Tuesday Apr 28, 2026

ABOUT US ADVERTISING CONTACT

MENU

The end of the Board game is nigh

Tuesday, 28 April 2026 00:31 -     - {{hitsCtrl.values.hits}}

Sri Lanka’s commercial banks are governed, at least on paper, by directors who are supposed to be guardians of public trust, balance-sheet discipline, and systemic stability. Yet the emerging reality is harsher: too many Boards are populated by people with polished résumés, elegant titles, and impeccable social standing, but without the practical competence, intellectual courage, or ethical seriousness required to oversee a modern bank. The Companies Act No. 7 of 2007 and CBSL’s governance directions together place ultimate responsibility for the management, strategy, financial soundness, and risk oversight of the company squarely on the Board, which makes this competence gap not a cosmetic flaw but a structural danger. 

 

The great Sri Lankan banking Board illusion

Across Sri Lanka’s more than 20 licenced commercial banks, the myth of the “highly qualified Board member” has become one of the most dangerous fictions in corporate life. CBSL’s list of licensed commercial banks ran to 21 as of December 2025, which means this is not a niche governance problem inside one or two weak institutions but a sector-wide question of whether the people occupying these seats are truly fit to govern institutions that intermediate national savings, payments, liquidity, and confidence.

The problem is not that bank Boards include professionals from marketing, law, accounting, consumer goods, telecom, or general management. The problem is that such backgrounds are often treated as sufficient substitutes for actual banking-risk literacy, as though overseeing a deposit-taking institution with treasury exposures, capital requirements, payment-system risks, fraud vectors, and regulatory obligations were no more demanding than supervising a listed conglomerate or consumer brand. CBSL’s own governance framework requires director suitability based on qualifications and experience and makes the Board ultimately accountable for the bank’s financial soundness and risk management, yet the market still tolerates directors who would struggle to explain loan-loss provisioning, a capital adequacy ratio, read a liquidity report properly, interrogate a risk register, or recognise an abnormal build-up in a clearing or suspense balance.

This is where the illusion hardens into danger. In Sri Lanka, many Board appointments still owe as much to relationships, lobbying, shareholder maneuvering, reputation trading, and reciprocal influence as to demonstrable sector competence. CBSL’s governance direction explicitly requires a formal and transparent procedure to identify and nominate directors, which exists precisely because informal patronage and vested-interest appointments are governance poisons. The fact that these rules had to be strengthened in 2024 is itself a quiet admission that the old culture was not working. 

 

The most dangerous response to this moment would be to treat it as anti-business rhetoric or a populist attack on professionals. It is neither. Sri Lanka needs strong banks, strong Boards, and credible capital markets. But strength does not come from preserving the vanity of directors who cannot challenge management. It comes from building institutions where service on a bank Board means mastering the institution, not merely inheriting a seat on it. The polite fiction of the “eminent director” has lasted too long. Sri Lanka now needs directors willing to treat the role as a demanding public trust, not a decoration

 

The Boardroom culture of respectful ignorance

A modern commercial bank is a machine of intertwined risks. Credit risk is only one layer. Beneath it sit market risk, liquidity risk, operational risk, fraud risk, cyber risk, AML/CFT exposure, model risk, outsourcing risk, third-party risk, conduct risk, and regulatory risk. Add Basel III capital and liquidity standards, internal controls, audit trails, interbank settlement plumbing, and increasingly complex digital channels, and the conclusion is obvious: any director sitting on a bank Board without a working grasp of these issues is not “bringing diversity of perspective”; he or she may be helping create a blind spot at the top.

Yet too many Boards function through a culture of respectful passivity. The CEO and management arrive with PowerPoint slides, sanitised dashBoards, cheerful narratives, and carefully rationed bad news. Directors nod. A few ask cosmetic questions. The chair thanks management for the “comprehensive presentation.” The meeting moves on. The Board minute records that matters were “discussed.” Accountability disappears into etiquette. CBSL’s governance directions assume a Board capable of meaningful oversight over management and require Board committees for audit, risk, remuneration, and related-party transactions, but a committee structure is not competence. A director who cannot challenge what he is shown is not supervising management; he is attending a presentation. 

