Daily Mirror - Print Edition

NDB’s Rs.13.2bn fraud shock What the crisis revealed about controls, buffers, and banking resilience

10 Apr 2026 - {{hitsCtrl.values.hits}}      

The chronology explains the confidence shock. On 2 April 2026, NDB disclosed an internal fraud incident with an initial impact estimate of about Rs.380 million and warned that the final figure could be higher. On 6 April 2026, after further review, the bank disclosed a fraud exposure of about Rs.13.2 billion. That was roughly 35 times the initial estimate in four days.

The revised number mattered because it exceeded NDB’s FY2025 profit after tax of about Rs.11.0 billion. Even the bank’s own worst-case after-tax loss estimate for the March 2026 quarter, about Rs.4.0 billion after full provisioning for the maximum expected loss, would erase more than a third of the previous year’s earnings. In the same 6 April disclosure, the bank said the incident was confined to a specific operational area, customer balances were unaffected, relevant employees had been suspended, arrests had been made, the cash dividend was suspended, and a forensic audit would follow.

That is why the story is larger than a routine fraud event. It is a test of control architecture, escalation, internal reconciliation, and board-level assurance. The regulator’s threshold question is whether the bank remains compliant and whether the wider system is protected. Investors ask something harder: what kind of control environment allowed the gap to form, how quickly management grasped its size, and whether a longer governance overhang is now unavoidable.

What the pre-shock numbers were already saying

The key caution is this: NDB’s published asset-quality and balance-sheet signals did not prove that the disclosed fraud sat inside the loan book itself. They suggested that NDB entered 2026 as a bank still emerging from an earlier stress cycle while operating with materially thinner buffers than a year earlier. That mattered because thinner buffers leave less room for any large surprise, whether it comes from credit, operations, or governance.

On credit quality, the broad direction had been positive. The impaired-loan ratio was 6.24 percent at FY2022, rose to 8.58 percent at FY2023, then improved to 5.18 percent at FY2024 and 3.75 percent by FY2025. Stage 3 coverage also strengthened over time, from 37.44 percent at FY2022 to 59.10 percent by FY2025. But the repair had not been perfectly smooth. In Q1 2025, the Stage 3 ratio ticked up to 5.53 percent from 5.18 percent at end-2024, while coverage slipped to 53.26 percent from 54.48 percent. That reversal was later corrected, but it showed that the bank had not yet settled into a fully convincing low-risk glide path.

The sharper balance-sheet signal lay elsewhere: growth and headroom. For FY2025, NDB reported normalised net loan growth of 26.7 percent against deposit growth of 10.4 percent. Fast credit growth is not inherently dangerous, but it becomes more sensitive when it arrives before confidence in the earlier repair is fully established and while capital and liquidity buffers are also compressing.

That is exactly what happened. NDB’s Total CAR fell from 19.09 percent at FY2024 to 15.89% by FY2025. Its all-currency LCR fell from 308.26 percent to 208.54 percent over the same span. Those ratios remained above minimum requirements, but the spare headroom narrowed materially. In short, the public numbers did not forecast a fraud; they did show a bank that was still rebuilding, expanding quickly, and entering 2026 with less room for error than the phrase “still above minimums” might imply.
Using FY2025 CET1 capital and the reported CET1 ratio as a simple baseline for implied risk-weighted assets, a Rs.4.0 billion hit to retained earnings would illustratively reduce the CET1 ratio by under 1 percentage point. That still suggests compliance on the bank’s own cited minima, but with visibly less comfort than before.

Where NDB sits in the peer set

The peer comparison is not a regulatory rating or a legal finding. It is a public-disclosure fitness test: how strong each framework looks on paper, how much quantitative headroom it carries, and whether the loan-book evidence suggests the controls are actually working.

On that private-bank reading, HNB and Commercial Bank remain the strongest operating comparators. HNB combines high capital, very low Stage 3 stress, and very strong coverage. Commercial Bank is not as capital-heavy as HNB, but its asset quality and provisioning are among the cleanest in the sample. Sampath also screens strongly, with high capital and liquidity and solid coverage, though its Stage 3 ratio is above NDB’s narrower regulatory impaired-loan ratio.

