Resilient banking in digital age: Navigating fraud, AI risks, and operational vulnerabilities

Monday, 27 April 2026 00:16
The rapid digitalisation of banking has fundamentally transformed financial intermediation, delivering transformational efficiency, accessibility, and innovation. Real-time payments, digital onboarding, and AI-enabled services have reshaped customer expectations and redefined how financial institutions operate. However, alongside these advancements, new and increasingly sophisticated vulnerabilities have emerged. The same technologies that enable speed and convenience can, in certain circumstances, be exploited to facilitate fraud through system loopholes, operational glitches, and, at times, deliberate human intervention. As defined by the Basel Committee on Banking Supervision, operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events” (Basel II, June 2004, para. 644). In some cases, fraud networks have become more organised and technologically enabled, leveraging these weaknesses in a coordinated manner. What was once primarily an operational risk has therefore evolved into a more complex structural challenge with broader systemic implications.

Sri Lanka’s push towards digitalisation, supported by Government initiatives to modernise payments, financial inclusion, and technology infrastructure, is highly commendable. These efforts have the potential to accelerate innovation, improve efficiency, and bring banking services to previously underserved populations. However, rapid digitalisation must be accompanied by strong risk management, robust governance, and meticulous due diligence. Without these safeguards, increased access and speed can inadvertently amplify fraud vulnerabilities, expose systemic weaknesses, and create opportunities for cybercrime.

A recent large-scale fraud incident in a leading bank in Sri Lanka underscores this reality. Regardless of whether client deposits are directly impacted, any loss ultimately weakens the bank’s stability and affects all stakeholders; at its extreme, such losses can escalate into broader systemic risks for the financial system. While the incident may appear isolated, it reflects a broader and more concerning trend: the convergence of digital exposure, evolving fraud methodologies, and inherent vulnerabilities within complex financial systems. Once such incidents occur, they should not be viewed in isolation or reduced to specific points of failure.

As the recent incident is investigated, the more important lesson is not confined to specific points of failure; it is the recognition that similar risks can emerge in any institution. In an increasingly digital and interconnected environment, no bank is immune. Fraud is no longer purely external; it can manifest within systems, processes, and, at times, human behaviour. This serves as a timely reminder that vigilance, resilience, and continuous strengthening of controls are essential across the entire banking sector, not in reaction to past events but in anticipation of future risks.

The evolution of fraud: From incidents to ecosystems

Financial crime has undergone a profound transformation. Traditional fraud, once limited to forged documents or isolated insider actions, has evolved into a complex, technology-driven ecosystem operating across borders and platforms. A key driver is the rise of crypto assets and digital investment channels. While these innovations have expanded financial opportunities, they have also created fertile ground for exploitation. Fraudsters capitalise on hype, complexity, and limited investor awareness to promote schemes that promise unrealistic returns. At the same time, human psychology (greed, fear of missing out, and the urgency to recover losses) remains a critical enabler of misconduct.

Outsourcing IT development adds another layer of vulnerability. External engineers often have deep insight into a bank’s systems, sometimes beyond the direct control of system owners. While this approach is efficient, it introduces latent cyber risks such as malware, data breaches, or system manipulation, especially when coupled with collusion between insiders and third parties. Banks must ensure strict access controls, continuous monitoring, and institutional ownership of system security, so that innovation never comes at the cost of resilience.

AI in banking: A double-edged transformation

Artificial intelligence is rapidly reshaping banking operations by significantly enhancing credit assessments, strengthening fraud detection capabilities, and transforming customer engagement. It enables faster decision-making by processing large volumes of data in real time, allowing quicker and more efficient credit approvals and risk evaluations. It also improves predictive insights by identifying patterns and anticipating risks such as defaults or fraudulent activity, supporting more proactive risk management. In addition, AI enhances customer experience through personalised services, intelligent chatbots, and real-time support, making banking more responsive, convenient, and customer-centric.

