Bangladesh Bank has introduced a comprehensive new framework aimed at strengthening the security, efficiency and resilience of digital communications across the country’s financial ecosystem. The directive, titled Guidelines on Partner Network, Version 1.0 (2026), marks a significant step towards modernising interconnectivity among regulated institutions while addressing emerging cyber risks.
Issued through an official circular on Sunday, the central bank emphasised that it maintains electronic connectivity with a wide range of licensed entities. These include scheduled banks, non-bank financial institutions, mobile financial service providers, payment service providers and payment system operators. In addition, the central bank’s systems are integrated with various government agencies to support IT-enabled public services, underscoring the growing importance of secure digital infrastructure.
At the core of the framework is an extranet-based system known as the “Partner Network”, which facilitates the exchange of financial and operational data between the central bank and participating organisations. Recognising the rapidly evolving technological landscape, the regulator has prioritised uninterrupted connectivity, robust data protection and operational continuity.
Key Features of the New Guidelines

| Area | Key Requirements |
|---|---|
| Connectivity | Secure extranet-based communication with the central bank |
| Eligibility | All licensed and regulated entities may join upon compliance |
| Categorisation | Category-A (high security + redundancy), Category-B (security with optional upgrade path) |
| Network Security | Segregation, firewall zoning, abnormal traffic monitoring |
| Access Control | Restricted to authorised personnel; no internet access in extranet zones |
| Change Management | Documented processes, testing, rollback plans, audit trails |
| Remote Access | VPN-based, encrypted, authenticated and logged connections |
| Device Policy | Ban on personal devices; mandatory antivirus and secure configuration |
| Monitoring | Continuous surveillance, vulnerability testing and patch management |
| Incident Reporting | Mandatory disclosure of disruptions with detailed analysis |

The guideline introduces a structured classification of participating organisations into two tiers. Category-A entities are required to ensure both high-level security and system redundancy, while Category-B entities must meet baseline security standards and are encouraged to upgrade to higher resilience levels over time.
To enhance accountability, each institution must designate a specialised team responsible for managing and monitoring its connection to the Partner Network. The central bank retains authority to identify and flag non-compliance, ensuring that standards are uniformly upheld.
A strong emphasis has been placed on cybersecurity controls. These include strict network segregation, firewall zoning, and real-time monitoring of abnormal system behaviour. The framework also mandates comprehensive change management protocols, requiring institutions to maintain detailed documentation, testing procedures and rollback mechanisms before implementing system changes.
Remote connectivity is another critical focus area. All external access must be secured through encrypted virtual private networks, with stringent authentication and logging requirements. Additionally, the use of personal devices within the network has been expressly prohibited, reflecting heightened concerns over insider and endpoint vulnerabilities.
The guideline further requires organisations to maintain continuous system monitoring, conduct regular vulnerability assessments, and ensure timely software updates. Backup systems, secure configurations and traffic filtering are also mandatory components of the compliance framework.
In the event of any disruption or cyber incident, institutions must promptly report detailed information regarding the cause, impact and affected infrastructure. Service level agreements and the use of approved network providers—preferably with redundancy—are also compulsory.
All relevant institutions have been instructed to fully comply with the new requirements by 31 December 2026, signalling a clear regulatory push towards a more secure and resilient digital financial architecture in Bangladesh.
