
Sri Lanka FIU Fines Casinos and State Bank Over Serious AML Failures

Sri Lanka’s Financial Intelligence Unit has imposed a total of LKR 6.5 million in penalties on Bally’s and Bellagio casinos and the state-owned National Savings Bank, citing serious lapses in anti-money laundering controls. Regulators said the cases highlight fundamental weaknesses in threshold reporting, sanctions screening, enforcement of account suspension orders, and recordkeeping, particularly in cash-intensive gaming operations and major financial institutions. Authorities stressed that “robust compliance is mandatory not optional in sectors vulnerable to rapid flows of funds.”


The enforcement actions stem from breaches under the Financial Transactions Reporting Act, No. 6 of 2006, which governs Sri Lanka’s AML framework. The law mandates suspicious transaction reporting, threshold reporting, customer due diligence, sanctions screening, and proper recordkeeping. It also empowers the FIU to issue administrative penalties for noncompliance. Cash or electronic fund transfers that meet or exceed legal thresholds must be reported within specified timeframes, and sanctions screening must be continuously applied against United Nations-mandated lists, with immediate action taken on any matches. Account suspension orders from the FIU or extended by courts must be fully enforced at the system level to prevent any debit activity. Licensed gaming operations fall under designated non-financial businesses and professions and are held to the same FATF-inspired standards as banks.


At National Savings Bank, investigators uncovered failures to report transactions exceeding LKR 1 million on time, in both cash and electronic transfers. The bank’s reporting process suffered from a lack of system-wide consolidation and automated reconciliation, leading to missing or delayed filings. Sanctions screening procedures were also flawed. The bank failed to maintain a single, authoritative, version-controlled source of consolidated sanctions lists, meaning customers may not have been properly screened after updates. In addition, one account suspension order and its court-approved extension were not enforced at the system level, allowing prohibited transactions to occur, an infraction that represented both a legal breach and a failure in core banking controls.


Bally’s and Bellagio casinos were cited for deficiencies in customer due diligence and sanctions screening. Authorities found that operators failed to collect or verify identification documents for remote or online clients, while screening systems failed to detect updated sanctions list matches. Transaction monitoring was minimal or non-existent, allowing structuring, rapid buy-ins and cash-outs, and third-party usage to go unflagged. Recordkeeping was fragmented, which made reconstructing compliance activity or client timelines difficult. While no designated individuals were detected during inspections, regulators stressed that “the absence of true enforcement capabilities matters more than the current match rate.”


Authorities said the solution for both banks and casinos begins with treating threshold reporting “as a data product with full lifecycle controls.” All channels processing cash or electronic transfers should feed into a centralized, automated reporting platform that verifies eligibility, tracks timelines, reconciles reported versus actual transactions, and triggers alerts when expected reports are missing or delayed. On sanctions governance, regulators recommended maintaining “a single authoritative list source under version control” and triggering re-screening of all customers upon each update, with no possibility of overriding matches without formal escalation. Regular audits and attestations should confirm adherence.


Account suspensions must be enforced with hard blocks at the core system level, extended to downstream systems such as ATMs and card networks. Any attempted debit on a suspended account should prompt immediate alerts, and reactivation should require documented clearance from regulators or courts, plus dual sign-off from legal and compliance officers.


In the casino environment, remote and hybrid onboarding should require high-assurance identity capture, secure document storage, and dynamic verification. Sanctions screening must occur before activation and again whenever lists are updated. Risk scoring should influence monitoring, focusing on geography, transaction type, source of funds, and behavioral patterns. Monitoring rules must be tailored to gaming activity—tracking rapid redemption, chip volume irregularities, structuring, and suspicious third-party involvement—and should link directly to escalation and suspicious transaction reporting processes.


Recordkeeping must be centrally managed, indexed, and secure, covering identity documents, correspondence, session logs, and surveillance data. Fragmentation, regulators warned, “undermines exam effectiveness and invites penalty.”


While the monetary penalties may appear modest, officials said they send a powerful warning. Weak automation, inconsistent data handling, flawed screening, and control bypasses are “classic risk signals” that expose firms to regulatory, reputational, and legal dangers. Compliance, they stressed, must be “engineered, not just documented,” with systems built to “detect, alert, enforce, and record.”


“Regulators will hold firms to outcome, not intention,” the FIU cautioned, adding that the only effective response is to “build systems that ensure compliance even under pressure, complexity, and fast-paced environments like gaming floors or high-volume bank branches.”

By fLEXI tEAM

