3 compliance deadlines in 2026

Bangladesh Bank Compliance Solutions.

19 regulatory frameworks. One technology partner. Every scheduled bank, NBFI, MFSP, PSP, and IT vendor serving them falls under at least one of these frameworks. From Bangla QR criminal penalties to PDPO data localization -- KaritKarma delivers turnkey compliance stacks that map requirement-by-requirement to Bangladesh Bank circulars.

19 BB circulars
150+ institutions
4 deadlines 2026-27
100% requirements met
Compliance areas

Every regulation. Mapped to working products.

Each Bangladesh Bank circular maps directly to KaritKarma products. No custom development needed. Deploy in days, not months.

Clause-level platform mapping

19 frameworks. Line-by-line to our products.

We map our platform capabilities to specific regulatory clauses, not to generic framework readiness. The table below lists every Bangladesh Bank-issued framework that touches bank IT and shows which of Wenme, Darwan, Aegis, or another KaritKarma product helps satisfy it.

Full coverage -- native capability that directly fulfils the clause
Partial coverage -- requires configuration or a co-deployed product
Out of scope -- framework applies to the bank's internal operations, not a vendor product
Footnoted -- circular number and current status need compliance-officer verification
| Framework | Circular | Key clauses / scope | Wenme | Darwan | Aegis | Other products |
|---|---|---|---|---|---|---|
| Bangla QR | BPSS / NPSD circular, 2026 | Unified EMV-QR standard. All proprietary QR codes must be replaced with Bangla QR by June 30, 2026. Criminal penalties under the Payment Systems Act. | Out of scope | Out of scope | Out of scope | LoneSock Pay + IntraPay QR switching |
| Cyber Security Framework v1.0 | | 7-pillar framework: governance, IAM/MFA, network + endpoint, appsec, SIEM, 72-hr incident response, third-party risk. Mandatory by Dec 31, 2026. | MFA + OAuth 2.1 + WebAuthn (Pillar 2) | RBAC + SoD + audit (Pillar 2, 7) | SIEM + AI threat detection (Pillar 5) | BitsPath 72-hr incident alerts |
| BB Partner Network Guideline | BRPD-2 No-01, 29 Mar 2026 | Secure centralized extranet for all external partners of scheduled banks. OAuth 2.1 authentication, RBAC, encrypted VPN, audit trails, fraud monitoring. | OAuth 2.1 partner auth | Partner RBAC + audit trail | Partner traffic monitoring | PV encrypted partner data |
| Personal Data Protection Ordinance (PDPO) | PDPO Act, 2025 (effective May 2027) | Bangladesh's first comprehensive data protection law. Data localization, consent, breach notification, right to erasure. Applies to ALL data controllers. | Consent + identity records | Access audit + purpose binding | Breach anomaly detection | Professional Vault DC localization |
| ICT Security Guideline v4.0 | BB ICT Guideline v4.0 | Foundational ICT security controls for scheduled banks: network, endpoint, application, access, and incident management. Superseded in part by CSF v1.0 but still referenced. | Centralized identity + MFA | Access management + audit | Log aggregation + detection | Out of scope |
| Guidelines on ICT Security for Scheduled Banks and Financial Institutions | BRPD, foundational | Umbrella ICT-risk guideline covering governance, policy, physical + logical security, and outsourcing for scheduled banks and NBFIs. | Logical access controls | Policy + SoD + audit | Security monitoring | Out of scope |
| Guidelines on Cloud Computing | BRPD cloud circular | Risk, data-residency, exit, and control requirements for banks using public / private / hybrid cloud. Data must stay in Bangladesh for regulated workloads. | Sovereign identity | Cloud access policy | Cloud log monitoring | APNIC-member Dhaka DC |
| Cyber Incident Reporting Framework | BB incident reporting circular | Mandatory reporting of cyber incidents to Bangladesh Bank within defined windows (72 hours for significant events). Standard incident taxonomy. | Identity-event feed | Tamper-evident audit trail | Incident detection + correlation | BitsPath 72-hr notification |
| Outsourcing Guidelines (BRPD) | BRPD outsourcing circular | Vendor due-diligence, contract, oversight, and exit-plan requirements when banks outsource IT or business functions. | Vendor SSO federation | Vendor ABAC + access review | Vendor activity monitoring | Out of scope |
