implementation	HIGH	CDO	Q3 2026
6	CDD process documentation aligned to BFIU circulars	HIGH	Compliance BD	Q2 2026
7	Customer fund segregation verification (MFS trust account)	HIGH	Finance + Country Mgr BD	Q2 2026
8	Automated STR generation	MEDIUM	CDO + Compliance BD	Q3 2026

Connection to Strategy

This playbook directly supports:

• SG1 (Operational Excellence): documented processes, incident response SLAs

• SG4 (Market Expansion): Bangladesh as a key growth market requiring full regulatory alignment. ICT Security Guideline v4.0 compliance is a prerequisite for continued operations.

• Foundational Support #5 (Standardised global network): Bangladesh follows the Pakistan playbook template for consistency across the group