$ 2.5 m Treasury cyber heist: IMF grants waiver over external debt arrears breach

 Missed payment to Australian Govt. triggered breach of program criterion

 IMF describes non-observance as minor and supports waiver request

 Authorities to introduce new payment procedures and debt management system

 Program performance otherwise assessed as broadly strong, noted IMF

The International Monetary Fund (IMF) has granted Sri Lanka a waiver of non-observance of a key program performance criterion after a cybercrime incident resulted in a missed external debt payment of approximately $ 2.5 million owed to the Australian Government.

This is in relation to $ 2.5 million phishing scandal that has rocked the Treasury where debt repayments due to Export Finance Australia had been diverted by cybercriminals via ten separate transactions using fraudulent emails to alter bank details. The incident has raised serious questions about processes, checks and balances at the Treasury.

Opposition lawmakers had raised questions as to whether the missed debt repayments amounted to a technical default, which the Government claimed did as it expressed intent and ability to settle Export Finance Australia.

The waiver was approved as part of the combined fifth and sixth reviews under Sri Lanka’s Extended Fund Facility (EFF), with IMF staff concluding that the breach was minor and that authorities had taken appropriate corrective measures.  

According to the IMF, the country’s continuous quantitative performance criterion prohibiting the accumulation of new external payment arrears had not been observed since November 2025 due to the cybercrime incident.

The missed payment amounted to approximately 0.002% of GDP. Authorities only recently identified the issue and investigations are ongoing, including coordination with Australian authorities. 

The IMF said Sri Lankan authorities requested a waiver on the basis that the breach was minor and that corrective actions had already been initiated. Authorities have committed to clearing the arrears as soon as feasible. 

As part of the remedial measures, the Government has undertaken to implement standard operating procedures for debt payments by end-June and operationalise the new Meridien debt management information system by end-August. The IMF said the new procedures, developed with technical assistance from the Fund, would strengthen payment processes and improve verification of account details and payment amounts. 

The waiver was the only quantitative performance criterion breach identified during the review period. The IMF noted that all end-December 2025 quantitative performance criteria and indicative targets were met except for the criterion on new external payment arrears. Fiscal revenue and primary balance targets were exceeded by significant margins, while program performance was assessed as generally strong.  

The Fund also said progress continued on broader corrective actions related to earlier reporting deficiencies involving expenditure arrears. These measures include strengthening fiscal reporting systems and enhancing commitment controls through the Integrated Treasury Management Information System (ITMIS). The IMF noted that previously identified expenditure arrears had been cleared and that no new expenditure arrears were incurred during the second half of 2025. 

In its staff appraisal, the IMF recommended approval of the waiver request, citing the limited scale of the breach and the authorities’ commitment to strengthening debt payment and monitoring systems. The Executive Board subsequently approved the waiver alongside the completion of the fifth and sixth reviews of the EFF program. 

The decision allows Sri Lanka to remain in compliance with program requirements and proceed with the latest IMF disbursement of approximately $ 695 million while continuing implementation of reforms under the four-year EFF arrangement.