NDB sits in the middle. Its FY2025 CET1 was 12.35 percent, Total CAR 15.89 percent, LCR 208.54 percent, Stage 3 ratio 3.75 percent, and Stage 3 coverage 59.10 percent. On the narrow regulatory Stage 3 ratio, that screens better than Sampath and DFCC. But that comfort is only partial. NDB’s broader portfolio-staging disclosure still showed Stage 3 loan stock at 10.8 percent of gross loans and Stage 2 at 7.9 percent. Those figures are not interchangeable with the regulatory impaired-loan ratio, but together they justify caution. NDB’s coverage is respectable, yet still below HNB and Commercial Bank, and its capital headroom is thinner than the top private-bank peers.

The state banks are less directly comparable and are best read separately rather than forced into the same visual benchmark. Their public-policy roles, balance-sheet structures, and disclosure formats complicate like-for-like ranking. The broader point is that strong headline capital or formal committee architecture, by itself, does not settle the question of control quality or early detection.

What the case says about supervision in Sri Lanka

The uncomfortable lesson is not only about one bank. It is also about the design of supervision. CBSL’s 2024 corporate governance direction materially strengthened board accountability, risk appetite, related-party controls, disclosure, and the three-lines-of-defence model. In 2025, it also tightened expectations around IT and cybersecurity incident reporting and formal recovery plans. Those are necessary reforms.
But the NDB case shows the limit of structure-led oversight. Capital ratios, liquidity ratios, committee maps, and annual governance narratives are necessary, yet they are mostly lagging indicators. Serious control failures usually surface first in transaction anomalies, internal-account routing, exception clustering, delayed reconciliations, unusual access behaviour, repeated overrides, or suspicious patterns across connected users, accounts, vendors, branches, and counterparties. By the time the balance sheet fully reflects the damage, the control failure is already mature.

The practical supervisory agenda is straightforward:

  • Move from document supervision to data supervision. Banks should still file prudential returns and governance reports, but supervisors also need standardised early-warning feeds on rapid Stage migration, restructuring concentrations, manual overrides, collateral exceptions, privileged-user access breaches, unusual internal transfers, repeated suspense-account usage, and suspicious clustering across staff, branches, accounts, and related parties.
  • Make related-party oversight graph-based rather than form-based. Modern connected risk often hides through beneficial ownership chains, family links, supplier relationships, back-to-back transactions, repeated policy exceptions, or politically adjacent networks.
  • Require faster and more forensic incident reporting for material fraud, cyber compromise, payment-control breaches, and unauthorised-override clusters, so the supervisor sees not only that something happened but what failed, who had access, and how containment was executed.
  • Treat recovery plans as live operating playbooks, not shelf documents, and improve enforcement transparency so markets can see that serious control breaches lead to consequences.


Scenario analysis: shock absorption and system resilience

The missing question after the NDB shock is not only what happened inside one bank, but how far the wider system could absorb escalation if the facts worsen, improve, or settle somewhere in between. On the latest official system numbers, Sri Lanka’s banking sector entered 2026 with capital and liquidity still well above regulatory floors, even after a year in which buffers moderated as credit growth accelerated. That does not eliminate confidence risk. But it does mean the more plausible debate is about the size and transmission of the shock, not about an immediate system-wide solvency break.

Worst-case scenario
The worst case is not simply that NDB takes the full disclosed hit. It is that the forensic review uncovers a longer-running control failure, weaker recoveries than currently hoped, and wider questions about information quality, exception handling, or connected exposures that force the market to re-price not just one bank, but a broader set of institutions with thinner buffers or weaker governance credibility. 

In that world, the system would still start from a position of meaningful formal resilience: CBSL’s latest published banking-sector data show an end-2025 total capital adequacy ratio of 17.9 percent, a Tier 1 ratio of 14.6 percent, a CET1 ratio of 14.4 percent, an all-currency LCR of 249.7 percent, and an NSFR of 154.1 percent, while CBSL has also stated that NDB’s own capital and liquidity remain above minimum requirements. 