| Business Continuity Management (BCM) Guidelines | BB BCM guideline | BCP/DR planning, RTO/RPO targets, annual testing, and crisis-communication requirements for banks and financial institutions. | DR-paired identity | DR-paired authZ | Failover monitoring | Out of scope |
| Vulnerability Assessment & Penetration Testing (VAPT) | BB VAPT requirement | Mandatory annual VAPT, quarterly vulnerability scans, remediation SLAs, and reporting to Bangladesh Bank for all critical systems. | Pen-test-ready identity | Least-privilege enforcement | Exploit-attempt detection | Out of scope |
| Data Classification & Handling | Sub-guideline under ICT Security | Classification tiers (Public/Internal/Confidential/Restricted), encryption-in-transit + at-rest, DLP, and handling rules per tier. | Attribute-tagged identity | ABAC on classification tags | Exfiltration detection | PV encrypted storage |
| Access Management & Privileged Access | Sub-guideline under ICT Security | Least-privilege, JIT elevation, PAM for administrative accounts, quarterly access reviews, and full session recording for privileged use. | WebAuthn for privileged access | JIT RBAC + access review | Privileged-session anomaly | Out of scope |
| Audit Trail & Log Retention | Sub-guideline under ICT Security | Immutable audit trails on all security-relevant events, minimum retention (typically 90 days online + multi-year archive), centralized log aggregation. | Auth event log | Authorization decision log | Central SIEM + retention | PV long-term archive |
| Multi-Factor Authentication Mandate | BB MFA directive | MFA required for all customer-facing banking, internet banking, mobile banking, and privileged admin access. Strong customer authentication for high-value transactions. | MFA enforcement + audit log | Step-up authZ policies | Auth-abuse detection | Out of scope |
| e-KYC Guidelines | BB e-KYC circular | Electronic KYC using NID verification, liveness checks, risk-tiered onboarding, and periodic re-KYC. Digital onboarding for banks, MFS, and financial products. | Verified identity attributes | KYC-tier-aware access | Synthetic-identity + liveness fraud | Out of scope |
| Digital Financial Services (DFS) Guidelines | BB DFS guideline | Prudential and operational requirements for MFS, PSPs, and digital banks: licensing, consumer protection, interoperability, transaction limits. | DFS consumer identity | DFS role model | Transaction fraud scoring | LoneSock Pay DFS rails |
| AML/CFT - BFIU Circulars | BFIU circulars (various) | KYC, sanctions screening, transaction monitoring, STR/SAR reporting, sanctions list updates. Applies to all reporting organizations. | KYC-bound identity | Segregation of AML duties | Transaction monitoring + STR triage | Out of scope |
| Customer Interest Protection (CIPC) | BB Customer Interest Protection Centre circulars | Grievance redressal, service-standard disclosures, complaint SLAs, and consumer-protection audits for banks and DFS providers. | Authenticated complainant | Grievance access controls | Out of scope | BitsPath grievance channel |


Circulars marked as footnoted are widely recognised Bangladesh Bank guidelines whose current circular number, version, or enforcement date should be confirmed with a compliance officer before being quoted in an audit response. KaritKarma tracks the canonical source for each row and updates this mapping as BB issues revisions.

Compliance bundles

Pre-configured stacks. Immediate compliance.

Instead of assembling point solutions, deploy a pre-integrated compliance stack. Each product is already connected to the others.

BB Compliance Suite

Core compliance stack covering authentication, authorization, and fraud detection. Meets Partner Network, Cyber Security Framework, and ICT Security requirements.

Wenme -- Identity & MFA: OAuth 2.1 + PKCE, WebAuthn/FIDO2, passwordless

Darwan -- Authorization & Audit: 42 endpoints, RBAC + ABAC, SoD, audit trails

Aegis -- Fraud Detection & SIEM: 3-layer AI cascade, 80+ rules, sub-50ms scoring

Covers: Partner Network, Cyber Security Framework, ICT Security v4.0

Digital Bank Stack

Full technology stack for banks undertaking digital transformation while meeting all regulatory requirements simultaneously.

