The Silent Breach: How the Central Bank of Sri Lanka Fails to Protect Customer and Employee Data in the Banking Sector

1. Introduction – A Digital Economy at Risk

As Sri Lanka pushes toward a digital economy, the financial sector becomes increasingly dependent on data-driven operations. Banks handle vast amounts of sensitive customer and employee data every day: National Identity Card numbers, salary details, credit histories, addresses, contact numbers, and more. But while digital services grow, data protection efforts have not kept pace.

Key Point: Despite the introduction of the Personal Data Protection Act (PDPA) in Sri Lanka, most financial institutions still operate without proper data security practices, and the Central Bank, the regulator of the sector, has shown minimal effort in enforcement.

2. The Data Protection Gap in Sri Lankan Banks

While international banks and financial institutions adopt strict data privacy frameworks, most Sri Lankan banks:

  • Do not conduct regular vulnerability assessments.
  • Lack incident response plans for cyberattacks.
  • Share personal data with third-party vendors without proper encryption or consent.
  • Do not notify customers when data breaches occur.
  • Work with the same limited set of third-party vendors and partners.

There have been several unreported or hushed-up data leak incidents in the past few years—ranging from insider threats to exposed web applications—yet these have gone unpunished.

Example: A reputed Sri Lankan bank was recently found to have exposed thousands of credit card records on a misconfigured cloud server. The issue was fixed quietly without informing affected customers.

3. The Role of the Central Bank – Sleeping Watchdog

The Central Bank of Sri Lanka (CBSL) is supposed to act as the regulator and watchdog of all licensed banks and financial institutions. However, it has failed in:

  • Mandating proper cybersecurity standards.
  • Auditing banks for data privacy compliance.
  • Issuing penalties or warnings to banks after data incidents.
  • Providing transparent reporting mechanisms for customers.

Comparative Insight: Countries like India (RBI), the UK (FCA), and EU nations (via GDPR regulators) take immediate action during data breaches, including publishing incident reports, imposing fines, and offering protection to affected users. Sri Lanka lacks this accountability.

4. Consequences of Weak Data Protection

This inaction can result in serious risks:

  • Financial fraud: Customer data can be used for unauthorized credit card transactions and phishing scams.
  • Employee data leaks: HR and payroll data can fall into the wrong hands, causing reputational damage.
  • Loss of trust: Customers may avoid using digital services if they fear their data isn't secure.
  • International non-compliance: Failure to align with global privacy laws (like GDPR) can block international business and investment.

"A digital economy cannot thrive if the guardians of financial data are asleep."

5. Solutions and the Path Forward

If Sri Lanka is serious about building a secure digital economy, urgent steps are needed:

  • The Central Bank must enforce the PDPA strictly across all financial institutions.
  • Introduce an independent cybersecurity compliance audit for licensed banks.
  • Mandatory data breach disclosure policies to inform customers.
  • Penalties for non-compliance similar to GDPR (e.g., 4% of annual revenue).
  • Training and awareness for bank staff on secure data handling.

6. Conclusion – A Call for Responsibility

Data is the new currency of the digital world. Sri Lankan citizens deserve to know their financial and personal information is safe. The Central Bank cannot remain passive while the rest of the world evolves. Now is the time for accountability, transparency, and action.

Sri Lanka must not wait for a major data disaster to realize the importance of data protection. The silence of the Central Bank today could become tomorrow’s national scandal.

Lakshika Menikbowa

Assistant Director Media & Information

3w

Insightful!

More articles by Prabath Amila Perera