However, AI also introduces new risks. Systems reliant on incomplete, manipulated, or fraudulent data can:

  • Approve loans to unqualified borrowers
  • Fail to detect synthetic identities
  • Scale poor-quality lending rapidly

Limited transparency in AI decision-making further amplifies these risks. Unlike traditional systems, AI can propagate errors quickly and across portfolios, creating hidden systemic vulnerabilities. Bank collapses due purely to IT or AI failures are rare, but technology-related failures and frauds have caused massive losses, regulatory fines, service disruptions, and eroded trust. The use of AI-based loan evaluation systems and heavy reliance on external consultants for credit decisions may still be premature for economies like ours. While these tools can support efficiency, they are not a substitute for strong banking judgment and sound credit discipline. If fraud risks and system exploitation continue to rise, banks that over-rely on technology and third-party advice may need to return to more fundamental, principle-based credit evaluation practices to protect asset quality and financial stability. These high-risk approaches can ultimately lead to both operational and credit losses. In addition, significant investments in IT systems and advanced solutions may not deliver the expected returns, resulting in capital being deployed without commensurate value creation.

Recent examples illustrate this. Commonwealth Bank of Australia (AUD 1 billion suspected fraud): Commonwealth Bank reported investigations into up to AUD 1 billion in suspected fraudulent home loans allegedly facilitated through falsified documentation and potentially aided by synthetic or AI-generated materials. While the loans were mostly secured, the scale highlights how digital forgery techniques can elevate fraud risk.

Bangladesh Bank cyber heist (2016): Hackers infiltrated the central bank’s systems and used stolen credentials to send fraudulent SWIFT payment instructions totalling nearly $1 billion, successfully stealing $81 million. The attackers also deleted audit records and manipulated internal systems to conceal the theft, exposing deep vulnerabilities in system security and oversight.

Deloitte’s Center for Financial Services predicts that generative AI could enable fraud losses to reach $40 billion in the United States by 2027, up from $12.3 billion in 2023, a compound annual growth rate of 32%.

The rapid pace of technological advancement means banks cannot combat fraud in isolation, as they increasingly rely on third-party providers developing advanced anti-fraud solutions. Given that a threat to one institution can quickly become a risk to the wider financial ecosystem, bank leaders must adopt collaborative strategies, both within and beyond the banking sector, to stay ahead of generative AI-driven fraud. This will require stronger industry-wide cooperation and closer engagement with trusted technology partners, with clearly defined roles and responsibilities to address accountability and liability in fraud risk management. Considering these facts, the recommendation is a hybrid model in banking that blends AI-driven insights with human judgment, ensuring efficiency while safeguarding credit discipline and financial stability. Banks should step up their investments to create more agile fraud teams to help stop this growing threat.

Strengthening oversight: Internal audit, compliance and external audit

Although regulators continue to issue guidance and directions on strengthening controls, banks have a shared responsibility to ensure effective implementation. In today’s highly volatile and fast-changing environment, no single institution can manage these risks alone. Only a collective commitment across the banking sector can safeguard stability, trust, and system integrity. As a result of such incidents, more stringent controls and regulatory directions are likely to follow. This will ultimately require banks to invest further in technology-based control systems as well as additional human resources for oversight and monitoring, leading to a continued increase in operating costs.

It is important to note that directors of strategically important institutions, whether banks or large business entities with systemic exposure, carry a profound responsibility. Their role must be substantive, with dedicated time for committees and oversight, not ceremonial or prestige-driven. By limiting multiple board commitments that dilute focus, directors can channel their full attention into one institution, delivering deeper insight, stronger governance, and more effective risk management.

Effective oversight is central to maintaining trust and stability. Internal auditors, compliance functions, and external auditors all play a key role in this process. Internal audit, in particular, should move beyond periodic reviews and adopt a more continuous, risk-focused approach to:

  • Monitor high-risk digital systems and accounts
  • Detect unusual or suspicious transactions
  • Identify control weaknesses and breakdowns at an early stage
  • Strengthen IT audit and investigation functions to ensure robust monitoring of digital environments, effective forensic capability, and timely response to control breaches and cyber-related risk

Compliance functions must anticipate emerging risks, embed discipline in KYC and AML processes, and foster a culture where controls are non-negotiable.

