A major financial scandal at National Development Bank PLC has triggered calls for sweeping reforms and direct regulatory intervention, as authorities grapple with the fallout from a Rs. 13.2 billion internal fraud. The crisis has not only shaken depositor confidence but also raised broader concerns about governance standards within Sri Lanka’s banking system.

The Committee on Public Finance has taken a leading role in scrutinizing the issue, highlighting serious lapses in corporate governance and delayed disclosure of critical information. During recent parliamentary proceedings, chaired by Harsha de Silva, the committee emphasized that such failures are unacceptable, particularly in institutions entrusted with public funds.

The fraud itself reveals alarming operational weaknesses. Over a period exceeding 18 months, insiders allegedly manipulated CEFT transactions particularly during less-monitored weekend windows to execute unauthorized transfers. Despite clear warning signals, including abnormal spikes in receivables, management failed to act decisively.

The financial consequences have been substantial. The bank has absorbed the full loss, leading to a projected Rs. 4 billion loss in the first quarter of 2026 and a total net impact of approximately Rs. 7 billion. Although capital buffers remain above regulatory thresholds, the incident has strained the bank’s financial position and reputation.

In response, the Central Bank of Sri Lanka is under pressure to act decisively. One proposal gaining traction is the appointment of a seasoned banking professional to take temporary control of NDB’s management. This leadership change, expected to last at least three months, would focus on stabilizing the institution and implementing urgent corrective measures.

The proposed intervention aims to reinforce internal controls, address procedural gaps, and improve transparency. Strengthening operational discipline is seen as essential to restoring depositor trust, which has been shaken by the scale and duration of the fraud.

Simultaneously, law enforcement authorities are intensifying investigations. Multiple suspects are currently in remand custody, with allegations involving cryptocurrency transactions and coordinated internal collusion. The complexity of the scheme has underscored the need for more sophisticated monitoring systems within banks.

CBSL Governor Nandalal Weerasinghe has acknowledged the seriousness of the situation, confirming that a preliminary investigation is underway. The Central Bank is expected to report back to Parliament with detailed findings and recommendations.

Analysts argue that the NDB crisis is a wake-up call for the entire financial sector. It highlights the risks of complacency in governance and the need for continuous vigilance in regulatory oversight. The incident also raises questions about the effectiveness of existing supervisory frameworks.

As Sri Lanka navigates this challenge, the focus will be on restoring confidence and preventing recurrence. The success of the proposed intervention and the broader reform agenda will be crucial in safeguarding the integrity and stability of the country’s banking system.

Sri Lanka’s tourism industry, a cornerstone of economic recovery, is under mounting pressure as global shocks test the policy framework of the National People’s Power (NPP) government led by the Janatha Vimukthi Peramuna (JVP). Since taking office in November 2024, the administration has promoted a state-guided, reform-driven tourism model. However the latest figures reveal how vulnerable the sector remains to external disruptions.

Tourist arrivals plunged 22% year-on-year in the first eight days of April, falling to 39,627 from 50,542 a year earlier. Average daily arrivals also declined sharply to 4,953, down from 6,318, reflecting the immediate impact of escalating conflict in the Middle East on global aviation routes. These disruptions have particularly affected long-haul travel to island destinations like Sri Lanka.

Despite the downturn, cumulative arrivals reached 780,261 by 8 April, marking a modest 1% year-on-year increase. This growth was driven largely by strong inflows earlier in the year, indicating that the sector had been on a recovery path before geopolitical tensions intensified.

Market composition remains heavily concentrated. India leads with 158,628 visitors’ year-to-date, followed by the UK with 82,465 and Russia with 67,982. In early April alone, the UK contributed 4,045 arrivals, Australia 3,394, China 2,643, and Russia 2,064, alongside steady inflows from Germany, France, Bangladesh, the United States, and Switzerland. This dependence on a limited number of markets continues to expose structural weaknesses.

The NPP government has attempted to address these vulnerabilities through integrated tourism development, including heritage-led projects such as the redevelopment of Galle Fort. These initiatives aim to diversify offerings and increase visitor spending by combining culture, leisure, and emerging IT-linked tourism zones.