That suggests the system could probably absorb a severe idiosyncratic shock. But the absorption would be costly. It would likely come through deposit migration toward the strongest franchises, a higher funding premium for weaker names, tighter supervisory intervention, slower credit creation, and a prolonged confidence overhang. If the episode were to widen from a single-bank control breach into evidence of multi-bank concealment or a broader governance pattern, the issue would stop being a capital story and become a system-confidence story. That is the scenario Sri Lanka is best positioned to resist, but cannot afford to dismiss. 

Best-case scenario
The best case is that the event remains operationally ring-fenced: the exposure does not materially widen beyond what has already been disclosed, recoveries prove substantial, the forensic audit confirms a concentrated fraud rather than a broader cultural failure, and customers continue to treat the episode as an internal control breach rather than a signal of balance-sheet fragility. In that outcome, the wider banking system would absorb the shock with relative ease. 
The sector-level capital and liquidity cushions would remain ample, the retail safety net would remain credible, and the episode would settle into the category of a painful but contained one-bank governance failure. NDB would still suffer reputational damage, management scrutiny, and some loss of strategic flexibility. But the system consequence would be limited: a supervisory tightening, some re-pricing of governance quality, and a reminder that strong reported ratios do not substitute for strong internal controls. 
 

Most likely scenario
The most likely path lies between those two extremes. The public facts so far still point more strongly to a serious but contained institutional failure than to a systemic banking event. That means the likeliest outcome is a large realised loss for NDB, partial but not complete recoveries, heavier regulatory oversight, a slower near-term risk appetite at the bank, and a period in which investors and larger depositors become more discriminating across the sector. In that middle case, the system should be able to absorb the event without a generalised stability break, precisely because sector-level capital, liquidity, and funding metrics remain above minimum thresholds and the formal safety net has been strengthened in recent years. 
But absorption will not mean invisibility. It will probably show up instead through market discipline: weaker banks will be judged more harshly, governance quality will matter more in pricing, and supervisors will face greater pressure to move from ratio-based comfort to signal-based intervention. That is why the most realistic conclusion is neither complacency nor panic. It is that Sri Lanka’s banking system appears strong enough to absorb this event as presently disclosed, but only if the authorities use it as a trigger to upgrade detection, escalation, and control assurance before the next shock arrives.

Bottom line

The most defensible reading is not that the public record proves the loan book caused the fraud. It is that NDB entered the scandal with a profile that warranted more scepticism than a simple recovery narrative suggested. Asset quality had improved, but not from a long-settled base. Loans were growing much faster than deposits. Capital and liquidity buffers were still above minimums, but materially thinner than a year earlier. Peer comparison placed the bank in the middle of the field rather than the safest tier.
That is why the Rs.13.2 billion disclosure matters so much. It turned a latent vulnerability into an open governance crisis. For NDB, the next stage is not reassurance alone. It is forensic credibility: a clear account of what happened, how long it ran, what failed, how much can be recovered, and why the market should believe that the control architecture has been rebuilt rather than merely patched. 
Sri Lanka needs a supervisory model that is faster, more forensic, more data-led, and far less satisfied by paperwork alone. In the current era, good governance is not the number of committees a bank can list in its annual report. Good governance is how quickly a bank detects a problem, how hard it is to override controls, how honestly losses are recognised, how thick the buffers are once stress appears, and how rapidly both bank and regulator act before a control failure becomes a public crisis.

(The writer is a Senior Economist, Researcher, and Investment Analyst with over twelve years of experience in capital markets and financial modeling)

 

  • The confidence shock came from the speed of the revision: about Rs.380 million on 2 April 2026, about Rs.13.2 billion on 6 April 2026
  • NDB and CBSL said customer balances or deposits were unaffected and that prudential ratios remained above minimum requirements, which supports a containment reading rather than a depositor-run reading
  • The pre-shock warning lights were not proof of fraud; they were balance-sheet and credibility signals: recent credit repair, a brief Q1 2025 relapse, loan growth far ahead of deposit growth, and thinner capital and liquidity buffers by end-2025
  • On private-bank comparators, HNB and Commercial Bank remain the cleanest operating benchmarks; Sampath sits close behind; NDB screens as serviceable but not top-tier