Beyond Circulars: Has Supervisory Vigilance Kept Pace with Technology Risks?

By: Nalinda Indatissa (President’s Counsel)

April 15, LNW (Colombo): When oversight becomes passive, risk becomes systemic—and the cost is borne by the public.

When a bank’s systems fail, the public looks to the bank for answers. But when the warning signs were there and no effective intervention followed, a more uncomfortable question arises: was the regulator merely watching? In a financial system where technology underpins trust, silence, delay, or passive oversight can be just as consequential as the failure itself. The real risk, therefore, may not lie only within banks, but in whether supervision has kept pace with the very threats it is meant to contain.

The Central Bank of Sri Lanka (CBSL), as the apex monetary authority and financial sector regulator, is entrusted with the responsibility of preserving the stability, integrity, and resilience of Sri Lanka’s banking system. In an era where financial services are deeply intertwined with digital infrastructure, this responsibility extends decisively into the realm of technology risk management.

The regulatory framework governing this space, notably Banking Act Directions No. 16 of 2021 (as amended), establishes comprehensive obligations on licensed banks to identify, protect against, detect, respond to, and recover from technology-related risks, including cyber threats and system failures. These regulatory instruments are both necessary and foundational.

The recent issues surrounding National Development Bank PLC (NDB) have brought into sharp focus the question of whether the issuance of directions and circulars is sufficient to discharge the Central Bank’s supervisory mandate, particularly in the face of evolving technology risks.

Supervision is a continuous obligation requiring the Central Bank to move beyond rule-making into active engagement with regulated entities. This encompasses off-site surveillance, on-site examinations, and intervention when necessary. The expectation is that the regulator will identify early warning signals and act in a timely manner.

Modern banking supervision is anchored in a risk-based approach aligned with international standards. This requires evaluating the effectiveness and adequacy of risk management systems within banks. In technology risk, it is insufficient for banks to demonstrate mere compliance; the Central Bank must assess operational effectiveness and real resilience.

The Central Bank’s supervisory engagement necessarily involves direct interaction with bank management and boards, the communication of findings, and the imposition of corrective measures where deficiencies are identified. Enforcement is a critical component of this framework, supported by statutory powers to impose sanctions and mandate remedial action.

In this context, the Public Trust Doctrine assumes particular relevance. Traditionally associated with the stewardship of natural resources, the doctrine has evolved to impose a duty on public authorities to act as trustees of powers held for the benefit of the people. The Central Bank’s supervisory powers can, in this light, be understood as fiduciary in nature—held in trust for the public, including depositors whose financial security depends on a sound and stable banking system.

This perspective underscores that the Central Bank’s obligations extend beyond formal compliance with statutory mandates. It must act with diligence, good faith, and due care, consistently prioritizing the public interest. A failure to exercise supervisory powers effectively—whether through delay, inattention, or inadequate intervention—may therefore give rise to serious questions of accountability.

The NDB incident illustrates the risks inherent in supervisory complacency. In a financial system increasingly dependent on complex and rapidly evolving technological infrastructure, the consequences of delayed or insufficient regulatory action can be significant. It reinforces the need for the Central Bank to adopt a proactive and, where necessary, intrusive supervisory posture, leveraging data, intelligence, and advanced monitoring tools to detect vulnerabilities before they escalate into systemic threats.

Ultimately, the effectiveness of the regulatory framework lies not in the existence of directions and circulars, but in their implementation and enforcement. The Central Bank must continuously adapt its supervisory practices to keep pace with the speed, scale, and sophistication of modern technology risks, ensuring that regulatory expectations translate into actual operational resilience within financial institutions.

In the final analysis, the Central Bank’s failure to act decisively in the face of emerging technology risks cannot be dismissed as a mere regulatory lapse. While inaction does not automatically amount to corruption, it assumes far greater legal and moral significance where there is a clear duty to intervene and protect the stability of the financial system. As the guardian of public confidence and the trustee of powers exercised for the benefit of depositors and the wider public, the Central Bank is bound to act with vigilance, timeliness, and integrity. Any sustained or unexplained supervisory inaction, particularly in a high-risk and rapidly evolving technological environment, raises serious questions of accountability and may, in appropriate circumstances, cross the threshold into misconduct. Ultimately, circulars and directions, however well-crafted, are only as effective as the supervision that enforces them. It is this active, responsible, and trust-driven supervision—not mere rule-making—that will determine whether the Central Bank truly fulfils its mandate to safeguard the resilience and integrity of Sri Lanka’s banking system.

The post Beyond Circulars: Has Supervisory Vigilance Kept Pace with Technology Risks? appeared first on LNW Lanka News Web.
