The latest deplorable revelations in the Committee on Public Finance (COPF) report ‘The Fraud Linked to Cybercrime in the US Dollar 2.5 Million Debt Repayment to Australia’, presented to parliament on July 10th tells a tale of irresponsibility, incompetence and disregard for the…
The latest deplorable revelations in the Committee on Public Finance (COPF) report ‘The Fraud Linked to Cybercrime in the US Dollar 2.5 Million Debt Repayment to Australia’, presented to parliament on July 10th tells a tale of irresponsibility, incompetence and disregard for the most important of tasks that are bestowed on a Ministry that is of paramount importance to a country striving to come out of a serious economic crisis. Every new crisis adds a burden on the backs of the innocent citizens paying for the sins of those who caused it. This time, as in other times, the crisis was caused by those who sit high above the citizenry, governing the country or running its affairs; by those who perpetrated the fraud deliberately, and no less by those who enabled it through incompetence, inattention and perhaps ignorance. The incredible ease with which the shameful theft of 2.5 million US Dollars occurred in the Ministry of Finance reveals that this theft was facilitated by a series of lapses by those in charge of its processes, as COPF discovered, and was most certainly avoidable. Ten fraudulent transactions had been allowed to pass through the precincts of the Finance Ministry and the Central Bank of Sri Lanka, before it was discovered that they were the unwitting pawns in a straightforward cybercrime. Two institutions that ordinary citizens hold in high trust and esteem had their pockets picked in broad daylight. Transition Errors This whole unsavoury affair starts with a transition. In order to better manage foreign debt, the government, “in keeping with international standards”, decided to institute a new unit to take care of all things to do with foreign debt within the Ministry of Finance. It is called the Public Debt Management Office (PMOD). It took away those duties from the Central Bank (CBSL), which handled the tasks earlier. COPF says that “the fraud linked to cybercrime under consideration happened within this process.” It certainly did. The process of transition from CBSL to PMOD had holes the size of 2.5 million US dollars. And the irresponsible handling of this transition has so far led to the death of a young bureaucrat, so let’s not treat this casually or lightly. Those who undertook to oversee this process to a successful finish must surely examine their own part in this tragic story. Non-Actions Have Consequences The transition took 18 months. November 2024 to March 2026. Long enough to ensure that the CBSL had passed on its processes, training and experience to a new team at the PMOD to a satisfactory standard. One wouldn’t think that an old and respected institution with what we assume were its tested systems and processes, passing on its expertise to a brand-new unit specifically set up to deal with an important set of tasks, would get it wrong. But it did. COPF was not happy: * The Committee found no document that provided a detailed guideline or terms of reference for this complex, multifaceted transition process involving multiple institutions. * There are no KPIs available to judge whether the transition was completed in an adequate manner. * Even the guidelines that govern the operations of the PDMO were only published on 19 September 2025, 10 months after the establishment of the office. * The MoU between the CBSL and PDMO on their areas of collaboration was only signed on 9 March 2026, almost at the end of the official transition period. It looks like there was inadequate planning from the very start. Every mistake, every slipshod move, every skipping of essential steps in the process, is what the citizen ends up paying for, and even dying for. The COPF report shows a 4-step CBSL process through which debt repayments transit, from receiving and checking invoices to confirming payment details through to the final payment. Each is carried out by a separate section. Each stage is part of an internal controls system, where important checks are carried out to prevent errors and/or fraud. After the transition to PDMO, there seems to have been a serious lack of internal controls with the checks necessary to prevent fraud. The COPF specifically faults the PDMO for not securing its IT infrastructure: * PDMO’s outdated IT system which “left it at complete risk of cyberattacks”. * Shortfalls in IT infrastructure and cybersecurity measures at the MoF, including the ERD, were highlighted in a comprehensive audit carried out by KPMG…in December 2024. * Fraud linked to cybercrime in question commenced in mid-November 2025, only a month after the server system stopped receiving Microsoft security updates. Early Warnings The COPF report highlights the fact that early in January 2026 a cybersecurity threat was discovered during a debt repayment to be made to the Export-Import (EXIM) Bank of India: “When CBSL attempted to make payment to the account details provided by the PDMO, with JP Morgan as intermediary, the payment was rejected by JPMorgan’s Global Fraud Prevention Operations team. Contact was made by PDMO officials with an EXIM Bank of India team, allowing the MoF to confirm that fraudulent payment instructions had been provided.” The details of the attempted fraud are an exact copy of the one that succeeded later with the Australian payment, which failed in the case of India: “Payment was then made to the correct account, verified through communication with the EXIM Bank of India. This suspicious activity was reported to the Criminal Investigation Department (CID) and SL-CERT on 9th January 2026. The ERD IT Officer’s complaint to SL-CERT mentioned that