Sri Lanka APG Mutual Evaluation 2026: Banking Considerations

Key AML and Risk Priorities for Sri Lanka APG Mutual Evaluation 2026

Sri Lanka is a founding member1 of the Asia/Pacific Group (APG), a Financial Action Task Force (FATF)-style regional body set up in 1997, and Sri Lanka held the rotating Co-Chair appointment to the APG from 2016 to 2018. Sri Lanka is in the process of strengthening its Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) regime as it prepares for its Mutual Evaluation (ME) by the APG, which is scheduled to commence in March 2026.
In the last APG Mutual Evaluation Report (MER) on Sri Lanka in 2015, six Recommendations (R) related to Technical Compliance were rated as Non-Compliant (NC), which affect how banks in Sri Lanka manage money laundering and terrorist financing risks. The Recommendations deemed non-compliant included2: R10 Customer due diligence (CDD), R12 Politically Exposed Persons (PEPs), R13 Correspondent Banking, R16 Wire Transfers, R17 Reliance on Third Parties and R19 Higher-Risk Countries.

The latest follow-up report by the APG, published in 2021, shows that all six of the previously Non-Compliant Recommendations of relevance to banks were deemed Largely Compliant (LC)3 by the first follow-up report in 2016. As a result, banks and other regulated entities are expected to meet their obligations in these areas, as well as their other AML/CFT obligations.

Among a series of findings on customer due diligence, the MER noted that there were no direct obligations to proactively identify and verify the identity of beneficial owners across the financial sector. For PEPs, there were likewise no specific obligations to put in place a risk management system to determine whether a customer or the beneficial owner was a foreign PEP, and no obligation to obtain senior management approval for continuing a business relationship with existing customers and beneficial owners identified as foreign PEPs.

The report went on to call out shortcomings in the Know Your Customer (KYC) and CDD rules, which at the time did not include specific requirements for Financial Institutions (FIs) to understand fully the AML/CFT responsibilities of each institution, to obtain approval from senior management before establishing new correspondent relationships, and to prohibit shell banks. Wire transfers, which are closely related to correspondent banking, also saw several findings, one of which was that there were no requirements for all cross-border wire transfers to be accompanied by the necessary beneficiary information.

Whilst Sri Lanka acted swiftly to address the shortcomings identified in the APG MER within these six Recommendations, attention naturally turns to the regulated sector, including banks, to meet the additional compliance obligations Sri Lanka introduced as a result.

The Financial Intelligence Unit (FIU) of Sri Lanka, which functions as an independent institution within the administrative structure of the Central Bank of Sri Lanka, has issued 30 administrative penalties4 on banks and their subsidiaries totaling LKR51,550,000.00 (USD164,960.00) for AML/CTF/Sanctions control shortcomings. The first of these administrative penalties was in 2020, following the APG MER in 2015.

The administrative penalties show that there are several key areas of AML/CTF and Sanctions controls that banks should be paying close attention to. One of these is Sanctions controls. On 15 occasions, reasons for penalties included: failure to screen existing customers against sanctions lists, failure to maintain sanctions lists, establishing business relationships with sanctioned individuals, and failing to freeze funds without delay and to report full particulars of sanctioned individuals’ funds to the FIU. On one occasion, a bank had even failed to remove the restrictions imposed on designated individuals after their delisting5, which led the FIU to believe that the bank had not screened its customer database when the existing designation lists were updated.

Another area of AML control shortcomings was in relation to Suspicious Transaction Reports (STRs). Penalties related to failures to recognize suspicious activities and to file STRs. Four banks on which administrative penalties were applied at the same time all failed to identify transaction patterns and verify sources of income that deviated from customer profiles, where the banks should have considered raising suspicious transaction reports.

A further area of AML control failings related to CDD. On one occasion, the FIU found that a bank had created and maintained accounts where the account holder could not be identified: the business relationships of these customers could not be traced in the core banking system using identification data. Other CDD shortcomings included the failure to conduct adequate CDD and failings in customer identification and verification.

A final area of note for AML controls where administrative penalties were applied related to PEP risk management. Some banks had failed to obtain approval from senior management when entering business relationships with PEPs and on occasions this involved significant delays in obtaining the senior management approval.

Despite Sri Lanka addressing many of the Recommendations that were Non-Compliant, and the administrative penalties issued by the FIU since the APG MER in 2015, AML/CTF risks remain for the financial sector. The most recent National Risk Assessment (NRA) on Money Laundering and Terrorism, conducted in 2025, identified "Drugs Trafficking" as "High" risk, followed by "Fraud" and "Trade Based Money Laundering" as "Medium High". With banks making up the largest share of the financial sector by total assets and deposits7, AML/CTF compliance is key in tackling money laundering via drugs, digital fraud and cross-border trade. Past APG MER shortcomings6, and the administrative penalties issued by the FIU as a result of them, point banks to the key areas on which they should be concentrating their compliance efforts as Sri Lanka prepares for its latest ME this year.

