Tuesday, 19 May 2026 00:20

The recent alleged Rs. 13.2 billion fraud linked to National Development Bank PLC should not be viewed merely as an isolated institutional incident. It should instead be recognised as a critical warning signal for Sri Lanka’s entire financial governance ecosystem. Large-scale financial frauds rarely occur due to a single operational lapse or a single dishonest individual. They emerge gradually when multiple layers of governance, oversight, risk intelligence, technological surveillance, and institutional accountability weaken simultaneously. The key question before Sri Lanka today is not merely how this incident occurred, but how similar crises can be strategically prevented in the future.
Governance must move beyond formal compliance
Sri Lanka now requires a comprehensive and integrated national fraud prevention strategy framework built upon governance, financial intelligence, Artificial Intelligence, regulatory coordination, and real-time technological surveillance, as presented by the author in Figure 1. Many institutions assume governance exists simply because committees, policies, and reporting structures are formally in place. However, governance is not about documentation alone; it is about active oversight, strategic vigilance, and accountability. Boards of financial institutions must strengthen the effectiveness and independence of Audit Committees, Integrated Risk Management Committees (IRMC), and Related Party Transaction Review Committees (RPTC). Governance discussions should not become ceremonial exercises limited to routine reporting. Boards must continuously question abnormal transaction patterns, unusual concentrations of approvals, rapid portfolio expansions, override activities, and operational dependence on key individuals. Strong governance begins when difficult questions are raised before crises emerge.
The expanding role of the Financial Intelligence Unit
An important strategic dimension highlighted in recent public discussions is the growing role of Sri Lanka’s Financial Intelligence Unit in strengthening national financial surveillance systems. In today’s highly digitised financial environment, fraud prevention cannot rely solely on manual reviews, periodic audits, or traditional compliance approaches. Suspicious transactions, unusual fund movements, money laundering risks, and behavioural irregularities require real-time intelligence capabilities supported by advanced technological infrastructure. Recent discussions regarding collaboration with international technology partners to strengthen monitoring systems for high-value transactions demonstrate the strategic direction Sri Lanka must pursue.
Towards an AI-driven national financial intelligence architecture
Sri Lanka already possesses a significant digital payment infrastructure through LankaPay and the CEFTS (Common Electronic Fund Transfer Switch) ecosystem, operating under the regulatory oversight of the Central Bank of Sri Lanka. The next strategic step should therefore be the gradual development of an integrated AI-driven national financial intelligence architecture connecting the Financial Intelligence Unit, LankaPay infrastructure, CEFTS transaction networks, banks and finance companies, digital payment systems, and regulatory platforms through real-time intelligence integration.
Using Artificial Intelligence, Machine Learning, predictive analytics, behavioural analytics, anomaly detection, and network intelligence systems, Sri Lanka can significantly strengthen its fraud-detection and financial-surveillance capabilities. Such systems can automatically identify suspicious transaction patterns, rapid fund movements, abnormal behavioural activity, layered transactions, circular fund transfers, related-party exposure risks, mule accounts, digital fraud attempts, and emerging systemic vulnerabilities in real time.
Regulatory-driven technological standardisation
Another critical area requiring urgent attention is the role of core banking system providers and financial technology vendors supporting Sri Lanka’s banking and financial services industry. Modern financial institutions operate heavily through integrated technological ecosystems, including core banking platforms, digital payment systems, AML monitoring tools, impairment modelling systems, cybersecurity infrastructure, and transaction surveillance technologies.
However, one of the major challenges faced by many financial institutions, particularly smaller banks and finance companies, is the high cost of developing or integrating advanced AI-driven fraud detection and risk intelligence capabilities into their systems. In many cases, core banking system providers charge substantial implementation and customisation costs when institutions independently request sophisticated monitoring, anomaly detection, behavioural analytics, or impairment automation.
This creates uneven technological capabilities across the financial sector, with larger institutions able to afford advanced systems while smaller institutions continue to rely on manual processes and spreadsheet-based controls. Recent supervisory observations have highlighted that certain institutions still perform impairment model calculations manually, while regulators encourage greater automation and system-driven controls.
In this context, the Central Bank of Sri Lanka can play a transformative strategic role by introducing minimum mandatory technological governance standards applicable to core banking system providers and regulated financial institutions. Instead of individual institutions separately negotiating expensive integrations, CBSL could require approved core banking and financial technology vendors to incorporate AI-driven fraud detection systems, anomaly-monitoring tools, impairment-automation capabilities, AML-intelligence frameworks, and behavioural analytics modules into minimum regulatory technology architecture standards.
