By Robin Hood
The NDB Bank fraud was the largest banking fraud in the country and when the numbers finally stopped moving, the damage was not 380 million rupees. It was not even close. The true figure, once the general ledger had been properly excavated, stood at 13.2 billion rupees, roughly 44 million US dollars drained through what investigators now describe as a sustained, systematic manipulation of bank accounts.
Many people are in custody. But a few people did not create the conditions for this. Institutions did.
The first question belongs to the Board. In January, an internal probe was triggered by a multi million rupee irregularity. That probe, by any reasonable standard of governance, should have been the ignition point for a total systems audit. It was not.
Instead, what followed appears to have been a narrow, contained review, the kind of investigation designed to answer the question already asked, rather than the questions not yet imagined.
Months later, the initial public estimate of the damage came in at 380 million rupees. The actual figure was thirty-five times larger. That gap is not a rounding error. It is a diagnostic failure. It tells us that the Board either lacked the technical literacy to interrogate their own risk infrastructure, or chose not to. A board that cannot read the room when multi million rupees goes missing is a board operating on institutional faith rather than financial vigilance.
Then there is the four-eyes principle, the elementary two-person authorization requirement that governs high-value transactions in every credibly run financial institution. A junior manager-level employee reportedly bypassed this control repeatedly, at scale, over time. The principle did not fail. The culture around it did.
Rules without enforcement culture are decorations. The Board approved the framework. The Board is responsible for whether it breathed.
EY audited the books. The 2025 year-end audit, by all available accounts, did not flag the general ledger discrepancies that sit at the center of this case. This demands scrutiny that goes beyond disappointment. External auditors are not merely contract reviewers. They carry a public assurance function. When they sign off on a financial institution’s controls, depositors and counterparties rely on that signature.
The central question here is not whether EY followed its own sampling methodology. The question is whether that methodology was calibrated for comfort or for risk. Materiality thresholds, the levels below which individual entries are considered immaterial and therefore unreviewed, can, if set too generously, allow dozens of fraudulent entries to aggregate quietly into a catastrophic sum. The auditor’s relationship with the institution, particularly its tenure, warrants examination. Familiarity is the enemy of skepticism.
The Central Bank of Sri Lanka sits at the apex of this accountability architecture, and its position is the most difficult to defend. Banks report to the Bank Supervision Department regularly and in granular detail. Inter-bank settlement patterns, capital adequacy ratios, and liquidity movements all flow through that department. If a senior banker was being questioned internally in January and rumors were in circulation, the CBSL’s supervisory intelligence network should have registered pressure long before April.
Instead, the regulatory response came after the capital was already impaired, dividend suspensions and expansion halts imposed as stabilisation measures rather than preventative ones. Liquidity support extended after the damage is not oversight. It is consequence management. The distinction matters enormously.
A few individuals are in custody. That is where the legal process begins, and it should continue. But criminal accountability for the actors cannot substitute for institutional accountability for the architecture. A mid-level manager who moves 13.2 billion rupees without triggering a kill-switch is not a mastermind operating against an otherwise sound system. He is a symptom of one that was never truly sound. The board authorised the systems. The auditors declared them safe. The regulator watched from a distance.
The vault was open. The question Sri Lanka must now answer honestly is who was supposed to be watching it.