However, the sector is simultaneously grappling with climate-related disruptions. Recent cyclonic activity in the Indian Ocean has damaged coastal infrastructure and triggered booking cancellations, particularly among small and medium enterprises reliant on beach tourism.

Critics argue that while the government’s long-term strategy is structurally sound, it lacks short-term crisis management mechanisms. Aviation disruptions and extreme weather have exposed gaps in resilience planning, while delays in implementing public-private partnerships have slowed project execution.

Looking forward, analysts stress the need for diversification beyond traditional markets, improved air connectivity, and investment in climate-resilient infrastructure. Strengthening regional tourism and digital outreach could also help offset global uncertainties.

As Sri Lanka navigates these intersecting challenges, the NPP government’s ability to align its ideological vision with practical, responsive policymaking will determine whether the tourism sector can sustain recovery or face renewed instability.

A sweeping redevelopment initiative targeting Galle Fort is positioning the historic enclave as a future hub for tourism, IT, and leisure but not without raising complex questions about heritage management and urban transformation.

Spearheaded by the Urban Development Authority, the Galle Regeneration Project seeks to repurpose key state-owned buildings through adaptive reuse. Among the most significant moves is the transfer of the High Court and Magistrate’s Court buildings into a tourism-focused development under a PPP model, following their relocation to a modern judicial complex outside the fort.

Authorities frame the initiative as a solution to longstanding urban challenges. Heavy daytime traffic caused by administrative offices and a lack of nighttime activity have undermined the fort’s potential as a dynamic tourist destination. By relocating institutional functions, planners aim to create a lively, accessible environment that attracts visitors beyond daylight hours.

The project builds on earlier conservation successes. The restoration of the Dutch Hospital into a commercial precinct demonstrated the economic viability of adaptive reuse. More recently, conservation work on the old police barracks and residence, as well as municipal buildings near the Dutch cemetery, has paved the way for similar transformations.

Five key heritage structures including the old post office and the historic Dutch Commissariat warehouse—have been prioritized for conservation under plans developed by the Galle Heritage Foundation. According to project updates, work has already begun on several of these sites, with at least one fully completed.

International backing, including World Bank-supported infrastructure improvements, adds momentum to the initiative. Upgraded walkways along the fort’s granite ramparts and enhanced monument lighting are expected to improve visitor experience and safety.

However, the redevelopment has sparked debate among conservationists and local stakeholders. Critics argue that increasing commercialization could erode the fort’s cultural significance and marginalize its residential character. There are also concerns about whether PPP-driven projects will prioritize public interest or private profit.

Despite these concerns, the government remains confident that the project will strengthen Sri Lanka’s tourism economy. With visitor numbers already exceeding 300,000 annually, officials see untapped potential in repositioning Galle Fort as a multi-functional destination blending history, leisure, and innovation.

The outcome of this initiative could set a precedent for heritage site management across the country. Whether it becomes a model of sustainable development or a cautionary example will depend on how effectively it balances preservation with progress.

Bilaal Lookman, a first-year law student of Sri Lankan origin, has been elected as a municipal councillor in France at the age of 18.

He secured a seat on the city council of Guyancourt, located on the outskirts of Paris, after contesting in the recent municipal elections—where he also cast his vote for the first time.

Born in November 2007 to a family with roots in Mannar and Jaffna, Lookman is among the youngest elected officials in France.

He developed an early interest in public affairs, gaining experience through internships in the offices of a Member of Parliament, a former Minister of Education, and the mayor of his town during his mid-teens.

Lookman has also engaged with senior political figures and diplomats, while actively participating in community service from a young age through local youth councils and volunteer work with a food-aid organisation.

The Ministry of Defence has announced the implementation of a special island-wide security programme to ensure a safe and peaceful environment during the Sinhala and Tamil New Year season.

The initiative has been launched under the direction of Defence Secretary Air Vice Marshal Sampath Thuyacontha, with the joint involvement of the Tri-Forces, Sri Lanka Police, and intelligence agencies.

According to the Ministry, the coordinated security plan will cover a range of events taking place across the country, including festivals, musical shows, and religious activities during the festive period.

