By Shihar Aneez
COLOMBO – The internal fraud at Sri Lanka’s listed lender National Development Bank PLC (NDB), which officially unfolded in early April 2026, represents one of the largest operational risk failures in the history of commercial banking in Sri Lanka.
While the bank and the regulator have moved to stabilize the situation, the timeline of disclosures and the sheer scale of the loss have raised significant questions about oversight and transparency.
What happened in the Rs13.2 billion fraud?
Based on corporate disclosures and Central Bank of Sri Lanka (CBSL) statements, the crisis progressed through two distinct phases of realization.
The first one was the Initial Disclosure on April 2, in which the NDB first informed the Colombo Stock Exchange (CSE) that it had detected an act of fraud committed by certain employees “in connivance with a third party or parties”.
At this stage, the bank downplayed the financial impact, providing a preliminary estimate of just Rs 380 million, though it warned the final amount could be “substantially greater”.
However, four days later, on April 6, a follow-up disclosure revealed a catastrophic increase in the estimated loss. The bank established that the fraud, limited to a “certain area of operations”, actually totalled approximately Rs 13.2 billion, almost 35 times the initial amount disclosed.
Despite the scale of the loss, both NDB and the CBSL have emphasized that customer deposits and account balances remain safe and unaffected. The loss is being absorbed by the bank’s own capital and reserves.
The Central Bank intervened on April 6 to provide a regulatory backstop.
While it confirmed that NDB’s capital adequacy and liquidity ratios remain above minimum regulatory requirements despite the Rs 13.2 billion hit, they imposed strict austerity measures including suspension of dividends.
Cash dividends scheduled for April 6 were cancelled, while all discretionary payments and branch expansions were suspended. The Central Bank explicitly stated that NDB has access to emergency liquidity facilities if needed to prevent a bank run or panic withdrawals.
Unanswered Questions and Disclosure Delays
Despite the official statements, several critical gaps remain in the public’s understanding of the incident:
1. The 3,373% estimate gap
The most glaring question is how the bank’s internal audit and risk management systems initially estimated a Rs 380 million loss, only to revise it to Rs 13.2 billion just 96 hours later. This massive discrepancy suggests either a failure to grasp the scope of the fraud initially or a staggered disclosure strategy that has unnerved investors. The bank failed to explain the figure of Rs 380 million became Rs 13.2 billion four days later. It was not immediately clear how the bank estimated the latest amount during the weekend.
2. The nature of the “area of operations”
NDB has stated the fraud was limited to a “certain area of operations.”
However, they have not specified if this involved the treasury, corporate lending, or digital banking.
For a fraud to reach Rs 13.2 billion (roughly US$ 44 million) without affecting customer accounts, it likely involved the diversion of the bank’s own proprietary funds or complex inter-bank settlements.
The NDB’s statement does not cover why and how this internal fraud took place and why the bank failed to detect in in the initial stage.
3. The delay in disclosure
Under CSE Listing Rules, listed entities are required to disclose “material information” immediately.
As per information available in the market and public domain, news on the fraud has been circulating since late last year, analysts say.
However, NDB never uttered a word or denial about the scam.
Many market players say listed firms nowadays send disclosures even on rumours published in media because of the sensitiveness on stock prices.
However, NDB never reacted to any information including an online news of the Criminal Investigation Department (CID) informing the Colombo Chief Magistrate’s Court of January 7, 2026 of having questioned several senior officials of NDB, including the Managing Director, over an alleged fraud of Rs 290 million from the bank’s general ledger account.
If the fraud was questioned prior to April 2, why the market was only notified then is a question that compromises the bank’s integrity.
If the internal investigation was sophisticated enough to detect the fraud on April 2, the four-day delay in revealing the true Rs 13.2 billion scale suggests that the bank may have been negotiating regulatory support with the CBSL behind closed doors before coming clean to the public.
4. The ‘third party’ identity
The bank has cited “connivance with a third party”.
In the context of Sri Lanka’s current economic climate, the identity of this third party remains the subject of intense speculation in the financial community.
The bank has failed to specify what kind of third party was involved in this fraud and who had benefitted from it. The seriousness of the fraud varies depending on whether a corporate entity, a political figure, or an international actor was involved.
Systems failure
A loss of this magnitude typically requires the bypassing of multiple ‘Red Flag’ systems.
The investigation has yet to explain how such a large sum could be moved without triggering the Automated Risk Management systems mandated by CBSL’s Pillar II Basel III requirements.
-economynext.com
Comments are closed, but trackbacks and pingbacks are open.