In its 2022 report, the US-based Association of Certified Fraud Examiners (ACFE) evaluated over 2,000 cases of internal fraud across 133 countries, totaling an estimated loss of US$ 3.6b.
Frauds initiated and put into effect by bank employees remain a sizable global problem. Employees are uniquely well placed to discover and take advantage of weaknesses in the internal controls of their organisations by abusing their level of access to the operating systems or by targeting specific accounts, customer and internal.
While the scale of this problem and the different vulnerabilities that internal fraudsters exploit are expanding, advanced anti-fraud technologies are also available that can combat it. FinTech anti-fraud solutions are improving all the time and their ability to identify and block suspicious activity in real time is increasingly becoming the first line of defence against fraud risk in banking.
The National Development Bank (NDB) was hit by two serious cases of employee-led fraudulent activity in quick succession. One, in January 2026, was on its Mastercard payment system, while the more recent incident, in April 2026, involved the management of its Suspense Account.
As stated by its Chief Executive Officer, Kelum Edirisinghe, the principal culprit was identified as a “junior” executive with approximately 10 years of service, who supervised the reconciliation of the suspense account. He is alleged to have colluded with several colleagues and to have transferred funds from the suspense account via the bank’s SWIFT system to accounts held at other banks.
The suspicious transactions were first identified after an employee lodged a complaint on March 31, 2026 that another employee had access to his password. On April 2, NDB advised the omission/control failure to the Central Bank of Sri Lanka (CBSL) and the Colombo Stock Exchange (CSE). An estimated loss of Rs. 380m was reported to both regulators on that date with a proviso that the amount could increase.
Four days later on April 6, however, a follow-up disclosure revealed the catastrophic nature of the loss – it had escalated from an initial estimate of Rs.380m on April 2 to Rs.13.2b by April 6, an increase of 35 times the initial disclosure.
To pacify and lower the tempo of the impact, the second disclosure revealed that the loss was limited to a “certain area of operations”. Having downplayed the loss at its first disclosure, there was no way out in doing the same via a second disclosure when the size of the loss was in the realm of nightmares and could trigger the unthinkable – a public loss of confidence depriving access to deposits with the New Year around the corner.
The urgency and the gravity of the matter was not lost on either NDB or CBSL. The second disclosure revealed that customer deposits and account balances remain safe and unaffected and that the loss is being absorbed by the bank’s own capital and reserves. CBSL also intervened on April 6 with their liquidity backstop. In doing so it explicitly stated that NDB had access to emergency facilities to prevent a bank run or panic withdrawals.
According to NDB officials, the incident did not occur overnight; it had been continuing for a time, perhaps months or years. It involved a small group of insiders operating within the Shared Services Unit, that exploited the operation of selected internal accounts, mainly Suspense Accounts, to siphon off the looted funds. The transactions were executed in relatively small amounts, often below threshold approval limits and were repeated frequently to gather and accumulate sizable amounts within a managed time frame that was perceived tolerable in escaping detection.
Addressing a limited number of senior journalists in the NDB boardroom, Vice President of Finance at NDB, Azzam Ahamat opined that, in the worst-case scenario, the financial impact on the bank was estimated to result in an unaudited loss after tax for the quarter ended March 31, 2026 of approximately Rs 4 billion, after providing for the maximum loss expected to arise immediately after the incident.
“The bank remains financially strong; notwithstanding this impact, the bank’s Common Equity Tier I, Tier II and Total CAR will continue to remain above the minimum regulatory requirements of 7.0%, 8.5% and 12.5%. The unaudited total asset base of the bank, which was approximately Rs. 990 billion as at March 31, 2026, would be impacted by only 0.7%,” he said.
With neither apology nor remorse, the CEO and CFO resorted to numbers to escape the reality of repeated blunders that befell the bank closing with a loss of Rs.13.2b, a sum which wiped out their 2025 profit by Rs.2.2b.
In both frauds that occurred at NDB, the impairment seemed to have been identified, recognised and disclosed. Equally the culprits were identified and arrested by law enforcement authorities. Disclosure seemingly occurred as soon as the incident was discovered and advised to the regulators, CBSL and the CSE.
The CBSL, in turn, stated the bank was stable and in a position to serve its customers without interruption. The statement avoided a bank run, as CBSL was ready to provide the necessary liquidity. NDB and CBSL assured the event involved internal accounts and had no impact on customer balances.
Misguide some or all of us
NDB, together with CBSL and CSE, can be credited with taking swift action that placated depositors and the equity market, potentially preventing a disastrous outcome. However, did they mislead some or all stakeholders? Concerns remain. The discrepancy in reported losses is significant, rising from Rs. 380 million on April 2 to Rs. 13.2 billion by April 6. Questions persist over what changed within four days, while allegations about affected customer balances continue to surface.
A branch of another bank in the Eastern Province is now thought to have been a major location for encashment. Thus, being rather coy having implied that other banks are involved in the “scheme of things” leaves much to be desired. Allegations by at least one bank to the CBSL of “suspicious encashments” seem to have been ignored.
Equally, the first fraud pointing to its Mastercard System estimated at nearly Rs. 300m in January 2026 looked lost in translation. Various on-line messages referred to investigation by the CID with NDB staff providing statements at the Colombo Magistrate’s Court.
In contrast to the eagerness to disclose the first and second disclosures, there was no reaction whatsoever by the NDB to such news circulating on-line. Whether the on-line news item was disclosed and known to either the CBSL or the CSE or both is unknown. It places both regulators and the NDB at some disadvantage or suspicion, all playing with a not so straight bat.
Next is reference to “connivance with a third party” as disclosed by NDB. To know and not disclose “the third party” is as damaging as conniving with the party itself thus ruining the reputation of NDB. It could be an individual, local or foreign or a corporate entity, again local or foreign, with the arrest of such parties much in the news.
The size of the defalcation and time taken to engage in perpetrating it means bypassing some automated controls that are mandatory in the Risk Management and Operating Systems prescribed by regulation under BASEL as well as CBSL rules.
Capacity to bypass such critical system attributes over an extended period opens the possibility of NDB investing in rather low-quality, cheap untested systems as well as collusion of the reporting chain perhaps involving KMPs (Key Management Personnel) and even the Board.
Finally, if the defalcation extended over a period, then the item may appear on its audited and published financials i.e. the Balance Sheet dated December 31, 2025 and possibly 2024. As Sherlock Holmes reputedly put it, “Elementary dear Watson, elementary”, the balance sheet carries an item with a value of Rs.16.2 bn listed under “Other Assets” that could have revealed all or much.
The Board, KMPs, Internal Auditors, Ernst & Young as well as the Director, Bank Supervision within CBSL, Rating Agencies and other so-called analysts and market experts “missed it”, to put it mildly. The item would have brought the matter to a head much earlier. Not only did all stakeholders fail utterly, many are now burying their heads or pointing the finger at each other.
Any banking system operates on public trust. The main role of banks is to manage the money of other people i.e. that of depositors, including the funds of shareholders while earning a reasonable return for both. They operate in a regulated environment due to the singular characteristic of the business of banking i.e. the wide disparity between the high value of deposits compared to the rather low level of capital of the banking institutions. Thus, active regulation and tangible trust is fundamental to the highly leveraged business of banking. Thus, the key role of CBSL, as the lead regulator and the NDB Board including KMPs, in the equally key role of upholding public trust.
Thus, even though all processes were followed without deviation, validity of the documentation and reports submitted for review up the chain were neither sufficiently tested nor examined. Such an outcome exhibits an overreliance on compliance with process rather than substantive investigative verification.
A senior banker told Sunday Observer Business that effective internal controls require not merely verification that process was followed but also questioning whether the outcomes make sense.
Audits and CBSL examinations
For instance, do transaction patterns align with expected business activity? Are suspense account balances unusually high, persistent and unresolved? Do repeated low-value transactions indicate structuring to avoid detection?
The absence of such analytical scrutiny creates blind spots that can persist for years.
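The checks described above can be run as detection logic over a ledger export. The following is an added example, not from the article or from NDB: it flags repeated just-below-limit debits by one user on one account, and suspense items left open too long. Ledger rows, user ids, the approval limit and all thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 5_000_000  # assumed per-transaction approval limit (Rs.)

# Constructed ledger rows: (posting date, user id, account, debit amount)
LEDGER = [
    (date(2026, 1, 5), "u101", "SUSP-01", 4_900_000),
    (date(2026, 1, 6), "u101", "SUSP-01", 4_800_000),
    (date(2026, 1, 8), "u101", "SUSP-01", 4_950_000),
    (date(2026, 1, 9), "u101", "SUSP-01", 4_700_000),
    (date(2026, 1, 5), "u202", "SUSP-01", 1_200_000),
    (date(2026, 1, 20), "u202", "SUSP-01", 4_900_000),
    (date(2026, 1, 2), "u303", "SUSP-02", 4_900_000),
    (date(2026, 1, 15), "u303", "SUSP-02", 4_900_000),
    (date(2026, 1, 29), "u303", "SUSP-02", 4_900_000),
]
# Constructed open suspense items: (item id, date opened, amount)
OPEN_ITEMS = [("S-1", date(2025, 11, 1), 2_000_000),
              ("S-2", date(2026, 1, 20), 500_000)]


def find_structuring(ledger, limit=APPROVAL_LIMIT, near=0.8,
                     window_days=7, min_count=3):
    """Flag (user, account) pairs with min_count or more debits, each in the
    band [near*limit, limit), inside window_days and totalling over limit."""
    by_key = defaultdict(list)
    for day, user, account, amount in ledger:
        if near * limit <= amount < limit:
            by_key[(user, account)].append((day, amount))
    alerts = []
    for (user, account), rows in sorted(by_key.items()):
        rows.sort()
        start, total = 0, 0
        for end, (day, amount) in enumerate(rows):
            total += amount
            # Slide the window start forward past debits that are too old.
            while day - rows[start][0] > timedelta(days=window_days):
                total -= rows[start][1]
                start += 1
            count = end - start + 1
            if count >= min_count and total > limit:
                alerts.append({"user": user, "account": account,
                               "count": count, "total": total,
                               "first": rows[start][0], "last": day})
                break  # one alert per pair is enough to open a review
    return alerts


def stale_suspense_items(items, as_of, max_age_days=30):
    """Return (item id, age in days) for items open longer than max_age_days."""
    return [(item_id, (as_of - opened).days)
            for item_id, opened, _amount in items
            if (as_of - opened).days > max_age_days]


if __name__ == "__main__":
    for alert in find_structuring(LEDGER):
        print("structuring:", alert)
    print("stale:", stale_suspense_items(OPEN_ITEMS, date(2026, 1, 31)))
```

Only the first user is flagged: the second has a single near-limit debit, and the third spaces identical debits further apart than the window, which is why the window length and band need tuning against real approval limits.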
The repeated incidents at NDB point to the failure of its internal and external audit processes. Internal and external audit as well as the periodic CBSL examination are considered independent assurance functions.
In the case of NDB, the internal and external auditors failed to detect the irregularities over a period of time, particularly after the previous Mastercard failure only a few weeks earlier. In the circumstances, one may reasonably raise questions as to the quality of the audits and if they were sufficiently risk-based. Did the auditors have access to real-time data analytical tools? Was there sufficient independence from operational units?
When such malpractices bypass multiple lines of defence undetected, it signals that those defensive lines are either poorly structured or insufficiently executed. The two incidents provide a strong eye-opener that audit and examination functions must expand beyond checklist-driven reviews and become dynamic, data-driven functions to detect anomalies within the system in real time.
Corporate governance
The 10-member NDB Board carries accounting and audit veterans plus assorted business and banking luminaries with local and international experience but could not prevent two episodes of fraud, almost back-to-back, from occurring and laying the bank low. The same can be said of the KMPs who must also be vetted by the regulator prior to confirmation in their posts.
The two episodes together provide a strong warning that corporate governance principles, the “fit and proper” test applied by CBSL and training provided by the likes of Sri Lanka Institute of Directors (SLID) or Sri Lanka Institute of Bankers (IBSL) in arriving at such appointments are rather inadequate and perhaps unfit for purpose on their own.
Among core competencies, the Board and Corporate Management should exhibit deep engagement with operational matters, IT systems, well-rounded experiences and capacity for day-to-day oversight. Perhaps the CBSL should consider providing some focused training for those selected.
In the aftermath of two fraud episodes, all interested parties are likely to call for “stronger” boards, “more” independent directors, “strengthened” audit committees, or the introduction of new governance codes. Such measures are for the most part knee-jerk reactions and carry little merit when what is available is simply ignored or poorly applied.
The case shows that governance failures occur at both below and at board level. Directors are not in the business of monitoring transactions unless their contours border or exceed “house” limits by amount, tenor, risk rating or other set parameters. Their responsibility instead is to ensure robust and tested systems are in place together with an independent and an empowered “up to the mark” internal audit function reporting only to the Board Audit Committee. Chairman and CEO having clean unfettered access to the Chief Internal Auditor and staff should not occur. Responsibility lies with the directors to question systems, processes and irregularities that arise from time to time, deeply and expeditiously. What matters is the “value add” via the quality of oversight exercised.
“red signals”
In the case of NDB, the prolonged time over which the fraud was in play brings doubt as to whether the Board actually exercised such oversight. That the fraud overturned or skipped mandatory “red signals” repeatedly to run for an extended time, points in the direction of investing in cheap systems, low level of user testing and low level of user training. The Board simply underperformed in their duty of care as regards managing the integrity of operating systems and undertaking a heightened level of oversight after the first fraud episode.
The delivery of good results for 2025 by the NDB and other banks in Sri Lanka came in handy. The results strengthened capital buffers and avoided any impact on customer balances although the fraud exceeded 2025 profits. For good measure the regulator suspended the cash dividend along with all discretionary expenses as well as any branch expansion for the time being.
Irrespective of current profitability and capacity via capital buffers to ride a hit, the banking system of any country is subject to regulation by its Central Bank or a dedicated supervisory unit. Its job is cut and dried. It is plainly to ensure the financial wellbeing of the banks that by definition carry heavy leverage.
A double whammy only a few weeks apart coupled to a defalcation several times its initial disclosure and in excess of the latest annual profit, perpetrated over an extended time frame, involving other banks in the system that had complained previously, reeks not only of poor supervision by the lead regulator but being aloof from the market.
Many said that CBSL should have been more alert given the disclosure by NDB in their published year-end financials as regards the large amounts reported under “Other Assets”. No ear on the ground and oblivious to market noises, it looks like CBSL simply stayed within its ivory tower pontificating on pushing its latest idea, the consolidation of the banking system. There is little doubt that the CBSL failed not only in its handling of NDB but also in its review of a failing board.
All others involved
In the final analysis, all those involved in the wellbeing of NDB capitulated — employees, management, the board, external auditors, and key regulators such as the Securities and Exchange Commission of Sri Lanka (SEC) and the Central Bank of Sri Lanka (CBSL), the lead regulator. Not only should a public inquiry be conducted and those responsible be punished, but the lessons and outcomes should also receive wide publicity to ensure that an episode of such magnitude is unlikely to occur again.
Both fraud episodes indicate the need for continuous job rotation in operational areas to reduce the concentration of controls among selected officers. It is also important to strengthen whistleblower policies, whether through formal or informal anonymous reporting channels and to provide strict guidance on ethics and compliance. Leadership commitment to accountability and transparency is vital. A Board-approved whistleblower policy is in operation at NDB but how widely it is publicised is unknown.
The lessons from these incidents indicate that strengthening the governance of financial institutions goes beyond board members and balance sheets. Due to the complexities of the banking environment, fraud can arise through any loophole in the system. A vigilant system is vital beyond smooth day-to-day routine operations. It means reinforcing internal controls with real-time monitoring and analysis, transforming the traditional internal audit system into a proactive, risk-based function, and encouraging whistleblowing and a questioning culture at all levels of the organisation.
Government and Parliament
President Anura Kumara Dissanayake has been briefed on the matter. That indeed should be expected, given that Government–related entities collectively own nearly 34 percent of NDB. This includes the Employees’ Provident Fund (EPF) with a 9.46 per cent stake and direct links to the Central Bank of Sri Lanka (CBSL); the Bank of Ceylon (BoC) with 9.71 percent; the Sri Lanka Insurance Corporation (SLIC) General Fund with 6.05 percent; the SLIC Life Fund with 5.03 percent; and the Employees’ Trust Fund (ETF) with a 3.38 percent holding, also with direct links to the CBSL.
Given reports that the IMF is observing the matter with much interest, we trust the Finance Secretary as “Virtual Owner” of the Government stake, has made its view known to all parties including CBSL. Equally an ex-Finance Minister in Parliament as well as the Committee on Public Finance (COPF) and Committee on Public Enterprises (COPE) have taken up the NDB issue. Not to be outdone, the SEC has also met the NDB Board. It is hoped that all will place their full weight on arriving at the truth of what occurred and undertake corrective action and speak with a singular voice without gaps.
Recovery at NDB
In terms of recovery, full investigation is mandatory. The role of each and all involved needs scrutiny as soon as possible when events can be readily recollected. Soon some will inevitably ask “What robbery at NDB?” similar to the bond scam at CBSL some time ago. The destination of the Rs.13.2 b may be in a single location “fully spent” if routed to a crypto vehicle seeking a quick gain. It could also be elsewhere subject to prolonged recovery effort which may involve some off-set negotiations with the accused and those in custody.
NDB as constituted cannot continue as that would be to simply reward preventable mistakes and wrongdoing but anything is possible in the “Wild West /Frontier Market” of Sri Lanka. The victim bank has been re-rated and may have to re-negotiate its operating agreements with external parties. NDB may obtain some compensation for the employee rooted defalcations via claims under insurance cover provided via the banker’s blanket bond.
A phased program should be initiated to install new Board Members as well as KMPs and External Auditors. A forensic audit is inevitable to understand exactly the modus operandi employed rather than the managed evidence currently leaked to the public. Given the closed nature of the work of external auditors in a small limited contaminated market available in Sri Lanka, a firm from abroad unrepresented in Sri Lanka should be assigned the job after a bidding process.
Whatever measures NDB, CBSL and other stakeholders may now adopt, the damage is done and likely to reverberate across the country and perhaps even be copied. Equally likely it may be forgotten as events arise, each succeeding the one before in magnitude. A Rs.13.2b unconventional banking heist minus the usual guns is, however, unlikely to re-occur soon in the scheme of things and hence interest in it may prevail perhaps rather longer than the New Year celebrations.
All will acknowledge that prevention is far better than waiting for the arrival of any corrective action. Given the nature of such matters in Sri Lanka, prevention and corrective action is likely to be a fudge, and hence the initiation of the next fraud is probably under way. Equally, it may not, given the opportunity to act differently and take a different path this time.
Source: Sunday Observer
LankaTalks