Whistleblower Programs in Bangladesh: The Best, Most Practical Guide for Companies in Bangladesh — With Dubai & London Context for Foreign Investors
By TRW Law Firm — Investigations, Compliance & Employment (Dhaka • Dubai • London)
Executive snapshot (read this first)
Whistleblowing is a business control, not just a policy. In Bangladesh, it’s how you catch bribery, procurement collusion, payroll ghosts, bonded-warehouse diversion, harassment, and data leaks before regulators or buyers do.
Bangladesh has a public-interest disclosure law (and sectoral expectations for banks and listed companies) plus serious criminal exposure around corruption and fraud. Treat all reports as legally sensitive and investigation-worthy.
UAE & UK add extra layers. DIFC/ADGM in the UAE have explicit whistleblowing regimes; the UK’s PIDA framework and sectoral rules (e.g., FCA/PRA) set a high bar on anti-retaliation, confidentiality, and “qualifying disclosures.” If you operate across Dhaka–Dubai–London, build one program with local addenda.
Design choices matter: anonymity vs. confidentiality, law-firm privilege, Bangla-first communications, WhatsApp intake, SLAs, domestic inquiries (Bangladesh), and careful cross-border data handling.
Winning formula: easy intake + strong protection + disciplined investigations + visible remediation + board metrics. That’s what regulators, donors, lenders, buyers—and your own people—expect.
Part A — What a whistleblower program really is (and isn’t)
A whistleblower program is a system that lets employees, contractors, suppliers, distributors, and even customers report concerns safely, and ensures those concerns are investigated fairly, with protection from retaliation. It’s not a poster or inbox. It’s the junction of:
Governance (policy, scope, roles, independence)
Intake (channels that people actually trust and use)
Protection (anti-retaliation measures that work in practice)
Investigation (lawful evidence + due process)
Outcome (remediation, discipline, and feedback)
Reporting (board dashboards and continuous improvement)
In Bangladesh, this system must “speak” Bangla and work on WhatsApp (or SMS/USSD) for hourly and field staff. In Dubai and London, it must slot into free-zone or UK statutory frameworks and satisfy sectoral regulators (banking, financial services, telecom).
Part B — Legal and regulatory context you must internalize
We’ll stay practical and high-level. Specifics evolve by circular or amendment; use this as your operating blueprint and confirm numbers and forms when you implement.
Bangladesh (core points)
Public-interest whistleblowing exists. A dedicated statute enables disclosure of public-interest information and aims to protect the discloser from victimization. In practice, your corporate policy should mirror that logic: good-faith reporting → protection from adverse action.
Corporate governance for listed companies expects an ethical conduct and reporting mechanism under the audit committee’s oversight, with channels to report concerns, confidentiality, and fair treatment.
Banking & financial services: Bangladesh Bank guidance expects banks and NBFIs to maintain whistleblowing policies, fraud-risk controls, and escalation mechanisms; many approvals (e.g., digital banking) scrutinize complaint/reporting channels.
Labour realities: Disciplinary action against employees requires due process (show-cause, domestic inquiry, reasoned order). If a reporter is punished without process, expect litigation and reinstatement risk.
Criminal law exposure: Bribery, gratification, forgery, false accounting, and money laundering are crimes. Reports touching these issues must be triaged with legal privilege and evidence preservation from hour one.
Harassment cases: Binding court guidelines require a Complaint Committee (woman-chaired, with external member) for sexual-harassment matters—your whistleblowing SOP must integrate with that process.
Data & cyber: A comprehensive privacy regime is imminent; today’s cyber and sector rules still expect log retention, incident response, and lawful handling of personal data in your case files.
UAE (Dubai and the federal context)
DIFC/ADGM (the two financial free zones) have explicit whistleblowing regimes: protected disclosures to specified persons; requirements for regulated firms (e.g., DFSA/FSRA) to maintain effective arrangements; anti-retaliation expectations; and confidentiality.
Mainland UAE does not yet have a single, sweeping whistleblowing statute, but sectoral and corporate-governance rules push firms—especially in financial services—to implement speak-up frameworks, protect reporters, and escalate to regulators where appropriate.
Defamation and cyber-crime laws: External/public allegations can create legal risk if false or malicious. A strong internal program is not optional; it’s protective.
United Kingdom (London)
PIDA (Public Interest Disclosure Act): robust protection for workers making qualifying disclosures about wrongdoing (criminal offenses, health/safety dangers, environmental damage, etc.), to employers or prescribed persons (regulators).
Sector rules (FCA/PRA): regulated firms must have independent channels, named champions, internal training, and reporting. Non-retaliation is actively policed.
NDAs cannot gag whistleblowers on protected disclosures. Culture and outcomes really matter in the UK: boards are expected to see metrics and act.
Takeaway: For Dhaka–Dubai–London operations, adopt a single global standard that meets the highest bar (often UK free-to-speak principles), then add Bangladesh and UAE annexes addressing local procedures, labour due-process, free-zone specifics, and defamation/data-handling cautions.
Part C — What should be “in scope” (and what should not)
Include (always): bribery/kickbacks, procurement collusion and bid rigging, fraud/asset misappropriation, financial reporting manipulation, AML/sanctions breaches, customs/bonded-warehouse abuses, health & safety violations, sexual harassment and bullying, data-privacy violations, cyber incidents, environmental harms, competition/antitrust concerns, human-rights/child-labour risks, and serious policy breaches.
Route specially:
Sexual harassment → to the Complaint Committee process (Bangladesh) with privacy and survivor-safety guardrails.
Labour grievances (pay errors, leave, overtime disputes) → HR grievance route, but keep the door open if retaliation emerges.
Customer complaints → service desk, unless they allege bribery/fraud/harassment—then treat as whistleblowing.
Part D — Program architecture that actually works in Bangladesh (and scales to Dubai & London)
1) Governance & independence
Board/Audit Committee oversight with a named Whistleblowing Officer (WBO) or “Speak-Up Officer.” The WBO should report functionally to Legal/Compliance, not to line management.
Investigation Charter approved by the board: authority to preserve data, interview staff, access premises, and engage external counsel/forensics.
Conflicts wall: anyone named in a report (or their chain of command) is walled off from triage, decisioning, and investigation.
2) Policy suite (Bangla + English; Arabic where relevant)
Whistleblowing Policy (plain language): scope, examples, channels, anonymity vs. confidentiality, how investigations work, anti-retaliation, and feedback timelines.
Anti-Retaliation Standard: clear list of prohibited behaviours (termination, demotion, shift changes, roster punishment, denial of leave, exclusion, harassment), interim protection measures, and sanctions for violators.
Data Handling SOP: who sees what; personal-data minimization; cross-border transfer rules; retention and secure archiving.
3) Intake channels (make them real)
24×7 web form (mobile-first), email, hotline, and WhatsApp number. Place a QR code on posters, payslips, ID card backs, and canteen boards.
Third-party/outsourced option for higher trust (especially helpful in Bangladesh for factory/field conditions).
Physical drop-boxes in plants (with daily dual-control collection).
Anonymous option: allowed, but encourage confidential named reports by explaining protections and how identity is shielded from local management.
Language: Bangla and English in Bangladesh; Arabic and English in Dubai; English (plus relevant community languages) in London.
4) SLAs & communications
Acknowledge within 48 hours (or next business day) if contact details exist.
Triage decision within 5–7 days: open, route, or close (with reason).
Status updates at least every 30 days until closure (even if just “in progress”).
Closure letters explaining outcome without disclosing confidential personnel info.
Part E — Anti-retaliation that people believe
Immediate shield: once a report is opened, HR and line management receive a hold notice prohibiting changes to the reporter’s role, pay, shift, or benefits without WBO approval.
Safety assessment: for harassment or intimidation risk, consider shift swaps, re-assignment, or no-contact orders (without penalizing the reporter).
Confidentiality: limit identity knowledge to the small core team; use code names in project trackers.
Monitoring: for 6–12 months post-closure, HR runs a retaliation check—performance ratings, overtime approvals, transfers, and leave decisions are reviewed.
Discipline: retaliation is a stand-alone misconduct with serious penalties up to dismissal.
UAE twist: Balance whistleblower protection with defamation/cyber exposure—encourage internal disclosure first and keep identity tightly controlled. Free zones (DIFC/ADGM) set explicit anti-retaliation expectations—mirror them group-wide.
UK twist: Train managers on PIDA concepts: do not dismiss, demote, or treat detrimentally a worker for a protected disclosure. Review NDAs to ensure they expressly preserve protected disclosures.
Part F — Triage and scoping (first 72 hours done right)
Risk sort: life/safety risk, criminal exposure, regulator notice triggers, data breach involving personal data, senior-management implication, public-interest sensitivity.
Legal hold: send Bangla + English hold to named custodians; suspend auto-deletion for email, chats, drives, WhatsApp exports (where lawful), logs, CCTV, access control, ERP.
Team & conflicts: assign a case lead; check conflicts; if senior leadership is implicated, escalate to board/audit chair and external counsel.
Plan: write a scoping memo—allegations, issues, elements to prove, custodians, systems, third-parties, initial hypotheses, and timeline.
Part G — Evidence and investigations (Bangladesh-fit, UAE/UK-compliant)
1) Digital evidence you will actually use
Messaging: WhatsApp/IMO/Messenger are primary in Bangladesh. Use targeted exports with consent/policy; forensically image devices when proportionate and lawful.
Email & cloud: preserve mailboxes and shared drives (Google/Microsoft), including admin logs.
Trade tests: HS code and price vs. market benchmarks; LC amendment patterns; third-country routing; inventory reconciliation.
Network links: shared phones/addresses among vendors and employees; bKash/Nagad wallet clusters; distributor hub-and-spoke patterns.
5) Due process and outcomes
Bangladesh: for employees, follow domestic inquiry steps before dismissal—show-cause, inquiry, reasoned order.
UAE: observe free-zone rules for regulated entities; maintain strict confidentiality; verify visa/employment consequences with HR.
UK: ensure fairness and reasonableness; keep records anticipating tribunal scrutiny; preserve protected disclosure status.
Part H — Integration with harassment and dignity-at-work processes
Complaint Committee (Bangladesh): whistleblowing intake routes sexual-harassment matters to the Committee. Maintain victim-centric safeguards, privacy, and time-bound investigations.
Training: supervisors and committee members need specialized training; keep case logs and closure actions.
Overlap: where harassment involves bribery or procurement coercion, run a joint plan: safety first, then financial and conduct aspects.
Part I — AML, sanctions, and financial-crime disclosures
If reports suggest money laundering or sanctions violations, escalate to Legal/Compliance immediately.
For regulated entities (banks, NBFIs, PSPs), trigger internal AML escalation; assess whether to file suspicious reports under financial-intelligence rules.
For non-regulated corporates, still treat findings like criminal exposure; tighten controls; consider law-enforcement engagement through counsel.
Part J — Competition/antitrust and trade disclosures
Bangladesh: watch for hub-and-spoke information flows via shared distributors or trade associations.
UAE/UK: sector regulators (and UK CMA) take collusion seriously; first-in leniency can matter. Your policy should encourage prompt internal reporting and counsel review for leniency strategies.
Part K — Data protection and cross-border handling
Bangladesh: treat case files as sensitive personal data; restrict access; prepare for a modern privacy regime.
Dubai (UAE): free zones have privacy regimes; mainland has sectoral expectations. Be careful with external disclosures.
London (UK): personal data in case files must meet UK data-protection standards; redact and minimize exports.
General rule: keep investigations on-shore where possible; if you must export, use secure transfer, need-to-know, and anonymization/pseudonymization where feasible.
Part L — Foreign companies in Bangladesh: the 24 big cautions
No “facilitation” payments—they’re bribes.
Use a third-party hotline to boost trust among factories/field staff.
PIDA awareness (UK): managers must understand protected disclosures.
Subsidized “rewards”: if you pilot small recognition for high-value tips, do so privately and carefully (UK competition enforcers sometimes publicize informant rewards; Bangladesh corporates should avoid market-wide bounties that could encourage frivolous claims).
Supplier speak-up: QR codes on POs and contracts; enable non-employee reporting.
Data minimization: don’t mirror whole phones if message exports will do.
Metric discipline: track retaliation audits and time to closure—buyers ask for these.
Union engagement: reassure worker reps that whistleblowing isn’t anti-union; share aggregate stats.
Dawn-raid readiness: whistleblowing can lead to raids—train reception/security.
Privilege: route high-risk matters through counsel; mark communications appropriately.
Document hygiene: avoid loose chat comments (“we all know they pay chai-pani”)—these sink defenses.
Public-interest reports: some disclosures may properly go to authorities—help employees do this safely and lawfully.
Contract clauses: add anti-retaliation, audit rights, and speak-up requirements to distributor/agent contracts.
Close the loop: send closure letters; publish anonymized case studies—people need to see the system working.
Part M — Technology & process design that staff will actually use
Case-management platform with role-based access, audit logs, and time-stamped actions.
Retaliation is misconduct. No demotions, pay cuts, roster punishments, shift changes, harassment, or exclusion due to reporting or cooperating. Breach = discipline up to dismissal.
Thank you; summary of steps (without naming disciplined persons); whether substantiated; high-level remediation; next steps; reiteration of anti-retaliation and contact for any concerns.
Part R — Special scenarios & playbooks
1) Procurement/Kickbacks
Indicators: split POs under limits; new vendors days before award; shared phone/email DNA with staff; vague “marketing” invoices.
Actions: freeze payments; legal hold; vendor KYC (TIN/BIN, UBO); three-way match; interview evaluation committee; remediate with pre-qualification and conflict declarations.
2) Bonded-Warehouse Diversion
Indicators: yield anomalies; scrap volumes surge; night dispatches.
Indicators: shared phones/bank accounts; no photos; overtime clusters under one supervisor.
Actions: HRIS ↔ bank/mobile-wallet reconciliation; physical headcount checks; liveness on biometrics; policy and roster fixes.
4) Harassment
Use the Complaint Committee route; protect complainant; no forced mediation; time-bound outcomes; training.
5) Cyber/Data
Contain; image devices; rotate credentials; examine logs; classify incident; notify as per policy; remediate with MFA, PAM, DLP.
Part S — Board dashboard (quarterly)
Volume: reports by source (employees, suppliers, customers), by site, by category.
Speed: acknowledgment SLA, median days to triage/close.
Outcomes: substantiation rate; financial recovery; control fixes shipped; repeat-finding rate.
Protection: retaliation audits; zero-case confirmation; any allegations of retaliation and outcomes.
Culture: awareness survey scores; anonymous vs. named trend; training completion rates.
Cross-border: UK/UAE specific metrics; regulator interactions (if any).
Serious matters: high-risk cases, escalations to authorities (count, not details), lessons learned.
Part T — Frequently asked questions (fast, practical answers)
Q: Should we allow anonymous reports in Bangladesh? Yes. Provide both anonymous and confidential named channels. Anonymous options increase intake early; as trust builds, more reporters will identify themselves.
Q: Can we review WhatsApp chats on personal phones? Only where lawful and proportionate, and consistent with BYOD or consent frameworks. Prefer targeted exports and minimize collection.
Q: Do we have to tell authorities immediately about bribery allegations? Not automatically. Assess credibility and evidence with counsel. Where credible and material, design an engagement plan with authorities. Never obstruct.
Q: How do we stop false or malicious reports? State clearly that bad-faith reporting is misconduct. But do not weaponize this—most reports mix facts and misunderstandings. Investigate proportionately.
Q: Can NDAs stop someone from going to a regulator (UK)? No. Protected disclosures are preserved. Make this explicit in NDAs and handbooks.
Q: Will people use the hotline? Only if it’s visible, Bangla-first, multi-channel, and seen to work (closure letters, anonymized case studies, and visible fixes).
Q: What about defamation risk in the UAE? Encourage internal reporting; keep strict confidentiality; investigate promptly; escalate externally through counsel as needed.
Q: Can suppliers use our program? They should. Encourage supplier and contractor reports; add non-retaliation obligations to contracts.
Part U — How TRW makes this painless (and effective)
Training: all-hands, manager, investigator, and Complaint Committee modules (Bangla/English/Arabic).
Case management: selection and configuration of platforms; lawful data handling in Bangladesh/UAE/UK.
Analytics: AP/GL and trade-based red-flag libraries; mobile-money and procurement patterning.
Investigations: rapid legal holds, digital forensics (devices, chats, cloud, ERP), interviews, documentation, and outcome memos fit for regulator or court.
Remediation: control fixes, supplier contract re-papering, culture campaigns, and quarterly board dashboards.
Cross-border alignment: one global standard with Bangladesh and UAE/UK addenda so you clear audits in Dhaka, Dubai, and London without rewriting the book every time.
A credible whistleblower program in Bangladesh isn’t a formality—it’s your early-warning radar for bribery, safety failures, harassment, payroll fraud, bonded-warehouse diversions, and cyber risk. If you operate across Dhaka, Dubai, and London, build to the highest common denominator (UK-style protection, UAE free-zone discipline), then tune for Bangladesh realities: Bangla-first communications, WhatsApp-friendly intake, domestic-inquiry due process, and genuine anti-retaliation. Do that, and your program will not just “comply”—it will protect people, margins, and your license to operate.
Compliance Audits & Training (2025): The Complete Playbook for Companies in Bangladesh — with Dubai & London Context
By TRW Law Firm — Regulatory, Investigations & Workforce Compliance (Dhaka • Dubai • London)
Why this guide
Compliance is no longer a binder on a shelf; it’s an operating system that protects licenses, clears bank approvals, satisfies buyers/donors, keeps insurers comfortable, accelerates M&A and, bluntly, stops bad headlines. In Bangladesh—where your business likely touches multiple regulators (NBR, Bangladesh Bank, BSEC, BTRC, DIFE, environment, local authorities)—a smart audit-and-training program is the single best way to detect risk early and embed the right behaviors.
If you’re a foreign company entering or scaling in Bangladesh, you also need cross-border alignment with your head-office standards and with rules your teams in Dubai (UAE mainland and free zones) and London (UK) already follow. This guide gives you a field-tested, step-by-step method to build and run a program that works in all three locations without fragmenting your controls.
Use this as your operating blueprint. Statutory rates, thresholds, and formats evolve; confirm numbers at implementation. No external links are included, by request.
Part A — What “compliance audits & training” really mean (done right)
Compliance audits: recurring, risk-based checks of whether your policies, controls, and records meet law, license conditions, standards you’ve promised to customers/bankers/buyers, and your own code of conduct. They are independent of line management, documented to a forensic standard, and culminate in remediation that actually gets done.
Compliance training: task-focused, role-based learning that changes behavior: short modules, local language, examples from your processes, manager toolkits, and measurement of behavior change. It is not a one-off slideshow.
Design principle: Treat both as part of one loop: Risk map → Controls → Audits → Findings → Remediation → Training → Metrics → Board. Rinse and repeat. When this loop runs monthly/quarterly, you stop “unknown unknowns.”
Part B — The regulatory landscape you must build for
Bangladesh: multisector, document-heavy
NBR (Tax & VAT): registrations, withholding, VAT credits, transfer pricing, e-filings, e-BIN, e-TIN, and documentation of supply chains.
Bangladesh Bank (BB): foreign exchange approvals and reports, outward remittances (royalties/dividends/management fees), AML/CFT, payments/PSP/MFS rules, ICT & cloud standards for banks and digital banks.
BTRC/Telecom: service/user licenses, type approval, import NOCs, spectrum, lawful interception, data retention, spam/A2P hygiene.
Environment: ECA/ECR, site clearances, effluent and emissions monitoring, waste manifests.
Local authorities: trade licenses, fire licenses, factory licenses, signage, and site usage.
Data & cyber: evolving data-protection regime; cyber incident and log-retention expectations; banking/telecom sector specifics.
Dubai / UAE: license-first, sector overlays
Mainland economic departments and free zones (DIFC/ADGM/JAFZA etc.) set license scopes, governance, and in free zones often whistleblowing/data standards.
Sector regulators (especially DFSA/FSRA in financial centers, telecom, health, and education) impose control and training requirements.
AML/CFT for designated non-financial businesses & professions (DNFBPs), and financial institutions.
Labor and immigration compliance, corporate governance for larger entities and government-related entities.
London / UK: control culture, individual accountability
Company law and FRC/BEIS governance expectations for boards and audit committees; robust whistleblower protection.
Health & Safety Executive standards, ICO data-protection enforcement, competition law scrutiny.
Strong expectations for documented risk assessments, board oversight, and management attestations.
Takeaway: Build one global standard that meets UK-level expectations (documentation, independence, anti-retaliation), then bolt on Bangladesh specifics (registers, approvals, sector filings) and UAE nuances (licensing, free-zone regimes). This avoids three different programs and keeps your auditors, buyers, and banks calm.
Part C — The 10-component compliance framework (copy this)
Tax/VAT/NBR: registrations, returns, source tax deduction and deposit, VAT e-filings, TP documentation, customs records for HS codes and bonded warehouses.
FX/BB: BOI/registration or approvals for foreign investment; reporting for inbound equity; dividend repatriation files; royalty/service fee approvals; export proceeds realization; BAFEDA rates alignment; AML/CFT program.
Telecom/BTRC: service or user licenses, type approvals, import NOCs, numbering/short codes, spectrum logs, LI and data retention setup, spam/A2P controls.
Dubai & London add-ons: license scope in the UAE (free zone vs. mainland), governance and AML expectations; UK board/audit-committee documentation, training attestations, and data-privacy controls.
Step 2: Build your audit universe
List all auditable entities: head office, factories, warehouses, branches, depots, call centers, data centers/cloud tenants, shared services, C&F agents (documentation), large suppliers (if contractually auditable), distributors (for competition/brand compliance), and high-risk third-party processors (payroll, IT).
Step 3: Risk-rate and prioritize
Score by regulatory impact, financial exposure, frequency of errors, history, and change (new system/vendor/regulator). In Bangladesh, anything touching NBR, BB, BSEC, BTRC, DIFE, or environment should land in the top tiers.
Step 4: Audit plan and cadence
Quarterly: tax/VAT, FX/BB outward remittances, payroll/wages/OT, procurement & AP, bonded-warehouse/inventory, telecom spam/A2P and LI tests, cyber incident register review.
Annual: full governance review (board, audit committee), training effectiveness, competition/antitrust health check, ESG claims.
Step 5: Fieldwork (Bangladesh-fit)
Data room: registers and filings in Bangla/English, payment challans, bank SWIFT/BEFTN proofs, customs packs, numbering/spectrum letters, safety logs, and board/audit committee minutes.
Sampling: risk-based; for wages, draw samples across grades and shifts; for VAT, sample input credits and mismatched invoices; for FX, sample each category (dividend, royalty, service fee, freight).
Walkthroughs: payroll run, OT approvals, invoice intake, GRN/three-way match, LC opening and amendment, data-incident playbook, spam/A2P throttling, LI test calls (for operators).
Board & C-suite: fiduciary and oversight duties, audit committee playbook, dawn-raid and crisis roles.
Locales & language: Bangla-first for Bangladesh; Arabic/English in Dubai; English in London, with accessibility for non-native speakers.
2) Modality & frequency
Micro-learning: 10–15 minute modules; one topic per week for frontline staff, monthly for corporate teams.
Workshops: quarterly deep-dives for finance/tax, FX/BB, procurement, and safety/POSH committees.
Simulations: dawn-raid tabletop, FX file “build & defend,” bonded-warehouse spot check, LI test call drill, data-incident tabletop.
Manager toolkits: five-minute huddles with talking points and job aids.
Attestations: annual for code and key policies; event-based for role changes.
Refresher cadence: annual baseline modules + rolling micro-nudges.
3) Measurement & effectiveness
Pre/post tests; target 80%+ mastery.
Behavioral KPIs: drop in repeat audit findings; reduction in invoice exceptions; on-time FX filings; hotline usage and zero-retaliation rate; safe behavior observations.
Manager scorecards: training completion, audit issue closure, incident response quality.
Board dashboard: training coverage, pass rates, behavior change metrics.
Part F — Bangladesh “hot spots” your audits and training must cover
Wages & OT math: correct base, legal multipliers, payslip transparency; alignment with sector minimums; registers accurate and contemporaneous.
VAT/TAX: e-filings, input credit support, withholding deposits on time, TP files, customs classification and valuation consistency.
Telecom/BTRC: correct license class; type approvals; import NOCs; numbering/short codes; spam/A2P controls; LI testing and data retention; spectrum logs.
Competition: RPM and MFN creep in distribution; trade association hygiene; hub-and-spoke risks via shared distributors.
Third-party risk: C&F agents, customs brokers, distributors, and cash-collection agencies; due diligence, contracts with audit rights, and payment transparency.
Data & cyber: incident playbook; log retention; vendor security; proportionate handling of personal data in case files.
Part G — Foreign companies: 25 cautions when operating in Bangladesh
“Facilitation” payments are bribes—train and enforce zero tolerance with real scenarios.
Document everything—boards in the UK/UAE expect forensic-grade files; Bangladesh regulators often ask for originals/certified copies.
Bangla-first policies, posters, and training for frontline teams.
Chain-of-custody for documents and devices; courts and regulators value it.
Domestic inquiries mandatory for dismissals—skipping them loses cases.
Supplier & contractor inclusion—extend hotline and training to their staff.
Distributors—competition training (no RPM/MFN without legal review); licensed channels only.
Bonded-warehouse—frequent spot checks; reconcile yield, scrap, and night dispatches; GPS and weighbridge controls.
C&F agents—UBO checks, site visits, control clauses, audit rights, payment terms via bank only.
FX remittances—require documentation; plan timelines; keep central bank engagement professional and complete.
VAT credits—don’t book without matching documentation and supplier compliance.
Payroll—biometrics with liveness; headcount roll calls; bank/MFS reconciliation; payslips match registers.
POSH—do it properly; buyers check this first.
Data—collect minimally; keep investigations on-shore when feasible; use secure transfers if cross-border.
Telecom tech—no unapproved devices; type approval first; import NOCs for shipments.
Numbers/codes—short codes and sender IDs must be allocated; throttle spam; keep complaint logs.
Whistleblowing—confidential internal channels; anti-retaliation that actually works.
Board oversight—quarterly dashboards with trends, not anecdotes.
Dawn-raid readiness—front-desk scripts; counsel on speed dial; log everything taken/copied.
M&A—clean teams for competitively sensitive info; pre-close conduct rules.
Leases & licenses—sites must match trade and factory licenses; mismatches invite inspection.
Training proof—attendance, tests, and manager confirmations; buyers and regulators request them.
CSR/Donations—screen beneficiaries; avoid political or front entities; require reports.
Speak-up culture—publish anonymized case studies and fixes; this makes the system real.
Part H — Cross-border alignment: Dhaka ↔ Dubai ↔ London
One policy set, three addenda: global code, anti-bribery, competition, privacy, investigations; then Bangladesh, UAE, and UK annexes for local specifics (hotline prescriptions, due-process, free-zone rules, PIDA).
Shared controls: same AP/GL red-flag analytics, procurement approvals, third-party due diligence, and incident playbooks across offices.
Training translations: Bangla and Arabic plus English; same scenarios localized (e.g., bonded-warehouse in BD; free-zone customs in UAE; SMCR conduct in UK).
Board reporting: one dashboard with geography filters; consistent severity ratings and issue taxonomy.
Part I — 30/60/90-day build plan (greenfield or turnaround)
Days 1–30 — Stabilize
Appoint Compliance Lead and Audit Manager; publish a CEO note.
Map obligations and create your risk register with owners.
Stand up a compliance calendar (Bangladesh filings, Dubai license anniversaries, UK board events).
Select a case/audit tool (even a disciplined spreadsheet can work at the start) and set issue lifecycle rules.
Run two quick audits: (1) wages/OT/payslips & POSH, (2) FX outward remittances and supporting files.
Launch foundational training (code, speak-up, anti-bribery, safety basics).
Days 31–60 — Institutionalize
Approve annual audit plan and perform two process audits (VAT/AP; bonded-warehouse/inventory).
Build role-based training tracks and manager toolkits; implement attestations.
Create hotline (web, WhatsApp, phone) and anti-retaliation standard; integrate with HR and investigations.
Start a third-party due-diligence sweep: top 50 vendors/agents by spend/risk; re-paper contracts (audit rights, ABC/AML clauses).
Test data-incident and dawn-raid simulations.
Days 61–90 — Assure
Close findings with evidence of fix; run a repeat test on one area to prove improvement.
Conduct board briefing with dashboard; agree on quarterly targets.
Publish an anonymized case study of a finding and its fix; celebrate behavior change.
Lock the 12-month roadmap (below).
Part J — Twelve-month maturity roadmap
Coverage: audit 100% of high-risk processes and 60–70% of medium risk; rotate the rest.
Findings: reduce repeat findings by 50%; close 90% of “Major+” issues within target time.
Training: >95% completion for foundational modules; role-based modules >85% within 90 days.
Behavior change: measurable drops in invoice exceptions, FX file returns, LI/Spam infractions, and POSH procedural gaps.
Speak-up: rising hotline usage with zero retaliation; monthly checks prove it.
Third-party: all high-risk partners vetted and contracted with audit rights; at least one audit performed on each of the top ten.
Data & cyber: incident tabletop twice; patch cadence meets policy; logs retained and sampled quarterly.
Cross-border sync: Dhaka, Dubai, and London share one dashboard and taxonomy; local annexes updated twice a year.
Part K — Functional audit checklists (ready to use)
1) Tax & VAT (NBR)
Registrations valid; e-TIN and e-BIN mapped to all sites.
VAT credits supported by compliant invoices; supplier compliance verified.
WHT deducted and deposited on time with certificates issued.
Training lift: pre/post assessment deltas; behavior KPIs moving the right way.
Culture: whistleblowing awareness scores, hotline usage trends, zero retaliation confirmations.
Management attestations: quarterly sub-certifications by process owners.
Independent assurance: annual external review of the program’s design and effectiveness.
Part N — FAQs (fast, practical answers)
Do we need a separate “compliance audit team” if we already have internal audit? Not necessarily. Many firms run compliance audits within Internal Audit but with a dedicated compliance specialist and a legal/compliance sign-off. What matters is risk-based planning, independence, and issue closure discipline.
How often should we train? Foundational annually (with micro-nudges during the year); role-based quarterly for high-risk teams; new joiners within 30 days. Managers need targeted refreshers aligned with audit findings.
Should training be the same across Dhaka, Dubai, and London? Core content should match; local addenda should address Bangladesh registers and due-process, UAE licensing/free-zone nuances, and UK conduct/data expectations.
What’s the biggest cause of repeat findings? Ownership and incentives. Fix it by naming a single owner, setting a deadline, tying part of managers’ KPIs to issue closure, and re-testing within one quarter.
Can we rely on vendor certifications instead of auditing them? Start with certifications, but sample audit high-risk vendors annually. Paper alone won’t catch reality in logistics, bonded-warehouse, or call-center environments.
What if a finding suggests criminal conduct? Escalate to Legal immediately; preserve evidence; consider whistleblower protection; assess regulator notifications; and plan a defensible investigation with due-process.
Part O — The TRW method (how we make this painless)
Blueprint & build: risk registers, calendars, policy stacks, control libraries mapped to Bangladesh, UAE, and UK requirements.
Audit factory: workpaper templates, sampling plans, issue lifecycles, dashboards; shadow audits to embed skills in your team.
Training studio: Bangla/English/Arabic micro-learning, workshops, simulations, manager toolkits, and certification tracking.
A great compliance program in Bangladesh isn’t mysterious: know your obligations, build controls people can actually use, audit them with rigor, fix what you find, and train the exact teams who run the risks—then show the board the movement in numbers. If you operate across Dhaka, Dubai, and London, aim high and harmonize: UK-grade governance, UAE licensing discipline, and Bangladesh document reality, all in one loop. Do this well and inspections are routine, bank and buyer audits are uneventful, exports and remittances flow, and your people know exactly how to do the right thing—every month, not just once a year.
Corporate Investigations in Bangladesh (2025): A Complete Field Manual for Local & Foreign Companies
By TRW Law Firm — Investigations, Compliance & Disputes (Dhaka & Dubai)
Why this matters
Bangladesh is a high-growth market with dense supply chains (RMG, leather, light engineering), fast-rising services (fintech, logistics, e-commerce), and significant government touchpoints (permits, customs, taxation, utilities). Those touchpoints create real investigative workloads: procurement collusion, kickbacks, inventory shrink, payroll fraud, grey traffic in telecom, trade-based money laundering (TBML), workplace harassment, data leaks, and cyber incidents. If you operate here—especially as part of a multinational—you need a repeatable, defensible investigation playbook that respects local law and culture while aligning with global standards (anti-bribery, AML, sanctions, data & labour rules).
This guide gives you the end-to-end “how”: governance and privilege, scoping, evidence, interviews, digital forensics, regulator engagement, remediation, and a foreign-investor caution list tailored to Bangladesh.
Important: numbers and procedures can change via notifications and circulars. Use this as your operating blueprint and confirm specifics when you implement.
Part A — What counts as a “corporate investigation” (Bangladesh reality)
Common triggers
Allegations via hotline or HR: harassment, discrimination, bullying, retaliation
Digital ecosystems: WhatsApp/IMO/Facebook Messenger groups, Google/Microsoft suites, local ERPs, MFS wallets (bKash, Nagad), POS, ride-along apps
Part B — The legal & enforcement backdrop (what you must internalize)
Criminal law & corruption: Bribery and “speed money” are criminal; the Anti-Corruption Commission (ACC) investigates/prosecutes. Donor-funded projects add debarment exposure.
Money laundering & TFS: Proceeds of corruption/fraud can trigger AML obligations; the central bank’s financial intelligence unit issues directives and freeze orders; regulated entities must file STRs/SARs.
Corporate/securities: Listed-company governance rules expect internal control, related-party discipline, and fair disclosure; violations invite enforcement and shareholder litigation.
Labour & domestic inquiries: Discipline must follow due process—show-cause → impartial inquiry → reasoned order—or courts can reinstate with back wages.
Data & cyber: A formal personal data regime is emerging; cyber offenses are policed under current cyber laws. Treat PI and system logs as sensitive; implement lawful, proportionate collection.
Dawn raids: ACC, police units, tax/VAT intelligence and other authorities can conduct searches/seizures with due process. Know your response script.
Extraterritorial overlays: FCPA/UKBA and other foreign laws can apply to conduct within Bangladesh, especially for multinationals or USD-cleared payments.
Takeaway: Your investigation playbook must anticipate criminal exposure, labour due-process, regulatory notifications, data sensitivity, and cross-border legal risks—all at once.
Part C — Governance & privilege: build the right cockpit
Investigation Charter
Board-approved document that sets scope, authority, and independence of the investigations function (Legal/Compliance with HR and Internal Audit).
Defines thresholds for external counsel, forensic firms, and when to brief the board/audit committee.
Independence & conflicts
Segregate investigators from local management in scope. Require conflict declarations for each matter (no one investigates their own chain).
Legal privilege & work product
Engage counsel early and document that the purpose is to obtain legal advice. Limit distribution, watermark drafts, and log access.
Anti-retaliation
Board-backed “no retaliation” policy with Bangla-language communications. Track for reprisals after reports/interviews.
Set one communications channel; enforce need-to-know.
Part E — Evidence & forensics (Bangladesh-specific realities)
1) Digital forensics & data sources
Messaging apps: WhatsApp, IMO, Messenger, Viber, Telegram—collect chat exports and, where lawful, forensically image devices. Expect hybrids (personal device used for work). Use consent and policy for BYOD.
Email & cloud: Google/Microsoft tenants; preserve mailboxes, Drive/SharePoint, audit logs; collect admin logs for group changes and deletions.
Payroll: ghost identities, bank/MFS accounts linked to supervisors, overtime anomalies.
Part F — Interviews (doing them right in Bangladesh)
Language & setting: Offer Bangla or English. Use trained interpreters; avoid managerial presence for rank-and-file.
Notice & fairness: Explain purpose, process, and anti-retaliation. For employees facing discipline, outline rights per policy/standing orders.
Sequencing: Start with neutral witnesses, then supporting, then subjects. Cross-verify facts; use documents to anchor.
Style: Fact-first, neutral, no promises. Avoid leading questions or threats.
Records: Contemporaneous notes; ask the witness to review key points. For critical interviews, audio (with consent) or two-investigator notes.
Part G — Playbooks for the most common Bangladesh cases
1) Procurement kickbacks & bid rigging
Red flags: new vendor incorporated days before award; shared contact data with staff; sequential quotes with identical typos; split POs under thresholds; “consulting” invoices post-award.
Steps
Pull vendor master data; match NPWP/TIN/BIN, bank accounts, directors/UBOs; cross-link to staff phone numbers and addresses.
Examine rebate/marketing service invoices; look for no deliverables.
Interview procurement, finance, and warehouse on receipt and quality checks.
If collusion suspected, prepare a self-reporting path and supplier debarment plan.
Remediation
Rewrite vendor policy; introduce pre-qualification, conflict declarations, audit rights. Install three-way match and duplicate invoice alerts.
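An added example, not part of the original guide: one way to run the vendor-master cross-link and two of the red-flag checks above (vendor incorporated shortly before award, split POs under a threshold) in Python. All records, field names, and the 500,000 BDT approval threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from any real case); field names are assumptions.
VENDORS = [
    {"id": "V001", "incorporated": date(2024, 3, 1), "phone": "+880 1712-345678",
     "bank": "1234-5678-9012", "address": "House 12, Road 5, Dhanmondi, Dhaka"},
    {"id": "V002", "incorporated": date(2019, 6, 10), "phone": "01811000222",
     "bank": "5550001112223", "address": "45 Agrabad C/A, Chattogram"},
    {"id": "V003", "incorporated": date(2024, 5, 20), "phone": "01999888777",
     "bank": "777 000 111 222", "address": "Flat 3B, Plot 9, Uttara, Dhaka"},
]
STAFF = [
    {"id": "E100", "phone": "01712345678", "bank": "9990001112223",
     "address": "Mirpur 10, Dhaka"},
    {"id": "E200", "phone": "01555000111", "bank": "777000111222",
     "address": "flat 3b plot 9 uttara dhaka"},
]
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor": "V001", "date": date(2024, 3, 6), "amount": 480_000},
    {"po": "PO-2", "vendor": "V001", "date": date(2024, 3, 8), "amount": 490_000},
    {"po": "PO-3", "vendor": "V002", "date": date(2024, 4, 2), "amount": 900_000},
    {"po": "PO-4", "vendor": "V003", "date": date(2024, 9, 1), "amount": 120_000},
]
APPROVAL_THRESHOLD = 500_000  # hypothetical single-approver limit, BDT


def norm_phone(raw):
    """Keep the last 10 digits so +8801712..., 8801712... and 01712... compare equal."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:] if len(digits) >= 10 else ""


def norm_bank(raw):
    """Drop spaces and dashes so differently formatted account numbers match."""
    return re.sub(r"[^0-9A-Za-z]", "", raw or "").upper()


def norm_address(raw):
    """Lowercase, strip punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", (raw or "").lower()).split())


NORMALIZERS = {"phone": norm_phone, "bank": norm_bank, "address": norm_address}


def cross_link(vendors, staff):
    """Return (vendor_id, staff_id, field) for each identifier a vendor shares with staff."""
    hits = []
    for field, norm in NORMALIZERS.items():
        index = defaultdict(list)
        for person in staff:
            key = norm(person.get(field))
            if key:  # never match on empty values
                index[key].append(person["id"])
        for vendor in vendors:
            for staff_id in index.get(norm(vendor.get(field)), []):
                hits.append((vendor["id"], staff_id, field))
    return sorted(hits)


def awards_soon_after_incorporation(vendors, pos, max_days=30):
    """Vendors whose first PO falls within max_days of (or before) incorporation."""
    first_po = {}
    for po in pos:
        current = first_po.get(po["vendor"])
        if current is None or po["date"] < current:
            first_po[po["vendor"]] = po["date"]
    flagged = []
    for vendor in vendors:
        first = first_po.get(vendor["id"])
        if first is not None and (first - vendor["incorporated"]).days <= max_days:
            flagged.append((vendor["id"], (first - vendor["incorporated"]).days))
    return flagged


def split_purchase_orders(pos, threshold, window_days=7):
    """Per vendor: sub-threshold POs inside window_days that together reach the threshold."""
    by_vendor = defaultdict(list)
    for po in pos:
        if po["amount"] < threshold:
            by_vendor[po["vendor"]].append(po)
    findings = []
    for vendor, items in by_vendor.items():
        items.sort(key=lambda p: p["date"])
        start = 0
        for end in range(len(items)):  # sliding date window over sorted POs
            while items[end]["date"] - items[start]["date"] > timedelta(days=window_days):
                start += 1
            window = items[start:end + 1]
            total = sum(p["amount"] for p in window)
            if len(window) > 1 and total >= threshold:
                findings.append((vendor, [p["po"] for p in window], total))
    return findings


if __name__ == "__main__":
    for hit in cross_link(VENDORS, STAFF):
        print("shared identifier:", hit)
    print("new-vendor awards:", awards_soon_after_incorporation(VENDORS, PURCHASE_ORDERS))
    print("split POs:", split_purchase_orders(PURCHASE_ORDERS, APPROVAL_THRESHOLD))
```

A hit is a lead for document review and interviews, not a finding: shared addresses in particular produce false positives (multi-tenant buildings, relatives), so each match needs corroboration before it goes into a report.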
2) Trade-Based Money Laundering (TBML)
Red flags: price mismatch vs. indices; odd Incoterms; repeated LC amendments; third-party payments outside contract; goods never seen at gate; frequent BoE value disputes.
Part H — Working with regulators & law enforcement
When to notify: If there’s material criminal exposure, significant customer impact, or regulatory reporting triggers (e.g., STRs for AML), brief counsel on whether and when to notify.
Searches & seizures: Have a dawn-raid SOP: verify warrant/order, call counsel, escort the team, log everything taken/copied, assert privilege, and request sealed copies of digital images.
Witnesses: Prepare staff; insist on counsel’s presence for formal statements; avoid speculation; correct inaccuracies in writing.
Media: Centralize comms. No casual quotes. Internal memo first; external messaging vetted by counsel/PR.
Part I — Outcomes & remediation (what “good” looks like)
Targeted refreshers for procurement, logistics, finance, supervisors; Bangla-first “what to do when asked for a bribe” scripts.
Board reporting
Quarterly pack: new matters, time to close, substantiation rates, controls fixed, open actions, and trendlines.
Part J — Foreign-investor caution list (Bangladesh-specific)
“Speed money” is a bribe. There is no legal facilitation exception.
Third-party risk: Customs brokers, C&F agents, distributors, consultants—run real due diligence (UBO, site visit, references, litigation/blacklist checks).
Cash & MFS flows: Kickbacks route via mobile wallets; correlate phone numbers and device IDs with employees/vendors.
Trade corridors: TBML risk around HS codes and price manipulation; insist on independent checks.
Bonded warehouse: High diversion risk; inventory controls must be tight and audited.
Shared distributors: High chance of hub-and-spoke info sharing—hard line on competitor data.
Labour due-process: Don’t terminate without a domestic inquiry; courts punish shortcut discipline.
POSH compliance: A functioning complaint committee is non-negotiable for buyers and courts.
Data transfer & privacy: Treat PI and logs sensitively; use proportionate collection; be ready for data-authority scrutiny as rules mature.
Books & records: No vague GLs (“market development”), no off-book cash, no “marketing services” without outputs.
Gifts/hospitality: Public officials—extremely conservative; document approvals; pay vendors directly, not per diems.
Distributor RPM: Don’t police retail prices; focus on quality standards and availability KPIs.
Call centers: Use licensed routes; avoid grey VoIP.
IP leakage: Guard tech packs and patterns; lock down supplier access; watermark files.
Security & safety: Genuine fire drills, PPE, lock-out/tag-out—buyers audit this.
Speak-up channels: Provide Bangla-language hotline/email/WhatsApp; protect whistleblowers in practice.
Language & documents: Keep Bangla-English versions of contracts, handbooks, notices; staff must understand them.
Notarization & stamping: Budget time for certified copies and stamping where needed; courts expect originals or certified dupes.
Board oversight: Quarterly MI on investigations; audit committee timeboxed remediations.
Exit strategies: If you must exit a distributor or employee, follow contract + law—notice, cure, inquiry, settlement.
Dawn-raid readiness: Train reception/security; keep an evidence room; know your counsel’s number.
Foreign law overlays: FCPA/UKBA risks—ban “success fees” with vague services; structure FMV consulting.
Charity/CSR: Vet beneficiaries; avoid political or front charities; require reports and photos.
M&A clean team: No competitively sensitive sharing pre-close; clean team for pricing and customer-level data.
Travel & security: For sensitive sites or disputes, use security briefings and escorts; never carry original master records off-site without chain-of-custody.
Part K — Toolkits you can copy today
1) Investigation intake form (one page)
Reporter details (may be anonymous)
Allegation summary (who/what/when/where)
Urgency/safety risks
Systems and people implicated
Evidence known to exist (chats, documents, CCTV, logs)
2) Legal hold (Bangla + English)
Clear description of records and dates
Prohibition on deletion/alteration
How to preserve chats, phones, laptops, cloud folders
Contact for questions; acknowledgment required
3) Digital forensics kit list
Evidence bags and seals; Faraday bags
Write-blockers; imaging software; hash tools
External encrypted drives; chain-of-custody forms
SIM/microSD adapters; device chargers/cables
Camera and label printer
4) Interview checklist
Case facts summary; exhibits; witness history
Neutral opening; rights explanation; interpreter booked
Specific, time-anchored questions; no leading
Notes, signatures or audio (with consent)
5) Dawn-raid SOP (wallet card)
Verify IDs and warrant/order
Call counsel and investigations lead
Escort officials; allocate a room; log copies/seizures
Training completion for investigators and line managers
Part N — Fast FAQs
Can we copy employee WhatsApp chats on personal phones? Only with lawful basis and in line with your policy (e.g., BYOD consent) and proportionality. Prefer targeted exports over full device images. In sensitive cases, seek employee consent or use work-managed apps.
Do we have to tell the ACC immediately about bribery allegations? Not automatically. Assess credibility and evidence quickly under counsel. If substantiated or if there’s immediate public risk, design a regulator engagement plan. Maintain evidence integrity at all times.
Can we dismiss without inquiry if theft seems obvious? No. Bangladesh labour law expects due process. Conduct a domestic inquiry and issue a reasoned order, or you risk reinstatement with back pay.
How do we handle vendors threatening to “expose” us if we terminate them? Stick to contracts and facts. Document breaches, issue cure notices, and terminate per terms. Have litigation and PR plans ready; never pay hush money.
What about moving evidence out of Bangladesh for review? Minimize personal data exports; anonymize where possible; use secure channels and logs; check contractual and regulatory duties before transfer.
Part O — The TRW advantage (how we help end-to-end)
Great investigations are operational systems, not heroic one-offs. In Bangladesh, that means (1) lawful evidence, (2) clean interviews, (3) forensic accounting that sees both bank and mobile money, (4) respect for labour due-process, and (5) control fixes that stop repeat incidents. Put this playbook in motion, and your investigations will be fast, fair, and defensible—at home and in front of any regulator or court.
BIDA Post-Approval Compliance in Bangladesh (2025): The Complete, Practical Playbook for Foreign Companies
By TRW Law Firm — Foreign Investment, Regulatory & Disputes
No links. No fluff. This is a field manual you can drop straight into your implementation plan after you receive a Bangladesh Investment Development Authority (BIDA) approval or registration.
1) What “BIDA post-approval” really means
Getting a BIDA approval or registration (for a new industrial/commercial project, a branch/liaison/representative office, or specific facilitation like work permits and visa recommendations) is only your starting gun. The real work is the post-approval build-out: entity setup, tax/VAT, banking & FX, land/building/environment, labour & immigration, sectoral permits, import/export readiness, and ongoing reporting to BIDA and other regulators.
4) Choosing the right structure (company vs. branch vs. liaison)
Company (subsidiary or JV)
Pros: Full operating scope; easier revenue recognition; clearer dividend pathway; limited liability; eligibility for tax incentives or bonded regimes. Cons: Requires full corporate compliance; transfer pricing and withholding on intercompany flows; takes longer to wind down.
Post-approval watch-outs
Timely share issuance against FDI receipts; equity valuation discipline for future rounds; reporting through AD bank
Board setup with independent oversight for governance and bank/FX signatories
Tax & VAT registrations and monthly compliance rhythm from Day-1
Branch office
Pros: Can conduct approved business activities of the foreign head office; revenue may be permitted if approval scope includes it. Cons: Direct tax nexus to parent; profit repatriation requires tax clearance; regulatory approvals are narrower; winding up includes settlement with regulators and tax.
Post-approval watch-outs
Spend only within scope in the BIDA approval letter; update approvals if scope expands
Maintain books in Bangladesh; obtain audits as required; keep head-office recharges arm’s-length and well-documented
Liaison/Representative office
Pros: Easiest to open; ideal for market research, coordination, quality control with no commercial trading. Cons: No revenue-earning; expenses funded by inward remittances only; heavy scrutiny if activities look “commercial”.
Post-approval watch-outs
Strictly non-commercial: no invoices, no local revenue, no purchase-and-sale on own account
Quarterly/periodic activity reports and inward fund documentation; keep payroll and vendor taxes fully compliant
5) The first 100 days (timeline you can run)
Days 1–15: Mobilise
Incorporate/register the approved form (company/branch/liaison)
Obtain TIN and BIN; open AD bank accounts
Assign implementation owners for FX, permits, tax/VAT, labour, facility, trade
Days 16–45: Capital & identity lock-in
Bring in initial capital/funds as per approval conditions
For companies: issue shares, update cap-table, complete statutory filings, and bank/FDI reporting
For branch/liaison: align expenses to inward remittances and scope
Days 46–75: People & premises
File work permits/visa recommendations for expatriates; initiate police/security clearances where required
Finalise leases, building approvals, utility connections
Initiate fire and environmental clearances (if applicable)
Go live with VAT (monthly returns) and withholding workflows
Submit any BIDA progress updates/renewals due within the period
6) Banking & FX: the traps that catch foreign investors
FDI evidence trail: Every foreign equity remittance must be traceable via bank certificates and SWIFT/credit advice; your share issuance and statutory registers must match the bank’s FDI reporting.
Share issuance timing: Do not sit on foreign remittances. Issue shares within your internal deadline policy and keep audited reconciliation of “advance against equity.”
Foreign loans: Obtain the required registrations/clearances before drawdown; ensure pricing, tenor, and security comply with policy; obtain a loan registration number from the central bank (via your AD bank) where applicable.
Intercompany services: Put written contracts in place (scope, deliverables, pricing); apply withholding tax correctly; consider VAT on imported services (reverse charge) when applicable; maintain transfer-pricing documentation.
Dividend repatriation: Board resolution, audited financials, tax/VAT clearance where relevant, bank documents and working papers—all lined up. Don’t declare if you have unresolved non-compliance that could block the bank.
Expense funding for branch/liaison: Keep remittances within scope; avoid local borrowings; avoid mixing local sales receipts (not permitted for liaison) with remitted funds.
7) Immigration & staffing: being both fast and compliant
Work permits: Anchor each expatriate role to a specific business need; include JD, organisation chart, and localisation plan. Expect the authorities to test whether a local could fill the role over time.
Visa recommendations: Plan entry and extension cycles well in advance; keep passport, police verification, tax ID, and lease/utility proofs ready.
Ratios & localisation: Many sectors expect conservative expat-to-local ratios (often expressed as a maximum share of expats on payroll) and a transition plan to train local successors.
Payroll & personal tax: Register expats for TIN; operate withholding correctly from month one; issue salary certificates; ensure immigration and tax records match.
Contractors & agents: If you deploy third-party headcount, ensure they are lawful, paid lawfully, and not a backdoor to exceed expat limits.
8) Facility, environment, safety & labour: the inspection triangle
Land & title: Check chain of title and permitted land use before you sign; zone authorities add their own conditions.
Building approvals: Secure plan approval/occupancy certificates; keep as-built drawings on site.
Fire safety: Approval, equipment commissioning, drills calendar, maintenance logs; display evacuation plans.
Environmental clearance: Category (Green/Orange/Red), IEE/EIA where required, ECC on display; run your ETP/stack within limits; maintain lab reports and logs; prepare for surprise inspections.
Labour & OHS: Written contracts, wages/benefits, hours & overtime, leave, OHS risk assessments, PPE, machine guards, LOTO, confined space permits, first-aiders and fire wardens, grievance channels.
Registers & evidence: Visitor log, inspection log, training records, incident reports, root-cause analyses, corrective actions with due dates.
9) Trade readiness: import/export without surprises
IRC/ERC: Obtain the right type (industrial vs. commercial) and renew on time.
HS classification: Build a master at 8 digits; nothing moves until HS is confirmed—this drives permits and taxes.
Sector NOCs:
BSTI compulsory certification for many foods, electrics, construction & consumer items
BTRC type approval/NOCs for any wireless/telecom/RF hardware
DGDA for drugs/medical devices/APIs
Plant/animal quarantine for agrifood
Explosives/BAERA/DoE for hazardous/regulated items
Customs & brokers: Put SLAs into your C&F contracts (draft filing, response times, amendment windows); demurrage is usually a process failure, not a policy problem.
Bonded regime (exporters): Apply early, map input-output and wastage norms, and set up daily issue/return logs; reconcile monthly.
Banking systems: Use your AD bank’s electronic channels for import reporting and EXP issuance; diary export proceeds realisation dates and follow-up cadence.
10) Tax & VAT rhythm (because banks and buyers will look)
TIN/BIN in place before transactions start; trial-run a VAT return early to test master data and invoice hygiene.
Withholding at source: Install an AP blocking rule—no payment without the right withholding section/rate; auto-issue certificates to vendors.
Reverse charge VAT: On imported services; coordinate with FX payments and bank packs.
Quarterly tax provision: Avoid year-end scrambles; hold board certification for financials; reconcile tax/VAT to GL regularly.
Refunds/credits (VDS, import advances): Track certificates and claim windows; missing documents cost real money.
Renewals: Keep a renewal calendar for BIDA permissions, work permits, visa recommendations, and any project registration validity.
Material changes: Notify BIDA if you change registered office, project scope, key officers, shareholding/control, or project cost structure, as your approval may reference these.
Facilitation through OSS: Use the One-Stop Service channels where they work—but maintain parallel relationships with the underlying agencies; practical progress often requires direct follow-through.
Do branch/liaison offices need VAT registration (BIN)? Often a BIN is needed for invoices from counterparties and for withholding/VAT compliance even if you don’t sell goods/services. Assess your exact flows; when in doubt, register early.
Can a liaison office sign sales contracts? A liaison is fundamentally non-commercial. If you need to conclude contracts or book revenue, switch to a company or a branch with explicit approval.
Is dividend remittance pre-approved? Generally no prior approval is required if you meet banking, tax and company-law conditions. But your AD bank will only process if your evidence pack is clean and there are no regulatory flags.
Can we import capital machinery before ECC? Plan sequencing carefully. Many zones and projects expect at least environmental site clearance before major equipment moves. Don’t risk importing machinery you cannot install legally.
What’s the fastest way to get stuck? Missing NOCs (BSTI/BTRC/DGDA/SPS) on arrival; no share issuance after FDI; expired fire/ECC; a liaison doing commercial acts; and poor evidence.
18) The TRW 30-Day Diagnostic (optional but powerful)
Gap map against this playbook (BIDA, FX, immigration, facility, trade, tax/VAT)
Document health check (do you actually have the evidence?)
Priority fixes (top 10 with owners and due dates)
Regulator-ready packs (dividend, work permit, ECC renewal, export proceeds)
Board briefing (what’s red/amber/green; what could block operations or remittances)
19) Final word
BIDA approval is permission to begin, not the finish line. Foreign investors who succeed in Bangladesh do three things better than everyone else:
They sequence permits, people, capital, and trade so nothing idles at the port or in a drawer.
They document everything—so banks, buyers, and inspectors say “yes” on the first pass.
They localise—not just staff, but also the compliance rhythm: VAT close, ETP logs, fire drills, and expat renewals become habits.
Import/Export Licensing in Bangladesh: The Complete Playbook (2025, No-Links Edition)
This guide is written for founders, GMs, trade managers, in-house counsel, and finance/operations teams. It covers the full lifecycle—from getting licensed, to banking and customs, to sector permits, bonded warehousing, zones, and post-clearance audits. Keep it as your working SOP and adapt the checklists to your product lines.
Regulations, tariff rates, and circulars change. Treat any time-sensitive thresholds here as directional; confirm with your bank, customs broker (C&F), and the latest government notices when you execute.
1) The “licensing stack” (who does what)
Office of the Chief Controller of Imports & Exports (CCI&E): Issues the Import Registration Certificate (IRC) and Export Registration Certificate (ERC), plus indenting registration. New issues and renewals run through the current online licensing system (OLM).
National Board of Revenue (NBR) – Customs & VAT: Customs controls ports/airports/land borders and runs the electronic declaration system. VAT issues the 9-digit Business Identification Number (BIN) and governs import-stage VAT/SD and local VAT.
Bangladesh Bank (BB): Foreign-exchange regulator. AD banks report import transactions through the Online Import Monitoring System (OIMS) and export declarations through the Online Export Monitoring System (OEMS/EXP).
Sectoral regulators: Depending on HS code and risk, you may need clearances from BSTI (standards/compulsory certification), DGDA (drugs/medical devices), BTRC (wireless/telecom equipment), Plant Quarantine/DAE (SPS), Fisheries/Livestock, Explosives, Atomic Energy, Department of Environment (DoE), and others.
Trade & certification bodies: Export Promotion Bureau (EPB) and chambers issue certificates of origin where needed.
Zones & parks: BEPZA (EPZs), BEZA (economic zones), and BHTPA (hi-tech parks) have their own import/export permit mechanics, customs arrangements, and duty relief regimes.
2) Business prerequisites (for local and foreign-owned entities)
Incorporate (company/branch/liaison) and obtain TIN (income tax).
Obtain a 9-digit VAT BIN (mandatory for customs, banking, and invoicing).
Open accounts with an Authorized Dealer (AD) bank—your operational gateway for L/Cs, import payments, export proceeds, and OIMS/OEMS reporting.
Build an internal HS-code master at 8 digits (Bangladesh tariff). Tie each HS to: duty/SD/VAT/AIT/RD/AT, sector permits, and any bans/restrictions. Make this your single source of truth.
3) Import Registration Certificate (IRC): industrial vs. commercial
What it is: Your foundational license to import.
Industrial IRC: For manufacturers to import capital machinery and inputs (raw/packaging).
Commercial IRC: For traders importing finished goods for resale.
How to get/renew: Apply/renew online via CCI&E’s portal with: incorporation docs, TIN, BIN, trade license, bank solvency, and prescribed fees. Keep names, addresses, and activities consistent across all registrations.
Practical rules of the road
Match IRC type to the use case. Using an Industrial IRC to import retail stock (or a Commercial IRC to import duty-relieved inputs) risks reassessment and penalties.
Renew early; build a renewal calendar with reminders 60–90 days before expiry.
4) Export Registration Certificate (ERC) and export basics
ERC is the base registration for exporters (sector-specific variations exist). Apply and renew online similar to the IRC.
EXP & proceeds
Before shipment, your AD bank issues an EXP in the OEMS system for each export. Customs and banks see the same electronic record.
Repatriation timeline: Export proceeds are generally expected to be realized within a standard window (commonly cited as 120 days). Always align with your bank on the current timeline and any special relaxations.
Certificates of origin
For preference or origin-sensitive markets, obtain CO from EPB or the relevant chamber. Maintain origin documentation from suppliers to back the CO.
5) Banking & foreign exchange: OIMS (imports) and OEMS (exports)
OIMS (imports): Your AD bank records LCA/L/C details, import payments, and any refunds/adjustments.
OEMS/EXP (exports): Your AD bank issues the EXP and monitors realization.
Working practice: Assign one senior trade officer at your AD bank as your “single throat to choke.” Agree templates for refund ticketing, amendments, and overdue cases so you don’t argue process each time.
6) Customs 101 (imports): the clearance flow
Core documents
Commercial invoice, packing list, transport document (BL/AWB/TR), insurance, IRC, BIN, TIN, L/C or contract, permits/NOCs (if any), and accurate HS classification.
Duties & taxes
Bangladesh uses a multi-component structure: Customs Duty (CD), Supplementary Duty (SD) (for selected goods), VAT, Advance Income Tax (AIT) or Advance Tax (AT) at import, Regulatory Duty (RD) where applicable. Your ERP should compute Total Tax Incidence (TTI) from the HS master—not ad-hoc spreadsheets.
Electronic declaration & selectivity
Declarations are lodged electronically; Customs applies risk-based green/yellow/red channels and examination as assigned. A good compliance history, correct valuation, and clean documentation keep you in lower-risk lanes.
Post-Clearance Audit (PCA)
Customs audits importers after release. Keep your shipment packs well-indexed (invoices, contracts, permits, valuation notes, test reports) for at least the statutory retention period.
BSTI (standards/compulsory certification): Many foods, electricals, construction materials, and consumer goods need certification/marks. Plan pre-shipment testing and licensing; missing BSTI documents is a seizure-level issue.
Plant/Animal SPS (DAE/MoFL): Plant quarantine permits and phytosanitary certificates for plant products; veterinary/health certificates for animal products.
DGDA: Import licenses and product registrations for pharmaceuticals, APIs, and many medical devices.
BTRC: Type approval/NOCs for wireless/telecom/RF equipment (e.g., routers, phones, radios). Pay attention to band specs (e.g., dual-band Wi-Fi requirements) and labeling.
Explosives/Industrial gases/Chemicals: Licenses and storage approvals for explosives, oxidizers, gas cylinders, and hazardous chemicals.
Atomic Energy/BAERA: Radiation-emitting devices (e.g., X-ray, certain measuring instruments) need clearance.
Department of Environment (DoE): Environmental clearance for facilities; specific import permits for hazardous wastes and certain batteries/e-waste flows.
Used machinery, scrap, and certain risk goods often require PSI or age/economic-life certification. Bake these into your purchase contracts and LC terms; retro-fitting later is painful.
8) Bonded warehouse & duty relief (exporters)
If you export (especially RMG and other manufacturers), you may qualify for bonded warehousing to import inputs duty-free against export obligations.
Apply through the Bond Commissionerate for a bond license.
Operate with strict input-output co-relation, wastage norms, secure stores, and auditable production/issue records.
Expect bond audits. Sloppy reconciliations and “lost” inputs are the fastest path to demand notices.
Temporary import / no ATA Carnet
Bangladesh does not operate the ATA Carnet system. Temporary admission runs on national rules with bonds/guarantees and time-bound re-export. Diarize your re-export deadlines; late closure burns deposits and risks penalties.
9) Special regimes: EPZs, EZs, and Hi-Tech Parks
EPZ (BEPZA): Imports/exports are processed through zone-specific permits with customs presence at the factory gate. Duty/VAT incentives are tied to export performance and zone rules.
Economic Zones (BEZA): Separate customs procedures and online one-stop services; incentives vary by zone and business type.
Hi-Tech Parks (BHTPA): Generous exemptions on capital machinery, spares, and VAT; special rules on local sales and bonded facilities. Clarify at Day-0 where to locate your importing entity—moving in/out later is complex.
Banking: Negotiate documents under L/C or present under collection; repatriate within the standard window; consider any permitted short-term retention for payable matching (confirm current rule with your bank).
CO/Preference: Obtain the certificate/statement of origin as needed.
11) Import operations: step-by-step you can copy
Classify the product (HS 8-digit) and check:
Bans/restrictions, SRO conditions, and sectoral permits (BSTI/BTRC/DGDA/SPS/Explosives/BAERA/DoE).
Ensure registrations: IRC (right type), BIN, TIN, and AD bank set-up.
Arrange finance: L/C (most common) or permitted alternative (advance/open account) under BB rules; get LCA authorization through your bank’s OIMS flow.
Collect permits/NOCs: BSTI licenses/test reports, BTRC type approval, plant quarantine import permits, DGDA import licenses, explosives/BAERA/DoE clearances as applicable.
Ship & clear: C&F lodges the Bill of Entry; Customs assesses duties/taxes; exams as assigned; pay duty; take delivery from port/ICD.
Banking closure: Bank updates OIMS for payments/refunds; you keep SWIFTs, entry prints, and receipts in the shipment pack.
File retention: Keep the full file for PCA and bank audits.
12) Indenting agents, C&F agents, and other third parties
Indenting registration (CCI&E): Required if you act as a buying/selling agent for foreign suppliers. Keep agency agreements on file.
C&F agents: Must be licensed under customs rules. Vet them like you’d vet a finance vendor: license validity, staffing, digital readiness, service levels, integrity history.
Contract SLAs to insist on
Time limits for draft declarations, amendment windows, response to query memos, and escalation ladder. Most demurrage flows from process drift, not policy.
13) Valuation & SROs: defending your declared value
Customs valuation follows international principles, but special orders (SROs), tariff values, or minimum values may apply in certain categories. Build a price dossier for each SKU: supplier quotes, catalogues, order confirmations, incoterm breakdowns, freight/insurance proofs, and—if related parties—your transfer-pricing policy. Keep it updated; it’s your shield in a valuation query.
14) Common mistakes (and how to avoid them)
BIN/identity mismatches: Entity names, BINs, and addresses inconsistent across invoice, airway bill, and Bill of Entry—clearance stalls.
Wrong IRC type: Industrial vs. Commercial misapplied; expect reassessment.
Segregation of duties: Request/approve/receive/pay separated; spot checks on valuation and permits independent of the requestor.
19) FAQs (fast, practical answers)
Do all importers need BSTI? No. Only if your HS falls under the compulsory certification list. Map every HS to the list before you ship.
What’s the usual timeline to realize export proceeds? Commonly quoted at 120 days from shipment. Confirm the current window and any special relaxations with your AD bank.
Can we use ATA Carnet for temporary imports? No. Bangladesh doesn’t operate ATA Carnet. Use national temporary admission with customs bonds/guarantees and diarize re-export.
We’re in a BEPZA EPZ—do we still need an IRC? Zone companies follow zone-specific import/export permits and customs processes. Many still maintain IRC/ERC for flexibility, but your primary channel is the zone authority’s permit system.
How do we prevent valuation disputes? Maintain a contemporary price dossier for each SKU and ensure related-party pricing is supported by your transfer-pricing policy.
Can we import with a Commercial IRC and later convert goods for manufacturing? Not safely. Match IRC type and duty treatment to the real use; otherwise expect reassessment.
Post-clearance: lab tests (if taken), PCA correspondence, any refunds/adjustments vouchers
21) Final notes & risk radar
HS is destiny: 90% of trouble starts with sloppy classification. Get a technical classification memo for complex products.
Permits first, contracts second: Make permits/NOCs a condition precedent in the purchase order or LC.
Document once, reuse forever: Build a digital DMS with shipment packs indexed by entry/export number; PCA becomes painless.
People & partners: Your C&F agent and AD bank trade desk are as important as your internal team—treat them like core vendors with SLAs and performance reviews.
When in doubt, escalate early: Query memos, valuation doubts, or missing permits are cheaper to fix before the cargo berths.