- Calls for mandatory cybersecurity standards to be enforced
- Reports highlight finger-pointing between Treasury, CBSL
- Lack of competency of PDMO/ERD staff, poor transition management cited
- Report finds cybersecurity lapses at Treasury
- Recommends NAO conduct audit of foreign debt payment process
The Committee on Public Finance (COPF) has concluded that the Central Bank of Sri Lanka (CBSL) cannot completely absolve itself of responsibility for the $ 2.5 million cyber fraud that disrupted the Government’s foreign debt repayment process, despite legal arguments that primary responsibility rested with the Ministry of Finance and the Public Debt Management Office (PDMO).
In its investigative report tabled in Parliament on Friday (10), the committee found that the fraud was the result of governance, procedural, and operational failures across multiple institutions rather than an isolated cyberattack.
While acknowledging the Attorney General’s legal interpretation that responsibility shifted to the PDMO after debt management functions were transferred, the COPF concluded that serious shortcomings within both the Ministry of Finance and the CBSL enabled the fraud to succeed.
The report examined the theft of $ 2.5 million in public funds that occurred between November 2025 and January 2026, when Sri Lanka was completing the final stages of its external debt restructuring programme.
A significant portion of the report focuses on the disagreement between the Ministry of Finance and the CBSL over who should bear responsibility for the incident.
Ministry officials argued that the CBSL, as the Government’s banker, should have exercised greater vigilance over Anti-Money Laundering (AML) concerns and questioned suspicious payment instructions before processing them. They also maintained that the staff of the newly-established PDMO lacked sufficient experience and relied heavily on the Central Bank during the institutional transition.
The CBSL rejected those claims, stating that the fraud originated from payment instructions generated through a compromised Ministry of Finance email system. According to the CBSL, its responsibility was limited to executing authorised payment instructions submitted by the ministry, while verifying payment details remained the responsibility of ministry officials.
Although the Attorney General’s interpretation largely supported the Central Bank’s legal position, the COPF concluded that the dispute itself exposed significant weaknesses in governance and institutional accountability.
The committee noted that while legal responsibility may currently rest with the PDMO following the transfer of debt management functions, policy reforms were required to clearly define the CBSL’s future responsibilities when acting as banker to the Government.
Accordingly, the COPF has recommended amendments to the Financial Transactions Reporting Act (FTRA), stating that the current legal framework leaves ambiguity regarding the CBSL’s obligations in relation to suspicious transactions involving Government payments.
The report also questioned earlier assurances jointly given by the Secretary to the Treasury and the CBSL Governor that coordination mechanisms between the institutions were adequate. The COPF found that there was considerable room for improvement, particularly during the transition of debt management responsibilities.
According to the committee, the fraud occurred during a complex institutional transition following the enactment of the Public Debt Management Act No.33 of 2024.
The legislation transferred debt management functions from the CBSL’s Public Debt Department and the ministry’s External Resources Department (ERD) to the newly-established PDMO.
However, the COPF found that the 18-month transition lacked basic governance safeguards. There were no formal terms of reference governing the transfer, no measurable Key Performance Indicators (KPIs) to assess whether officers had received adequate training, and no Memorandum of Understanding defining the responsibilities of the CBSL and the PDMO until 9 March 2026 – months after the fraud had already taken place.
The committee concluded that a properly negotiated agreement before the transition would likely have clarified institutional responsibilities and prevented the subsequent dispute over accountability.
The report also identifies serious cybersecurity weaknesses within the Ministry of Finance. Unlike most departments, which operated on a centralised IT platform, the ERD maintained its own separate email infrastructure using Microsoft Exchange Server 2016.
Among the committee’s findings was that major foreign debt repayments were historically authorised by a single director without independent review by more senior officials. Officials also failed to perform basic verification by checking lender invoices against signed loan agreements before approving payments.
The committee further found that during the transition period, ERD officers failed to copy their PDMO counterparts on official correspondence, creating information gaps that were exploited by the fraudsters.
In addition, the CBSL’s Finance Department had flagged one payment to a United Arab Emirates account in November 2025 as a potential AML concern. The COPF found that the warning had not been adequately escalated or acted upon by senior ministry officials.
The committee concluded that while cybercriminals had executed the fraud, institutional failures across multiple agencies made the theft possible.
It has been recommended that the National Audit Office (NAO) conduct a special audit of the entire foreign debt repayment process to establish an independent account of procedural failures across both the Ministry of Finance and the CBSL.
The COPF has also called for an immediate revision of the Government’s Financial Regulations, which have remained largely unchanged since 1992, mandatory implementation of Sri Lanka Computer Emergency Readiness Team cybersecurity standards across the public sector, the creation of a secure database containing verified lender information to eliminate reliance on email instructions, and the introduction of a comprehensive whistleblower protection policy for the public service.
