By: Staff Writer
May 15, Colombo (LNW): Facing intensifying criticism over the Treasury’s $2.5 million digital payment scandal, Central Bank Governor Dr. Nandalal Weerasinghe this week sought to distance the Central Bank of Sri Lanka from direct responsibility for the controversial phishing attack that targeted Government debt servicing payments.
The Governor’s explanation came months after the fraudulent transfers first surfaced and after multiple investigations were launched involving the Criminal Investigation Department (CID), financial intelligence authorities, Parliament’s Committee on Public Finance (CoPF), and even Australian investigators connected to the overseas transactions.
Addressing the issue during the release of the CBSL Economic Review 2026, Weerasinghe argued that the Central Bank merely functioned as the Government’s banker and was obligated to execute authorised payment instructions received from State institutions.
“The CBSL is the bank of the Government, just as it is the bank of banks,” he said, comparing the arrangement to a commercial bank carrying out customer instructions. According to the Governor, once valid payment directions are received, the institution’s role is to process the transfer and debit the account accordingly.
The fraudulent transactions reportedly involved ten separate payment tranches linked to external debt servicing handled through the Treasury’s External Resources Department (ERD). Questions emerged after investigators discovered that spoofed payment instructions had allegedly been processed despite internal warnings and procedural concerns.
The Governor stressed that operational responsibilities surrounding debt management had changed significantly in recent years following institutional restructuring tied to Sri Lanka’s debt reform program. Functions previously managed by the Central Bank’s Public Debt Department were transferred to the Public Debt Management Office (PDMO) under the Finance Ministry.
According to Weerasinghe, the phishing incident occurred during this transition period, suggesting the restructuring may have altered established back-office procedures and accountability structures.
“This was the period that some decisions happened,” he remarked, while declining to provide detailed explanations because investigations remain active.
However, critics argue the Governor’s defence raises as many questions as answers. Financial analysts and opposition lawmakers have pointed out that the payments involved sovereign debt obligations and highly sensitive international transfers, making the apparent failure to identify suspicious instructions particularly alarming.
The incident has also renewed concerns about cyber-security vulnerabilities within Sri Lanka’s public financial infrastructure at a time when the Government is heavily reliant on external debt restructuring and international lender confidence.
Although Weerasinghe insisted the scam posed no broader threat to financial system stability, pressure continues to build over whether stronger verification mechanisms should have existed before millions of dollars were released overseas.
The Governor repeatedly emphasized that law enforcement authorities, including the CID and international agencies, were now investigating the matter. However his carefully worded explanation appeared aimed at reinforcing one central argument that responsibility for originating and verifying payment instructions rests primarily with Government institutions, not the Central Bank acting as payment executor.
Still, the Treasury phishing attack has become one of the most politically sensitive financial scandals in recent years, exposing weaknesses not only in cyber-security controls but also in the chain of accountability governing Sri Lanka’s public finance operations.