Liability of Banks for Internal IT Fraud and the Determination of Institutional Diligence



By: Nalinda Indatissa (President's Counsel)

The rapid digitalisation of banking has fundamentally transformed the manner in which financial institutions operate, while simultaneously exposing them to sophisticated forms of internal and external fraud. Among these, internal IT fraud—perpetrated by employees within the bank’s own technological infrastructure—presents a particularly serious legal and regulatory challenge. Such fraud is often facilitated by privileged system access, technical knowledge, and the ability to circumvent internal controls.

In this context, the question of liability assumes critical importance, especially in determining whether the bank, as an institution, bears responsibility for the acts of its employees. The resolution of this issue depends not only on traditional legal doctrines such as vicarious liability and contractual obligations, but also on a detailed examination of the bank’s internal governance systems, supervisory mechanisms, and the degree of diligence exercised in preventing and detecting such misconduct, as measured against binding regulatory standards.

Vicarious Liability

The foundational principle governing institutional responsibility in cases of internal fraud is that of vicarious liability. Under this doctrine, an employer is held liable for wrongful acts committed by its employees in the course of their employment. In the banking context, where IT personnel are entrusted with access to critical systems, any misuse of such authority—even for fraudulent purposes—may fall within the scope of employment if it is sufficiently connected to the functions assigned to the employee. Courts are generally inclined to hold that where the employment relationship has materially enabled the commission of the fraud, the bank cannot disclaim responsibility merely on the basis that the act was unauthorized or criminal in nature.

Non-Delegable Duty of Care

Banks owe a high and non-delegable duty of care to their customers to ensure the safety of funds and the integrity of transactional systems. This duty arises from both the fiduciary nature of the banker–customer relationship and the inherent risks associated with financial intermediation. Consequently, a bank cannot evade liability by attributing wrongdoing solely to rogue employees. The obligation to maintain secure systems, enforce controls, and ensure proper supervision remains with the institution at all times.


Contractual Liability

The relationship between a bank and its customer is fundamentally contractual. One of the core obligations of the bank is to honour only those transactions that are properly authorized by the customer. Where internal IT fraud results in unauthorized debits or transfers, the bank is prima facie in breach of contract. The burden then shifts to the bank to demonstrate that it exercised due care and that the loss did not arise from any deficiency in its systems, supervision, or internal controls.


Assessment of Institutional Diligence

The determination of whether a bank has acted diligently is central to the allocation of liability. Courts apply an objective standard, often described as the “reasonable bank” test, assessing whether the institution has acted in accordance with the practices expected of a prudent and well-regulated bank. In the contemporary regulatory environment, this assessment is no longer confined to general industry practice but is increasingly anchored in compliance with binding regulatory directions, particularly those governing technology risk management and resilience.


Regulatory Benchmark for Diligence

In Sri Lanka, Banking Act Directions No. 16 of 2021 (as amended by Directions No. 5 of 2023) establishes a comprehensive and legally binding framework for technology risk management. These Directions require licensed banks to implement structured governance, risk assessment, and control mechanisms in respect of all technology-driven operations. Accordingly, the concept of a “reasonable bank” must be understood in light of these mandatory standards. A failure to comply with such Directions—whether by omission of required processes or inadequate implementation—may constitute direct evidence of a lack of institutional diligence.


Supervisory Framework and Board Oversight

The Directions expressly impose ultimate responsibility for technology risk management on the board of directors. The board is required to define the bank’s IT strategy, ensure the establishment of effective governance structures, and oversee the implementation of risk management frameworks. This includes ensuring that adequate supervisory mechanisms exist at all operational levels, supported by escalation protocols for reporting irregularities. The absence of active and informed board oversight is therefore not merely a governance lapse but a breach of regulatory obligation.


Risk Assessment and Internal Capital Adequacy

The regulatory framework mandates that technology risk be integrated into the Internal Capital Adequacy Assessment Process (ICAAP), ensuring that banks maintain sufficient capital to absorb potential losses arising from technology-related incidents. In addition, banks are required to conduct periodic Risk and Control Self-Assessments (RCSA) in respect of technology-driven products and services. A failure to conduct such assessments, or to act upon their findings, may indicate that foreseeable risks were neither identified nor mitigated.


Segregation of Duties, Authorization and Supervision Levels

One of the most critical safeguards against internal fraud is the strict segregation of duties. A prudent bank must ensure that the functions of system development, system administration, transaction initiation, authorization, and review are separated among different individuals or departments. Multi-level authorization protocols must be implemented, particularly for high-value or sensitive transactions. Equally important is the separation between those who execute transactions and those who supervise or audit them. Any concentration of power in a single individual or unit is likely to be viewed as a serious lapse in internal control and inconsistent with regulatory expectations.


Access Control and Periodic Review

The Directions impose specific obligations in relation to user access management. Banks are required to conduct periodic reviews of access privileges, including quarterly reviews for critical systems and regular reviews for non-critical systems. Administrative privileges must be strictly controlled, and all access must be subject to logging and independent review. A failure to implement or document such reviews may be treated as clear evidence of deficient control systems.
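As an added illustration (not part of the article, and not the text of the Directions), the separation of functions described under Segregation of Duties and the review cadence described in this section can be turned into checks run over an entitlement extract, the kind of evidence a bank would want to produce when its diligence is questioned. The role names, the conflict pairs, the 365-day window for non-critical systems and the sample users are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample entitlement extract: one row per user per system.
# Role names are assumptions modelled on the functions the article says
# must be separated (development, administration, initiation,
# authorization, review).
USERS = [
    {"user": "alice", "system": "core_banking", "critical": True,
     "roles": {"sysadmin", "txn_authorize"}, "last_review": date(2024, 1, 10)},
    {"user": "bob", "system": "core_banking", "critical": True,
     "roles": {"txn_initiate"}, "last_review": date(2024, 5, 2)},
    {"user": "carol", "system": "hr_portal", "critical": False,
     "roles": {"sysadmin"}, "last_review": date(2023, 9, 1)},
]

# Toxic combinations: no single individual may hold both roles of a pair.
# Constructed from the article's description, not the Directions' own list.
SOD_CONFLICTS = [
    ("system_dev", "sysadmin"),
    ("sysadmin", "txn_authorize"),
    ("txn_initiate", "txn_authorize"),
    ("txn_initiate", "review"),
    ("txn_authorize", "review"),
]

# Maximum age of the last access review. Quarterly for critical systems is
# taken from the article; 365 days for non-critical systems is an assumption
# standing in for the article's "regular reviews".
REVIEW_WINDOW = {True: timedelta(days=90), False: timedelta(days=365)}


def sod_violations(users):
    """Return (user, system, (role_a, role_b)) for each conflicting pair held."""
    found = []
    for u in users:
        for a, b in SOD_CONFLICTS:
            if a in u["roles"] and b in u["roles"]:
                found.append((u["user"], u["system"], (a, b)))
    return found


def overdue_reviews(users, today):
    """Return (user, system, days_since_review) where the review is overdue."""
    found = []
    for u in users:
        age = today - u["last_review"]
        if age > REVIEW_WINDOW[u["critical"]]:
            found.append((u["user"], u["system"], age.days))
    return found


if __name__ == "__main__":
    as_of = date(2024, 6, 1)  # constructed reporting date
    print("SoD violations:", sod_violations(USERS))
    print("Overdue reviews:", overdue_reviews(USERS, as_of))
```

Either list being non-empty on a real extract is the kind of finding the article says a court may treat as evidence of deficient control systems, so both should be retained with the extract date as part of the bank's records.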


Documentation and Record-Keeping

A well-governed bank must maintain comprehensive and contemporaneous documentation of its IT governance and operational activities. This includes IT policies, standard operating procedures, access logs, audit trails, system change records, incident reports, and minutes of meetings of relevant committees. Documentation serves not only operational purposes but also evidentiary functions in legal proceedings. The inability to produce records demonstrating compliance with regulatory requirements may give rise to an adverse inference against the bank.


Monitoring, Reporting and Incident Escalation

The regulatory framework requires banks to establish structured monitoring and reporting mechanisms. Suspicious activities, system anomalies, and control breaches must be promptly identified and escalated. Importantly, cybersecurity incidents and technology-related breaches must be reported to the supervisory authorities in accordance with prescribed timelines, including reporting to the Bank Supervision Department under applicable circulars. Failure to comply with such reporting obligations may aggravate liability and suggest an attempt to conceal or downplay systemic weaknesses.


Whistleblowing and Internal Reporting Mechanisms

A robust whistleblowing framework is an essential component of effective governance. Employees must be provided with secure and confidential channels to report suspected misconduct. The effectiveness of such mechanisms is relevant to the assessment of whether the institution fostered a culture of accountability and transparency. The absence of such systems, or their ineffective implementation, may be viewed as contributing to the persistence of internal fraud.

Internal Audit and Independent Review

The Directions require that the internal audit function independently assess the effectiveness of technology risk management on a regular basis, including annual reviews of compliance. Audit findings must be reported to the board and acted upon without delay. A failure to implement audit recommendations or to address identified vulnerabilities is often treated as compelling evidence of negligence.


Third-Party Risk Management

Banks are also required to manage risks associated with outsourced technology services. This includes ensuring that third-party service providers adhere to equivalent standards of security and control. Liability cannot be avoided by outsourcing critical functions; the bank remains ultimately responsible for risks arising from such arrangements.

Liability of the Board of Directors

In addition to institutional liability, the conduct of the board of directors is subject to heightened scrutiny in light of express regulatory obligations. The Directions clearly place ultimate responsibility for technology risk management on the board, thereby imposing a positive duty to ensure compliance with all prescribed requirements, including RCSA processes, access reviews, incident reporting, and audit oversight. Directors are required to exercise informed judgment, actively engage with risk issues, and ensure that adequate systems of control are in place and functioning effectively. A failure to do so—whether through inaction, lack of inquiry, or disregard of known risks—may constitute a breach of fiduciary duty. In appropriate cases, such failures may expose directors to regulatory sanctions, personal liability, or disqualification, particularly where their conduct has materially contributed to the occurrence or continuation of fraud.

Post-Incident Conduct and Remedial Action

The conduct of the bank after the discovery of fraud is also relevant. A diligent institution is expected to act swiftly to contain the incident, secure systems, preserve evidence, notify regulators, and mitigate customer loss. Prompt corrective action and transparency may mitigate liability, whereas delay or concealment may aggravate it.

Conclusion

In cases of internal IT fraud, liability will ordinarily attach to the bank due to the combined operation of vicarious liability, contractual obligations, and the non-delegable duty of care owed to customers. However, the determination of liability is now firmly grounded in compliance with binding regulatory standards, particularly those contained in Banking Act Directions No. 16 of 2021 (as amended). These Directions provide a clear and objective benchmark for assessing institutional diligence. Where a bank fails to implement the required governance structures, risk assessments, access controls, reporting mechanisms, and audit processes, the resulting fraud is likely to be viewed not merely as the act of rogue employees, but as the consequence of systemic and regulatory failure. In such circumstances, liability may extend beyond the institution to its governing body, reinforcing the central role of the board in ensuring technological integrity and accountability.