Sri Lanka’s Financial Intelligence Unit just slapped a total of LKR 6.5 million in penalties on Bally’s and Bellagio casinos and National Savings Bank over glaring failures in anti-money laundering processes. These cases lay bare critical weaknesses in threshold reporting, sanctions screening, account suspension enforcement, and recordkeeping across cash-intensive gaming environments and a major state-owned bank. Regulators extended the message that robust compliance is mandatory, not optional, in sectors vulnerable to rapid flows of funds.
This article dives into the specifics of the enforcement actions, the underlying legal framework, the deficiencies identified, and the practical control improvements that compliance professionals ought to implement immediately.
The regulatory framework and its AML levers
The Financial Transactions Reporting Act, No. 6 of 2006 underpins Sri Lanka’s AML supervision, defining obligations such as suspicious transaction reporting, threshold reporting, customer due diligence, sanctions screening, and recordkeeping. It empowers the FIU to issue administrative penalties for noncompliance.
The law mandates reporting of cash or electronic fund transfers meeting or exceeding specified thresholds within set timeframes. Sanctions screening must be applied continuously against United Nations-mandated lists, and institutions must act upon matches. Account suspension orders issued by the FIU or extended by courts must be honored at a system level, preventing any debit activity. Licensed gaming establishments fall under the umbrella of designated non-financial businesses and professions, and they must meet the same FATF-inspired standards as banks in these respects.
What went wrong in each case
In the National Savings Bank case, the FIU found failures in timely reporting of transactions exceeding LKR 1 million, both in cash and electronic fund transfers. The reporting pipeline lacked system-wide consolidation and automated reconciliation, leading to missing or delayed filings.
Sanctions screening issues were also identified. The bank did not maintain an authoritative, version-controlled source of consolidated sanctions lists, leading to risks that customers were not properly screened after updates. Alarmingly, an account suspension order and its court-issued extension were not enforced at the system level, allowing prohibited transactions to occur. That represented both a legal breach and a control failure in core banking systems.
Among the Bally’s and Bellagio casinos, failures centered on customer due diligence and sanctions screening. Operators failed to collect or verify identity documents for remote or online clients, and the screening mechanism did not catch updated sanctions list hits. Transaction monitoring was weak or absent, enabling structuring, rapid buy-ins and cash-outs, or third-party usage without alert generation. Recordkeeping was fragmented, making it hard to reconstruct compliance actions or client timelines.
Although on-site examinations did not detect designated individuals, the absence of true enforcement capabilities matters more than the current match rate. The weakness lies in the control setup, not the temporary outcome.
Reinforcing threshold reporting and sanctions controls
For banks and casinos alike, these enforcement actions underscore the need to treat threshold reporting as a data product with full lifecycle controls. Every channel running cash or electronic transfers must feed into a centralized, automated reporting system that verifies eligibility, tracks timelines, and reconciles reported versus actual transactions. Alerts should trigger when expected reports are missing or delayed.
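The reconciliation described above, as an added sketch (not code from the FIU or from the institutions named): it compares one consolidated ledger against filed threshold reports and buckets the exceptions. The three-day filing window, the channel names and the sample records are assumptions constructed for the example; only the LKR 1 million threshold comes from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD_LKR = 1_000_000          # LKR 1 million, the figure cited in the article
FILING_WINDOW = timedelta(days=3)  # ASSUMPTION: placeholder; use the regulator's timeframe

@dataclass(frozen=True)
class Txn:
    txn_id: str
    channel: str          # every channel feeds the same consolidated ledger
    amount_lkr: int
    booked_at: datetime

def reconcile(txns, filed, now):
    """Reconcile ledger transactions against filed threshold reports.

    filed maps txn_id -> datetime the report was submitted.
    Returns exception buckets keyed by type, each a sorted list of ids.
    """
    # "Meeting or exceeding" the threshold makes a transaction reportable.
    eligible = {t.txn_id: t for t in txns if t.amount_lkr >= THRESHOLD_LKR}
    out = {"pending": [], "overdue": [], "late": [], "unmatched": []}
    for txn_id, t in eligible.items():
        deadline = t.booked_at + FILING_WINDOW
        filed_at = filed.get(txn_id)
        if filed_at is None:
            # Unfiled: alert once the deadline has passed, track until then.
            out["overdue" if now > deadline else "pending"].append(txn_id)
        elif filed_at > deadline:
            out["late"].append(txn_id)
    # A report with no eligible ledger entry signals a data-integrity gap.
    out["unmatched"] = [r for r in filed if r not in eligible]
    return {k: sorted(v) for k, v in out.items()}

def D(day, hour):
    return datetime(2025, 1, day, hour)

# Constructed sample data (not from the enforcement cases).
LEDGER = [
    Txn("T1", "branch_cash", 1_500_000, D(2, 10)),  # filed on time
    Txn("T2", "eft",         1_000_000, D(3, 9)),   # never filed
    Txn("T3", "casino_cage", 2_000_000, D(4, 11)),  # filed after the window
    Txn("T4", "eft",           999_999, D(5, 14)),  # below threshold
    Txn("T5", "branch_cash", 1_200_000, D(9, 15)),  # still inside the window
]
FILED = {"T1": D(3, 9), "T3": D(9, 9), "T9": D(5, 9)}

if __name__ == "__main__":
    for kind, ids in reconcile(LEDGER, FILED, now=D(10, 12)).items():
        print(f"{kind:10} {ids}")
```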
Sanctions governance must rest on a single authoritative list source under version control, fully auditable. Updates should trigger re-screening across all customer records with outcome tracking. No system or user override of matches should be allowed without documented escalation. Regular attestation and audit confirmation are essential.
On account suspension, hard blocks must be enforced at the core system level and propagated to all downstream platforms such as ATM networks or card systems. Attempted debit activity on suspended accounts should generate immediate alerts. Resuming account activity must require documented regulatory or legal clearance plus dual sign-off from legal and compliance.
Fortifying casinos: identity, monitoring, and records
In the gaming context, remote or hybrid onboarding must mandate high-assurance identity capture, secure document storage, and live or dynamic verification. Sanctions screening must be a precondition to activation and must be triggered again on list updates. Risk-based scoring must influence monitoring, emphasizing geography, transaction modality, source of funds, and behaviour patterns.
Monitoring rules tailored to gaming behaviour—rapid redemption, chip volume anomalies, cash structuring, irregular third-party activity—must feed alerts with clear timelines and contextual data for triage. Alerts should link to internal escalation, suspicious transaction reporting, and case closure metrics.
Recordkeeping deserves deliberate design. Identity documents, business correspondence, session logs, and surveillance data must be centrally indexed, secured, and retrievable. Fragmented filing systems undermine exam effectiveness and invite penalty.
Final thoughts on the compliance gap exposed
These enforcement actions may look modest in dollar terms but they pack a potent warning. Weak or absent automation, inconsistent data management, poor screening, and control bypass are classic risk signals. They expose institutions to regulatory, reputational, and legal consequences.
Crucially, these cases demonstrate that compliance must be engineered, not just documented. Institutions must shift from policies to proven systems that detect, alert, enforce, and record. Real-time insights, reliable thresholds, and robust suspensions are not extras; they are foundational controls.
The message is clear: regulators will hold firms to outcome, not intention. The right response is to build systems that ensure compliance even under pressure, complexity, and fast-paced environments like gaming floors or high-volume bank branches. These cases provide a blueprint for what to fix and how.
Source: Economy Next