A special joint operations room has also been established at Police Headquarters in Colombo, staffed by Tri-Forces officers. The centre is tasked with enhancing coordination among security agencies, improving information sharing, and ensuring rapid response to any emergency or security situation.

Members of the public can reach the operations room via the following contact details:
Telephone: 011-2013051 / 011-2027148 / 011-2027149 / 011-2430912
Email: [email protected]

The Ministry of Defence has urged the public to cooperate with security forces and law enforcement authorities to help maintain a safe and secure environment for all during the New Year celebrations.

The Central Bank of Sri Lanka (CBSL) has assured the public that National Development Bank PLC (NDB) remains financially stable, following the recent disclosure of an internal fraud incident.

In a statement issued on Friday, the CBSL said it has been closely monitoring the situation and confirmed that NDB continues to maintain capital and liquidity levels well above the minimum regulatory requirements.

The Central Bank emphasised that the incident has had no impact on customer accounts or deposits, which remain safe and secure.

CBSL further noted that it is maintaining continuous engagement with the bank and other relevant stakeholders to assess developments.

The regulator also affirmed its readiness to take any necessary measures to safeguard the stability of the bank and protect the interests of depositors.

Showers or thundershowers will occur at several places in Western, Sabaragamuwa, North-western, Southern and Uva provinces and in Anuradhapura, Mannar, Kandy and Nuwara-Eliya districts after 2.00 p.m.

Mainly dry weather will prevail over the other parts of the island.

Misty conditions can be expected at some places in Central, Sabaragamuwa and Uva provinces during the early hours of the morning.

The general public is kindly requested to take adequate precautions to minimize damages caused by temporary localized strong winds and lightning during thundershowers.

On the apparent northward relative motion of the sun, it is going to be directly over the latitudes of Sri Lanka during 05th to 15th of April in this year. The nearest areas of Sri Lanka over which the sun is overhead today (11th) are Pomparippu, Anuradhapura, Mihinthale, Galenbindunuwewa, Agbopura and Serunuwara about 12:11 noon.

Artemis II’s four astronauts made a dramatic return to Earth on Friday, splashing down in the Pacific Ocean and marking the end of humanity’s first crewed lunar mission in more than 50 years.

Commander Reid Wiseman, pilot Victor Glover, mission specialists Christina Koch and Canada’s Jeremy Hansen reentered Earth’s atmosphere aboard the Orion capsule Integrity at speeds of up to Mach 33. The high-speed descent, reminiscent of NASA’s Apollo era, tested the spacecraft’s heat shield as temperatures soared during reentry and communications temporarily blacked out.

Mission Control closely monitored the tense six-minute blackout period before parachutes deployed successfully, slowing the capsule to a safe splashdown speed. Recovery teams aboard the USS John P. Murtha were on standby off the coast of San Diego. Officials confirmed a “perfect bull’s-eye splashdown,” signaling a successful conclusion to the mission.

Launched on April 1, Artemis II did not land on the moon but achieved several historic milestones. The crew traveled farther from Earth than any humans before, surpassing the Apollo 13 record by reaching a distance of over 252,000 miles. During the flyby, the astronauts captured unprecedented views of the moon’s far side and witnessed a total solar eclipse, describing the experience as unforgettable.

The mission also echoed iconic moments from past lunar expeditions, including imagery similar to the famous “Earthrise” photograph taken during Apollo 8. The crew’s journey drew global attention and praise from world leaders and public figures.

Despite minor technical issues involving onboard systems, the astronauts completed the nearly 10-day mission successfully. Artemis II serves as a critical test flight for NASA’s broader Artemis program, which aims to establish a sustained human presence on the moon.

Future missions are already in planning, with Artemis III expected to test docking procedures in Earth’s orbit and Artemis IV targeting a crewed lunar landing near the moon’s south pole later this decade.

By : Nalinda Indatissa (President’s Counsel)

The rapid digitalisation of banking has fundamentally transformed the manner in which financial institutions operate, while simultaneously exposing them to sophisticated forms of internal and external fraud. Among these, internal IT fraud—perpetrated by employees within the bank’s own technological infrastructure—presents a particularly serious legal and regulatory challenge. Such fraud is often facilitated by privileged system access, technical knowledge, and the ability to circumvent internal controls.

