Why the deadline matters for an integration today
HSBC announced in July 2025 that it would wind down its retail and International Wealth and Premier Banking business in Bangladesh, phased over roughly six to eight months. The customer-facing piece — HSBC Bangladesh's Personal Internet Banking (PIB), which the mobile app rides on — switches off on 4 December 2025. Corporate and Institutional Banking is staying.
That fixes the shape of any integration we take on for this app. The interesting work now is not building a long-running daily feed; it is a clean, signed-off bulk extraction before the cutoff, plus a hand-off archive that survives after PIB goes dark. Anything we ship targets that constraint first.
What sits behind the PIB login
The app describes itself in plain functional terms — accounts at a glance, transfers, bill pay, device management — and PIB on the web carries the heavier surfaces (eStatement archive, RTGS, interbank). For an integrator the interesting domains line up like this:
| Data domain | Where it lives in the app or PIB | Granularity | What an integrator does with it |
|---|---|---|---|
| Account balances and summary | "View your accounts at a glance" home tile | Per-account, current | Daily snapshot for a treasury feed; alert on low balance ahead of cutoff |
| eStatement archive | PIB eStatement inbox (per the bank's own description, twelve issues are retained) | Monthly PDF per account | One-shot bulk download, hash check, ledger build for migration to the next bank |
| Transfer history | "Transfer funds" history view | Per-transaction, timestamped | Reconcile against an external GL or ERP |
| BEFTN and RTGS confirmations | Inter-bank fund transfer and RTGS flows | Per-transfer with settlement stamp | Treasury confirmation pass; match against beneficiary statements |
| Bill-payment records | PIB Pay Bills history | Per-bill, biller-coded | Vendor reconciliation and utility ledger |
| Device and security log | "Manage devices and security settings" | Device list, last-used time | Audit trail for the compliance file |
Routes we'd actually weigh up
1. User-consented PIB extraction with hard-token / PIN auth
The most direct path during the wind-down. The customer signs into PIB the way they always have — 6-digit PIN plus the HSBC hard-token security device, or the biometrics path on the app — and the integration runs alongside that session, with consent and scope documented. We treat this as the spine for any pre-cutoff build because it does not depend on any new agreement with HSBC during a wind-down.
2. Authorized interface integration / protocol analysis
For the mobile app surfaces specifically (balances tile, in-app transfer history, device list), we capture and document the request and token chain the app uses against the bank's backend, then reproduce the calls server-side. This is the route that survives front-end version bumps during the wind-down, where small UI changes are common as HSBC trims features.
3. Native PDF export as a working fallback
PIB already produces signed monthly eStatement PDFs. Treated as a first-class delivery (not a fallback to a fallback), this gets a customer a clean, regulator-friendly archive of the closing twelve months without depending on any other surface staying up.
For a build commissioned today, what works in practice is to lead with the consented PIB extraction, lean on the eStatement PDFs for the closing-record handover, and only add the protocol-analysis layer when a customer specifically wants the daily-balance tile or the device log alongside the statements. We say this in the call rather than as a rule.
An eStatement pull, sketched
Illustrative shape only; the exact paths, parameter names and the OTP step are confirmed during the build against a consenting account. The point is to show the moving parts an integrator should expect.
# pip install requests
import requests, hashlib
from pathlib import Path
# 1. Authenticated PIB session
# Carries the 6-digit PIN plus the HSBC hard-token OTP the app uses today
sess = requests.Session()
sess.post(
"https://www.pib.hsbc.com.bd/auth/login",
data={"customer_id": CID, "pin": PIN, "otp": TOKEN_OTP},
).raise_for_status()
# 2. eStatement inbox — twelve issues per account, per HSBC's own description
inbox = sess.get(
"https://www.pib.hsbc.com.bd/api/estatements",
params={"account": ACCOUNT, "from": "2024-12", "to": "2025-12"},
).json()
# inbox: [{"month": "2025-11", "doc_id": "...", "ccy": "BDT", "sha256": "..."}, ...]
# 3. Bulk download before the 4 December 2025 PIB switch-off
out = Path("hsbc-bd-archive"); out.mkdir(exist_ok=True)
for s in inbox:
pdf = sess.get(
f"https://www.pib.hsbc.com.bd/estatements/{s['doc_id']}"
).content
assert hashlib.sha256(pdf).hexdigest() == s["sha256"], s["month"]
(out / f"hsbc-bd-{ACCOUNT}-{s['month']}.pdf").write_bytes(pdf)
The same session is used to walk the RTGS confirmation list. Above BDT 1,00,000 each leg carries a settlement timestamp that we lift into the normalized ledger as the match key, instead of trusting the BEFTN posting day.
