Allegations of fraud, internal controls in doubt, and mounting calls for regulatory scrutiny? Is the Central Bank on the ball? 4-Eyes rules clearly failed!
Be that as it may, Sri Lanka’s banking sector now finds itself confronting a question it has long sought to avoid: what happens when internal controls fail in a system built on trust? Allegations of fraud linked to NDB Bank have begun to circulate widely, raising concerns not only about the incident itself, but about the mechanisms that were supposed to prevent it.
At the centre of these concerns is the suggestion, drawn from multiple industry sources, that funds may have moved through accounts not immediately visible within standard customer-facing operations. In banking practice, these are often referred to as “suspense accounts”: temporary holding accounts used to park transactions pending reconciliation. They are not, in themselves, unusual. But when used improperly, they can become opaque channels through which irregularities are masked.
That is where the scrutiny now lies.
The more troubling question being asked within industry circles is not simply how the alleged fraud occurred, but how it was allowed to pass through layers of control. The long-standing “four-eyes” principle, requiring dual authorisation for sensitive transactions, exists precisely to prevent such breakdowns. If, as is being suggested, transactions moved through without effective oversight, then the issue may extend beyond individual misconduct into systemic weakness.
And that, in the current climate, carries consequences.
Sri Lanka’s economic recovery remains fragile. Public trust in institutions, financial and otherwise, has been rebuilt slowly, and often painfully. Against that backdrop, any suggestion that internal banking controls may have been circumvented is likely to attract far more than routine attention. The environment has shifted. There is now a far lower tolerance for opacity, and a far greater expectation of accountability.
TRANSPARENCY IS DEMANDED FROM PRIVATE SECTOR TOO:
The government itself has signalled that shift. Under the administration of Anura Kumara Dissanayake, there has been repeated emphasis on tightening governance, increasing transparency, and confronting fraud more directly than in the past. Whether that translates into concrete action in this instance remains to be seen—but the expectation is clearly there.
What happens next is likely to depend on the response of the regulator.
The Central Bank of Sri Lanka faces a familiar but difficult task. It must determine whether the matter is contained, an isolated breach, or whether it reflects deeper vulnerabilities within the institution’s control environment. That distinction will shape the nature of any intervention.
In more serious cases globally, regulators have not hesitated to step in, appointing oversight teams, restricting operations, or, in extreme scenarios, temporarily assuming control of management functions. Such measures are not routine. But neither are they unprecedented.
For now, NDB Bank has not publicly detailed the full extent of the issue, and it is important to note that allegations remain subject to investigation. But the questions are no longer confined to private conversations within the banking community. They have moved into the public domain.
And once there, they demand answers.
The broader issue is unavoidable. Banking is built not only on capital, but on confidence. When that confidence is tested, the response must be decisive enough to restore it. Anything less risks allowing doubt to take hold, not only in one institution, but across the system.

THE STING
In banking, it is not the transaction that breaks trust. It is the failure to see it.
NDB BANK FRAUD: WHAT IS A “SUSPENSE ACCOUNT”?
A routine banking tool – until it isn’t
In banking practice, a suspense account is not, in itself, unusual. It is a temporary holding account used when a transaction cannot immediately be assigned to its final destination. Payments that are unclear, unmatched, or pending verification are often parked in such accounts until they can be properly reconciled. In theory, it is a housekeeping tool designed to ensure that discrepancies are resolved rather than ignored.
However, the very feature that makes a suspense account useful, its temporary and internal nature, also makes it sensitive. These accounts do not always sit in the direct line of customer visibility. They operate within the internal accounting framework of a bank, which means their integrity depends entirely on strong internal controls, clear audit trails, and timely reconciliation.
When properly managed, funds should not remain in suspense accounts for long. They are meant to be cleared, matched, and transferred without delay. Prolonged balances, unexplained movements, or repeated use of such accounts for similar transactions can become red flags within internal audit systems.
It is for this reason that suspense accounts are subject to strict oversight in well-governed institutions. They are monitored, reconciled regularly, and reviewed during audits. Because when funds begin to move through these channels without clear explanation, the issue is no longer operational; it becomes one of control and accountability.
THE “FOUR-EYES” PRINCIPLE: HOW IT IS SUPPOSED TO WORK
A basic safeguard that should not fail
The “four-eyes” principle is one of the most fundamental safeguards in banking and financial systems. At its core, it is simple: no single individual should be able to execute and approve a critical transaction alone. Every significant movement of funds, adjustment, or override must be reviewed and authorised by at least two independent parties.
This principle exists to prevent precisely the kind of risk now being discussed. It ensures that errors are caught early, irregularities are questioned, and no single point of control can be exploited. In practice, this means segregation of duties: one officer initiates, another verifies; one processes, another approves.
But the effectiveness of the four-eyes principle depends not only on structure, but on discipline. If roles overlap, if overrides become routine, or if controls are treated as procedural rather than substantive, the system weakens. What is designed as a safeguard becomes a formality.
When breaches occur in environments where four-eyes controls are in place, the question is not simply whether the rule existed. It is whether it was meaningfully applied. Because in banking, controls that exist only on paper do not prevent failure; they merely delay its discovery.
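The red flags described for suspense accounts (prolonged balances, repeated use) and the four-eyes conditions (an independent second approver, overrides treated as exceptions) can be expressed as an automated review over ledger entries. The following is an added illustration, not drawn from any bank's systems; the field layout, user names, account numbers, and thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample postings to one suspense account (not real bank data).
# Fields: id, posted, cleared (None = still open), maker, checker, override, beneficiary
ENTRIES = [
    ("S-001", date(2024, 3, 1), date(2024, 3, 2), "amal", "bina", False, "ACC-100"),
    ("S-002", date(2024, 3, 1), None,             "amal", "bina", False, "ACC-200"),
    ("S-003", date(2024, 3, 4), date(2024, 3, 5), "chan", "chan", False, "ACC-300"),
    ("S-004", date(2024, 3, 5), date(2024, 3, 5), "chan", None,   True,  "ACC-300"),
    ("S-005", date(2024, 3, 6), date(2024, 3, 7), "amal", "bina", False, "ACC-300"),
]

def review(entries, as_of, max_age_days=5, repeat_threshold=3):
    """Return {entry_id: [flags]} for entries that break a control rule.

    max_age_days and repeat_threshold are illustrative values (assumptions).
    """
    per_beneficiary = Counter(e[6] for e in entries)
    findings = {}
    for eid, posted, cleared, maker, checker, override, beneficiary in entries:
        flags = []
        # Prolonged balance: the item stayed (or still sits) in suspense too long.
        age = ((cleared or as_of) - posted).days
        if age > max_age_days:
            flags.append("AGED")
        # Four-eyes: a second, different person must have approved the entry.
        if checker is None or checker == maker:
            flags.append("NO_INDEPENDENT_APPROVER")
        # Overrides are exceptions and are always surfaced for review.
        if override:
            flags.append("OVERRIDE")
        # Repeated use of the suspense account for the same destination.
        if per_beneficiary[beneficiary] >= repeat_threshold:
            flags.append("REPEAT_BENEFICIARY")
        if flags:
            findings[eid] = flags
    return findings

if __name__ == "__main__":
    for eid, flags in review(ENTRIES, as_of=date(2024, 3, 20)).items():
        print(eid, ", ".join(flags))
```

A check like this only verifies that two different identities are recorded on an entry; it cannot tell whether the second approval was a substantive review.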
NDB BANK FRAUD: WHAT CAN THE REGULATOR DO?

From inquiry to intervention
When concerns arise within a licensed financial institution, the responsibility shifts to the regulator. In Sri Lanka, that role rests with the Central Bank, which is empowered to oversee, investigate, and, where necessary, intervene in the operations of banks under its supervision.
The first step is typically inquiry. The regulator may call for internal reports, conduct examinations, and assess whether the issue is isolated or indicative of broader control weaknesses. This stage is critical, as it determines the scale and nature of any further action.
If deficiencies are identified, the Central Bank has a range of options. It may require corrective measures, strengthen reporting requirements, or impose supervisory conditions. In more serious situations, it can appoint independent auditors, restrict certain operations, or place the institution under closer regulatory oversight.
In extreme cases, particularly where systemic risk or governance failure is evident, regulators in many jurisdictions have gone further, stepping in to oversee management functions or temporarily assume control to stabilise operations. Such actions are not taken lightly, as they carry implications for confidence and continuity. But they remain part of the regulatory toolkit.
Ultimately, the objective is not punishment alone. It is stability. The financial system depends on trust, and where that trust is tested, the response must be sufficient to restore it.
WHAT WE KNOW — AND WHAT IS ALLEGED
Separating confirmed fact from industry claims
At the time of writing, there are serious concerns circulating within industry and public discourse regarding irregular transactions linked to NDB Bank. However, it is important to distinguish clearly between what has been formally established and what remains subject to investigation.
What is known is that questions have been raised regarding internal controls, transaction oversight, and the movement of funds within the institution. These concerns have gained sufficient traction to enter the public domain and are now the subject of scrutiny both within the banking sector and beyond.
What is not yet formally established, at least in the public domain, is the full mechanism by which any alleged irregularities may have occurred. References to the use of “suspense accounts,” control failures, or procedural breaches are drawn from industry sources and informed commentary, but remain unverified pending regulatory or forensic findings.
No final determination of liability has been made, and no individual or institution has been found guilty in a court of law in relation to these matters at this stage.
According to a confidential source, the funds may have been moved from treasury-linked accounts into selected customer accounts within the bank, and the mastermind behind the fraud has left the country and is hiding in Chennai, India. However, these claims remain unverified, and neither the bank nor the CID has issued an official response so far.
As such, the situation remains under examination, and conclusions must ultimately rest on the findings of competent authorities, including the Central Bank of Sri Lanka and any formal investigative process that may follow.

COLLUSION, COERCION — OR A SYSTEM UNDER STRAIN?
Understanding how such breakdowns can occur
Be that as it may, when irregularities of this nature are discussed within banking circles, the question inevitably turns to how such activity could have passed through established controls. Two broad explanations are typically considered: collusion or coercion. The two are not mutually exclusive, and in some cases, elements of both may be present.
Collusion implies cooperation. It suggests that more than one individual, across different points of a process, may have acted in concert, whether to bypass controls, delay detection, or facilitate transactions that would otherwise have been flagged. In systems built on layered oversight, collusion is often the only way multiple safeguards can be neutralised simultaneously. It requires alignment, intent, and, crucially, silence.
Coercion, on the other hand, points to a different dynamic. It raises the possibility that individuals within the system may have acted under pressure, whether direct or indirect, to approve, overlook, or process transactions they might otherwise have questioned. Such pressure need not always be explicit. It can take the form of hierarchy, urgency, or implied consequence, particularly in environments where authority is concentrated or where escalation pathways are unclear.
What complicates matters further is that systems under operational strain, whether due to volume, complexity, or resource limitations, can become more vulnerable to both. Controls may exist, but vigilance weakens. Exceptions become routine. Oversight becomes procedural rather than substantive.
At this stage, it would be premature to conclude which of these dynamics, if any, may apply. But the framework matters. Because understanding whether a failure arose from deliberate coordination, structural pressure, or systemic weakness is central to determining both accountability and remedy.