Compliance deadline: December 31, 2026

Bangladesh Bank Partner Network Compliance, Delivered.

The BB Partner Network Guideline (BRPD-2 No-01, dated 29 March 2026) requires 61 banks and 100+ financial institutions to implement secure extranet access for all external partners. KaritKarma provides the complete compliance stack: Wenme (identity), Darwan (authorization), and Aegis (fraud detection).

  • 61 scheduled banks
  • 100+ organizations
  • Dec 31, 2026 deadline
  • 8/8 requirements met

What is it

Bangladesh Bank Partner Network Guideline (BRPD-2 No-01, 2026)

The BB Partner Network Guideline (BRPD-2 Circular No-01, dated 29 March 2026) is a regulatory directive from Bangladesh Bank mandating all scheduled banks and financial institutions to establish a secure, centralized extranet -- termed the “Partner Network” -- for managing digital access by external partners.

This directive addresses a critical gap in Bangladesh's financial infrastructure: the absence of standardized, secure connectivity between banks and their growing ecosystem of technology partners. With the rise of mobile financial services (bKash, Nagad, Rocket), payment service providers, fintech companies, and IT vendors requiring real-time access to banking systems, Bangladesh Bank recognized the need for a unified security framework.

The guideline covers eight key compliance areas: strong authentication (section 2.3.1), role-based access control (section 2.3.3), encrypted connectivity (section 3.2.6), audit trails (section 4.1), vulnerability assessment (section 4.3), real-time monitoring (section 5.2), partner classification (section 2.4), and incident response (section 6.1).

Circular Reference: BRPD-2 No-01, 29 March 2026
Issuing Authority: Bangladesh Bank (Central Bank)
Compliance Deadline: December 31, 2026

Scope of compliance

Who needs to comply with BB Partner Network guidelines?

The Bangladesh Bank BRPD-2 Partner Network guideline applies to every financial institution in Bangladesh and its technology ecosystem.

Primary

61 Scheduled Banks

All state-owned, private, foreign, and specialized banks licensed by Bangladesh Bank.

Primary

Non-Bank Financial Institutions

NBFIs with Bangladesh Bank licenses including leasing, investment, and micro-finance companies.

Category A Partner

MFSPs (bKash, Nagad, Rocket)

Mobile financial service providers with direct CBS access and transaction processing capabilities.

Category A Partner

Payment Service Providers

PSPs, payment system operators, and fintech companies with bank system integration.

Category A/B

IT Vendors & Tech Partners

Core banking vendors, ATM service providers, and technology partners with system access.

Category B Partner

Auditors & Regulators

External audit firms and regulatory reporting entities accessing bank networks for oversight.

Requirements mapping

Every BRPD-2 requirement. Mapped to a working product.

Each section of the Bangladesh Bank Partner Network guideline (BRPD-2 No-01, 29 March 2026) maps directly to a KaritKarma product. No custom development needed.

Section 2.3.1

Strong Authentication (OAuth 2.1, PKCE, MFA, WebAuthn)

Wenme

100% passwordless OAuth 2.1 + mandatory PKCE. WebAuthn/FIDO2, TOTP, hardware keys. Sub-100ms P99.

Section 2.3.3

Role-Based Access Control (RBAC) with SoD

Darwan

42 API endpoints. RBAC + ABAC hybrid. Separation of duties, time-bound assignments, access reviews.

Section 3.2.6

Encrypted VPN Tunnels & Network Segmentation

Infrastructure

KaritKarma Tier-3 DC with IPSec/WireGuard. Certificate-based mutual auth. Per-partner segmentation.

Section 4.1

Comprehensive Audit Trail

Darwan + Wenme

Immutable, hash-chained audit logs. Every auth event, every access decision. Tamper-proof, SOC 2 ready.

Section 4.3

Vulnerability Assessment & Penetration Testing

Aegis

3-layer AI fraud cascade. 80+ detection rules. 0.9955 ROC-AUC. Continuous vulnerability monitoring.

Section 5.2

Real-Time Monitoring & Anomaly Detection

Aegis

Sub-50ms fraud scoring. Bangladesh-specific intelligence. Rule engine + ML + deep learning cascade.

Section 2.4

Partner Classification (Category A / Category B)

Darwan

Attribute-based policies differentiate high-risk (Category A) from standard (Category B) partners.

Section 6.1

Incident Response & Notification

Aegis + BitsPath

Automated incident detection + multi-channel alerting (Email, SMS, WhatsApp) via BitsPath CPaaS.