Such an approach would create economies of scale, reduce industry-wide implementation costs, strengthen standardisation, and significantly improve sector-wide financial resilience. More importantly, it would help Sri Lanka gradually transition from fragmented, reactive risk-management practices to a unified, intelligent, and technology-driven financial-governance ecosystem.
In the future, core banking systems should no longer serve merely as transaction-processing platforms. They should evolve into intelligent financial risk-management and fraud-prevention systems capable of continuously identifying emerging vulnerabilities before they escalate into systemic crises.
Role of the Board of Directors
The Board of Directors is the highest governance authority within a financial institution and therefore bears ultimate responsibility for institutional integrity, effective governance, and risk oversight. Fraud prevention should not be viewed merely as an operational or compliance function, but as a strategic board-level responsibility. Boards must ensure that institutions maintain strong governance cultures, independent oversight mechanisms, effective whistleblowing structures, and technology-enabled risk management systems. Directors should continuously question abnormal transaction trends, override approvals, unusual concentration risks, rapid growth patterns, and operational dependencies on key individuals. Most major financial scandals globally were not caused solely by the absence of policies, but by boards’ failure to identify and challenge emerging warning signals in time.
Role of the Integrated Risk Management Committee (IRMC)
The Integrated Risk Management Committee (IRMC) plays a central role in identifying, monitoring, and escalating enterprise-wide risks across the institution. In the modern financial environment, the IRMC should move beyond traditional credit and market risk discussions toward integrated fraud intelligence and predictive risk surveillance. The committee should regularly review fraud risk indicators, cyber threats, AML exposures, suspicious transaction trends, operational vulnerabilities, related-party exposures, system override patterns, and anomaly-detection reports generated by AI-driven systems. The IRMC must also ensure that risk management frameworks remain aligned with evolving technological and regulatory risks while maintaining close coordination with compliance, cybersecurity, and operational risk functions.
Role of Internal Audit
Internal audit serves as the institution’s independent assurance mechanism and represents the third line of defence within governance structures. However, modern internal audit functions should move beyond traditional checklist-based compliance reviews toward continuous and technology-enabled risk auditing. Internal auditors should increasingly utilise data analytics, forensic auditing techniques, AI-supported anomaly testing, system access reviews, behavioural monitoring, and real-time transaction analysis. Importantly, internal audit independence must remain protected from management influence and operational pressure. Where internal audit functions become weak, compromised, or under-resourced, institutional vulnerabilities increase significantly.
Role of External Auditors
External auditors also play a critical role in preserving public trust and strengthening confidence in the financial system. In today’s increasingly digitised environment, external audits should extend beyond traditional financial verification to deeper, fraud-sensitive, risk-oriented approaches. Auditors should pay closer attention to unusual transaction flows, overridden approvals, rapid balance-sheet movements, related-party exposures, control weaknesses, and system-generated anomalies. Professional scepticism, forensic awareness, technological understanding, and data-driven auditing approaches are becoming increasingly important components of audit quality in the modern financial sector.
Role of technology providers and core banking system vendors
Modern financial institutions operate heavily through integrated technological ecosystems, including core banking platforms, digital payment systems, AML monitoring tools, impairment modelling systems, cybersecurity infrastructure, and transaction surveillance technologies. Consequently, technology providers and core financial system vendors have become critical stakeholders in financial stability and fraud prevention. If technological systems have weak controls, inadequate monitoring, override vulnerabilities, poor audit trails, or delayed anomaly-detection mechanisms, institutional fraud risks can escalate significantly. Therefore, financial institutions must ensure that technology platforms are designed not merely for operational efficiency, but also for governance, risk intelligence, and fraud prevention.
Role of compliance and Anti-Money Laundering (AML) functions
Compliance and AML divisions represent the frontline intelligence and surveillance functions within modern financial institutions. Their responsibilities extend far beyond regulatory reporting, including continuous monitoring of suspicious transactions, customer due diligence, sanctions screening, politically exposed person (PEP) assessments, and behavioural transaction analysis. In increasingly digitised financial environments, AML and compliance units should operate through AI-supported monitoring systems that can identify emerging anomalies in real time. Effective fraud prevention, therefore, requires compliance functions to operate independently with sufficient authority, technological capability, and direct escalation access to senior management and boards.
Role of cybersecurity and information security governance
Modern financial fraud increasingly intersects with cyber risks, digital vulnerabilities, identity theft, system intrusions, and unauthorised access mechanisms. Consequently, cybersecurity governance must become a central pillar of financial fraud prevention strategies. Financial institutions should strengthen access controls, privileged-user monitoring, encryption standards, penetration testing, cybersecurity intelligence systems, and real-time threat-detection capabilities. As financial ecosystems become increasingly interconnected, cyber resilience becomes directly linked to institutional stability and public trust.