In this context, the question of liability assumes critical importance, especially in determining whether the bank, as an institution, bears responsibility for the acts of its employees. The resolution of this issue depends not only on traditional legal doctrines such as vicarious liability and contractual obligations, but also on a detailed examination of the bank’s internal governance systems, supervisory mechanisms, and the degree of diligence exercised in preventing and detecting such misconduct, as measured against binding regulatory standards.

Vicarious Liability

The foundational principle governing institutional responsibility in cases of internal fraud is that of vicarious liability. Under this doctrine, an employer is held liable for wrongful acts committed by its employees in the course of their employment. In the banking context, where IT personnel are entrusted with access to critical systems, any misuse of such authority—even for fraudulent purposes—may fall within the scope of employment if it is sufficiently connected to the functions assigned to the employee. Courts are generally inclined to hold that where the employment relationship has materially enabled the commission of the fraud, the bank cannot disclaim responsibility merely on the basis that the act was unauthorized or criminal in nature.

Non-Delegable Duty of Care

Banks owe a high and non-delegable duty of care to their customers to ensure the safety of funds and the integrity of transactional systems. This duty arises from both the fiduciary nature of the banker–customer relationship and the inherent risks associated with financial intermediation. Consequently, a bank cannot evade liability by attributing wrongdoing solely to rogue employees. The obligation to maintain secure systems, enforce controls, and ensure proper supervision remains with the institution at all times.

Contractual Liability

The relationship between a bank and its customer is fundamentally contractual. One of the core obligations of the bank is to honour only those transactions that are properly authorized by the customer. Where internal IT fraud results in unauthorized debits or transfers, the bank is prima facie in breach of contract. The burden then shifts to the bank to demonstrate that it exercised due care and that the loss did not arise from any deficiency in its systems, supervision, or internal controls.

Assessment of Institutional Diligence

The determination of whether a bank has acted diligently is central to the allocation of liability. Courts apply an objective standard, often described as the “reasonable bank” test, assessing whether the institution has acted in accordance with the practices expected of a prudent and well-regulated bank. In the contemporary regulatory environment, this assessment is no longer confined to general industry practice but is increasingly anchored in compliance with binding regulatory directions, particularly those governing technology risk management and resilience.

Regulatory Benchmark for Diligence

In Sri Lanka, Banking Act Directions No. 16 of 2021 (as amended by Directions No. 5 of 2023) establishes a comprehensive and legally binding framework for technology risk management. These Directions require licensed banks to implement structured governance, risk assessment, and control mechanisms in respect of all technology-driven operations. Accordingly, the concept of a “reasonable bank” must be understood in light of these mandatory standards. A failure to comply with such Directions—whether by omission of required processes or inadequate implementation—may constitute direct evidence of a lack of institutional diligence.

Supervisory Framework and Board Oversight

The Directions expressly impose ultimate responsibility for technology risk management on the board of directors. The board is required to define the bank’s IT strategy, ensure the establishment of effective governance structures, and oversee the implementation of risk management frameworks. This includes ensuring that adequate supervisory mechanisms exist at all operational levels, supported by escalation protocols for reporting irregularities. The absence of active and informed board oversight is therefore not merely a governance lapse but a breach of regulatory obligation.

Risk Assessment and Internal Capital Adequacy
The regulatory framework mandates that technology risk be integrated into the Internal Capital Adequacy Assessment Process (ICAAP), ensuring that banks maintain sufficient capital to absorb potential losses arising from technology-related incidents. In addition, banks are required to conduct periodic Risk and Control Self-Assessments (RCSA) in respect of technology-driven products and services. A failure to conduct such assessments, or to act upon their findings, may indicate that foreseeable risks were neither identified nor mitigated.

Segregation of Duties, Authorization and Supervision Levels

One of the most critical safeguards against internal fraud is the strict segregation of duties. A prudent bank must ensure that the functions of system development, system administration, transaction initiation, authorization, and review are separated among different individuals or departments. Multi-level authorization protocols must be implemented, particularly for high-value or sensitive transactions. Equally important is the separation between those who execute transactions and those who supervise or audit them. Any concentration of power in a single individual or unit is likely to be viewed as a serious lapse in internal control and inconsistent with regulatory expectations.