External auditors provide independent scrutiny, ensuring transparency and accountability. However, observed challenges highlight areas for improvement:

  • Audit teams often include trainees unfamiliar with banking systems, digital platforms, or emerging risks
  • Sample-based testing may miss subtle but material irregularities
  • Working pressures, multiple assignments, and commercial considerations can lead to a “tick-box” approach, limiting investigative depth into unusual variances
  • Senior auditors managing multiple clients may prioritise assignment completion over exhaustive review
  • Auditors, while independent, operate in a commercial context, creating sensitivities around client relationships
  • External auditors should, at least once a year, certify that the bank’s systems are robust, effectively controlled, and free from material vulnerabilities or unmitigated risks. However, this assurance can sometimes be limited by a shortage of IT audit resources and specialised expertise within external audit teams, which may reduce the depth of review of increasingly complex technology-related risks

Despite these challenges, reconciliation of accounts, aging of long-outstanding items, and spot checks remain paramount duties. Strong oversight depends not only on systems, but also on disciplined, independent, and coordinated audit and compliance practices. Fraud does not usually happen because one department fails completely. Instead, it happens because of weak coordination and unclear responsibility between different control layers in the bank. In this context, banks may benefit from selectively engaging independent external assurance support for targeted deep-dive reviews, particularly in reconciling long-outstanding items and investigating suspected transactions. Such focused reviews would be supplementary in nature and designed to strengthen existing internal controls and audit processes.

The psychology of quick wealth and consequences

The pursuit of rapid wealth through digital investments introduces a dangerous behavioral dimension. Many individuals are influenced by:

  • The promise of instant returns
  • Social media narratives of “easy success”
  • Fear of missing out (FOMO), a psychological phenomenon in which people feel anxious or pressured that they might miss a lucrative opportunity if they do not act immediately. In finance and investment, it often drives impulsive or high-risk decisions, such as jumping into crypto or digital investments because “everyone else is making money” and chasing quick profits without fully understanding the risks. When this ends in disaster, the consequences can extend far beyond the individual, affecting their families, communities, and the wider financial ecosystem.

When investments fail, as they often do, losses can be severe, often triggering a cycle of urgent attempts to recover losses, escalation into riskier ventures, and increased vulnerability to fraud. In extreme cases, this can even push individuals toward unethical behaviour or manipulation of systems, amplifying personal and institutional risk. What begins as speculative investment can evolve into fraud, misconduct, and broader financial instability.

Pressure points: Target-driven culture and control erosion

A highly competitive, target-driven environment can, over time, weaken control frameworks. In today’s banking sector, institutions are under constant pressure to deliver strong performance, grow quickly, and show market leadership. While this drives progress, it can also create risks that are often overlooked. In a relatively small market like Sri Lanka, where many banks and financial institutions compete in similar areas, market growth has not kept pace with rising competition. These pressures can gradually weaken internal controls, increase the risk of losses, and reduce governance standards. Over time, this may also lead to weaker hiring decisions and a more opportunistic operating environment, further increasing institutional vulnerabilities.

The race to outperform peers and sustain momentum can shift focus disproportionately toward short-term results, gradually eroding operational discipline. In this environment, established manuals, policies, and procedural safeguards, the cornerstones of consistency, control, and sound risk management, risk being diluted, sidelined, or selectively bypassed. In the pursuit of growth, recognition, and market leadership, institutions must guard against being overwhelmed by profits, awards, and public visibility.

Sustainable success is measured by:

  • Robust governance
  • Strong internal controls
  • Operational integrity
  • Long-term resilience

True strength in banking lies not in speed or short-term accolades, but in responsible, disciplined, and secure operations. When aggressive growth expectations dominate, they can gradually weaken control environments, leading to compromised internal checks, diluted due diligence standards, and the normalisation of exceptions.

In such environments, early warning signals at both system and human levels may become less visible or overlooked. These can include gaps in employee screening as well as behavioural changes such as increased secrecy, unusual working patterns, or lifestyle shifts that are inconsistent with known income levels. Fraud rarely occurs as a sudden event; it typically develops over time in high-pressure cultures where speed and performance are prioritised over control discipline and governance rigor.

  • Weakening of due diligence: This refers to situations where proper checks, verification processes, and risk assessments are not carried out with sufficient rigor. As a result, decisions may be made with incomplete analysis, increasing the risk of fraud, errors, or poor credit outcomes.
  • Normalisation of exceptions: This occurs when deviations from established policies or procedures become routine rather than exceptional. Over time, repeated approval of exceptions weakens control discipline and can create an environment where standard rules are no longer strictly followed.