Role of human resource governance and ethical leadership
Fraud prevention is not solely a technological or regulatory challenge; it is also a human governance issue. Financial institutions should strengthen employee screening processes, segregation of duties, mandatory leave policies, job rotation mechanisms, ethics training, and behavioural risk management practices. Excessive performance pressure, weak ethical leadership, and poor oversight of employees can significantly increase the risk of fraud. Institutions must therefore ensure that organisational cultures reward integrity alongside performance.
Strengthening whistleblower protection mechanisms
Many large-scale financial frauds globally were detected through internal whistleblowers rather than audits or regulatory inspections. Institutions must therefore establish independent, confidential, and protected whistleblowing mechanisms that encourage early reporting of suspicious activities. Employees should feel secure when escalating concerns without fear of retaliation, discrimination, or career damage. Effective whistleblower protection systems significantly strengthen institutional transparency and fraud prevention capacity.
Importance of data governance and data integrity
The effectiveness of AI-driven fraud detection systems depends heavily on the quality, consistency, and integrity of institutional data. Fragmented databases, poor data governance practices, inconsistent customer records, and weak system integration can significantly reduce the effectiveness of predictive intelligence systems. Financial institutions must therefore strengthen enterprise-wide data governance frameworks, real-time data integration capabilities, and information accuracy standards to support effective anomaly detection and financial intelligence operations.
Technology as a strategic defence mechanism
Traditional fraud detection systems are largely reactive. AI-driven financial intelligence systems, by contrast, are predictive, continuous, scalable, and proactive. Instead of waiting for quarterly audits, whistleblower complaints, or institutional collapse, intelligent systems can identify anomalies immediately and escalate concerns to institutions and regulators before damage becomes systemic. Modern financial fraud evolves rapidly through digital systems, cyber channels, and interconnected transaction ecosystems. Traditional manual supervision mechanisms are increasingly insufficient in such an environment.
Sri Lankan financial institutions must therefore invest aggressively in AI-driven fraud analytics, real-time transaction surveillance, cybersecurity intelligence, automated risk scoring, and advanced anomaly detection systems. Technology today is no longer merely an operational support function. It has become a strategic national defence mechanism for financial stability and public trust.
Strengthening the three lines of defence
The effectiveness of the “Three Lines of Defence” framework also remains essential for institutional resilience. Operational management must own risks as the first line of defence. Risk management and compliance divisions should independently challenge business operations as the second line of defence. Internal audit must operate with genuine independence as the third line of defence. However, when these layers become influenced by organisational politics, excessive commercial pressure, or weak accountability cultures, institutional vulnerability increases significantly. Fraud prevention cannot survive where independence is compromised.
Organisational culture: The invisible control system
Even the most advanced technological systems cannot compensate for a weak organisational culture. Fraud risks increase when unethical shortcuts are tolerated, whistleblowers feel unsafe, or employees fear escalating suspicious activities. Institutions must therefore cultivate ethical cultures encouraging transparency, accountability, and early intervention. In many global financial scandals, warning signs existed long before institutional collapse occurred. The problem was not the absence of signals, but the failure of institutions to act decisively upon them.
Fraud prevention as a national economic priority
Sri Lanka has experienced several financial controversies and governance failures over the years, which have weakened public confidence in institutions and markets. The recent NDB-related incident should therefore become a turning point for structural reform rather than another temporary headline. Preventing future financial fraud requires coordinated collaboration among regulators, financial institutions, the Financial Intelligence Unit, auditors, technology providers, policymakers, and law enforcement agencies. Fraud prevention cannot remain a reactive compliance exercise triggered only after losses occur. It must become an integrated national strategy embedded within governance systems, institutional culture, leadership accountability, and advanced financial intelligence infrastructure.
Strong financial systems are not built solely on profitability and growth. They are built on vigilance, transparency, accountability, technological intelligence, and public trust. In today’s interconnected financial world, protecting institutional integrity is no longer merely a corporate responsibility. It is a national economic necessity.
Sri Lanka now stands at an important crossroads. The future stability of the financial system will not depend solely on traditional compliance and post-crisis investigations, but on the country’s ability to build an intelligent, integrated, and technology-driven governance ecosystem. Institutions that fail to modernise governance, financial intelligence, and risk surveillance capabilities may struggle to survive in the increasingly digital financial world. The recent incident should therefore become not merely a scandal to investigate, but a catalyst to transform Sri Lanka’s financial governance architecture for the future.
(The author is Professor in Finance, Department of Accountancy and Finance, Faculty of Management Studies, Sabaragamuwa University of Sri Lanka; Immediate Past President – Sri Lanka Institute of Marketing and Executive Director/Chief Executive Officer - PMF Finance PLC)