Sri Lanka AML Laws and Compliance: Complete Guide for Financial Institutions (2026)


Sri Lanka AML laws form the foundation of the country’s anti-money laundering and counter-terrorist financing framework. Financial institutions, fintech companies, insurers, and DNFBPs must comply with these regulations to meet both domestic and international AML/CFT standards.

Sri Lanka’s anti-money laundering and countering the financing of terrorism regime has undergone significant transformation in recent years. For compliance officers, MLROs, and risk teams at regulated entities operating on the island, a clear understanding of Sri Lanka AML laws is no longer optional; it’s a day-to-day operational requirement.

This guide, written from ZIGRAM’s perspective as a RegTech partner to financial institutions globally, walks through Sri Lanka’s legal framework, regulatory architecture, compliance obligations, and key considerations for institutions preparing for the upcoming mutual evaluation. We also show where ZIGRAM’s “Complete AML System” fits into the picture.

Sri Lanka AML/CFT Framework

Sri Lanka’s AML/CFT framework is built on three foundational statutes: the Prevention of Money Laundering Act No. 5 of 2006 (PMLA), the Financial Transactions Reporting Act No. 6 of 2006 (FTRA), and the Convention on the Suppression of Terrorist Financing Act No. 25 of 2005 (CSTFA). Together, these statutes set out the country’s core anti-money laundering (AML) obligations under Financial Action Task Force standards and Asia/Pacific Group on Money Laundering (APG) requirements. Sri Lanka’s AML framework aligns with international standards and covers the banking, insurance, and fintech sectors, making it one of the more comprehensive regimes in South Asia.

These laws apply across the financial sector, including banks, insurers, securities firms, non-bank financial institutions, and certain Designated Non-Financial Businesses and Professions (DNFBPs) such as lawyers, accountants, and dealers in precious metals.

Sri Lanka was placed on the FATF “grey list” in 2017 due to strategic AML/CFT deficiencies. After the implementation of a corrective action plan, it was removed in October 2019. That experience underscored the cost of non-compliance and the importance of sustained effort. Sri Lanka adheres to Financial Action Task Force standards for AML compliance, and its institutions are now preparing for a third mutual evaluation by APG, scheduled for early 2026.

For compliance teams navigating these requirements, ZIGRAM’s “The Complete AML System” provides a way to operationalise everything from name screening and transaction monitoring to adverse media checks and sanctions compliance, configured to Sri Lanka’s regulatory environment.

Key Sri Lanka AML Laws and Regulatory Framework

Sri Lanka’s legal framework for combating money laundering and the financing of terrorism rests on three interconnected statutes, each targeting a distinct dimension of financial crime. Legislation regulates financial crimes in Sri Lanka through this layered structure.

The Prevention of Money Laundering Act No. 5 of 2006, as amended by Acts No. 40 of 2011 and No. 9 of 2018, criminalises money laundering offences. Section 3 covers engaging in financial transactions involving property derived from unlawful activity – including receiving, possessing, concealing, or transferring such property. Penalties range from 5 to 20 years of rigorous imprisonment and fines up to three times the value of the property. The Act also provides freezing, seizure, and forfeiture powers.

The Financial Transactions Reporting Act No. 6 of 2006 governs AML compliance obligations for reporting institutions. It establishes duties around customer due diligence, record keeping, suspicious transaction reports, and cash transaction reporting. It also created the financial intelligence unit and mandates the appointment of a compliance officer, employee training, and cooperation with law enforcement.

The Convention on the Suppression of Terrorist Financing Act No. 25 of 2005, with amendments in 2011 and 2013, focuses on countering the financing of terrorism. The suppression of terrorist financing is addressed through criminalisation of terrorist financing offences, asset freezing requirements, and mutual legal assistance provisions.

The regulatory bodies overseeing sector-specific AML/CFT compliance include:

  • The Central Bank of Sri Lanka (CBSL), which houses the FIU

  • The Securities and Exchange Commission for capital markets

  • The Insurance Regulatory Commission for insurers

  • The Department of Foreign Exchange for money changers and foreign exchange operations

Role of the Financial Intelligence Unit (FIU Sri Lanka)

The Financial Intelligence Unit (FIU) serves as the central agency for AML/CFT intelligence, supervision, and coordination in Sri Lanka. While embedded within the central bank, FIU Sri Lanka operates with functional independence, a structure designed to separate its supervisory and intelligence functions from monetary policy.

