Three Letters to Three Regulators
How public cloud actually fits inside the Bangladeshi regulatory frame, written as three pieces of correspondence — to BTRC, to Bangladesh Bank, and to the Data Protection Authority.
This piece is written as three letters because that is, functionally, what public-cloud governance in Bangladesh has become. Each authority asks a different question; each is owed a different answer; and the strongest enterprise posture is one that can produce all three at once without contradicting itself. The letter format is deliberate — much of the substantive guidance in our regulatory environment now arrives via formal correspondence, and the institutions that respond well are the ones whose internal teams can speak each authority’s idiom natively.
Letter one — to the Bangladesh Telecommunication Regulatory Commission
Sir/Madam — the workloads we operate that touch national telecommunications infrastructure or that depend on licensed connectivity will run on BTRC-licensed Cloud Service Providers, in Tier-III certified facilities, under in-country control planes, with named key personnel and annual audit. Where they cannot, we will document the carve-out and its lawful basis.
The BTRC frame is about telecom-grade infrastructure: physical certification, control-plane sovereignty, and the operator’s accountability for who can administer the platform. The expectation is operational, not theoretical. The licensing framework has matured materially in the last three years; what was once a relatively slim set of conditions now runs to several hundred pages of annexes covering facility design, personnel attestation, network topology, and audit process. Institutions that subcontract their cloud-service consumption to BTRC-licensed providers benefit from the licence-holder’s accountability. Institutions that go around the licence for any production workload do so at their own risk.
Letter two — to Bangladesh Bank
To the Honourable Governor — the workloads we operate that touch core banking, the payments switch, customer master records, transaction ledgers, and channel systems will run inside Bangladesh, on infrastructure that maintains the controls listed in the ICT Security Guideline cycle 4.0. Outsourcing arrangements with cloud providers will be specifically authorised, with breach-notification cadences, exit provisions, and audit rights preserved.
The Bangladesh Bank frame is about the prudential safety of the financial system. The Guideline expects evidenced controls, not asserted ones. The breach-notification cadence is hours, not days; the exit provisions exist precisely so the regulator never depends on a single provider remaining available. The Guideline cycles are also predictable — each iteration adds depth in two or three control domains, and the institutions that participate in the consultation phase end up with their feedback reflected in the final document. The institutions that do not participate find themselves rebuilding controls in response to language they could have shaped earlier.
Letter three — to the Data Protection Authority
To the Honourable Chair — personal data of Bangladeshi citizens will remain in country by default. Where we transfer it across borders, we will document the lawful basis. Sensitive categories will receive elevated handling. Our Data Protection Officer is named and reports with structural independence. Our breach response is exercised on a cadence consistent with the Act’s notification window.
The DPA frame is about the citizen’s relationship to their own data. The Act is recent; the expectations are still settling. The institutions that engage early — submitting flow maps, asking clarifying questions, publishing their DPO contact — are the ones whose first formal review goes smoothly. Across the customers we work with, the institutions whose DPO meets quarterly with the regulator have, on average, materially better outcomes when their first material findings arrive than the institutions whose DPO has never introduced themselves.
How the three frames overlap
The three frames are not independent. A single customer-facing banking application will simultaneously sit under BTRC’s connectivity and Tier-III rules, Bangladesh Bank’s ICT 4.0 outsourcing and breach notice, and the DPA’s residency and consent posture. The strongest operational posture is one in which a single control-mapping spreadsheet shows, for every requirement, which authority requires it, which control implements it, and which evidence pipeline produces the audit artefact. We have spent enough time with customers to know that this spreadsheet is the single most-leveraged document the compliance function maintains.
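The control-mapping spreadsheet described above is easiest to keep honest when it is checked by a script rather than by eye. The following is an added example, not code from Cloud Digit or from any of the three regulators: it models requirements, controls and evidence pipelines as plain records and reports the two failure modes a reviewer looks for first, a requirement with no implementing control and a control that is asserted but produces no audit artefact. The requirement texts are paraphrased from the three letters; the identifiers (BTRC-1, CTL-RESIDENCY and so on) are constructed placeholders, not regulatory citations.

```python
"""Control-mapping check: every regulator requirement must map to an implemented
control that has an evidence pipeline. Authorities and requirement wording are
paraphrased from the article's three letters; requirement and control identifiers
are constructed placeholders, not regulatory citations (assumption, not page data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    rid: str        # placeholder id, e.g. "BTRC-1"
    authority: str  # "BTRC", "BB" or "DPA"
    text: str


@dataclass(frozen=True)
class Control:
    cid: str
    description: str
    evidence_pipeline: Optional[str]  # None means the control is asserted, not evidenced


# Constructed sample requirements, paraphrased from the three letters.
REQUIREMENTS = [
    Requirement("BTRC-1", "BTRC", "Workloads run on BTRC-licensed CSPs in Tier-III facilities"),
    Requirement("BTRC-2", "BTRC", "Control plane operated in-country with named key personnel"),
    Requirement("BB-1", "BB", "Core banking and ledgers hosted inside Bangladesh"),
    Requirement("BB-2", "BB", "Breach notification to the regulator within hours"),
    Requirement("BB-3", "BB", "Exit provisions and audit rights preserved in outsourcing contracts"),
    Requirement("DPA-1", "DPA", "Personal data of citizens remains in country by default"),
    Requirement("DPA-2", "DPA", "Breach response exercised within the Act's notification window"),
    Requirement("DPA-3", "DPA", "Named DPO with structural independence"),
]

# Constructed sample controls. CTL-DPO has no evidence pipeline yet, to show that gap.
CONTROLS = {
    "CTL-RESIDENCY": Control("CTL-RESIDENCY", "Region allow-list enforced in landing zone",
                             "monthly region-inventory export"),
    "CTL-CSP-LICENCE": Control("CTL-CSP-LICENCE", "Approved-provider register with licence copies",
                               "quarterly provider register snapshot"),
    "CTL-IR-RUNBOOK": Control("CTL-IR-RUNBOOK", "Incident runbook with regulator notification step",
                              "tabletop exercise minutes"),
    "CTL-CONTRACT": Control("CTL-CONTRACT", "Outsourcing contract template with exit and audit clauses",
                            "signed contract register"),
    "CTL-DPO": Control("CTL-DPO", "DPO appointment letter and reporting line", None),
}

# requirement id -> control ids claimed to implement it. BTRC-2 is left unmapped on purpose.
MAPPING = {
    "BTRC-1": ["CTL-CSP-LICENCE"],
    "BB-1": ["CTL-RESIDENCY"],
    "BB-2": ["CTL-IR-RUNBOOK"],
    "BB-3": ["CTL-CONTRACT"],
    "DPA-1": ["CTL-RESIDENCY"],
    "DPA-2": ["CTL-IR-RUNBOOK"],
    "DPA-3": ["CTL-DPO"],
}


def coverage_report(requirements, controls, mapping):
    """Return requirement ids that are unmapped, mapped to an undefined control,
    or mapped only to controls that produce no audit artefact."""
    report = {"unmapped": [], "unknown_control": [], "unevidenced": []}
    for req in requirements:
        cids = mapping.get(req.rid, [])
        if not cids:
            report["unmapped"].append(req.rid)
            continue
        if any(c not in controls for c in cids):
            report["unknown_control"].append(req.rid)
            continue
        if not any(controls[c].evidence_pipeline for c in cids):
            report["unevidenced"].append(req.rid)
    return report


def shared_controls(requirements, mapping):
    """Controls that satisfy requirements from more than one authority: the overlap
    where one control can be evidenced once and offered to several regulators."""
    authority_of = {r.rid: r.authority for r in requirements}
    by_control = {}
    for rid, cids in mapping.items():
        for cid in cids:
            by_control.setdefault(cid, set()).add(authority_of[rid])
    return {cid: sorted(auths) for cid, auths in by_control.items() if len(auths) > 1}


def spreadsheet_rows(requirements, controls, mapping):
    """Flatten to the four columns the article names: authority, requirement, control, evidence."""
    rows = []
    for req in requirements:
        for cid in mapping.get(req.rid, []) or [None]:
            ctl = controls.get(cid) if cid else None
            evidence = ctl.evidence_pipeline if ctl and ctl.evidence_pipeline else ""
            rows.append((req.authority, req.rid, cid or "", evidence))
    return rows


if __name__ == "__main__":
    print("gaps:", coverage_report(REQUIREMENTS, CONTROLS, MAPPING))
    print("shared:", shared_controls(REQUIREMENTS, MAPPING))
    for row in spreadsheet_rows(REQUIREMENTS, CONTROLS, MAPPING):
        print(*row, sep=" | ")
```

Run against the constructed data, the gap report names BTRC-2 as unmapped and DPA-3 as unevidenced, and the shared-control view shows the residency control and the incident runbook each serving both Bangladesh Bank and the DPA, which is exactly the overlap a single evidence pipeline should be built to exploit. In practice the three tables would be loaded from the spreadsheet itself and the script run on every change.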
Where things go wrong
Source: Cloud Digit advisory engagement composite, 2024–2026.
What the next eighteen months look like
Two trajectories deserve attention. The three authorities increasingly cross-reference each other’s requirements, producing a single control surface that institutions can comply with once. And the guidance is becoming more sector-specific — BB’s notices on cloud outsourcing, the DPA’s draft implementing rules, BTRC’s evolving licensing annexes. The institution that builds a defensible posture for one regulator usually finds the others proportionately easier. Two further developments are likely in the next eighteen months: a thematic review by the DPA on a specific sector (almost certainly digital banking or healthcare), and a refresh of BB’s ICT Guideline that strengthens the cloud-outsourcing provisions further.
The institutional posture that lasts
Three traits show up in the institutions whose regulator-facing posture is durable. The compliance function is staffed at the right seniority to engage authorities directly, not only through external counsel. The data-flow map is updated quarterly, not in panic. And the control-mapping spreadsheet is owned by a named individual whose performance is measured against its accuracy, not its existence.