A Breach of Trust: Parliament’s Oversight Tested by Treasury Cyber Heist

Sri Lanka’s public financial governance is under intense scrutiny following revelations of a sophisticated cyber fraud that siphoned approximately USD 2.5 million from the Treasury’s External Resources Department (ERD).

The incident has triggered an official probe by the Committee on Public Finance (CoPF), which has summoned top officials including the Treasury Secretary and the Central Bank Governor.

While the investigation is ongoing, the episode raises deeper concerns about accountability and transparency within the Ministry of Finance and the Central Bank, institutions ultimately answerable to Parliament and the public.

According to submissions made by the Criminal Investigation Department (CID) before the Colombo Fort Magistrate’s Court, the fraud involved the diversion of loan repayment funds intended for Export Finance Australia.

Payments were processed based on invoices sent from what appeared to be an official email domain. However, investigators later revealed that a deceptive, lookalike domain had been used to mislead officials into transferring funds to cybercriminals.

Critically, a system provider had reportedly issued a warning about the suspicious domain prior to the transaction. However, the payment proceeded regardless. This raises immediate questions: who received this warning, and why was it not escalated or acted upon?

In an environment where millions of dollars in sovereign debt repayments are handled, such alerts should trigger urgent, high-level intervention, not be treated as routine correspondence.

The failure to halt the transaction suggests more than a simple procedural lapse. It points to systemic weaknesses in internal controls and a troubling disconnect between technical safeguards and financial decision-making.

Senior ERD officials may not possess advanced cybersecurity expertise, but that is precisely why institutional frameworks must ensure that critical warnings are understood, verified, and acted upon decisively.

Parliamentary oversight mechanisms exist to prevent such failures. Yet, the delayed response and the reactive nature of the current investigation indicate that both the Ministry of Finance and the Central Bank may have fallen short in proactively safeguarding public funds. Transparency demands not only disclosure after the fact, but also robust preventive systems and clear lines of responsibility.

The imposition of travel bans on five officials and the court-approved inspection of their financial records signal the seriousness of the incident. However, accountability must extend beyond identifying individual culpability. It must address whether institutional negligence, or even tacit complicity, allowed this breach to occur.

Ultimately, this incident is not just about a cybercrime. It is a test of Sri Lanka’s financial governance architecture. Parliament must ensure that its oversight is not merely symbolic, and that institutions entrusted with managing public debt operate with the highest standards of vigilance, transparency, and responsibility. Without such reforms, public confidence in the country’s financial stewardship will remain fragile.

By a Special Correspondent
