🇱🇰 Sri Lanka – AML & Sanctions Compliance Guide 2025

📘 Sri Lanka Country Profile

Sri Lanka maintains a comprehensive AML/CFT framework with strong regulatory oversight. Key regulatory institutions include:

• Financial Intelligence Unit (FIU) - National AML/CFT authority
• Central Bank of Sri Lanka (CBSL) - Central bank and financial regulator
• Securities and Exchange Commission of Sri Lanka (SEC) - Securities regulator
• Insurance Regulatory Commission of Sri Lanka (IRCSL) - Insurance regulator

⚖️ Sri Lanka Regulatory Framework

• Financial Transactions Reporting Act, No. 6 of 2006 (FTRA)
• Prevention of Money Laundering Act, No. 5 of 2006 (PMLA)
• Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005
• CBSL Directions on Prevention of Money Laundering and Countering the Financing of Terrorism

Key compliance requirements:

• Mandatory KYC/CDD procedures for all customers
• Enhanced due diligence for PEPs and high-risk clients
• 6-year minimum data retention period
• Mandatory STR filing for suspicious transactions

🛡️ Sanctions Regime

Sri Lanka implements UN sanctions and maintains domestic sanctions lists.

• Regular screening against UN and local watchlists
• Immediate asset freeze requirements
• Reporting obligations to FIU
• Compliance with both regional and international sanctions regimes

🔍 Risk Environment

Typologies:

• Trade-based money laundering
• Remittance-related financial crimes
• Corruption and bribery
• Politically exposed persons (PEPs)
• Cross-border financial crimes

High-risk sectors: Banking, real estate, gem trading, import/export, tourism

📋 Reporting Requirements

Thresholds and Timelines:

• STR (Suspicious Transaction Report) filing: Within 3 working days of suspicion
• CTR (Currency Transaction Report): LKR 1,000,000 (approx. $3,300)
• PEP reporting: Mandatory for domestic and foreign PEPs
• Annual compliance reports: Due March 31st

Penalties:

• Non-compliance fines: Up to LKR 1,000,000 per violation
• License revocation for repeated violations
• Criminal liability for willful non-compliance

🔐 Data Protection & Privacy

• Personal Data Protection Act, No. 9 of 2022
• Mandatory data localization for financial records
• 6-year retention period for customer records
• Secure storage requirements for sensitive data
• Breach notification within 72 hours

🧩 Compliance Program

• Comprehensive KYC procedures
• Regular staff training programs
• Transaction monitoring systems
• PEP screening and enhanced due diligence
• Regular risk assessments

🧭 Supervisory Trends

• Increased focus on beneficial ownership transparency
• Enhanced scrutiny of cross-border transactions
• Stricter enforcement of KYC requirements
• Regular on-site inspections by regulators

📊 Risk Assessment Framework

Required Elements:

• Customer risk scoring methodology
• Product and service risk assessment
• Geographic risk factors
• Transaction pattern analysis
• Regular risk review cycles (minimum quarterly)

Documentation Requirements:

• Risk assessment methodology documentation
• Risk scoring criteria and thresholds
• Review and approval records

👥 Staff Training Requirements

Mandatory Training Topics:

• AML/CFT laws and regulations
• KYC and CDD procedures
• Sanctions screening
• Red flag indicators
• Reporting obligations

Training Frequency:

• New staff: Within 30 days of joining
• Annual refresher training
• Role-specific training for compliance staff

💻 System Requirements

Recommended Systems:

• Advanced transaction monitoring capabilities
• Automated sanctions screening tools
• Customer risk assessment templates
• Document management system
• Comprehensive reporting tools

Key Considerations:

• Systems should support local language requirements
• Ability to generate reports in required formats
• Comprehensive audit trail functionality
• Secure storage for customer documentation
• Compatibility with local reporting requirements

📝 Record Keeping

Documentation Requirements:

• Customer identification records
• Transaction records and supporting documents
• Risk assessment documentation
• Training records and certifications
• Internal audit reports