Established under Section 2 of the FTRA in March 2006 and reorganised as a department of the Central Bank of Sri Lanka in February 2007, the FIU’s core responsibilities include the following:

  • Receiving and analysing suspicious transaction reports and cash transaction reports

  • Disseminating financial intelligence to law enforcement agencies

  • Issuing guidelines and circulars to financial institutions and DNFBPs

  • Coordinating national AML/CFT policy, including the National Risk Assessment

  • Conducting risk-based off-site surveillance and on-site examinations

The Financial Intelligence Unit collects and analyzes data on suspicious transactions submitted by reporting institutions. It also publishes regulations, typologies, and enforcement actions. For example, Circular 02/2026 introduced requirements for certification of sanctions screening databases, while Circular 01/2026 mandated updates to institutional risk assessments. Compliance teams should monitor these publications regularly.

Coverage: Financial Institutions and Other Reporting Sectors

Sri Lanka’s AML/CFT laws cast a wide net over reporting institutions. Understanding who is in scope, and what obligations apply, is essential for any entity operating in or transacting with Sri Lanka.

The main categories of reporting institutions include:

  • Licensed commercial and specialised banks – banks must conduct customer due diligence in Sri Lanka as a baseline obligation

  • Non-bank financial institutions, including finance companies, leasing companies, and microfinance institutions, which also comply with AML/CFT regulations

  • Money service businesses and authorized money changers supervised by the Department of Foreign Exchange

  • Insurance companies, which are subject to the same AML/CFT standards as banks

  • Securities brokers, dealers, unit trust managers, and investment managers operating within the securities sector under the Securities and Exchange Commission

Designated Non-Financial Businesses and Professions must implement AML measures as well. This includes casinos, real estate dealers, dealers in precious metals and stones, lawyers, accountants, and company service providers, all facing increasing regulatory expectations.

Emerging sectors are also coming into focus. Virtual asset service providers and cross-border remittance platforms are expected to align with the AML/CFT framework, particularly where they handle foreign exchange or high-risk transactional flows. The FIU has initiated a phased supervisory roll-out for VASPs, with planned amendments to the FTRA to formalise their obligations.

AML Compliance Requirements in Sri Lanka

All reporting institutions in Sri Lanka must adopt a risk-based approach commensurate with their exposure to money laundering and terrorist financing. The effective implementation of these obligations is what regulators will assess during the upcoming mutual evaluation.

Customer due diligence requirements include identifying and verifying customers and beneficial owners using reliable, independent documents. Banks must conduct customer due diligence and report suspicious transactions. Enhanced Due Diligence is required for high-risk customers and politically exposed persons (PEPs), while simplified due diligence may apply where risk is demonstrably low and permitted by guidelines. Insurance companies must adhere to AML reporting standards alongside banks.

Ongoing monitoring duties require institutions to:

  • Review transactions for consistency with customer profiles

  • Flag unusual patterns and report suspicious activities

  • Investigate risk indicators related to money laundering or the financing of terrorism

  • Conduct customer screening against sanctions and PEP lists

Record keeping obligations require financial institutions to maintain comprehensive records for AML purposes, with a minimum retention period of six years for customer identification documents and transaction records under the FTRA. These records must be securely stored and readily retrievable to support audits and investigations.

Reporting obligations are equally specific. Institutions must file suspicious transaction reports to the FIU as soon as practicable when they suspect transactions relate to unlawful activity. Entities must report transactions exceeding one million Sri Lankan Rupees. Cross-border currency movements and negotiable bearer instruments also trigger reporting duties.

Supervision of Authorized Money Changers and Foreign Exchange Activity

Foreign exchange businesses and remittance channels occupy a prominent place in Sri Lanka’s risk profile, driven by labour migration remittances and tourism-related cash flows.

The Department of Foreign Exchange (DFE) of the Central Bank of Sri Lanka is responsible for licensing and supervising authorized money changers (AMCs) under the Foreign Exchange Act, in coordination with the FIU under the FTRA. AMCs are supervised for anti-money laundering (AML) compliance through a risk-based supervisory approach that evaluates inherent risks, governance quality, internal controls, staff training, and reporting practices.

AMCs must implement clear procedures on:

  • Customer due diligence for all foreign exchange dealings

  • Transaction monitoring for unusual patterns

  • Suspicious transaction reporting to the FIU

  • Record keeping aligned with FTRA standards

Non-compliance with AML regulations can lead to penalties, including administrative fines and licence revocation. AMCs are expected to pay special attention to high-risk jurisdictions, cash-intensive transactions, and unusual foreign exchange dealings.

National Risk Assessments and FATF Mutual Evaluation Outcomes

Sri Lanka’s AML/CFT regime is shaped by periodic mutual evaluation exercises and domestic national risk assessments. These assessments provide the foundation for a risk-based regulatory approach and inform supervisory priorities.

Sri Lanka’s AML/CFT framework includes a risk assessment framework. Risk assessment evaluates inherent risks of money laundering and terrorist financing across the financial system. The National Money Laundering, Terrorist Financing & Proliferation Financing Risk Assessment (NRA 2024/25) identified drug trafficking as high risk, with fraud and trade-based money laundering rated medium-high. Risk assessment considers products, customers, and geographic locations, and financial institutions must document their risk assessment processes.

