Daily Mirror - Print Edition

Ticking Boxes, Missing Risks: The Compliance Illusion in Sri Lankan Banks

14 May 2026

By Poornima Ranawaka
Sri Lanka’s banking sector is not short of regulations. Banks operate under the close supervision of the Central Bank of Sri Lanka, with extensive frameworks governing risk management, corporate governance, and compliance. 
On paper, the system appears robust, comprehensive, and increasingly aligned with international standards. Yet, inspection after inspection reveals a recurring and uncomfortable truth: compliance failures persist, not because the rules are inadequate, but because their application is inconsistent. The issue is not regulatory design. It is organisational mindset.
Compliance often treated as a function
From both academic study and practical engagement within the financial sector, one observation remains strikingly consistent. Compliance is often treated as a function, rather than a responsibility. One of the most persistent and damaging misconceptions within Sri Lankan banks is the belief that compliance rests primarily with a single individual: the compliance officer. This belief is not only flawed, it is structurally dangerous.
Compliance is not a job title. It is a collective obligation that must be embedded across all levels of the institution, from front-line staff to senior management and ultimately the board. When responsibility is concentrated within a single function, business units gradually disengage. Decision-makers assume that risks will be “picked up” elsewhere. Ownership becomes diluted, and accountability weakens. When failures occur, they are often labelled as compliance failures. In reality, they are failures of management oversight.
In practice, this manifests in subtle but significant ways. Transactions are processed without full appreciation of regulatory implications. Business units proceed on commercial urgency, assuming that compliance review is a secondary checkpoint rather than an integrated part of decision-making. This reactive approach creates systemic vulnerability. Compliance functions are not designed to act as safety nets for operational behaviour. They are meant to guide, challenge, and strengthen it.
The breakdown becomes even more pronounced at board level. In many institutions, compliance and risk reports are regularly presented to boards. However, the presence of reporting should not be mistaken for effective governance. The critical issue is not whether boards receive information, but how they engage with it.
Too often, reports are noted, recorded, and filed with limited interrogation. Questions, when raised, tend to focus on completeness rather than substance. This culture of passive oversight represents one of the most significant weaknesses in banking governance today. Regulators are no longer satisfied with boards that are merely informed. Increasingly, they expect boards to demonstrate active engagement: to challenge assumptions, probe inconsistencies, and demand evidence of effectiveness.
Visible shift
In recent supervisory approaches within Sri Lanka, there has been a visible shift. Regulatory focus is no longer limited to the existence of frameworks. It extends to how boards respond to them. Silence is no longer neutral. It may be interpreted as a gap in governance oversight.
Another critical vulnerability lies in documentation practices. Regulatory inspections do not rely on verbal assurances. They rely on evidence. Yet, many institutions continue to face challenges in producing clear, consistent, and up-to-date documentation.
Policies may exist but remain outdated. Procedures may be followed but are not formally recorded. Discussions may occur at senior levels but are not adequately minuted. From a regulatory perspective, the principle is uncompromising: if it is not documented, it did not happen.
This principle has had real consequences in the Sri Lankan context. Institutions have, on occasion, faced adverse findings not because controls were absent, but because they could not demonstrate their operation through adequate records. A control that exists in practice but cannot be evidenced is treated, for regulatory purposes, as ineffective. This highlights a deeper issue: not merely a documentation gap, but a lack of institutional discipline.
Perhaps the most pervasive challenge, however, is the persistence of what may be described as “tick box compliance.” On the surface, systems appear functional. Policies are drafted. Training sessions are conducted. Reports are submitted. Audit checklists are completed. Yet beneath this structured appearance, compliance often lacks depth.
Training is attended but not internalised. Policies are adopted from templates without sufficient alignment to the institution’s specific risk profile. Controls are established but not regularly tested for effectiveness. Risk assessments become routine exercises rather than meaningful evaluations. The result is an illusion of control, one that may withstand superficial review but collapses under deeper scrutiny.
This becomes particularly evident when a simple but critical question is raised: How does this operate in practice?
Comprehensive frameworks only on paper
In several observed instances within the Sri Lankan banking sector, institutions have maintained comprehensive frameworks on paper, yet struggled with practical implementation. Transaction monitoring systems have existed but were not calibrated effectively to identify unusual patterns in a timely manner. Governance structures have been formally established, yet the depth of discussion and challenge within those structures has remained limited. These are not failures of regulation. They are gaps in execution.
The regulatory landscape in Sri Lanka has evolved significantly in recent years. Supervisory approaches are increasingly risk-based and outcome-focused. The Central Bank of Sri Lanka has placed growing emphasis on governance quality, accountability, and the effectiveness of internal control systems. Institutions are no longer assessed solely on whether frameworks exist, but on whether they function as intended.
This shift is exposing a fundamental structural issue. Many banks have invested considerable effort in building compliance frameworks: appointing officers, establishing committees, and formalising policies. However, comparatively less attention has been given to building a culture in which those frameworks operate effectively.
Structures can be implemented within defined timelines. Culture cannot. It requires consistent leadership behaviour, clear accountability, and a sustained commitment to ethical conduct.
The underlying issue, therefore, is not technical. It is behavioural. When compliance becomes siloed, it reflects a gap in leadership accountability. When boards adopt a passive role, it reflects a weakness in governance culture. When documentation is inconsistent, it reflects a lack of operational discipline. When compliance becomes a checklist exercise, the effectiveness of the entire system is undermined.
These are not isolated occurrences. They are indicators of a broader organisational tendency to prioritise form over substance. In such environments, success is often measured by the absence of regulatory findings rather than the strength of internal systems. This creates a misplaced incentive: to prepare for inspections rather than to manage risk effectively.
Regulatory framework
Addressing this issue does not require additional regulation. Sri Lanka already has a comprehensive and evolving regulatory framework. Introducing further rules will have limited impact if underlying behaviours remain unchanged. What is required is a shift in approach at the highest levels of institutional leadership.
Boards must transition from passive recipients of information to active participants in governance. They must engage meaningfully with risk and compliance matters, challenge management where necessary, and seek evidence of effectiveness rather than mere assurance. Senior management must take ownership of compliance responsibilities rather than delegating them. Compliance functions must be positioned as strategic partners rather than isolated control units.
More importantly, institutions must begin to ask different questions. Not “Do we have a policy?” but “Does it work?” Not “Have we conducted training?” but “Is it understood and applied?” Not “Have we submitted reports?” but “Do they reflect operational reality?”
Compliance today extends beyond regulatory adherence. It is closely linked to credibility, governance integrity, and institutional trust. In a sector that depends heavily on public confidence, these are not optional attributes. They are essential foundations.
Sri Lanka’s banking sector operates within an environment of increasing complexity, heightened regulatory expectations, and growing public scrutiny. In such an environment, superficial compliance is not merely insufficient; it introduces risk. The consequences of failure extend beyond regulatory action to reputational impact, stakeholder confidence, and long-term institutional resilience.
Trust cannot be built on documentation alone. It must be built on accountability, engagement, and genuine commitment. Until institutions move beyond ticking boxes, they risk overlooking the very issues those boxes were designed to address.
(This article reflects sector-wide observations and does not refer to any specific institution. The writer is an Attorney-at-Law (Former Chief Compliance Officer at Pan Asia Bank and Axis Bank) and Non Independent Non Executive Director at HNB Life, Senior Lecturer in Law)