Retention Periods:

• Customer records: 6 years after relationship ends
• Transaction records: 6 years from date of transaction
• Training records: 6 years
• Audit reports: 6 years

🏦 Financial Sector

Banks & Financial Institutions:

• Enhanced due diligence for correspondent banking
• Special monitoring for high-risk transactions
• Strict wire transfer regulations
• Mandatory reporting of cross-border transactions

Insurance Sector:

• Special focus on life insurance products
• Enhanced monitoring of high-value policies
• Specific requirements for offshore policies

🏢 Other Regulated Sectors

Real Estate:

• Mandatory reporting of property transactions
• Enhanced due diligence for high-value properties
• Special attention to foreign investors

Gem Trading:

• Strict monitoring of gem transactions
• Mandatory reporting of suspicious activities
• Enhanced due diligence for high-value trades

🌍 International Transactions

Key Requirements:

• Enhanced due diligence for cross-border wire transfers
• Mandatory reporting of international transactions above LKR 1,000,000
• Special attention to transactions with high-risk jurisdictions
• Documentation of foreign exchange transactions
• Compliance with both regional and international sanctions regimes

Correspondent Banking:

• Strict due diligence on foreign correspondent banks
• Regular review of correspondent banking relationships
• Monitoring of nested account activities
• Documentation of foreign bank certifications

🔄 Trade Finance

Documentation Requirements:

• Detailed trade documentation for all transactions
• Verification of shipping documents
• Commodity price verification
• Beneficiary verification

Risk Mitigation:

• Regular review of trade finance patterns
• Enhanced monitoring of high-value transactions
• Special attention to dual-use goods
• Documentation of trade finance controls

⚠️ Common Challenges

Operational Challenges:

• Complex corporate structures
• Cross-border transaction monitoring
• Beneficial ownership verification
• Regulatory reporting complexity
• Technological integration

Regulatory Challenges:

• Frequent regulatory updates
• International compliance requirements
• Complex reporting obligations
• Regulatory coordination across jurisdictions

✅ Practical Solutions

Operational Solutions:

• Implement robust KYC/CDD systems
• Develop comprehensive monitoring tools
• Create standardized documentation processes
• Invest in compliance technology
• Build specialized compliance expertise

Regulatory Solutions:

• Regular regulatory updates and training
• Proactive engagement with regulators
• Documentation of compliance decisions
• Implementation of automated reporting systems

🤝 Best Practices

Communication Strategies:

• Regular meetings with regulatory contacts
• Proactive reporting of issues
• Clear documentation of compliance efforts
• Timely response to regulatory inquiries
• Maintenance of regulatory relationship logs

Examination Preparation:

• Maintain organized compliance documentation
• Conduct regular internal audits
• Prepare executive summaries of compliance programs
• Train staff on examination procedures

📋 Regulatory Reporting

Effective Reporting:

• Establish clear reporting timelines
• Implement quality control for reports
• Maintain reporting logs and acknowledgments
• Document any reporting delays or issues

Relationship Management:

• Designate primary regulatory contacts
• Maintain regulator contact database
• Document all regulatory communications
• Regular review of regulatory relationships

💡 Sri Lanka Compliance Tips

Key Red Flags in Sri Lanka:

• Complex corporate structures without clear business purpose
• Unusual cross-border transactions
• Reluctance to provide beneficial ownership information
• Transactions involving high-risk jurisdictions

Sri Lanka-Specific Considerations:

• Understanding local business practices and cultural norms
• Managing cross-border compliance challenges
• Building strong relationships with Sri Lankan regulators
• Navigating language requirements (English, Sinhala, Tamil)

📚 Sri Lanka Regulatory Resources

• Financial Intelligence Unit (FIU)
• Central Bank of Sri Lanka (CBSL)
• Securities and Exchange Commission of Sri Lanka (SEC)
• FATF Evaluation – Sri Lanka
• UN Security Council Consolidated List