Fraud, settlement, escrow, MFS bridging. All four on the wires we own.
For banks, MFS operators, NBFIs, and PSPs who need real-time fraud scoring, a sovereign domestic switch, bank-custodial escrow, and an on-prem CBS-to-MFS bridge. All four designed against Bangladesh Bank, BFIU, and PDPO 2025 requirements.
Stack at a glance
- 50ms: Aegis scoring budget
- 91: Aegis fraud rules
- PCI v4.0: IntraPay controls, audit pending
- Tier-1: Bank escrow partner
What is the fintech stack?
Four products, two live, one engineering-complete, one roadmap.
The KaritKarma fintech stack is four products composed for the regulatory and operational reality of Bangladesh financial institutions. Aegis is the real-time fraud detection service (live). IntraPay is the sovereign domestic payment switch (engineering substantially built, BB PSP licence pending). Hold.bd is the bank-custodial escrow service with a tier-1 commercial bank partner (live). FinBridge is the vision-stage on-premises bank-to-MFS bridge (Q4 2026 target, explicitly labelled roadmap).
Every product is designed against the Bangladesh Bank Cyber Security Framework, BB Partner Network (BRPD-2), BFIU AML/CFT, and PDPO 2025, with the clause families documented on our compliance pages. No generic posture claims.
The problem
Bangladesh fintech, fought with imported tools, loses on every front.
Generic fraud SaaS does not see Bangladesh patterns
Hundi corridors, MFS agent split transactions, SIM swap with synthetic identity, dormant-account reactivation, off-hours velocity on national holiday calendars. Western fraud platforms train on Western data and miss every one of these.
Manual review eats the analyst payroll
Banks staff queues of analysts to clear flagged transactions. Aegis is built to clear the bulk of traffic at the rules gate with early exit, reserving human review for the ambiguous cases the deep ensemble cannot resolve alone.
No escrow rail for high-value digital transactions
Share transfers, business acquisitions, broker-mediated deals run on trust and a paper agreement. Hold.bd settles them with bank-custodial deposits, signed KYC agreements, and a formal dispute workflow with mediation and evidence.
Payment fragmentation across providers
bKash, Nagad, Rocket, bank transfer, cards, each with a different API, a different reconciliation cadence, and a different failure mode. IntraPay normalises them behind one ISO 8583 switch with bilateral netting, code-enforced fee splits, and a PCI DSS v4.0 control framework.
The products
Four products. Honest status labels on every one.
Aegis
Real-Time AI Fraud Detection
Real-time 3-layer cascade scoring engineered to a 50ms budget. 91 detection rules across 14 categories, 51 reason codes, Bangladesh-specific intelligence for hundi corridors, SIM swap, and MFS agent fraud. Consortium federated learning in pilot. Live at aegis.karitkarma.com.
IntraPay
Sovereign Interbank Switch
Sovereign domestic payment switch. Rust ISO 8583 switch core, 10 Go services plus a Python ML fraud scorer and a TypeScript merchant API, EMVCo BanglaQR engine, MFS aggregation built for bKash, Nagad, and Rocket (sandbox adapters today). PCI DSS v4.0 control framework implemented, QSA audit pending. BB PSP licence and BIN allocation pending.
Hold.bd
Bank-Custodial Escrow
Bank-custodial escrow for Bangladesh's high-value transactions. Identity-bound deposits, signed agreement at KYC, milestone-based release, a formal dispute workflow with evidence and assigned mediators, and partner-bank trust accounts. Not custodial-bank, bank-custodial.
FinBridge
On-Prem Bank-to-MFS Switch (Roadmap, Q4 2026)
Vision-stage on-premises Digital Payment Switch connecting a bank's core banking system to bKash, Nagad, Rocket, and Upay rails without CBS data leaving the bank's data centre. ISO 8583 plus ISO 20022 bridging. Bank-owned deployment, designed for BB Cyber Security Framework. Q4 2026 target.
Why KaritKarma
Built for the Bangladesh financial system.
Twenty-six years of financial-infrastructure engineering. We know the BB clauses, the BFIU expectations, the MFS agent network behaviour, and the hundi corridors. Imported fraud SaaS does not.
Rules gate with early exit, 50ms budget
The Layer 1 rules gate exits early on clear approve or block decisions; only ambiguous cases reach the fast models and the deep ensemble. The whole cascade is engineered to a 50ms scoring budget, with no foreign cloud round-trip.
91 detection rules, 51 reason codes
14 rule categories covering velocity, geographic, device, AML, account takeover, mule detection, SIM swap, MFS agent fraud, dormant accounts, and cross-channel patterns. Every decision carries a SHAP-mapped reason code with bilingual Bengali and English analyst narratives.
Regulatory compliance built in
Automatic CTR triggering at BDT 10 lakh, structuring detection at 80 to 99 percent of the CTR threshold, SAR at three high-severity rules in seven days, and STR PDF generation. PCI DSS v4.0 control framework on IntraPay with the QSA audit pending.
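The reporting thresholds above, worked through as an added example; this is not Aegis code. The class name, rule IDs, and sample events are constructed. It assumes inclusive band edges, a rolling per-account window, one count per high-severity rule hit, and events that arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CTR_THRESHOLD_BDT = 1_000_000                 # BDT 10 lakh (from the page)
STRUCT_LOW = CTR_THRESHOLD_BDT * 80 // 100    # 80 percent of the CTR threshold
STRUCT_HIGH = CTR_THRESHOLD_BDT * 99 // 100   # 99 percent of the CTR threshold
SAR_HITS, SAR_WINDOW = 3, timedelta(days=7)   # three high-severity hits in seven days

class ComplianceTriggers:
    """Hypothetical evaluator for the thresholds quoted in the text."""

    def __init__(self):
        # account -> timestamps of high-severity rule hits still inside the window
        self._high_hits = defaultdict(deque)

    def evaluate(self, account, amount_bdt, ts, high_severity_rules=()):
        flags = []
        if amount_bdt >= CTR_THRESHOLD_BDT:
            flags.append("CTR")
        elif STRUCT_LOW <= amount_bdt <= STRUCT_HIGH:
            flags.append("STRUCTURING")   # just under the reporting line
        hits = self._high_hits[account]
        hits.extend(ts for _ in high_severity_rules)
        while hits and ts - hits[0] > SAR_WINDOW:
            hits.popleft()                # drop hits older than seven days
        if len(hits) >= SAR_HITS:
            flags.append("SAR")
            hits.clear()                  # assumption: one SAR per burst of hits
        return flags

def run_sample():
    """Replay constructed events and return the flags raised for each."""
    t0 = datetime(2025, 1, 6, 10, 0)
    day = timedelta(days=1)
    events = [
        ("ACC-1", 1_000_000, t0, []),                # at threshold: CTR
        ("ACC-1", 950_000, t0 + day, []),            # inside 80-99 percent band
        ("ACC-1", 995_000, t0 + 2 * day, []),        # above 99 percent, below CTR
        ("ACC-4", 800_000, t0, []),                  # lower band edge
        ("ACC-4", 799_999, t0, []),                  # just below the band
        ("ACC-2", 50_000, t0, ["R-A"]),
        ("ACC-2", 50_000, t0 + 2 * day, ["R-B"]),
        ("ACC-2", 50_000, t0 + 6 * day, ["R-C"]),    # third hit within 7 days
        ("ACC-3", 50_000, t0, ["R-A", "R-B"]),
        ("ACC-3", 50_000, t0 + 8 * day, ["R-C"]),    # earlier hits have expired
    ]
    engine = ComplianceTriggers()
    return [engine.evaluate(*e) for e in events]
```

The 995,000 case shows the gap a literal 80 to 99 percent band leaves just under the CTR threshold, which is worth checking when reviewing any rule set built on these numbers.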
Sovereign, on the wires we own
APNIC AS 64005, Tier-3 data centre in Dhaka, dedicated IPv4 and IPv6 blocks. IntraPay's multi-site failover is designed in. No transaction routing or fraud workload sits on a foreign cloud.
KaritKarma vs the alternatives
What this stack replaces.
Side-by-side against the Western fraud SaaS, the foreign card network, and the bespoke bank-side build that fintech buyers evaluate first.
| Capability | KaritKarma | Imported or in-house |
|---|---|---|
| Real-time fraud scoring with Bangladesh fraud patterns | Aegis | Feedzai, FICO Falcon (generic global) |
| Sovereign domestic payment switch (no foreign cloud) | IntraPay | Visa, Mastercard, foreign-cloud PSPs |
| Bank-custodial escrow on a scheduled commercial bank | Hold.bd | Trust-only, lawyer-held deposits |
| On-prem CBS-to-MFS bridge (CBS data never leaves bank) | FinBridge (Q4 2026 target) | Custom bank-side integration project |
| Clause-level BB Cyber Security Framework mapping | Documented on our compliance pages | Your compliance team reconstructs it |
| Bangladesh holiday calendar in velocity rules | Built in, every release | Custom rules engine work |
Attributed claims: Aegis rule and reason code counts are verified in the Aegis codebase; the 50ms figure is its published scoring budget, not a measured percentile. IntraPay build status and pending items are stated per its codebase (pre-deployment, licence pending). Hold.bd bank-custodial model is verified in the Hold.bd codebase. FinBridge is labelled Q4 2026 roadmap with no shipped tense applied.
Buyer questions
Questions fintech buyers ask first.
Six written answers so the call starts on substance, not discovery.
- What is the KaritKarma fintech stack?
- Four products composed for Bangladesh financial institutions. Aegis is the real-time fraud detection layer (cascade scoring engineered to a 50ms budget, live at aegis.karitkarma.com). IntraPay is the sovereign domestic payment switch (Rust ISO 8583 core, PCI DSS v4.0 control framework with QSA audit pending, engineering substantially built, BB PSP licence pending). Hold.bd is the bank-custodial escrow service on partner-bank trust accounts (live). FinBridge is the vision-stage on-premises bank-to-MFS bridge (Q4 2026 target).
- How does Aegis detect Bangladesh-specific fraud?
- Purpose-built modules: hundi corridor detection across six named high-risk divisions, MFS agent behavioural profiling with float-drain detection, SIM swap risk scoring with a 72-hour window, 128-dimension behavioural DNA profiling per customer, and a Bangladesh holiday calendar (including Eid and Pohela Boishakh) that informs off-hours velocity analysis. These patterns are invisible to Western fraud platforms trained on Western card data.
- What is the Aegis deployment model for banks?
- A lightweight Go connector agent runs inside the bank data centre and streams transactions via encrypted gRPC to the scoring cloud. The bank keeps full control of the core banking system. Shadow mode validation runs in parallel with the existing fraud workflow before cutover. Fully on-premises deployment is available for banks that require it under PDPO 2025 data-localisation rules.
- What is IntraPay's status?
- Engineering is substantially built and pre-deployment: a Rust ISO 8583 card switch, Go services for transactions, tokenization, QR, MFS aggregation, clearing (bilateral netting with code-enforced fee splits) and settlement, an EMVCo BanglaQR engine, a Python ML fraud scorer, and a TypeScript merchant API and SDK. Wenme OAuth 2.1 plus DPoP are declared in the API spec, and Darwan RBAC is seeded with 35 permission keys, 11 roles, and 6 separation-of-duties constraints. The PCI DSS v4.0 control framework is implemented with automated evidence scripts; the QSA audit is pending. Open items: BB PSP licence, BIN allocation, and live pilot integrations with banks and MFS providers (current MFS adapters run against sandboxes).
- What is Hold.bd's regulatory model?
- Hold.bd is bank-custodial, not custodial-bank. Every deposit sits in a partner-bank trust account, identity-bound to the depositor through Wenme sign-in and KYC. The signed escrow agreement (personal or corporate) is generated and executed at KYC time and re-signed when terms change. Both buyer and seller must explicitly accept the escrow, releases are milestone-based with explicit approval, and disputes follow a formal workflow with evidence, an assigned mediator, and recorded resolution outcomes.
- What is FinBridge and when does it ship?
- FinBridge is a vision-stage on-premises Digital Payment Switch that connects a Bangladeshi commercial bank's core banking system to mobile financial service rails (bKash, Nagad, Rocket, Upay) without taking CBS data off-premises. Bank-owned deployment, ISO 8583 plus ISO 20022 message bridging, designed for the BB Cyber Security Framework. Q4 2026 target with a pilot bank. No codebase yet; every shipped-tense claim on the FinBridge product page is labelled vision, design, or roadmap.