This polite inertia is particularly lethal in relation to technology and payments. Sri Lankan banks today run on core banking systems, switches, interfaces, APIs, card networks, digital onBoarding tools, treasury systems, payment gateways, mobile apps, interbank fund-transfer mechanisms, user-access frameworks, audit logs, and outsourced or shared service dependencies. Yet there is little reason to believe that many Boards possess even one director with a serious grasp of complex IT architecture, cyber resilience, interbank settlement vulnerabilities, identity and access management, or the forensic meaning of anomalous transaction patterns. Some Boards even commission cyber audits without validating the terms of reference, clarifying the deliverables they want, or asking management to walk them through the findings in plain language. When cyber or operational risk is presented, it is often translated into soft corporate language such as “incidents,” “controls,” “enhancements,” and “frameworks” until its urgency is drained away. That is not governance. It is ritualised non-understanding.

 

The NDB lesson: When numbers scream and Boards whisper

If anyone still believes this is all theoretical, the NDB fraud saga should end that complacency. NDB’s own disclosures in April 2026 said the bank’s internal investigation established a fraud of approximately Rs. 13.2 billion, that implicated employees had been suspended, that a separate oversight structure had been imposed on the affected unit, and that an independent forensic review would be appointed. The bank also acknowledged that the quarter ended 31 March 2026 would swing to an estimated loss after tax of around Rs. 4.0 billion after provisioning for the maximum expected loss. 

Public reporting tied to the case alleges that a huge build-up in CEFT-related receivables had become visible in the accounts and that the Board audit and risk structures failed to interrogate it. One public investigative account says the CEFT suspense balance had risen to around Rs. 12.22 billion by the time the fraud was uncovered and specifically criticises the Board Audit Committee and Board Risk Committee for failing to detect or investigate the surge. That same report points to a multi-layered supervisory and control environment that still failed to stop an 18-month build-up.

Now step back from the case details and look at the systemic implication. A bank Board does not need to be a room full of coders, forensic accountants, and former regulators. But it does need enough competence to recognise that a material, growing, unresolved balance in a settlement or receivables bucket is not a clerical curiosity. It is a flare in the sky. If a Board with accomplished professionals, including highly credentialed audit figures, can sit above such a build-up without demanding forensic drilling into the note disclosures, ageing reports, reconciliation breaks, user-access logs, and operational exceptions, then the market must ask an uncomfortable question: are these Boards genuinely unable to understand what they are shown, or unwilling to confront what they suspect? The distinction matters legally and morally because gross negligence and knowing concealment do not call for the same remedies.

That is why the problem is bigger than one institution. In Sri Lanka, after every scandal, the script is familiar. There are expressions of shock, affirmations that customer balances are safe, announcements of independent reviews, and assurances that controls are being strengthened. What is missing is a ruthless public reckoning with director competence. Banks do not fail only because rogue employees exist. They fail because control failures persist long enough to become franchises of concealment.

 

 A director who cannot challenge what he is shown is not supervising management; he is attending a presentation. When cyber or operational risk is presented, it is often translated into soft corporate language such as “incidents,” “controls,” “enhancements,” and “frameworks” until its urgency is drained away. That is not governance. It is ritualised non-understanding

 

 

When qualifications become costumes

There is a special irony in the aura surrounding “qualified” directors. Accounting credentials, audit pedigrees, MBAs, former CEO titles, and social prestige are all useful signals, but in Sri Lanka they often function as costumes rather than proof of fitness. The Board member with accounting credentials may still avoid hard confrontation. The former auditor may still retreat into vague process language. The “independent” director may be independent only in the legal form, not in thought or courage. And when challenged, too many of these figures deflect into procedure: committee charters existed, presentations were made, auditors signed, controls were reviewed, governance reports were published. That defence misses the point. Governance is not the production of paper; it is the exercise of judgment.