A collective responsibility: Collaboration across banking ecosystem

As a society and banking fraternity, there is an urgent need for collective and coordinated action. Incidents observed in one institution today can quickly manifest in another tomorrow, particularly in an interconnected financial system. The reality is that many fraudulent schemes remain undetected and ongoing, underscoring the need for heightened vigilance and shared responsibility.

The Central Bank of Sri Lanka has already issued comprehensive directions and guidelines that provide a strong foundation for safeguarding banking operations. These regulatory frameworks, combined with periodic supervision, are more than sufficient to guide institutions toward resilience and stability. Equally important is the timely identification and escalation of suspicious activity. Where concerns arise, institutions must act decisively by raising Suspicious Transaction Reports (STRs) without delay, ensuring that potential risks are flagged, investigated, and contained at an early stage. In an environment of intense competition, the inflow of large deposits, particularly those originating from other financial institutions, should not be embraced uncritically. Such transactions must be subject to rigorous due diligence, with a clear understanding of the source of funds and the underlying economic purpose. Failure to do so can inadvertently facilitate the movement of illicit funds across institutions.

This calls for:

  • Strong coordination among banks, regulators, auditors, and law enforcement
  • Robust due diligence on interbank and high-value fund flows
  • Timely reporting and intelligence sharing on suspicious transactions
  • A unified approach to strengthening controls, oversight, and response frameworks
  • Expanding the Credit Information Bureau of Sri Lanka into a broader financial risk intelligence platform, integrating credit defaults, fraud cases, and AML risk indicators into a unified onboarding framework.

It is further noted that in many institutions, risk management is still seen as a compliance function rather than a core business responsibility. Modern banking requires “first-line ownership of risk”, where business units are directly accountable for identifying and controlling risks in real time. Financial system resilience depends not only on the strength of individual institutions, but on the collective discipline and vigilance of the entire ecosystem.

Conclusion: Integrity, discipline, sustainable performance and moving forward

In the aftermath of recent events, there has been considerable discussion, criticism, and at times a tendency toward blame-oriented narratives. At this stage, it is important to move beyond this and focus constructively on strengthening the system as a whole. Digital transformation, the AI revolution, growing investments in digital assets, and evolving human behaviour in relation to cybercrime continue to reshape banking, bringing both significant opportunities and new forms of risk. The priority now is not to revisit individual cases, but to reinforce the foundations that safeguard trust, stability, and institutional reputation across the sector.

Going forward, the focus should remain on strengthening governance and control frameworks, embedding a strong risk culture and ethical discipline, ensuring technology is supported by sound human judgment, aligning performance expectations with robust oversight mechanisms, and protecting long-term institutional value and public confidence. Banks should prioritise quality of performance over excessive or short-term profit targets, focusing instead on sustainable and responsible earnings growth. Ultimately, the future of banking will not be defined by the sophistication of its technology, but by the strength of its governance, the discipline of its culture, and the integrity of its decision-making systems. In this new era, resilience is not a function; it is a strategic imperative.

References

  • Basel Committee on Banking Supervision. (2021). Principles for operational resilience. Bank for International Settlements. https://www.bis.org
  • Central Bank of Sri Lanka. (2023). National payment strategy and digital financial services roadmap. https://www.cbsl.gov.lk
  • Deloitte Centre for Financial Services. (2023). Generative AI and the future of fraud in financial services. Deloitte Insights. https://www2.deloitte.com
  • Europol. (2023). Internet organised crime threat assessment (IOCTA). https://www.europol.europa.eu
  • Financial Action Task Force. (2021–2024). Guidance on digital assets and AML/CFT risks. https://www.fatf-gafi.org
  • International Monetary Fund. (2023). Digital money, fintech and the future of banking. https://www.imf.org
  • Institute of Internal Auditors. (2020–2024). The Three Lines Model and internal audit guidance. https://www.theiia.org
  • Manrique, K. (2025, April 29). Strengthening financial services with AI fraud detection: How financial institutions are using GenAI and real-time detection to stop fraud before it happens.
  • World Economic Forum. (2024). Global cybersecurity outlook report. https://www.weforum.org
