Saturday Jul 11, 2026
Saturday, 11 July 2026 09:42 - - {{hitsCtrl.values.hits}}
|
Chairman MP Dr. Harsha de Silva
|
The Parliamentary Committee on Public Finance (CoPF) has concluded that systemic governance, procedural and operational failures across multiple State institutions significantly heightened the risk of the $ 2.5 million cyber fraud involving Sri Lanka’s sovereign debt repayments.
It found that governance lapses at both the Finance Ministry and the Central Bank of Sri Lanka (CBSL) likely contributed to the theft of public funds during repayments to Export Finance Australia.
The Committee’s 169-page report, tabled in Parliament yesterday, found that the fraud was not an isolated incident but the consequence of longstanding weaknesses in internal controls, outdated IT infrastructure and shortcomings during the transition of debt management responsibilities to the Public Debt Management Office (PDMO).
It concluded that the cyber fraud resulted in the loss of $ 2.5 million to the Treasury and caused Sri Lanka to fall into arrears with Export Finance Australia, while stressing that determining criminal liability falls outside Parliament’s oversight mandate.
“The Committee concludes that the risks of a fraud linked to cybercrime were heightened due to systematic lapses in internal controls of the debt repayments process and by outdated email infrastructure. This was not an isolated lapse, but a consequence of governance, procedural, and operational failures across multiple institutions,” the report states.
A central finding of the report is that the transition of debt management functions from the CBSL to the PDMO lacked an adequate governance framework.
CoPF found there was no detailed terms of reference to guide the complex transfer of responsibilities, no key performance indicators to assess whether the transition had been properly completed, while the PDMO’s operational guidelines were issued only 10 months after its establishment.
A memorandum of understanding between the CBSL and the PDMO governing their cooperation was signed only in March 2026, almost at the end of the official transition period.
The report identifies dereliction of duty in maintaining effective internal controls and robust IT systems, together with inadequate escalation of issues to senior officials. It further concludes that mid-level officers acted negligently and failed to exercise appropriate judgment, while weaknesses in the foreign debt repayment process had persisted for years.
The Committee found the fraud first came to light in January 2026 after a debt repayment to the Export-Import Bank of India failed when JPMorgan’s Global Fraud Prevention Operations rejected the transaction.
Verification with the Indian lender confirmed that fraudulent payment instructions had been submitted, prompting the Ministry of Finance to alert the Criminal Investigation Department (CID) and Sri Lanka Computer Emergency Readiness Team (SL-CERT).
Following the Indian incident, the Ministry scrutinised other recent debt repayments and uncovered similarly fraudulent payment instructions relating to creditors in the United Kingdom, Germany and Belgium. The UK payment was suspended before funds were transferred, while Belgium was ultimately paid using the correct account details.
It was during this wider review that officials were alerted on 23 March 2026 that Export Finance Australia had not received several debt repayments made during the previous months, exposing the $ 2.5 million fraud.
The report also notes that internal controls within the CBSL identified anomalies during one of the Australia-related transactions.
After revised payment instructions sought to redirect funds to a UAE bank account, officials in the CBSL Finance Department warned that the beneficiary was not Export Finance Australia’s address, raised potential anti-money laundering concerns and instructed that the lender’s account details be independently reconfirmed before payment was made. The Committee nevertheless concluded that governance lapses at both the Finance Ministry and the CBSL likely contributed to the fraud.
CoPF was equally critical of the Finance Ministry’s cybersecurity environment. It found that the External Resources Department (ERD) and later the PDMO continued to rely on Microsoft Exchange Server 2016 after Microsoft’s extended security support ended in October 2025.
Independent cybersecurity assessments by SL-CERT and KPMG had repeatedly identified serious vulnerabilities, including weak passwords, the absence of multi-factor authentication and poorly defined IT responsibilities, yet many recommendations remained unimplemented.
The Committee noted that the fraud commenced about a month after Microsoft’s security support ended, describing the timing as “far more than a coincidence”.
According to the report, attackers infiltrated genuine email correspondence by using fraudulent domains closely resembling those of Export Finance Australia, enabling false invoices and payment instructions to be inserted into legitimate email chains.
The Committee also found that the ERD maintained a separate email and server environment outside the Treasury’s central IT management framework and observed that “there appears to have been no coordination between the two IT teams”, describing this as a deeply concerning breakdown in governance and procedure.
Among its principal recommendations, CoPF called for an immediate special audit by the National Audit Office covering the entire foreign debt repayment process, urgent implementation of outstanding SL-CERT cybersecurity recommendations across the public sector, a comprehensive overhaul of the financial regulations governing Treasury financial processes and stronger verification procedures with external creditors.
CoPF Chairman Dr. Harsha de Silva said the Committee had established that a cybercrime-linked fraud had occurred and that multiple institutional failures had contributed to it, but stressed that only a criminal investigation could determine whether public officials were complicit.
“We find clearly that a fraud linked to cybercrime did take place. We find that lapses at the governance level at both the Ministry of Finance and the CBSL likely contributed to this fraud. We find dereliction of duty at the highest level at PDMO and ERD on internal controls and IT systems. We find negligence and incompetence at the operational level at the Ministry of Finance,” he said.
“Criminal investigations must determine whether there had been internal collusion in perpetrating this fraud. It is beyond the scope of our Committee. Only then can it be confirmed if the cyber criminals stole Rs. 825 million equivalent of public funds with any collusion with officials or purely due to their negligence, incompetence and ignorance,” Dr. de Silva added.