What lands in your repo at the end
For an HSBC Bangladesh build, the delivery is shaped by the deadline rather than by the long tail. A typical package is:
- An OpenAPI 3.1 description of the endpoints we end up using against PIB — auth, inbox listing, statement download, balance, transfer history, RTGS confirmation, bill-pay history — written from the live traffic, not from a template.
- Runnable Python source (sync and asyncio variants) that performs the consented login, walks the inbox, hashes and writes the twelve monthly PDFs, and builds a per-account ledger CSV from the transaction pages inside each statement.
- A protocol and auth-flow report covering the PIN plus hard-token chain, OTP handling, and the session lifetime the app currently uses — so your team can re-run or audit the pull without us.
- A pytest suite with VCR cassettes recorded against a consenting account, plus golden files for the ledger CSV so future schema drift is caught loudly.
- A short interface document that pairs each PIB surface we touched with a screenshot, a request/response example, and the field-level provenance for the ledger columns.
- A compliance and data-retention note specifying what we logged, what we stored, and how long we held the consenting credentials in scope.
Three integration shapes we see for this app
Pre-cutoff archive. A one-shot pull of the eStatement set, transfer history and RTGS confirmations, hashed and handed over as a closed, regulator-friendly archive. Commissioned by customers who want a clean record of their HSBC relationship before they move on.
Migration assist. The same data, transformed into the import shape of a successor bank — most often a Standard Chartered, Brac Bank or City Bank account, or for SMEs a continuation onto HSBC's Corporate and Institutional rails. We normalize biller codes and counterparty names so the receiving bank's app does not see twelve months of "unknown payee".
Treasury reconciliation snapshot. For a business that ran its receipts through HSBC Bangladesh PIB, a settlement-confirmed view of every RTGS leg above BDT 1,00,000 across the wind-down window, ready to drop into a SAP, Oracle or Xero feed.
Things we plan around on this build
- The December 2025 PIB switch-off as a hard schedule. We size the engagement so the bulk pull, the integrity check, and the customer's sign-off all complete before the cutoff, and we treat anything after as a read-only archive job. No silent post-cutoff scrape attempts.
- Front-end churn during a wind-down. Banks trim features as they close a franchise, so we bake a smoke run into each authenticated session — a small check against a consenting account that fails loudly when an endpoint shape changes — and we hold a short bench window after delivery to absorb the late-stage breakages that arrive in the last weeks of PIB.
- The 25 February 2025 BD-RTGS upgrade. The newer customer-credit-confirmation event changes which timestamp is authoritative for above-floor transfers; we lift that confirmation into the ledger as the match key, instead of relying on next-business-day BEFTN posting.
- Hard-token plus 6-digit PIN auth. The session model is short-lived and OTP-bound, so the pull is structured as one or two long authenticated runs rather than many small jobs — and we hold the consenting credentials only while the active extraction needs them.
Consent under the Bangladesh framework
Bangladesh does not run a PSD2-style open-banking statute. Bangladesh Bank's role on the data side is the BD-RTGS Rules and the BEFTN regime — settlement and payment-systems law, not consumer data-portability law. Some local banks have voluntarily opened APIs (UCB launched its open API banking service in 2022, reported as the country's first), but HSBC Bangladesh is not part of that group, and during a retail wind-down it would not be the moment to pursue a new arrangement either.
So the dependable basis for this integration is the customer's own authorization over their PIB session, with a written consent letter that scopes which accounts, which date ranges, and which surfaces are in play; a logged extraction trail; and a data-minimization rule that drops the credentials and the session state as soon as the pull is complete. Where the customer is a business, we add an NDA on top. None of this is a precondition the reader has to clear before we will start — onboarding and the consent paperwork are arranged with you during the kick-off, and the build runs against a consenting account from there.
Sources and review notes
The wind-down date, the retail-only scope and the corporate-banking carve-out are taken from HSBC's announcement coverage and the Daily Star follow-up. The PIB surfaces — twelve eStatement issues, BEFTN, RTGS, bills — are described as in the bank's own PIB pages. RTGS limits and the February 2025 upgrade come from Bangladesh Bank's BD-RTGS rules. Bangladesh's open-banking posture is checked against the Open Banking Tracker country page.