Wenme + Darwan + Aegis -- Security Layer: authentication, authorization, fraud detection

BitsPath -- Communications: 72-hour incident reporting, customer notifications

LoneSock Pay + IntraPay -- Payments: Bangla QR, domestic switching, payment processing

Professional Vault -- Data Protection: encrypted storage, data localization, PDPO compliance

Covers: All BB regulations, PDPO 2025, Bangla QR, AML/CFT

Infrastructure

Data sovereignty is not optional.

PDPO 2025 mandates data localization. Bangladesh Bank requires domestic data processing. KaritKarma operates a Tier-3 data center as an APNIC member -- all compliance data stays in Bangladesh on hardware we physically own.

AS 64005 -- Autonomous System, APNIC registered
Tier-3 Data Center -- 99.99% uptime
IPv4/v6 Dedicated IP Blocks -- not shared hosting
15+ Years Operating -- since 2010

Data stays in Bangladesh

Authentication logs, authorization decisions, audit trails, fraud detection data, and customer PII -- all stored in Bangladesh on KaritKarma-owned infrastructure. Meets both PDPO 2025 data localization and Bangladesh Bank data sovereignty requirements.

Dhaka DC, APNIC member, own hardware, PDPO compliant

Frequently asked questions

Bangladesh Bank compliance questions

What Bangladesh Bank compliance deadlines are coming in 2026-2027?
There are four major Bangladesh Bank compliance deadlines approaching: (1) Bangla QR mandatory adoption -- June 30, 2026, with criminal penalties of BDT 30 lakh fine and up to 3 years imprisonment; (2) BB Cyber Security Framework v1.0 -- December 31, 2026, mandatory for all banks and financial institutions; (3) BB Partner Network (BRPD-2 No-01) -- December 31, 2026, mandatory for 61 banks and 100+ organizations; (4) PDPO 2025 (Personal Data Protection Ordinance) -- enforcement expected May 2027, applicable to all organizations processing personal data in Bangladesh.
How can KaritKarma help with Bangladesh Bank regulatory compliance?
KaritKarma provides turnkey compliance solutions mapping directly to Bangladesh Bank regulatory requirements. The BB Compliance Suite includes Wenme (identity and authentication -- meets MFA, OAuth 2.1, WebAuthn requirements), Darwan (authorization and access control -- meets RBAC, separation of duties, audit trail requirements), and Aegis (AI fraud detection -- meets SIEM, monitoring, incident reporting requirements). Additionally, BitsPath provides 72-hour incident notification capability, Professional Vault handles encrypted data storage, and LoneSock Pay with IntraPay address Bangla QR payment requirements.
What are the penalties for non-compliance with Bangladesh Bank regulations?
Penalties vary by regulation. Bangla QR non-compliance carries the strictest penalties: up to BDT 30 lakh (approximately $27,000) fine and imprisonment of up to 3 years under the Payment Systems Act. PDPO 2025 violations carry penalties of 1-5% of annual turnover. Partner Network and Cyber Security Framework non-compliance may result in monetary penalties, restrictions on banking operations, mandatory corrective action plans, and in severe cases, license restrictions from Bangladesh Bank.
Which organizations need to comply with Bangladesh Bank regulations?
The scope varies by regulation: BB Partner Network applies to 61 scheduled banks, NBFIs, MFSPs (bKash, Nagad, Rocket), PSPs, and IT vendors -- over 100 organizations. The Cyber Security Framework applies to all banks, NBFIs, MFSPs, and PSOs. Bangla QR applies to all payment service providers, banks, and MFS operators. PDPO 2025 applies to ALL organizations (not just financial) processing personal data of Bangladesh citizens. Combined, these regulations affect 150+ institutions directly.
Time is running out

3 deadlines in 2026. Are you ready?

Bangla QR criminal penalties start June 30. Cyber Security Framework and Partner Network deadlines follow December 31. KaritKarma's compliance team is ready to assess your gaps and deliver solutions.