By The Pulseline News Desk
A parliamentary investigation into the controversial $ 2.5 million foreign loan repayment that went missing has painted a troubling picture of institutional failure, weak governance, and systemic negligence, concluding that the incident was not merely an administrative error, but a sophisticated fraud linked to cybercrime.
The report by Parliament’s Committee on Public Finance (COPF) argues that while criminal investigators must determine whether public officials actively colluded in the fraud, the failures that allowed public money to be stolen were embedded across multiple levels of Sri Lanka’s public financial management system.
The findings go beyond identifying operational mistakes. They raise broader questions about accountability within the Ministry of Finance and the Central Bank of Sri Lanka (CBSL), the effectiveness of internal controls, and the country’s preparedness to protect billions of dollars flowing through increasingly digital financial systems.
More than an email scam
COPF leaves little doubt about the nature of the incident.
“A fraud linked to cybercrime has clearly taken place. US$2.5 million of public funds has been stolen,” the committee states, while emphasising that law enforcement agencies, including the Criminal Investigation Department (CID), must determine whether any officials inside the relevant institutions knowingly facilitated the crime.
The committee distinguishes between its own oversight role and the responsibility of criminal investigators. While COPF examines failures in governance and financial management, it says only criminal investigations can establish whether there was deliberate collusion or whether officials were simply “ignorant, incompetent, and negligent.”
That distinction is significant because it shifts the focus from a single fraudulent payment to the institutional environment that enabled it.
Leadership under scrutiny
One of the report’s strongest criticisms is directed at the highest levels of financial administration.
COPF says both the Secretary to the Treasury and the Governor of the CBSL bear responsibility for governance failures during the transition to the newly established Public Debt Management Office.
According to the committee, the absence of a formal Memorandum of Understanding (MoU) governing the 18-month transition created uncertainty over responsibilities, reporting structures and performance expectations.
Such an agreement, the report argues, should have established clear terms of reference, measurable performance indicators, training requirements and timelines.
While COPF stops short of saying the lack of an MoU directly caused the fraud, it believes the omission significantly weakened institutional accountability.
Ironically, months before the fraud became public, COPF had already questioned coordination between the Ministry of Finance and the CBSL regarding external debt repayments.
In a joint letter dated April 4, 2026, both institutions assured Parliament that existing coordination mechanisms were sufficient.
The committee now concludes that those assurances were misplaced.
A breakdown in internal controls
The report identifies perhaps its most serious operational finding: routine safeguards that should have prevented the fraud were either absent or ignored.
Senior officials within both the External Resources Department (ERD) and the Public Debt Management Office are accused of displaying what COPF describes as an “absolute dereliction of duty.”
Among the failures identified were:
- Inadequate verification of lender invoices against original loan agreements;
- Failure to use secure and verified communication channels;
- Poor monitoring of email domains used for official correspondence;
- Failure to maintain critical information technology systems; and
- Insufficient internal controls throughout the repayment process.
The committee notes that if these relatively basic verification procedures had been followed, the fraudulent transactions could almost certainly have been prevented.
Repeated errors, not a single mistake
Rather than describing the incident as an isolated lapse, COPF concludes that repeated failures occurred over an extended period during the transition of debt management responsibilities.
This finding suggests that weaknesses persisted long enough for multiple fraudulent transactions to occur before detection.
At the operational level, the report criticises mid-level officials across the ERD, Public Debt Management Office and Public Debt Department for failing to exercise sound professional judgement.
One example highlighted by the committee is the failure of officials to notice inconsistencies in email domains during communications with lenders – an elementary cybersecurity precaution that should have raised immediate concerns.
Questions over accountability
Despite identifying system-wide failures extending from senior management to operational staff, COPF notes that only four mid-level employees from the Ministry of Finance have so far been suspended.
The committee also records the “most unfortunate” sudden death of one of those suspended officers.
COPF cautions against assigning personal blame before criminal investigations are completed, arguing that disciplinary and financial liability should ultimately depend on evidence gathered by law enforcement authorities.
The report therefore calls for a comprehensive criminal investigation to determine whether officials merely acted negligently or knowingly participated in the fraud.
Outdated rules in a digital age
One of the report’s broader observations concerns weaknesses in Sri Lanka’s financial regulatory framework.
COPF notes that the foreign debt repayment process currently falls outside existing Financial Regulations because debt repayments are treated as non-discretionary expenditure.
The committee argues that this regulatory gap demonstrates the urgent need to modernise financial governance under the Public Financial Management Act.
Without updated regulations that reflect modern electronic payment systems and cybersecurity risks, similar incidents remain possible.
Recommendations for reform
The committee has proposed several reforms aimed at strengthening accountability and preventing future losses.
Among its key recommendations are:
- A special audit by the National Audit Office (NAO) covering the entire foreign debt repayment process;
- Accelerated implementation of revised Financial Regulations within three months;
- Stronger verification procedures for lender invoices and loan agreements;
- Mandatory use of approved communication channels;
- Improvements to information technology systems supporting debt management; and
- Recovery of public losses under Financial Regulation 105 if investigations establish official responsibility.
The committee stresses that strengthening internal controls should become a permanent feature of Sri Lanka’s public finance management system rather than a temporary response to the latest crisis.
Beyond one missing payment
Although the immediate financial loss amounts to $ 2.5 million, the report suggests the larger concern is confidence in the institutions responsible for managing Sri Lanka’s sovereign debt.
External debt repayments involve billions of dollars and require close coordination among multiple government agencies, international lenders and financial institutions. Weak governance, poor cybersecurity practices and unclear lines of responsibility can undermine not only financial security but also international credibility.
COPF’s investigation therefore frames the incident as more than an isolated cyber fraud. It is presented as a warning that institutional weaknesses, if left unaddressed, can expose the public purse to significant risk.
Whether the CID uncovers evidence of criminal collusion or concludes that the losses stemmed solely from negligence, the parliamentary committee’s message is unequivocal: the fraud was enabled by failures in governance, procedure and oversight that require urgent reform if similar breaches are to be prevented in the future.
Leave a comment