the suspected fraudulent email address used the domain eximbenkindia.in (while the correct domain appears to be eximbankindia.in).” This was not the end of it. There was more! When the cybersecurity threat regarding the Indian payment was reported to the Secretary of the Treasury triggering an investigation by the Director General of the ERD, a veritable treasure trove of fraudulent emails was discovered: “Payment instructions received via email for several other due payments, including for payments to the United Kingdom (USD 1,294,605.99), Germany (EUR 4,059,987.81) and Belgium (EUR 60,974.88) were further identified as fraudulent.” What would have happened if not for the JP Morgan team in India? Would these also have gone through, to a thieving scammer? In the event, the report says: “UK was suspended immediately. Communications initiated by the suspicious party were identified and investigative authorities were alerted. The payment related to Belgium was made to the correct account.” That’s two saved. What happened to the German payment of Euro 4,059,987.81? Did we pay it to a scammer? So, it is in the process of verifying these fraudulent payment details that the Ministry of Finance was “alerted on 23rd March 2026 to communications from Export Finance Australia of non-receipt of debt repayments due in previous months.” The report reproduces the email exchanges on the same set of Australian invoices from 3 different email addresses: * @exportfinance.gov.au * @exportfinance-au.com * @exportfinanceau.com The communications from these different email accounts were on-going from October 2025, but the fraud was discovered only in March 2026. By then the damage was done. Payments had already been made to the fraudulent account. This is especially worrying because the COPF report says that after the debt restructure in October 2025, “The MoF officials said in Committee that the existing account details for Export Finance Australia repayments had not been changed in the revised agreement.” The COPF makes the important observation that the system of internal controls at the MoF are grossly inadequate, citing one example: “The final payment authorisation within MoF has historically been done by a Director with authority over the Debt Servicing function, at ERD and now PDMO, without any verification process by more senior officials, highlighting weak internal controls.” The report lists some measures that have been taken by the MoF to prevent any recurrence. However, they add: “These measures pertain to establishing and strengthening internal controls and ensuring basic cybersecurity within the Ministry of Finance. They should have been in place as a baseline…” Me Sir? No Sir, Not I Sir! The views expressed by both the MoF and the CBSL as to who was responsible for these blunders make interesting reading because they reveal more about them than they realize. COPF says that at the 8th June discussions: “The Ministry of Finance was of the view that the CBSL should have been more vigilant and taken proactive measures…CBSL was of the view that there was no legal responsibility under the FTRA for its role as banker to the government.” The practiced passing of the buck between these two institutions is unsavoury, if revealing. Shouldn’t they have carried out an immediate review of their own conduct to discover where each might have failed, individually and together? The AG has concurred with the CBSL in its view regarding CBSL’s legal responsibility. However, since CBSL had been doing the job until now, had undertaken the training of the new team and transition of the processes, they had a professional responsibility to ensure that adequate systems were in place to mitigate the risks that they, rather than a brand-new team, were far more experienced at identifying. Isn’t it fair and reasonable to expect that the CBSL would regard it as their responsibility to give adequate training which includes the right internal controls and monitoring, and to see the process through to implementation to their total satisfaction? As for the MoF, COPF says: “The MoF was of the view that during the period in which the PDMO officials created the SSIs for the repayments on fraudulent invoices in November 2025, PDD-CBSL officials continued to oversee the process.” Why did the MoF think they were ready to takeover from the CBSL and run the show, when they admitted to COPF that “PDMO staff did not have a proper understanding of international fund transfer processes and AML concerns, which limited their ability to act upon limited information provided by CBSL staff on such matters.” Shouldn’t they have dealt with this before they went ‘live’, as it were? It gets even more alarming when the CBSL tells COPF that * “internal controls within the MoF for payment verification are dysfunctional” * “CBSL cannot ensure verification through its payments process, acknowledging that even the CBSL PDD would have failed to prevent a fraud linked to cybercrime in such a scenario.” What were the Ministers doing, while their systems got so dysfunctional that according to CBSL, a fraud couldn’t have been prevented? What happened in this inadequately conceived and planned transition resulted in more than a substantial financial loss. The MoF suspended 4 officials pending investigations into the fraud. One of those officials, Ranga Rajapaksa, an Assistant Director of the External Resources Department (ERD) was found dead on April 30, 2026, at his residence in Kuliyapitiya. A post-mortem ruled the death a suicide.
[Sanja de Silva Jayatilleka was a member of the team that transitioned GlaxoSmithKline UK’s Financial Services from Britain to India, overseeing the training, testing, final transitioning and post-transition support of the Compliance and Control function.] by Sanja de Silva Jayatilleka

