CBSL and Finance Ministry Strengthening Systems to Prevent Repeat of USD 2.5M Fraud, Says Governor

The Central Bank of Sri Lanka (CBSL) and the Ministry of Finance are working closely to strengthen systems and prevent a recurrence of the alleged fraudulent transfer of USD 2.5 million belonging to the Finance Ministry, CBSL Governor Dr. Nandalal Weerasinghe said.

Speaking at a media briefing at the Central Bank on Wednesday, Dr. Weerasinghe said both institutions are reviewing existing procedures and using their expertise to introduce safeguards against similar incidents.

Responding to questions from journalists, the Governor stated the Central Bank does not bear direct responsibility for altering or verifying payment instructions issued by account holders. When a payment instruction is issued, the CBSL’s responsibility is limited to processing the transaction once the account details and payment mechanisms are correctly verified.

Dr. Weerasinghe added that banks do not have the authority to change customer instructions and that confirmation of receipt after a transfer is generally handled by the receiving institution. He noted statements relating to the transaction in question would have been received by the relevant institution in Australia.

Expanding on the institutional division of labour, the Governor told a public lecture following the Annual Economic Review 2025 that primary responsibility for recipient details lies with the External Resources Department (ERD) and the newly established Public Debt Management Office (PDMO) under the Ministry of Finance. Following the enactment of the Public Debt Management Act, No. 33 of 2024, operational responsibilities for public debt payments migrated from the Central Bank’s Public Debt Department to the PDMO, with the function fully moving to the new office on January 1. The clarification followed concerns raised by digital content creator Bruno Diwakara, who questioned the ERD’s use of an obsolete 2016 Exchange Server as recently as 2020.

The remarks are the Governor’s first detailed public statement on systemic prevention measures since the Treasury cyber fraud was disclosed. The fraud involved a hacker-intercepted email that misdirected a sovereign debt repayment intended for the Australian Export Finance Agency.

The incident has triggered parliamentary debate, a probe by the Committee on Public Finance, and demands by opposition parties for a separate Sectoral Oversight Committee inquiry.