Given that the APG report published in 2021 shows that all six of the previously Non-Compliant Recommendations of relevance to banks are now deemed Largely Compliant (LC)7, there is an even greater expectation on banks to meet their AML/CFT obligations. Banks need to review their AML/CFT compliance systems and controls to ensure they remain compliant with current AML/CFT obligations. To do this, they should focus on the following critical areas, with actions they can take in each:

  • CDD/EDD: Banks should ensure that robust and adequate CDD and Enhanced Due Diligence (EDD) policies and procedures are in place8. This includes obtaining customer information that is not only sufficient but also accurate. Furthermore, CDD and EDD records should be maintained and retained, especially as inadequate and inaccurate customer information has had, and can have, implications for ongoing money laundering and terrorist financing investigations. Bank compliance teams should review their existing policies and procedures against the requirements set out in the Central Bank of Sri Lanka’s ‘Financial Institutions (Customer Due Diligence) Rules, No. 1 of 2016’9.
  • STRs: Suspicious transaction reports provide valuable intelligence to authorities on financial crime and the crimes connected to it; therefore, it is critical that all staff across banks are trained to identify suspicious activity and correctly report it internally to the financial crime team(s). In addition, financial crime investigators within banks should be given further training on how to conduct effective investigations, using not only internally held information but also external open-source searches for information that may help their investigations. This is to ensure suspicious activity is not missed internally and is sufficiently reported externally to authorities.
  • Sanctions Controls: Sanctions controls can have sudden and international implications both internally and externally, given they can involve individuals and entities connected to geopolitical events and global risks. Where confirmed sanctions matches are found, banks need to ensure they freeze funds without delay. Banks can do this by having robust customer screening and payment screening systems in place to detect sanctioned parties and entities and freeze funds in order to comply with sanctions. A key element of this is using a quality sanctions data provider and robust sanctions systems: banks need to ensure they are screening against the most up-to-date sanctions lists and that the systems they have in place are working correctly. Sanctions systems should be regularly tested to ensure they are not only able to pick up name matches but are also correctly calibrated to pick up fuzzy matches and name variations.
  • PEPs: Banks should ensure they have robust screening systems in place to detect matches against PEP lists; as with sanctions screening, a quality screening provider is key. Other ways of identifying PEPs include researching customers, or a customer self-declaring their PEP status. The FIU of Sri Lanka has previously published guidelines on identification of PEPs10, which can be particularly useful for bank compliance teams and front-line staff in banks. Bank staff need to understand not only who a politically exposed person can be but also the different categories of PEPs. Banks need to document their classification and review of PEPs, maintain sufficient records of such reviews throughout the relationship, and have a system that can easily identify all PEP relationships within the bank, should they be asked to provide records of such relationships. Other key areas banks need to focus on when managing PEP risks include establishing a PEP’s Source of Wealth (SoW) and Source of Funds (SoF), and ensuring all PEP relationships are not only approved by senior management but reviewed and approved in a timely manner without delay. Banks need to ensure they have robust policies and procedures that are followed strictly to avoid potential compliance shortcomings in managing PEP risks.
  • Internal and External Audits: Whilst bank internal audits of AML/CTF compliance programmes can prove useful for identifying potential compliance gaps, banks may also want to consider an external independent audit of their AML/CTF compliance programme. An independent third party may provide an extra layer of impartiality and may observe deficiencies in the compliance programme that were not previously picked up internally.
  • Trade: Banks should strengthen controls in trade finance to detect risks such as over/under-invoicing and mismatches in trade documentation. This includes closer coordination between trade and compliance teams, use of external trade data, and training staff to identify Trade Based Money Laundering (TBML) red flags.
  • Fraud Risk Management: Banks could adopt an integrated approach to fraud and financial crime, using real-time monitoring, behavioral analytics, and stronger collaboration between fraud and AML teams. Ongoing staff training and customer awareness are also key to addressing evolving fraud threats.
Considering new ways to strengthen your AML and financial crime compliance framework? LexisNexis® Risk Solutions offers a comprehensive suite of risk intelligence and decisioning solutions to support effective customer due diligence, sanctions screening, transaction monitoring, and ongoing risk assessment. We help organizations enhance compliance outcomes while maintaining a seamless and trusted customer experience.

References:

1 https://apgml.org/about-us/members/members/sri-lanka
2 https://apgml.org/sites/default/files/documents//Sri_Lanka_MER_2015_-_published_version.pdf (pages 15-19)
3 https://apgml.org/sites/default/files/documents//Sri_Lanka_FUR_2021.pdf (pages 8-9)
4 https://fiusrilanka.gov.lk/press_releases.html
5 https://fiusrilanka.gov.lk/docs/press_releases/2024/FIU_2024_02_19/FIU_2024_02_19_E.pdf (page 3)
6 https://fiusrilanka.gov.lk/docs/press_releases/2023/FIU_14_09_2023/NRA_E.pdf (page 1)
7 https://apgml.org/sites/default/files/documents//Sri_Lanka_FUR_2021.pdf (pages 8-9)
8 https://fiusrilanka.gov.lk/docs/Circulars/2024/Circular_02_2024.pdf
9 https://fiusrilanka.gov.lk/docs/Rules/2016/1951_13/1951_13_E.pdf
10 https://fiusrilanka.gov.lk/docs/Guidelines/2019/Guideline-03-2019.pdf