Access Control and Periodic Review

The Directions impose specific obligations in relation to user access management. Banks are required to conduct periodic reviews of access privileges, including quarterly reviews for critical systems and regular reviews for non-critical systems. Administrative privileges must be strictly controlled, and all access must be subject to logging and independent review. A failure to implement or document such reviews may be treated as clear evidence of deficient control systems.

Documentation and Record-Keeping

A well-governed bank must maintain comprehensive and contemporaneous documentation of its IT governance and operational activities. This includes IT policies, standard operating procedures, access logs, audit trails, system change records, incident reports, and minutes of meetings of relevant committees. Documentation serves not only operational purposes but also evidentiary functions in legal proceedings. The inability to produce records demonstrating compliance with regulatory requirements may give rise to an adverse inference against the bank.

Monitoring, Reporting and Incident Escalation
The regulatory framework requires banks to establish structured monitoring and reporting mechanisms. Suspicious activities, system anomalies, and control breaches must be promptly identified and escalated. Importantly, cybersecurity incidents and technology-related breaches must be reported to the supervisory authorities in accordance with prescribed timelines, including reporting to the Bank Supervision Department under applicable circulars. Failure to comply with such reporting obligations may aggravate liability and suggest an attempt to conceal or downplay systemic weaknesses.

Whistleblowing and Internal Reporting Mechanisms

A robust whistleblowing framework is an essential component of effective governance. Employees must be provided with secure and confidential channels to report suspected misconduct. The effectiveness of such mechanisms is relevant to the assessment of whether the institution fostered a culture of accountability and transparency. The absence of such systems, or their ineffective implementation, may be viewed as contributing to the persistence of internal fraud.
Internal Audit and Independent Review
The Directions require that the internal audit function independently assess the effectiveness of technology risk management on a regular basis, including annual reviews of compliance. Audit findings must be reported to the board and acted upon without delay. A failure to implement audit recommendations or to address identified vulnerabilities is often treated as compelling evidence of negligence.

Third-Party Risk Management
Banks are also required to manage risks associated with outsourced technology services. This includes ensuring that third-party service providers adhere to equivalent standards of security and control. Liability cannot be avoided by outsourcing critical functions; the bank remains ultimately responsible for risks arising from such arrangements.
Liability of the Board of Directors
In addition to institutional liability, the conduct of the board of directors is subject to heightened scrutiny in light of express regulatory obligations. The Directions clearly place ultimate responsibility for technology risk management on the board, thereby imposing a positive duty to ensure compliance with all prescribed requirements, including RCSA processes, access reviews, incident reporting, and audit oversight. Directors are required to exercise informed judgment, actively engage with risk issues, and ensure that adequate systems of control are in place and functioning effectively. A failure to do so—whether through inaction, lack of inquiry, or disregard of known risks—may constitute a breach of fiduciary duty. In appropriate cases, such failures may expose directors to regulatory sanctions, personal liability, or disqualification, particularly where their conduct has materially contributed to the occurrence or continuation of fraud.
Post-Incident Conduct and Remedial Action
The conduct of the bank after the discovery of fraud is also relevant. A diligent institution is expected to act swiftly to contain the incident, secure systems, preserve evidence, notify regulators, and mitigate customer loss. Prompt corrective action and transparency may mitigate liability, whereas delay or concealment may aggravate it.
Conclusion
In cases of internal IT fraud, liability will ordinarily attach to the bank due to the combined operation of vicarious liability, contractual obligations, and the non-delegable duty of care owed to customers. However, the determination of liability is now firmly grounded in compliance with binding regulatory standards, particularly those contained in Banking Act Directions No. 16 of 2021 (as amended). These Directions provide a clear and objective benchmark for assessing institutional diligence. Where a bank fails to implement the required governance structures, risk assessments, access controls, reporting mechanisms, and audit processes, the resulting fraud is likely to be viewed not merely as the act of rogue employees, but as the consequence of systemic and regulatory failure. In such circumstances, liability may extend beyond the institution to its governing body, reinforcing the central role of the board in ensuring technological integrity and accountability.