Even the external accountability environment encourages mediocrity. Sri Lanka’s regulatory architecture is capable of issuing directions and, in some contexts, monetary penalties. The FIU has publicly imposed administrative penalties on institutions for AML/CFT non-compliance, demonstrating that financial sanctions are available within the regulatory toolkit. But these amounts are often small relative to institutional scale, and they do not amount to a public culture of director-level pecuniary accountability for oversight failures in major banks. 

This is the paradox. The State knows that weak governance can destabilise financial institutions, but it also fears that aggressive action against directors of major banks could trigger panic, contagion, or a broader confidence shock. So the system hesitates. It trims around the edges. It prefers quiet directives to loud accountability. It nudges rather than punishes. And Boards learn the lesson: unless the institution is already on fire, the personal consequences of underperformance are likely to be limited. Comparable regimes such as the UK’s Senior Managers and Certification Regime, Singapore’s stronger enforcement culture, and Australia’s BEAR show that individual accountability in finance is possible when regulators choose to make it real.

 

The accountability vacuum and the coming litigation wave

That culture of hesitation is no longer sustainable. Sri Lanka is entering a period in which multiple legal, regulatory, shareholder, depositor, and reputational claims can pile up around institutions already under strain. Once governance failure becomes visible, it rarely stays confined to one proceeding. It metastasises into civil suits, derivative actions, regulatory directives, forensic findings, auditor scrutiny, ratings pressure, capital-market distrust, depositor anxiety, and possible criminal investigation. The point is not merely that banks may face cases; it is that Boards and senior management now confront a world in which their old assumption of safe ambiguity is breaking down.

 

The State knows that weak governance can destabilise financial institutions, but it also fears that aggressive action against directors of major banks could trigger panic, contagion, or a broader confidence shock. So the system hesitates

 

 

There is already evidence that governance and control weaknesses can convert into market penalties. Public analysis tied to the NDB case argues that the crisis moved from reputational embarrassment to measurable cost-of-capital damage once the market began treating the control weakness as real. Whether one agrees with every line of that analysis, the broader principle is sound: once investors conclude that a Board cannot read its own institution, funding and franchise consequences follow. 

And when those consequences arrive, the same elite circles that treated Board appointments as ornaments may discover that ornamentation is not a defence. A director’s prestige in another industry does not immunise him from the consequences of having failed to understand a bank’s risk profile. Nor should it. If anything, the higher the social standing, the greater the duty to prove competence rather than assume deference.

 

The escape hatch elite

There is another, uglier dimension to this conversation: exit options. In South Asia’s elite systems, accountability is often asymmetrical. Ordinary depositors, minority shareholders, employees, and domestic taxpayers remain trapped inside the consequences of institutional failure. But some senior figures—well-networked, internationally mobile, financially diversified—can contemplate escape. The historical memory of Arjuna Mahendran remains potent not because every current banker is comparable, but because it taught the public a brutal lesson: the powerful often have fallback jurisdictions, foreign residency, and assets beyond easy local reach. Public reporting shows Sri Lanka sought Mahendran’s extradition from Singapore and that the effort became legally and diplomatically fraught, while later commentary argues Sri Lanka’s own legal preparation was deficient. 

That perception is devastating for trust. If the public begins to believe that banking-sector grandees can preside over failures, collect years of fees and prestige, and then retire into Singapore, Australia, Canada, or the United States while local institutions absorb the wreckage, the legitimacy of the entire governance model collapses. Even where such exit plans are only rumoured or precautionary, the suspicion itself corrodes confidence. A banking system cannot survive long on the idea that gains are private, prestige is social, and accountability is geographically optional.

