Bangladesh Bank has unveiled a detailed regulatory framework to strengthen the security and reliability of digital communications across the country’s financial sector. The newly issued directive, Guidelines on Partner Network, Version 1.0 (2026), aims to ensure seamless connectivity while safeguarding sensitive financial data in an increasingly digitalised environment.
In a circular released on Sunday, the central bank noted that it is electronically connected with a broad network of licensed institutions. These include scheduled banks, non-bank financial institutions, mobile financial service providers, payment service providers and payment system operators. The central bank also maintains digital links with government agencies to deliver technology-driven public services, making secure connectivity a national priority.
The guideline formalises the use of an extranet-based system known as the “Partner Network”, through which data and operational information are exchanged between the regulator and participating organisations. With cyber threats becoming more sophisticated, the central bank stressed that maintaining uninterrupted, secure and efficient communication channels is now critical for financial stability.

Core Provisions of the Framework

| Component | Description |
|---|---|
| Network Structure | Extranet-based Partner Network for data exchange |
| Participation | Open to all regulated entities subject to compliance |
| Classification | Category-A (high availability with redundancy), Category-B (baseline security with upgrade pathway) |
| Security Controls | Network segregation, firewall zoning, anomaly detection |
| Access Policy | Strict authorisation; internet access prohibited in secure zones |
| System Changes | Mandatory testing, audit trails, rollback mechanisms |
| Remote Connectivity | Encrypted VPN access with authentication and logging |
| Device Standards | Personal devices banned; updated security software required |
| Monitoring | Continuous oversight, vulnerability scans and patching |
| Incident Response | Mandatory reporting with detailed impact assessments |

Under the new policy, organisations are divided into two categories based on their operational resilience. Category-A institutions must maintain both strong security controls and system redundancy to ensure uninterrupted service. Category-B entities are required to meet essential security standards, with encouragement to upgrade to higher resilience over time.
To ensure effective implementation, each participating organisation must appoint a dedicated team or focal point responsible for managing its Partner Network operations. The central bank will oversee compliance and may take action against any entity that fails to meet the prescribed standards.
The framework places particular emphasis on cybersecurity. Institutions must adopt strict network segmentation practices, establish layered firewall protections and continuously monitor systems for unusual activity. Detailed requirements have also been set for change management, ensuring that any system modification is properly documented, tested and reversible in case of failure.
Remote access protocols have been significantly tightened. All external connections must use secure, encrypted virtual private networks that comply with recognised cryptographic standards. Access is restricted to authorised personnel only, and all activities must be logged for audit purposes.
Additionally, organisations are required to maintain robust system hygiene. This includes regular vulnerability assessments, timely software updates, secure configuration of hardware, and the disabling of unnecessary ports and services. The prohibition of personal devices within the network highlights the regulator’s focus on minimising internal security risks.
In cases of system failure or cyber incidents, institutions must promptly inform the central bank, providing comprehensive details on the disruption, its causes and its operational impact. The guideline also mandates formal service agreements and the use of approved network providers, preferably with backup arrangements to ensure continuity.
All relevant institutions have been directed to comply fully with the new guidelines by 31 December 2026, reinforcing the central bank’s commitment to building a secure, resilient and future-ready digital financial infrastructure.