Other banking and MFS apps in the same picture
Bangladesh's account-data picture is dominated by three mobile-financial-service apps and a long tail of bank companion apps. Useful neighbours to know when a unified integration spans more than HSBC's footprint:
- bKash — the dominant MFS app, around 39.9% of the local MFS market per industry reporting; consented account access exposes wallet balance, transaction history and merchant payouts.
- Nagad — Bangladesh Post Office-backed MFS at roughly 18.1% share; per-user wallet history and cash-in/cash-out events.
- Rocket — DBBL's mobile financial service, around 11.7% share; account balance and transfer history, much of it a legacy base used for salary disbursement.
- Nexus Pay — Dutch-Bangla Bank's card-and-account companion, separate from Rocket.
- Astha — Brac Bank's retail mobile banking, statements and transfers behind a similar PIN-plus-OTP login.
- SC Mobile Bangladesh — Standard Chartered's retail app, the closest direct neighbour to HSBC PIB on data shape; many ex-HSBC retail customers are migrating onto it.
- EBL Skybanking — Eastern Bank's retail app with full accounts and card servicing.
- Citytouch — City Bank's retail app; balances, transfers and credit-card statement view.
- MTB Smart Banking — Mutual Trust Bank's app; accounts, transfers and BEFTN.
- Dhaka Bank Go — accounts and bill-pay on Dhaka Bank's retail rails.
The MFS share figures above are as carried in recent Bangladesh trade press and are reported, not measured here.
Questions buyers usually ask first
Will an integration still work after PIB shuts down on 4 December 2025?
For the existing Personal Internet Banking surfaces, no — once HSBC switches PIB off the consumer-side endpoints we extract from disappear with it. What survives is the data we have already captured: signed eStatement PDFs, a normalized transaction ledger, and the RTGS/BEFTN confirmation set, stored on your side. We size the build around finishing the bulk pull before the cutoff and handing you a closed archive.
Can historic eStatements still be retrieved during the wind-down period?
Yes, while the account is still active. The PIB eStatement inbox holds the most recent twelve issues per account in PDF; we download all of them in one authenticated pass, verify the file hashes against the listing, and write a per-account ledger from the transaction pages inside each statement so nothing is left only inside the PDF.
How does the 2025 RTGS upgrade change a reconciliation build?
Bangladesh Bank's BD-RTGS refresh on 25 February 2025 added customer credit confirmation and is moving toward 24x7 settlement. For an HSBC Bangladesh integration that means RTGS legs above the BDT 1,00,000 floor get a finer settlement timestamp and an explicit confirmation event, which we use as the authoritative match key instead of relying on next-day BEFTN posting.
Is HSBC Bangladesh covered by a national open-banking scheme?
Bangladesh does not have a PSD2-equivalent open-banking statute. Bangladesh Bank publishes the BD-RTGS and BEFTN payment-systems rules, and a handful of local banks have voluntarily exposed APIs (UCB launched its open API banking platform in 2022). HSBC Bangladesh's retail integration sits on consented customer access, not on a national AIS framework.
App profile
HSBC Bangladesh, package bd.hsbc.hsbcbangladesh, is the retail mobile companion for HSBC's Personal Internet Banking customers in Bangladesh, distributed on Google Play and the App Store. As the bank describes it, the app supports hard-token provisioning, 6-digit PIN or biometric login, account-summary view, fund transfers to HSBC and other banks, device-and-security management, and an online customer-service request flow. Sign-in uses the customer's existing PIB credentials; new registration is handled on www.hsbc.com.bd. HSBC announced in July 2025 that its retail and International Wealth and Premier Banking business in Bangladesh would wind down in phases; HSBC's own customer messaging puts the PIB switch-off on 4 December 2025. HSBC's Corporate and Institutional Banking activity in Bangladesh continues.
If you need this pulled before the PIB switch-off, the practical path is a single source-code delivery: we write the OpenAPI description, the runnable Python pull-script and the test fixtures against a consenting account, run the bulk extraction, and bill from $300 once you have signed off on the delivery — typical cycle is one to two weeks. The pay-per-call alternative is the hosted version of the same work: call our endpoints, pay only for the calls you make, no upfront fee. Either way, the right next step is the contact form at /contact.html with the account scope and the deadline you are working to.