A high-value foreign payment made by the State should not depend only on paperwork moving through several desks. It should depend on whether the instruction is genuine, whether the beneficiary is verified, whether any change in payment details is independently confirmed, and whether the system is capable of detecting fraud before public money leaves the country.
Those questions have now moved to the centre of Sri Lanka’s public finance debate after the alleged diversion of $2.5 million from a Treasury-linked overseas payment. The incident, which involved funds intended for a foreign debt repayment to Australia, has raised fresh concerns over the controls applied to high-value Government foreign payments, particularly where payment instructions are transmitted, changed, verified, and approved.
The Treasury case has also come at a time when the Committee on Public Finance (COPF) has questioned the Central Bank of Sri Lanka (CBSL) over the financial fraud reported at NDB Bank. Although the two matters are different in nature, one involving a Government foreign payment and the other an internal bank fraud, both have directed attention to the same question: whether Sri Lanka’s financial control systems are detecting operational and fraud risks early enough.
Treasury responsibility chain questioned
Former Finance Minister and MP Ravi Karunanayake, speaking to The Sunday Morning, said the Treasury payment matter should not be treated as a routine administrative failure without first establishing where the payment control chain broke down.
“It is absolutely an error, collusion, or a hack,” Karunanayake said.
He said the explanation that a payment was made according to the instruction received did not sufficiently address the issue, particularly in relation to the institutional responsibilities that existed during the transition of payment functions.
Referring to the CBSL Governor’s statement that “what is given is what is paid,” Karunanayake said: “That is fallacious because up to 31 December, the onus of payment was in the hands of the Central Bank.”
He said the payment process had to be examined against the division of responsibilities between the Treasury and the CBSL, including the period during which systems and responsibilities were being migrated. According to him, the important issue is not merely who processed the payment, but who was required to verify the payment instruction and beneficiary details before the transaction was completed.
“The issue is where the payment instruction originated, who verified it, and who was responsible at that point. That is where the grey area exists,” Karunanayake said.
The Treasury-linked payment incident became public after the Finance Ministry confirmed that cyber criminals had diverted funds linked to a foreign currency transaction.
Verification before payment
The Treasury case has raised a direct operational question of what minimum safeguards should apply before the State makes any high-value overseas payment.
Cybersecurity expert Asela Waidyalankara told The Sunday Morning the answer should not be limited to callback verification or multi-person approval, although such controls were necessary. He said the system should address the full chain of risk, from email security and access control to staff awareness and independent governance.
“I think it goes a little beyond callback verification and all of that,” Waidyalankara said. “Email-wise, it can be strengthened. The email server itself can be strengthened. Then we have what is called privileged access management, which is basically checking who has access.”
He said business email compromise, spoofing, and phishing attacks were now sophisticated enough to bypass weak manual processes. For institutions handling large payments, this means the control framework should include secure email systems, tools to detect impersonation, restricted access to sensitive payment functions, and proper monitoring of users with privileged access.
“To prevent email spoofing from happening, there are certain tools, software as well as hardware, that can be installed,” he said.
According to Waidyalankara, the State should treat phishing simulation and cybersecurity training as mandatory for officials handling high-value payments.
“Investing money in phishing simulation and phishing training is a must going forward,” he said. “Anyone handling high-value payments should go through phishing simulation and should pass. If they do not pass, that should be flagged.”
His position is that fraud control cannot depend only on seniority or long experience. Staff who handle large transactions must be tested against the type of fraud attempts they are likely to face, particularly when payments are made based on email communication, external instructions, or documents received from third parties.
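The controls Waidyalankara describes in this section, authenticated email, impersonation detection and independent confirmation of any change in payment details, can be expressed as a triage step that runs before an emailed instruction reaches a payment officer. The following is an added example, not code from the article or from any Sri Lankan institution. The creditor domain registry, the Authentication-Results header values and both sample messages are constructed for the example; the DMARC threshold, the lookalike-domain distance of two edits and the change-request phrases are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed registry of creditor domains that the institution has verified out-of-band.
VERIFIED_CREDITOR_DOMAINS = {"debt-office.example", "lender-bank.example"}

# Phrases that signal an attempt to change where the money goes (assumed list).
CHANGE_PATTERNS = re.compile(
    r"(new|updated|changed?)\s+(bank|account|beneficiary|iban|swift|payment)\s+(details?|number|instructions?)",
    re.IGNORECASE,
)


@dataclass
class Assessment:
    sender_domain: str
    findings: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Any single finding is enough to hold the instruction for human verification.
        return "HOLD" if self.findings else "PROCEED_TO_VERIFICATION"


def parse_auth_results(msg: Message) -> dict[str, str]:
    """Read spf/dkim/dmarc outcomes from the receiving server's Authentication-Results
    header. A missing header leaves every result as 'none', which is treated as a failure."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = msg.get("Authentication-Results", "")
    for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE):
        results[method.lower()] = outcome.lower()
    return results


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From or Reply-To header, lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains such as a zero for an 'o'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_instruction_email(raw: str) -> Assessment:
    """Triage an inbound payment instruction email and list every reason to hold it."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From"))
    a = Assessment(sender_domain=sender)
    # 1. Is the sender a verified creditor, or a lookalike of one?
    if sender not in VERIFIED_CREDITOR_DOMAINS:
        close = [d for d in VERIFIED_CREDITOR_DOMAINS if levenshtein(sender, d) <= 2]
        if close:
            a.findings.append(f"sender domain looks like verified domain {close[0]}")
        else:
            a.findings.append("sender domain is not a verified creditor")
    # 2. Did the message actually authenticate as coming from that domain?
    auth = parse_auth_results(msg)
    if auth["dmarc"] != "pass":
        a.findings.append(f"DMARC result is {auth['dmarc']}, not pass")
    # 3. A Reply-To pointing elsewhere redirects the conversation away from the real creditor.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != sender:
        a.findings.append(f"Reply-To domain {reply_domain} differs from sender")
    # 4. Any change to payment details needs independent callback confirmation, never email alone.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if CHANGE_PATTERNS.search(body):
        a.findings.append("requests change of payment details: independent callback required")
    return a


# Constructed sample messages (not real correspondence).
GENUINE = """From: Debt Office <settlements@debt-office.example>
Authentication-Results: mx.treasury.example; spf=pass smtp.mailfrom=debt-office.example; dkim=pass header.d=debt-office.example; dmarc=pass header.from=debt-office.example
Subject: Instalment due 30 June

Please settle the instalment to the account on file.
"""

SUSPICIOUS = """From: Debt Office <settlements@debt-0ffice.example>
Reply-To: settlements@mail-relay.example
Authentication-Results: mx.treasury.example; spf=softfail; dkim=none; dmarc=fail header.from=debt-0ffice.example
Subject: Updated bank details for instalment

Our updated bank details are attached; please remit to the new account.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("suspicious", SUSPICIOUS)):
        result = assess_instruction_email(raw)
        print(label, result.verdict, result.findings)
```

The triage never approves a payment; it only decides whether an instruction may enter the normal verification chain or must be held. That matches the point made above that technology controls sit in front of, not instead of, the manual callback and approval steps.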
Manual controls have limits
Waidyalankara said every overseas payment by the Treasury should require a strict verification chain, especially when creditor details or payment instructions change. However, he cautioned that manual verification alone may not be enough.
“That should be the norm,” he said. “But phishing scams are becoming more sophisticated. So there is a layer of technology control that we also need to be cognisant of. Manual verifications can go only so far.”
The concern is heightened because Government payment systems often rely on several approval stages, and a long approval process does not always mean a secure one. If each official only checks whether the previous step has been completed, a false instruction can move through the chain without being independently challenged.
Waidyalankara said Sri Lanka should also avoid converting long manual procedures into equally long digital procedures without redesigning the process.
“We have a very convoluted manual process. Let us say this is a 17-step process. Do we need all 17 steps if we are going to digitise that? I do not think so,” he said. “Maybe it is very routine and designed for a manual process. But if you are having something digital, maybe you need only three. Then you need to relook at that and probably re-engineer your entire process around that.”
He said the issue pointed to a gap in the way institutions understood digital transformation. “That is probably a gap in understanding, in my opinion,” he said.
External checks and standards
Waidyalankara said divisions that handle high-value foreign payments should be governed through a recognised information security framework. He cited ISO 27001 as one possible standard because it covers technology, people, and process controls.
“The best governance mechanism is having something similar to ISO 27001 within at least the division that handles these high-value payments,” he said. “There are technology controls, process controls, and people controls that need to happen and continuously get updated.”
He said such a system should not be left only to internal self-assessment. In his view, external auditors, technology partners, consulting firms, or specialist vendors should be involved in testing and improving the system.
“Self-regulation is fine, but after a while, if no one is pushing and prodding you, chances are you will lull into complacency once again and miss the plot,” he said. “I do not think you want that happening, especially when high-value transactions are concerned.”
He also identified multi-factor authentication, zero-trust architecture, least-privilege access, and privileged access management as controls that should be considered for sensitive payment environments.
“These cannot happen just by the officials themselves,” he said. “They must have some sort of partnerships with outside vendors, technology partners, audit firms, or consulting firms, to make sure everything is up to specification.”
NDB case adds pressure on oversight
While the Treasury case concerns a State foreign payment, the NDB matter has placed the banking sector’s internal controls and regulatory oversight under scrutiny.
The matter was taken up by the COPF at a meeting chaired by MP Dr. Harsha de Silva. Central Bank officials informed the committee that the fraud had contributed to a decline in NDB’s share price and credit ratings. COPF members questioned how the bank’s internal Audit Committee, external auditors, Board Audit Committee, and the CBSL’s Bank Supervision Department had failed to detect the irregularities.
According to the Parliament Secretariat statement, CBSL officials had told the COPF that no unusual activity had been flagged during the period in which the alleged fraudulent transactions had taken place. The COPF had also raised concerns over audit committee members who had served during the fraud period continuing in their roles while investigations were being carried out.
The committee had further discussed outdated banking security standards and the need for minimum technology and regulatory standards across banks. Central Bank officials had informed the COPF that discussions were underway to introduce new regulations to improve fraud management systems in banks.
Former Deputy Governor of the CBSL Dr. W.A. Wijewardena told The Sunday Morning that he would avoid commenting directly on the NDB case because the matter was before the Colombo Commercial Court.
“Many people say that there had been a failure by the Board of Directors. But because it is now before the Colombo Commercial Court, if we express any opinion on that, it may be considered sub judice,” he said.
He added that information on alleged failures could instead be obtained from the court filings, including the derivative action filed by M. Thyagaraja.
Training gap identified
Dr. Wijewardena said the issue still supported a review of financial control systems, especially in relation to the training of regulators and compliance officers.
“There is a necessity to train the people within the Central Bank and also train compliance officers in banks,” he said. “Those are the measures that should be taken to avoid repetition of these incidents by other banks also.”
Internal controls can fail at the institutional level, but the regulatory system is expected to identify weaknesses before they result in large losses. If supervisors and compliance officers are not trained to detect new forms of fraud, oversight may remain dependent on reports submitted after the event.
In the banking sector, the COPF’s concerns have focused on why several layers of oversight did not identify the alleged irregularities earlier. In the Treasury case, the concern is whether payment instructions involving public funds were checked against a sufficiently strong verification system.
The two cases therefore raise separate but related questions. In government, the question is whether foreign payment instructions are independently verified before execution. In banks, the question is whether internal audit, external audit, board oversight, and regulatory supervision can identify fraud risk before it becomes a major loss.
Reputation risk after international coverage
Waidyalankara said the Treasury incident also carried reputational consequences because the matter had been reported internationally.
“Every finance minister in the world reads Bloomberg. Every hedge fund manager in the world reads Bloomberg. Anyone who is remotely interested in buying a Sri Lankan bond would be reading Bloomberg,” he said. “The reputational damage here is what we need to rectify.”
He said the response should not be limited to purchasing one new system or adding one more approval stage. “It is not one measure. It is not just buying one piece of technology. It is a series of steps along the lines of people, process, and technology that can really ramp up ability and ensure that reputation remains intact.”
Karunanayake also said the Treasury incident and the NDB fraud strengthened the case for a review of Sri Lanka’s financial control systems, both within Government and regulated banks.
Review of payment controls
The immediate issue for the Treasury is whether Sri Lanka has a mandatory protocol for high-value foreign payments.
Such a protocol would have to specify who verifies beneficiary details, how changes to payment instructions are confirmed, whether independent callback verification is required, how access to payment systems is controlled, and what happens when an instruction is received through a potentially compromised channel.
A proper protocol would also require a verified beneficiary database, secure communication channels, clear escalation rules, multi-person approval for sensitive changes, and technology controls to detect suspicious activity. It would have to apply not only at the final payment stage, but at the point where instructions are first received and entered into the system.
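The protocol outlined in the two paragraphs above (a verified beneficiary register, confirmation of changed details, independent callback, channel control and multi-person approval) can be written down as a small control workflow so that each rule is explicit and testable. The following is an added example, not code from the article or from the Treasury or CBSL. The beneficiary register entry, the trusted-channel list, the dual-approval threshold, the officer names and the contact number are all constructed placeholders; the rule that a callback must use the number held on the register rather than one supplied in the instruction is a design choice of this example, though it is the standard practitioner precaution against business email compromise.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed verified beneficiary register: details and callback contact confirmed at onboarding.
VERIFIED_BENEFICIARIES = {
    "AU-DEBT-01": {
        "bank": "LENDER BANK",
        "account": "123456789",
        "swift": "LENDAU2X",
        "contact": "+00-000-000-0000",  # placeholder callback number held on the register
    },
}
TRUSTED_CHANNELS = {"secure-portal", "swift-message"}  # email is deliberately not a trusted channel
DUAL_APPROVAL_THRESHOLD_USD = 100_000  # assumed threshold for this example


@dataclass
class Instruction:
    ref: str
    beneficiary_id: str
    bank: str
    account: str
    swift: str
    amount_usd: float
    channel: str
    submitted_by: str


@dataclass
class CaseFile:
    instruction: Instruction
    required: set[str]                                   # controls that must be satisfied before release
    callbacks: set[str] = field(default_factory=set)     # officers who confirmed by independent callback
    approvals: set[str] = field(default_factory=set)     # distinct approving officers
    rejected: Optional[str] = None


class PaymentControl:
    def __init__(self) -> None:
        self.cases: dict[str, CaseFile] = {}

    def submit(self, ins: Instruction) -> CaseFile:
        """Decide which controls apply at the point the instruction is first received."""
        required: set[str] = set()
        rejected = None
        known = VERIFIED_BENEFICIARIES.get(ins.beneficiary_id)
        if known is None:
            rejected = "beneficiary not in verified register; onboard before paying"
        elif (ins.bank, ins.account, ins.swift) != (known["bank"], known["account"], known["swift"]):
            # Changed details are the classic diversion pattern: never act on the instruction alone.
            required |= {"callback", "dual-approval"}
        if ins.channel not in TRUSTED_CHANNELS:
            required.add("callback")          # instruction arrived over a channel that can be spoofed
        if ins.amount_usd >= DUAL_APPROVAL_THRESHOLD_USD:
            required.add("dual-approval")
        case = CaseFile(ins, required, rejected=rejected)
        self.cases[ins.ref] = case
        return case

    def record_callback(self, ref: str, officer: str, number_used: str) -> None:
        """Log an independent callback; it must use the register's number, not one in the email."""
        case = self.cases[ref]
        if officer == case.instruction.submitted_by:
            raise ValueError("callback must be done by someone other than the submitter")
        expected = VERIFIED_BENEFICIARIES[case.instruction.beneficiary_id]["contact"]
        if number_used != expected:
            raise ValueError("callback must use the contact number on the verified register")
        case.callbacks.add(officer)

    def record_approval(self, ref: str, officer: str) -> None:
        case = self.cases[ref]
        if officer == case.instruction.submitted_by:
            raise ValueError("submitter cannot approve their own instruction")
        case.approvals.add(officer)

    def release(self, ref: str) -> tuple[bool, str]:
        """Final gate: only releases when every required control has been satisfied."""
        case = self.cases[ref]
        if case.rejected:
            return False, case.rejected
        if "callback" in case.required and not case.callbacks:
            return False, "independent callback confirmation outstanding"
        if "dual-approval" in case.required and len(case.approvals) < 2:
            return False, f"dual approval outstanding ({len(case.approvals)}/2)"
        if not case.approvals:
            return False, "at least one approval required"
        return True, "released"


# Constructed scenario: an emailed instruction quoting a different account for a known creditor.
CHANGED_DETAILS = Instruction("TRX-1", "AU-DEBT-01", "LENDER BANK", "987654321", "LENDAU2X",
                              2_500_000, "email", "officer_a")
ROUTINE = Instruction("TRX-2", "AU-DEBT-01", "LENDER BANK", "123456789", "LENDAU2X",
                      50_000, "secure-portal", "officer_a")
UNKNOWN = Instruction("TRX-3", "ZZ-NEW-99", "SOME BANK", "1", "SOMEXXXX", 10, "secure-portal", "officer_a")

if __name__ == "__main__":
    pc = PaymentControl()
    pc.submit(CHANGED_DETAILS)
    print(pc.release("TRX-1"))       # held: callback outstanding
    pc.record_callback("TRX-1", "officer_b", "+00-000-000-0000")
    pc.record_approval("TRX-1", "officer_b")
    pc.record_approval("TRX-1", "officer_c")
    print(pc.release("TRX-1"))       # released only after callback and two approvals
```

Note that the changed account number in the instruction is never written back to the register by this workflow; updating the register is a separate onboarding action, which keeps the payment path from silently accepting whatever details the latest message contained.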