The compliance stack

Three products. Complete BB Partner Network compliance.

Instead of building identity, authorization, and fraud detection in-house (6-12 months, 3-5 engineers), deploy KaritKarma's battle-tested stack in days.

Wenme

Passwordless Identity

100% passwordless OAuth 2.1 with mandatory PKCE. WebAuthn/FIDO2 passkeys, TOTP, hardware security keys. Sub-100ms P99 latency. Handles section 2.3.1 authentication requirements completely.

  • OAuth 2.1 + mandatory PKCE
  • WebAuthn/FIDO2 passkeys
  • Multi-factor authentication
  • Enterprise SSO (SAML 2.0, OIDC)
  • Immutable auth audit log
  • Sub-100ms P99 response
Covers BRPD-2 sections: Section 2.3.1, Section 4.1

Darwan

Authorization Service

Centralized RBAC + ABAC authorization with 42 API endpoints. Separation of duties enforcement, time-bound role assignments, periodic access reviews. Handles sections 2.3.3 and 2.4 completely.

  • 42 authorization API endpoints
  • RBAC + ABAC hybrid policies
  • Separation of duties (SoD)
  • Time-bound role assignments
  • Category A / B differentiation
  • Tamper-proof audit trail
Covers BRPD-2 sections: Section 2.3.3, Section 2.4, Section 4.1

Aegis

AI Fraud Detection

3-layer AI fraud cascade with 80+ Bangladesh-specific detection rules. Sub-50ms scoring, 0.9955 ROC-AUC. Handles sections 4.3, 5.2, and 6.1 for vulnerability assessment, monitoring, and incident response.

  • 3-layer AI cascade scoring
  • 80+ Bangladesh-specific rules
  • Sub-50ms fraud decisions
  • 0.9955 ROC-AUC accuracy
  • Real-time anomaly detection
  • Automated incident alerting
Covers BRPD-2 sections: Section 4.3, Section 5.2, Section 6.1

Build in-house vs. deploy KaritKarma

Build in-house
  • 6-12 months development time
  • 3-5 senior engineers dedicated
  • OAuth 2.1 + PKCE from scratch
  • RBAC engine with SoD logic
  • ML fraud detection pipeline
  • Ongoing maintenance burden
  • No battle-tested track record
Deploy KaritKarma stack
  • Deploy in days, not months
  • Wenme: 100K+ daily users proven
  • Darwan: 42 endpoints, 4 SDKs (C#/Go/Node/Rust)
  • Aegis: 0.9955 ROC-AUC, 373 tests
  • 15+ years production experience
  • Tier-3 DC, APNIC member (AS 64005)
  • Maintained and updated by KaritKarma
Implementation roadmap

How to achieve BB Partner Network compliance

Seven steps from assessment to certification. Each step maps directly to BRPD-2 No-01 (29 March 2026) requirements.

01

Assess current partner access landscape

Inventory all external partners currently accessing your bank systems. Classify each as Category A (high-risk: CBS access, transaction processing) or Category B (standard: audit, reporting). Document current authentication methods, access controls, and audit capabilities.

02

Deploy centralized identity with Wenme

Integrate Wenme as your centralized identity provider. Wenme provides OAuth 2.1 with mandatory PKCE, WebAuthn/FIDO2 passkeys, multi-factor authentication, and enterprise SSO -- meeting section 2.3.1 of the BRPD-2 guideline. Deployment takes days, not months, with SDKs for React, Next.js, Node.js, Go, and .NET.

03

Implement RBAC and access policies with Darwan

Connect Darwan to Wenme JWTs for authorization. Configure role-based access control with 42 API endpoints covering RBAC, ABAC, separation of duties, time-bound assignments, and periodic access reviews. Darwan satisfies section 2.3.3 with built-in Category A / Category B policy differentiation.

04

Establish encrypted partner connectivity

Set up IPSec or WireGuard VPN tunnels for all partner connections. Configure certificate-based mutual authentication, per-partner network segmentation, and bandwidth policies as required by section 3.2.6. KaritKarma provides Tier-3 data center infrastructure with APNIC-registered IP blocks (AS 64005).

05

Deploy fraud detection and monitoring with Aegis

Activate Aegis for real-time transaction monitoring and anomaly detection. Aegis provides a 3-layer AI cascade (rule engine + machine learning + deep learning) with 80+ Bangladesh-specific detection rules, sub-50ms scoring, and a ROC-AUC of 0.9955 -- meeting sections 4.3 and 5.2.

