Tuesday May 05, 2026

Abraham Lincoln famously observed that ‘a house divided against itself cannot stand’, underscoring that unaddressed internal issues have the potential to destabilise and ultimately undermine an organisation. Accordingly, the reported instance of a large internal fraud at National Development Bank PLC (NDB) involving certain employees underscores the risks arising from threats originating within the institution itself.
The information available in mainstream newspapers indicates that the matter is not a simple instance of fraud, but rather a coordinated internal operation involving insiders. It is reported that funds were misappropriated from the suspense account and subsequently routed via the bank’s SWIFT system to accounts held at other banks. Such conduct is commonly referred to as ‘internal fraud’ or ‘insider fraud’, which is considered more severe than external fraud, given that internal parties have greater opportunity to conceal, alter, or manipulate records, documents, and system logs.
For a clear understanding of the matter, a chronological presentation of relevant and selected public announcements made by the respective parties, together with a summary of their contents, is set out below. The summary provided comprises selected portions of the respective announcements, reproduced for relevance; the full versions are available in the public domain.
Subject to verification, this incident appears to be the largest banking scandal in the country’s history. In order to obtain a broader perspective on the magnitude of this fraud, which amounts to Rs. 13.2 billion, it may be useful to compare it with other notable figures. For instance, the estimated loss arising from the famous bond scam is approximately Rs. 7 billion. By way of further context, the original estimated cost of the Lotus Tower, a public development project, was around Rs. 19 billion.
In a banking environment, fraud often originates within internal accounts and operational processes. Typically, common targets include suspense accounts, dormant or infrequently monitored accounts, as well as reconciliation gaps between interconnected systems. Rather than breaching system security outright, perpetrators frequently manipulate legitimate processes to ensure that transactions appear authentic within system logs. To avoid detection, funds are often transferred in small or structured amounts across multiple accounts, thereby complicating traceability. Such schemes may persist over time as they can involve manipulation of reconciliation processes, so that account balances and financial reports appear accurate at a glance despite underlying irregularities.
Banks necessarily grant system access to carefully selected employees—often senior personnel in areas such as IT, operations, and finance—to facilitate day-to-day business activities. However, such trusted access may be misused with fraudulent intent, for instance through the exercise of elevated user privileges, exploitation of shared user credentials or weak access controls, or collusion with other employees to circumvent established controls.
However, such forms of fraud are not new to the banking industry, particularly to professionals employed within banks, including auditors, compliance officers, and risk managers, whose core responsibilities include preventing, detecting, and mitigating such risks. There is substantial literature in the field, supported by numerous case studies. For instance, in India, one of the largest banking frauds—estimated at approximately USD 1.8 billion—was detected in 2018. The fraud allegedly involved the issuance of fraudulent financial guarantees (Letters of Undertaking) to obtain credit facilities from overseas banks without proper collateral. It was reported that bank employees misused the SWIFT system to issue guarantees without recording them in the core banking system, thereby creating undisclosed liabilities for the bank.
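As an added illustration, not drawn from the article, from NDB or from any of the banks mentioned, the following defender-side checks target the two patterns described above: SWIFT instructions with no matching posting in the core banking ledger (undisclosed liabilities), and sub-threshold transfers out of a suspense account that add up within a rolling window (structuring). The record layout, account names, threshold and window are assumptions, and all data is constructed.

```python
from collections import defaultdict, namedtuple

# Constructed sample schemas: one core-banking posting, one outbound SWIFT instruction.
LedgerEntry = namedtuple("LedgerEntry", "ref account amount counterparty day")
SwiftMsg = namedtuple("SwiftMsg", "ref amount beneficiary day")


def unreconciled_swift(ledger, swift):
    """SWIFT references with no core-banking posting of the same ref, amount and beneficiary."""
    posted = {(e.ref, round(e.amount, 2), e.counterparty) for e in ledger}
    return sorted(m.ref for m in swift
                  if (m.ref, round(m.amount, 2), m.beneficiary) not in posted)


def structured_outflows(ledger, watch_accounts, threshold, window_days):
    """(account, counterparty) pairs whose outflows within a rolling window of
    `window_days` reach `threshold` while every single posting stays below it."""
    groups = defaultdict(list)
    for e in ledger:
        if e.account in watch_accounts:
            groups[(e.account, e.counterparty)].append(e)
    flagged = {}
    for key, entries in groups.items():
        entries.sort(key=lambda e: e.day)
        start, running = 0, 0.0
        for end, e in enumerate(entries):
            running += e.amount
            while e.day - entries[start].day >= window_days:  # drop postings outside window
                running -= entries[start].amount
                start += 1
            window = entries[start:end + 1]
            if running >= threshold and all(x.amount < threshold for x in window):
                flagged[key] = max(flagged.get(key, 0.0), running)
    return flagged


# Constructed sample data: a suspense account drained in sub-threshold pieces, plus
# one SWIFT message (SW-9) that was never posted to the core banking ledger.
LEDGER = [
    LedgerEntry("TX-1", "SUSP-001", 2_400_000.0, "BENEF-X", 1),
    LedgerEntry("TX-2", "SUSP-001", 2_400_000.0, "BENEF-X", 1),
    LedgerEntry("TX-3", "SUSP-001", 2_400_000.0, "BENEF-X", 2),
    LedgerEntry("TX-4", "CUST-777", 150_000.0, "BENEF-Y", 2),
    LedgerEntry("TX-5", "SUSP-001", 900_000.0, "BENEF-Z", 3),
]
SWIFT = [
    SwiftMsg("TX-1", 2_400_000.0, "BENEF-X", 1),
    SwiftMsg("TX-2", 2_400_000.0, "BENEF-X", 1),
    SwiftMsg("TX-3", 2_400_000.0, "BENEF-X", 2),
    SwiftMsg("TX-5", 900_000.0, "BENEF-Z", 3),
    SwiftMsg("SW-9", 3_100_000.0, "BENEF-Q", 3),
]

if __name__ == "__main__":
    print("SWIFT without ledger posting:", unreconciled_swift(LEDGER, SWIFT))
    print("Structured outflows:", structured_outflows(LEDGER, {"SUSP-001"}, 5_000_000, 3))
```

Both checks are cheap enough to run daily against the previous day's postings and message logs; the value lies in running them from a function independent of the staff who can post to the accounts being watched.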
Impact of such frauds
In large-scale internal banking frauds, the immediate victim is the bank itself, as losses are absorbed into its balance sheet through reduced profits, erosion of capital, and the need for provisions or write-offs. However, the real impact extends to shareholders, who are the ultimate economic owners of the institution. From an accounting perspective, fraud-related losses do not represent the disappearance of funds but rather a reduction in shareholders’ equity, effectively transferring the economic burden to the shareholders of the bank. The table below sets out the top 10 shareholders of NDB as at 31st December 2025.
Accordingly, both the Employees Provident Fund (9.46%) and the Employees’ Trust Fund Board (3.38%) are among the top ten shareholders of NDB. These two funds constitute key components of the country’s social security framework, providing financial security to employees upon retirement. As such, since both funds represent the retirement savings of the national workforce, the implications of this fraud extend beyond the institution itself and affect salaried employees and their long-term retirement savings, thereby raising broader public policy concerns. In addition, state-linked institutions such as Bank of Ceylon and Sri Lanka Insurance Corporation are also among the major shareholders. Accordingly, it would be reasonable to expect that the respective Government entities responsible for managing these funds, as well as Government representatives of the said State-linked institutions, would give due consideration to these matters and, where appropriate, raise concerns in the broader interest of the public.
Moreover, as the reported profit is expected to be converted into a loss after incorporating the impact of the fraud, this may result in a significant reduction in taxable income. Consequently, there could be a material loss of tax revenue to the Government.
With regard to market impact, following the second market disclosure by NDB Bank, the share price of NDB Bank declined by approximately 15% on 7 April 2026, after the CSE lifted the trading halt. Consequently, shareholders have incurred capital losses.
The announcement by NDB Bank states that the CBSL has directed the Bank to suspend the payment of cash dividends, as well as to restrict discretionary payments and suspend branch expansions with immediate effect. While these regulatory measures are prudential in nature, they have an impact on shareholder returns.
As discussed above, Fitch Ratings downgraded NDB Bank following the fraud incident announced by the bank. Such a downgrade may lead to an increase in the bank’s cost of funds, as investors may demand higher risk premiums. This, in turn, could exert pressure on net interest margins and, ultimately, have an adverse impact on profitability.
With regard to customers and deposit holders of NDB Bank, both the bank and the CBSL have stated in their public disclosures that the incident has not had any impact on customer accounts or deposits, which remain safe and secure.
However, such incidents have the potential to erode public confidence in the financial system and, by extension, the broader economy. The spillover effects may include diminished public trust in the banking sector, increased regulatory scrutiny across institutions, and higher compliance costs, which may ultimately be passed on to customers.
Framework of internal and risk controls
There exists a regulator-aligned framework of internal and risk controls that banks are expected to maintain. This includes, inter alia, a Board-approved risk appetite and control framework, an effective Audit Committee, clear segregation of duties at all levels, and a strong and independent Internal Audit function to ensure proper governance and oversight. In addition, banks are expected to maintain whistleblower mechanisms with appropriate protection, as well as fit and proper assessments for key personnel.
Further, robust control mechanisms are required in areas such as access management and identity controls, transaction processing, general ledger and financial reporting, and compliance, including AML/CFT obligations. Banks are also expected to have dedicated functions for monitoring, analytics, and fraud detection, supported by both internal audit processes and external audit and regulatory reporting. The regulatory requirements issued by the CBSL encompass most of these control expectations.
Where internal controls are not effectively implemented, a substantial degree of responsibility may rest with the Key Management Personnel and Internal Audit function. Internal Audit is required to assess whether controls are operating effectively, serving as an independent assurance mechanism within the institution. It is responsible for providing objective assurance to the Board and the Audit Committee that risk management, internal controls, and governance processes are functioning as intended.
Notwithstanding the existence of such extensive internal control frameworks, the occurrence of a fraud of this magnitude over a period of time, potentially spanning several months or years, is a matter of significant concern.
Other layers of accountability
Following the disclosure of this fraud, in addition to the identified internal control weaknesses within the bank, questions have been raised regarding the effectiveness of oversight exercised by the Board of Directors, the External Auditors, and by the regulatory reviews.
In a banking fraud case, the Board of Directors carries the highest governance responsibility, even though they are not involved in day-to-day transactions. They are not expected to detect individual fraud transactions, but they are responsible for ensuring systems exist to prevent and detect fraud early.
Banking Act Direction No. 05 of 2024 on Corporate Governance for Licensed Banks dated 30 September 2024 states, inter alia, that the Board shall be ultimately responsible and accountable to oversee the management of affairs and the governance framework of the bank, business strategy, financial soundness, and risk management; and to ensure that the business of such bank is carried out in compliance with all applicable laws and regulations and is consistent with safe and sound banking practices. Thus, the Board must ensure a strong internal control framework, an effective risk management system, an independent internal audit function, proper IT governance and cybersecurity controls, effective Audit Committee oversight, and compliance with laws and regulations.
When considering the role of the External Auditor in this case, NDB Bank has entrusted its external audit function to one of the “Big 4” accounting firms, which is internationally recognised and widely accepted. According to the Banking Act, No. 30 of 1988, every licensed commercial bank shall appoint a qualified auditor to audit the accounts of such bank out of the list issued by the Director of Bank Supervision and the duties of such auditor shall be to prepare a report in respect of the accounts, balance sheet and profit and loss account examined by him, to be submitted to each of its shareholders; and to submit a report to its head office in respect of the Balance Sheet and Profit and Loss account examined by him (Section 39).
While the Act itself sets out the core duties, when read together with established practice, CBSL directions and supervisory expectations, External Auditors are also expected to report material irregularities or risks, fraud, or misstatements; support regulatory supervision; and ensure compliance with prudential requirements.
External Auditors do not monitor transactions daily, prevent fraud, audit 100% of transactions, or guarantee detection. Such responsibility lies with bank management, Internal Auditors, and the Board/Audit Committee. If External Auditors identify unusual patterns or anomalies that could indicate fraud or lead to fraud during their testing and assessment, what they can do is report them to the Audit Committee or management, or, in serious cases, qualify the audit opinion.
While the primary responsibility for preventing and detecting fraud rests with the bank’s management, it may be argued that the External Auditor has an indirect role. In particular, the matters in question could be regarded as material irregularities or significant internal control weaknesses that might reasonably have been identified during audit procedures and reported to the appropriate parties at an earlier stage. If so, earlier detection may have helped mitigate or prevent the continuation of the fraud, thereby raising a question for the External Auditor to consider.
This case calls into question the soundness of the country’s banking regulatory framework. Licensing, regulation and supervision of banks is one of the core functions of the CBSL. The main techniques of supervision are continuous off-site monitoring and surveillance and periodic on-site examinations of banks, meetings with bank management and co-operation with external auditors. The CBSL monitors the compliance of banks with a number of prudential requirements such as those in respect of capital adequacy, liquidity, corporate governance, risk management, large exposures, etc. In addition, the internal controls in banks are also assessed.
Such incidents have the potential to undermine the perceived effectiveness of the CBSL in fulfilling its mandate to ensure the safety and soundness of the banking and financial system. To ensure fairness, any allegation of regulatory failure in this case must be substantiated by clearly identifying specific supervisory lapses, rather than being inferred solely from the occurrence of fraud. Notwithstanding the foregoing, it is evident that this incident serves as a significant wake-up call to reassess the robustness of the existing regulatory and supervisory framework of the CBSL.
In this context, and in order to ensure appropriate regulatory intervention, the CBSL may, where necessary, initiate or refer the matter for further investigation. Based on the findings of such investigations and the circumstances of the case, it may exercise its enforcement powers, including issuing directions, requiring remedial action plans, imposing operational restrictions, and, where warranted, removing directors or senior officers.
Irrespective of the formal definition of responsibilities of External Auditors and the CBSL, public perception often holds these institutions and professionals to a high standard of accountability, particularly given their critical roles and the level of trust placed in them.
In conclusion, the fact that this fraud is reported to have occurred over a period of time, bypassing multiple layers of control, suggests that it is not attributable to a single point of failure, but rather indicative of a broader systemic breakdown of internal controls. Fraud of this nature typically involves a combination of factors, including privileged insider access, weak or overridden segregation of duties, inadequate monitoring of risky accounts and system activities, ineffective audit follow-up mechanisms, and delayed or insufficient detection analytics. Such circumstances are often referred to as ‘multiple failure conditions’.
From a regulatory perspective, several important lessons emerge. The existence of control frameworks on paper does not necessarily ensure their effective implementation in practice. Furthermore, the incident highlights the extent to which IT-related risks can translate into significant financial risks. Organisational culture also plays a critical role, as weak ethical standards may facilitate fraudulent conduct. In essence, such failures are seldom due to the absence of rules, but rather arise from deficiencies in enforcement, monitoring, and accountability.
At a broader level, as financial systems become increasingly technology-driven, it is neither practical nor desirable to revert to manual processes. Accordingly, all stakeholders, including the public, have a role to play in supporting a secure financial ecosystem by exercising due care in the use of digital financial services. This includes safeguarding sensitive information such as one-time passwords (OTP), PINs, and CVV numbers, avoiding suspicious links or messages, regularly monitoring bank accounts and transactions, and promptly acting on official alerts or instructions issued by banks.
Ultimately, it is prudent to avoid drawing premature conclusions, as forensic review and investigations are still ongoing, and additional information may emerge in due course.
(The author is a finance professional and a visiting lecturer and may be contacted at [email protected].)
Disclaimer: The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the views or positions of any organisation with which he is associated, engaged, or employed. The content is provided for general informational and analytical purposes only and should not be interpreted as definitive findings or conclusions, nor as professional advice. This article is based on publicly available information, including official announcements, reports, and other secondary sources available at the time of writing. While reasonable care has been taken to ensure accuracy and completeness, no representation or warranty, express or implied, is made as to the reliability or sufficiency of the information presented. The author accepts no responsibility or liability for any actions taken or not taken based on the contents of this article.