Bangladesh: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

The Digital Security Act 2018 ('the Digital Security Act') provides general provisions on privacy and data protection in Bangladesh. In addition, the Information & Communication Technologies Act 2006 (only available in Bengali) also deals with data protection in Bangladesh.

Furthermore, Article 43 of the Constitution of the People's Republic of Bangladesh ('the Constitution') provides that:

Every citizen shall have the right, subject to any reasonable restrictions imposed by law in the interests of the security of the State, public order, public morality, or public health:

  • to be secured in their home against entry, search, and seizure; and
  • to the privacy of their correspondence and other means of communication.

Therefore, the State is bound to protect the privacy of citizens; otherwise, the victim has the right to proceed to the High Court Division in accordance with Article 44(1) of the Constitution.

In regard to the financial sector, privacy is mainly regulated by the Central Bank of Bangladesh ('the Bangladesh Bank'). The Bangladesh Bank provides various guidelines and codes of conduct which impose an obligation on banks and financial institutions to uphold customer confidentiality. The restrictions mainly relate to disclosing customer transactions or account-related information to third parties. Currently, there is no law or policy which restricts banks or their officials from disclosing customers' personal data (apart from account transactions) to third-party marketing companies. Relevant legislation, guidelines, and codes of conduct include:

1.2. Supervisory authorities

Regulators and supervisory authorities responsible for enforcing the regulations outlined in the section on legislation above include:

2. Personal and Financial Data Management

The industry-specific laws and regulations mentioned in the section on legislation above govern the collection, processing, and transfer of personal financial data by financial institutions.

2.1. Legal basis for processing

Consent, performance of a contract, legal obligation, legitimate interest, and other legal bases can be used by financial institutions that collect, process, and transfer data.

There is no general data protection law or policy in Bangladesh; however, there are certain regulations, guidelines, and circulars which deal with this issue. Although the requirements as to how customer data can be legitimately collected and processed are not set out in detail, there are guidelines which provide that data handling authorities should not disclose customer data.

As a general rule, under Section 26 of the Digital Security Act, if any person illegally collects, sells, supplies, or uses any personal information without any legal authority, that person shall be liable for up to five years of imprisonment, a fine, or both. So typically, if bank officials illegally sell or supply personal information, they may be held responsible under the Digital Security Act.

Banks, pursuant to Know Your Customer ('KYC') requirements, collect customer data. The law permits collection of customer data but prohibits the disclosure of customer data.

To ensure accountability and the smooth functioning of banks and financial institutions, banks in practice maintain record books. Bangladesh has accordingly enacted a separate law, the Bankers' Books Evidence Act. As per Section 2(1)(l) of the Bankers' Books Evidence Act, bankers' books include the ledger, day-book, cash-book, account book, customer information, deeds, and all other books or records that are used on a daily basis, whether kept in writing or by any electronic means. Section 4 of the Bankers' Books Evidence Act states that the entries and information in bankers' books will be considered prima facie evidence in any legal proceedings. As a result, these entries and information are considered so confidential that they must be protected, and no one can disclose this information except as provided by law. The Bankers' Books Evidence Act therefore prescribes certain permissible areas and conditions under which customer information can be shared (Section 7 of the Bankers' Books Evidence Act), violation of which will result in punishment with imprisonment of either description for a term not exceeding three years, or with a fine not exceeding BDT 1 million (approx. €10,620), or both (Section 8 of the Bankers' Books Evidence Act).

Moreover, the Schedule of the Bankers' Books Evidence Act regulates the proper authorisation of the disclosure of customer information, making clear that an authorised person can only disclose customer information in the areas permitted by law.

Furthermore, by virtue of Rule 5 of the Right to Information Rules, customer data cannot be used for any purpose other than that for which it was collected, disclosed to any authority for any other purpose than that for which it was collected, or disclosed to any third party without customer consent.

Customer data collection is part of the contract that the customer signs with the bank, which allows the bank to collect and process customer information and report to the Bangladesh Bank. Banks are restricted from disclosing a customer's account or transaction-related information to any third party; however, personal data may not qualify as account-related information, which enjoys a protected status.

2.2. Privacy notices and policies

There is no specific requirement to give notice to customers, but all banks must have a privacy policy disclosed on their website. However, Circular No. 2 advises banks to notify the customers.

2.3. Data security and risk management

Banks in Bangladesh are obligated to comply with Basel III for capital adequacy; however, the security of customer data is not monitored by the Bangladesh Bank.

2.4. Data retention/record keeping

As per the MFS Regulations, data must be retained for at least six years from the date of origination.

3. Financial Reporting and Money Laundering

The legal requirements and local rules regarding the collection, processing, storage, and transfer of data for the purposes of customer due diligence, KYC, transaction reporting, and other law enforcement and compliance purposes are provided in the Code of Conduct and a bank's internal processing requirements.

The Code of Conduct provides that banks and financial institutions are authorised to collect documents and information regarding customer due diligence, KYC, and transaction reporting from the customer. In addition, banks, as per their internal processing requirements and agreements with customers, collect and retain the above documents. Some banks also incorporate clauses in the customer agreement to allow them to disclose certain information to their group or parent company.

4. Banking Secrecy and Confidentiality

Bangladesh imposes banking secrecy and confidentiality obligations only to a limited extent.

Under Section 94 of the Criminal Code, no bank or financial institution is authorised to disclose information related to customer accounts to the police or an investigation officer, unless there is an order from the Sessions Court. In any case, the High Court Division can direct the bank to disclose customer account information. In addition, it should be noted that by virtue of Section 12 of the Banking Act, a bank cannot share business information and data outside of Bangladesh without the prior approval of the Bangladesh Bank.

5. Insurance

Not applicable.

6. Payment Services

The Payment Systems Regulation specifically regulates payment service providers. However, it does not outline any data protection provisions.

7. Data Transfers and Outsourcing

As stated in the section on banking secrecy and confidentiality above, Section 12 of the Banking Act provides that cross-border data transfers are subject to the prior approval of the Bangladesh Bank. In addition, as per Circular No. 2, the restriction of certain outsourcing activities by the Bangladesh Bank compounds the protection against customer information leaking to third parties.

Furthermore, as per Rule 5 of the Right to Information Rules, the consent of the customer must be obtained prior to disclosing their personal data.

8. Breach Notification

Not applicable.

9. Fintech

There is no specific guideline regarding fintech (i.e. insurtech, regtech, blockchain, and artificial intelligence) in relation to privacy in Bangladesh. However, Clause 12.2 of the MFS Regulations stipulates that, in order to offer a secure infrastructure for financial transactions using mobile technology, transaction information cannot be viewed by unauthorised persons, thus ensuring that confidentiality is maintained, that transaction information remains intact during transmission and cannot be altered, and that the authentic user has proper permission to perform the particular transaction (authorisation).

10. Enforcement

The Bangladesh Bank has the authority to cancel licences in cases of non-compliance with any directive or guidelines, but this is only in the event of leakage or disclosure of customer information to third parties.

11. Additional Areas of Interest

In light of Clause 34 of the Code of Conduct, the conduct of the employees and representatives of banks and non-banking financial institutions outside the office premises should reflect their place of employment and thus they should take necessary actions to ensure that their behaviour or actions do not compromise the business interests, safety, security and confidentiality of their employment. Therefore, employees must exercise caution while interacting with outside entities so as to not be perceived negatively by the media, society or the communities. In addition, affiliations with certain entities which may result in conflict of interest or disclosure of confidential information should be strictly avoided.

Sakib Sikder, Partner
Jural Acuity, Dhaka