06

Configure audit trail and incident response

Enable Darwan and Wenme immutable audit logging for all authentication events and access decisions. Configure BitsPath for automated incident notifications via Email, SMS, and WhatsApp. Set up quarterly access reviews for Category A partners and semi-annual reviews for Category B, as required by sections 4.1 and 6.1.

07

Conduct validation testing and submit compliance report

Run end-to-end compliance validation: penetration testing, vulnerability assessment, access control verification, and audit trail integrity checks. Generate compliance documentation mapping each BRPD-2 requirement to your implementation. Submit to Bangladesh Bank before the December 31, 2026 deadline.

Infrastructure

Runs on infrastructure we own. Not rented cloud.

KaritKarma operates a Tier-3 data center as an APNIC member with autonomous system number AS 64005. Your compliance infrastructure runs on hardware we physically control -- critical for Bangladesh Bank's data sovereignty requirements.

  • AS 64005: Autonomous System, APNIC registered
  • Tier-3: Data Center, 99.99% uptime
  • IPv4/v6: Dedicated IP Blocks, not shared hosting
  • 15+: Years Operating, since 2010

Data stays in Bangladesh

All partner authentication, authorization decisions, audit logs, and fraud detection data resides within Bangladesh on KaritKarma-owned infrastructure. This meets Bangladesh Bank's data localization requirements and ensures no sensitive financial data leaves the jurisdiction.