 

A bank Board does not need to be a room full of coders, forensic accountants, and former regulators. But it does need enough competence to recognise that a material, growing, unresolved balance in a settlement or receivables bucket is not a clerical curiosity. It is a flare in the sky. If a Board with accomplished professionals, then the market must ask an uncomfortable question: are these Boards genuinely unable to understand what they are shown, or unwilling to confront what they suspect? The distinction matters legally and morally because gross negligence and knowing concealment do not call for the same remedies

 

 

Why the law must change

This is why the time has come to clean up the Act—not symbolically, but structurally. CBSL’s 2024 corporate governance directions strengthened the regulatory framework for licenced banks, and that was necessary. But a direction is not the same as a culture of consequences. Sri Lanka needs legal reform that turns Board service at banks from an elite decoration into a fiduciary burden with measurable standards. 

At a minimum, the law and supervisory architecture should move toward several hard reforms:

  • Mandatory fit-and-proper standards should include demonstrated banking, treasury, risk, regulatory, audit, or technology competence for a meaningful portion of every bank Board, not just broad “business experience.”
  • Board members should face periodic independent competency assessments, cascading through the Board Nomination Committee, the Board itself, and the regulator, tied to actual bank governance tasks including balance-sheet reading, capital and liquidity comprehension, cyber and operational-risk oversight, and understanding of CBSL directions.
  • Material unresolved balances in suspense, clearing, transit, settlement, or “other assets” categories should trigger mandatory Board-level escalation, committee review, and enhanced disclosure once thresholds are breached, with thresholds calibrated carefully enough to avoid both noise and complacency.
  • Director-level pecuniary penalties and temporary disqualifications should be available where there is gross neglect of oversight, not only where intentional misconduct can be proven.
  • Banks should be required to disclose, in more candid language, the specific expertise matrix of each director and any gaps in payments, IT, cyber, treasury, or regulatory oversight capability.
  • External auditors and Board audit committees should be required to provide sharper public explanation where unusual balances, persistent reconciliations, or material control anomalies exist inside broad line items such as “other financial assets.”
These are not radical proposals. They are the minimum one would expect in a country that has already paid heavily for elite impunity across multiple sectors. Banking is too systemically important to be governed as a gentleman’s club with PowerPoint decks. 

 

Banks do not fail only because rogue employees exist. They fail because control failures persist long enough to become franchises of concealment

 

 

A warning, not a sermon

The most dangerous response to this moment would be to treat it as anti-business rhetoric or a populist attack on professionals. It is neither. Sri Lanka needs strong banks, strong Boards, and credible capital markets. But strength does not come from preserving the vanity of directors who cannot challenge management. It comes from building institutions where service on a bank Board means mastering the institution, not merely inheriting a seat on it. 

The warning signs are already here. A sector of 21 licensed commercial banks cannot afford a culture in which too many directors are selected by network and prestige, too many committees exist as theatre, too many presentations substitute for interrogation, too many credentialed figures hide behind process, and too many regulators worry more about immediate embarrassment than long-term rot. 

Sri Lanka does not have a shortage of accomplished people. It has a shortage of people willing to say, publicly and without euphemism, that a bank Board is not an award, not a social platform, and not a retirement accessory. It is a high-risk public trust. Those who do not understand that trust should not hold the seat. Those who hold the seat and fail the trust should lose more than face. Responsible insiders who understand the problem should now be distinguishing themselves from this pattern, not defending it. 

If this moment is wasted, the consequences will not stay within Boardrooms. They will spread to depositors, investors, borrowers, payment systems, confidence, and the country’s already fragile credibility. The polite fiction of the “eminent director” has lasted too long. Sri Lanka now needs directors willing to treat the role as a demanding public trust, not a decoration. 

 

(The author is a retired serial entrepreneur and senior business leader with several decades of experience across Sri Lanka, the US and the UK, spanning technology, logistics, banking, finance and trading. He has led pioneering digital payments and transaction infrastructure projects, built global commercial relationships, and served at executive, Board and chairman level with responsibility for strategy, governance, risk and compliance)

Recent columns

COMMENTS