The derivative action now placed before the Commercial High Court over the NDB Bank Rs. 13.2 billion fraud may prove to be one of the most important shareholder-driven governance challenges in Sri Lanka’s recent banking history.
At its core, the petition is not merely about the fraud itself. It is about who gets to investigate it, who controls the investigation, who receives the report, who defines its scope, and whether an inquiry into possible board-level and audit-level failure can credibly be managed by the very board whose conduct may ultimately require scrutiny.
That is the issue now sharply raised in the application filed under the Companies Act by shareholder M. Thiyagaraja, represented by Attorney-at-Law Sanjeewa Kaluarachchi. The petition seeks leave to institute derivative proceedings in the name and interest of National Development Bank PLC against the present and former directors of the bank, the partners of Ernst & Young Chartered Accountants and other necessary parties.
The petition follows NDB’s own disclosures to the Colombo Stock Exchange. On 2 April 2026, the bank disclosed what it described as an act of fraud initially estimated at approximately Rs. 380 million. Four days later, on 6 April 2026, that estimate was revised to Rs. 13.2 billion.
That movement alone, from Rs. 380 million to Rs. 13.2 billion, is precisely the kind of escalation that demands not merely criminal investigation but deep institutional examination.
The petitioner alleges that the fraud was perpetrated over approximately 21 months through the CEFTS settlements unit of the bank’s Payments and Settlements Department.
The pleading further alleges misuse of login credentials, defeat of segregation-of-duties controls, unauthorized access to core banking and CEFTS systems, and diversion of funds through accounts maintained in the name of Buy Today (Private) Limited, followed by conversion into cryptocurrency, including USDT.
Those are grave allegations. They remain allegations unless and until established through due legal process. But the fact that NDB itself disclosed the Rs. 13.2 billion fraud means the central financial event is no longer speculative. The questions now turn to oversight, prevention, detection and accountability.
The petition places particular emphasis on what it describes as an abnormal rise in balances classified under Other Financial Assets, including CEFTS receivables. It alleges that the figure moved from around Rs. 1.427 billion as at 31 December 2023 to approximately Rs. 12.224 billion as at 31 December 2025. The petitioner argues that such an escalation appeared on the face of the audited financial statements and ought to have been identified, queried and investigated by both the board and the external auditors.
And this is where Deloitte India enters the controversy.
The petition states that the petitioner has reason to believe that the NDB board appointed Deloitte Touche Tohmatsu India LLP as the independent forensic auditor in respect of the fraud. It then makes a pointed legal and governance argument: if the conduct of the board itself is among the matters requiring examination, can that same board validly select, instruct, scope, supervise, remunerate or terminate the forensic auditor?
That is not a small technical objection.
It is a foundational independence question.
The petition invokes the principle nemo judex in causa sua, meaning no person should be judge in his own cause. In corporate governance language, the argument is simple: the people whose oversight, diligence and good faith may require investigation should not control the investigation into those very matters.
The petition alleges that such an arrangement would be structurally compromised because Deloitte would be contractually and financially accountable to the board, the scope of the engagement could be defined by the board, access to documents and witnesses could be controlled by the board, and the final report could be delivered to, withheld by or selectively disclosed through the same board.
That is the heart of the concern.
Not necessarily that Deloitte India is incapable.
Not necessarily that Deloitte India has acted improperly. But that the architecture of the appointment may create a serious appearance of conflict at precisely the moment when public confidence requires visible independence beyond argument.
In banking, perception is not decoration. It is part of confidence itself.
The petition therefore seeks, among other reliefs, an order setting aside the Deloitte engagement or alternatively bringing it under the supervision and control of the Court. It also asks that all engagement letters, scoping documents, instructions, working papers, draft reports, interim reports, final reports and communications connected to Deloitte be produced before Court.
That request is significant because it moves the debate from public commentary into judicial supervision. It asks whether the forensic review into one of Sri Lanka’s largest reported banking frauds should remain within the ordinary control of NDB’s board or be placed within a court-monitored framework designed to preserve independence and evidentiary integrity.
The petition also seeks far-reaching interim orders, including preservation of electronic records, CEFTS transaction logs, system access logs, audit logs, CCTV footage, emails, messages, board minutes, internal audit reports, external audit working papers and forensic-audit material. In a case involving alleged system access abuse and digital money movement, such preservation could prove critical.
There is also a broader public-interest dimension.
Banks are not ordinary companies. They hold public deposits, operate within a regulated financial system and depend upon confidence. A fraud of Rs. 13.2 billion inside a licensed commercial bank therefore raises questions not merely for shareholders, but for depositors, regulators, markets and the wider financial system.
The petition is legally ambitious. Some of the reliefs sought, including suspension of directors and appointment of an interim board, are highly significant and may face serious judicial scrutiny on proportionality and necessity.
But the core issue it raises is difficult to dismiss: can an investigation into possible board-level oversight failure be credibly controlled by the board itself ?
That question now sits at the centre of the NDB affair.
Because if this was merely an employee-level fraud, the matter may rest primarily with criminal investigators. But if the fraud also reveals weaknesses in internal controls, audit committee oversight, external audit procedures, prudential supervision and board governance, then the investigation cannot stop at the operational floor.
It must climb the hierarchy.
That is why the Deloitte India appointment has become so sensitive.
The public does not merely need an investigation. The public needs an investigation that is visibly independent, structurally credible and incapable of being dismissed later as too narrow, too managed or too close to the people it was required to examine.
And that, perhaps, is the real warning emerging from this derivative action.
In modern banking scandals, the cover-up need not always be deliberate. Sometimes the damage is done by investigations designed too narrowly, appointed too comfortably and controlled too closely by those with the greatest interest in limiting the blast radius.
The Court may now have to decide whether NDB’s Rs. 13.2 billion fraud is investigated as a contained operational crime or as a full governance failure requiring independent judicially supervised scrutiny.
Either way, one fact is already clear. The numbers were large. The questions are larger.