Dhaka DC, Bangladesh-hosted, APNIC member, Own hardware

Frequently asked questions

BB Partner Network compliance questions

What is BB Partner Network guideline 2026?
The BB Partner Network Guideline (BRPD-2 Circular No-01, dated 29 March 2026) is a directive from Bangladesh Bank requiring all 61 scheduled banks and over 100 financial institutions to establish a secure, centralized extranet called the "Partner Network." This network provides controlled digital access for authorized external partners -- including mobile financial service providers (MFSPs), payment service providers (PSPs), fintech companies, IT vendors, auditors, and regulators -- while maintaining strict security, authentication, authorization, and audit trail requirements. Full compliance is mandated by December 31, 2026.
When is the BB Partner Network compliance deadline?
The compliance deadline for the BB Partner Network guideline (BRPD-2 No-01, 29 March 2026) is December 31, 2026. All 61 scheduled banks in Bangladesh must have their Partner Network infrastructure operational by this date. Non-compliance may result in regulatory penalties from Bangladesh Bank.
What are the BB Partner Network security requirements?
The BB Partner Network guideline (BRPD-2 No-01, 2026) mandates multiple security layers: (1) Strong authentication using OAuth 2.1 with PKCE, WebAuthn/FIDO2 passkeys, and multi-factor authentication per section 2.3.1; (2) Role-based access control (RBAC) with granular permissions and separation of duties per section 2.3.3; (3) Encrypted VPN tunnels for all partner connections per section 3.2.6; (4) Comprehensive audit trails with tamper-proof logging per section 4.1; (5) Regular vulnerability assessments and penetration testing per section 4.3; and (6) Real-time monitoring and anomaly detection per section 5.2.
How to comply with Bangladesh Bank BRPD-2 circular?
To comply with the Bangladesh Bank BRPD-2 Partner Network circular, institutions must: (1) Deploy a centralized identity provider supporting OAuth 2.1 + PKCE -- such as Wenme; (2) Implement role-based access control (RBAC) with separation of duties and time-bound permissions -- such as Darwan; (3) Establish encrypted VPN tunnels for all partner connections; (4) Deploy real-time fraud detection and anomaly monitoring -- such as Aegis; (5) Set up comprehensive audit logging with immutable trail; (6) Conduct vulnerability assessments and penetration testing; (7) Classify partners into Category A (high-risk) and Category B (standard) tiers. KaritKarma provides Wenme + Darwan + Aegis as a turnkey compliance stack.
What is Category A and Category B in BB Partner Network?
The BB Partner Network guideline (BRPD-2 No-01, 2026) classifies external partners into two tiers. Category A (high-risk) includes partners with direct CBS access, transaction processing capabilities, or access to sensitive customer data -- such as MFSPs (bKash, Nagad), PSPs, and core banking vendors. Category A partners require enhanced security: hardware security keys, continuous monitoring, shorter session timeouts, and annual penetration testing. Category B (standard) includes partners with limited access -- such as auditors, regulators, and read-only reporting vendors. Category B has standard authentication requirements but still requires MFA and audit logging.
What authentication is required for BB Partner Network?
Per section 2.3.1 of the BB Partner Network guideline (BRPD-2 No-01, 2026), all partner authentication must use: (1) OAuth 2.1 with mandatory PKCE (Proof Key for Code Exchange) for all authorization flows; (2) Multi-factor authentication (MFA) for every partner user; (3) WebAuthn/FIDO2 passkeys or hardware security keys for Category A partners; (4) Session management with configurable timeouts and token rotation; (5) Centralized identity provider with single sign-on capability. Wenme by KaritKarma meets all these requirements natively as a 100% passwordless OAuth 2.1 identity platform with WebAuthn/FIDO2 support.
Do I need RBAC for BB Partner Network compliance?
Yes. Section 2.3.3 of the BB Partner Network guideline (BRPD-2 No-01, 2026) explicitly mandates Role-Based Access Control (RBAC) with: (1) Granular permissions mapped to specific resources and actions; (2) Separation of duties (SoD) to prevent conflict of interest; (3) Principle of least privilege for all partner access; (4) Time-bound role assignments with automatic expiry; (5) Periodic access reviews (quarterly for Category A, semi-annually for Category B); (6) Complete audit trail of all access decisions. Darwan by KaritKarma provides all of this through 42 API endpoints with ABAC, SoD enforcement, and pre-built audit trail integration.
What VPN requirements does BB Partner Network have?
Section 3.2.6 of the BB Partner Network guideline requires all partner connections to traverse encrypted VPN tunnels with: (1) IPSec or WireGuard VPN with AES-256 encryption minimum; (2) Certificate-based mutual authentication; (3) Network segmentation isolating partner traffic from internal banking networks; (4) Per-partner VPN policies with bandwidth and access restrictions; (5) Real-time VPN session monitoring and anomaly detection; (6) Automatic disconnect on policy violation or suspicious activity.
Who needs to comply with BB Partner Network guidelines?
The BB Partner Network guideline (BRPD-2 No-01, 29 March 2026) applies to: (1) All 61 scheduled banks in Bangladesh; (2) Non-bank financial institutions (NBFIs) with Bangladesh Bank licenses; (3) Mobile financial service providers (MFSPs) such as bKash, Nagad, Rocket; (4) Payment service providers (PSPs) and payment system operators; (5) IT vendors and technology partners with bank system access; (6) Auditors and regulatory reporting entities accessing bank networks; (7) Any third party connecting to a bank's digital infrastructure. In total, over 100 organizations across the financial sector must comply.
What is the penalty for non-compliance with BB Partner Network?
While the specific penalty structure under BRPD-2 No-01 (2026) will be detailed in subsequent enforcement circulars, Bangladesh Bank's regulatory framework historically includes: (1) Monetary penalties escalating with severity and duration of non-compliance; (2) Restrictions on new product launches or partner onboarding; (3) Mandatory corrective action plans with supervision; (4) Public disclosure of non-compliant institutions; (5) In severe cases, restrictions on banking licenses or specific operations. Given the December 31, 2026 deadline, institutions should begin compliance immediately to avoid last-minute regulatory risk.
Summary in Bengali

Bangladesh Bank Partner Network Guideline 2026

Under Bangladesh Bank BRPD-2 Circular No-01 (dated 29 March 2026), all scheduled banks and financial institutions in the country must establish a secure, centralized extranet -- referred to as the “Partner Network”. Through this network, mobile financial service providers (bKash, Nagad, Rocket), payment service providers, fintech companies, IT vendors, auditors, and regulatory bodies will receive controlled digital access.

Compliance deadline: December 31, 2026. The country's 61 scheduled banks and 100+ financial institutions must have their Partner Network infrastructure operational by this deadline.

KaritKarma's solution: Wenme (identity verification), Darwan (authorization and access control), and Aegis (AI-based fraud detection) -- together these three products meet all eight requirements of the BRPD-2 guideline. Because the stack runs on KaritKarma's own infrastructure (Tier-3 data center, APNIC member, AS 64005), all data stays in Bangladesh.

8 months remaining

December 31, 2026 is closer than you think.

61 banks. 100+ organizations. One deadline. Start your BB Partner Network compliance assessment today. KaritKarma's compliance team will map your current infrastructure to BRPD-2 requirements and deliver a deployment plan.