From the previous APG mutual evaluation, Sri Lanka had non-compliant ratings on several recommendations, including those covering CDD and wire transfers. These have since been upgraded to “Largely Compliant,” but technical compliance alone is not enough. The upcoming mutual evaluation in early 2026 will test whether reforms are fully embedded and producing results.

Key ML/TF risk areas flagged by the NRA include:

  • Cash-based sectors and large cash transactions

  • Cross-border remittances and foreign exchange operations

  • Trade-based money laundering

  • Abuse of legal persons and arrangements

Regulated institutions must consider NRA findings when updating internal risk assessments, policies, and monitoring rules.

Risk-Based Approach for Banks and Non-Bank Financial Institutions

Regulators expect banks and non-bank financial institutions to implement a risk-based approach that prioritises resources toward higher-risk customers, products, and channels. Larger financial institutions face stricter regulatory oversight and are expected to demonstrate more sophisticated controls.

Institutions should categorise risks across four dimensions:

  • Customer type – PEPs, non-resident customers, complex corporate structures

  • Product and service risk – private banking, trade finance, correspondent banking, cross-border wire transfers

  • Delivery channels – online vs. face-to-face onboarding

  • Geographic risk – high-risk jurisdictions identified by the Financial Action Task Force or local guidance

Enhanced due diligence and intensified monitoring apply to high-risk categories. Institutions are expected to maintain formal enterprise-wide risk assessments, review them regularly, and produce documentation that can be presented to supervisory authorities on request.

Independent testing of AML/CFT controls, through internal audit or external review, is a regulatory expectation. Documented remediation plans for identified weaknesses are essential, particularly ahead of on-site examinations and the upcoming mutual evaluation.

Sanctions, Terrorist Financing and Targeted Financial Sanctions

Sri Lanka’s obligations under UN Security Council Resolutions are implemented domestically through the Convention on the Suppression of Terrorist Financing Act and related regulations. The Act creates the legal basis for freezing terrorist assets and enables extradition and mutual legal assistance.

Financial institutions must screen customers, beneficial owners, counterparties, and transactions against UN sanctions lists and any applicable domestic designations – implementing targeted financial sanctions without delay when matches are identified. Actions must be reported to the FIU and relevant authorities.

Regulators expect:

  • Real-time or near-real-time sanctions screening

  • Periodic and timely list updates

  • Strong governance around list management and calibration to reduce false positives

  • Screening of both new and existing customers

Enforcement data underscores the seriousness of these requirements. Between 2020 and 2025, the FIU imposed approximately 30 administrative penalties on banks and subsidiaries for AML/CFT/sanctions violations, totalling LKR 51,550,000. About half of these actions cited sanctions screening lapses, including failure to update lists and failure to screen existing customers. To combat money laundering and prevent terrorist financing effectively, sanctions controls should be integrated into the broader AML/CFT framework rather than managed as a separate process.

AML Software and Compliance Technology in Sri Lanka

There is a growing regulatory expectation that financial institutions deploy robust technology solutions for name screening, transaction monitoring, and adverse media checks. Manual processes alone are insufficient given the volume, velocity, and complexity of modern financial transactions and the penalties for getting it wrong.

Key system capabilities regulators in Sri Lanka expect include the following:

  • Risk-based transaction monitoring with configurable alert scenarios

  • Sanctions and PEP screening with audit trails

  • Case management for investigations

  • Comprehensive reporting aligned with FIU formats

  • Secure record keeping and retrieval

ZIGRAM’s “The Complete AML System” brings these capabilities together in a unified platform with:

  1. PreScreening.io handles name screening against sanctions, PEP, and watchlist databases.

  2. Transact Comply provides configurable transaction monitoring aligned with local thresholds and risk scenarios.

  3. Entity Hero delivers entity risk assessment and management.

The platform can be configured to Sri Lanka-specific requirements, including local reporting formats, CDD rule thresholds, NGO-specific enhanced due diligence, and integration with sanctions lists relevant to the Sri Lankan financial sector. This kind of technical assistance helps institutions ensure compliance while reducing false positives and manual workload.

If you're a compliance officer or MLRO preparing for the upcoming mutual evaluation, now is the time to evaluate your technology stack. Book a demo with ZIGRAM to see how our Complete AML System can strengthen your operations.

Governance, Training, and Record-Keeping Expectations

Effective AML/CFT compliance in Sri Lanka depends on strong governance, informed staff, and meticulous documentation. Regulators assess these elements during on-site examinations and will scrutinise them closely during the mutual evaluation.

Governance expectations include the following:

  • Board and senior management approval of AML/CFT policies

  • Appointment of a compliance officer or MLRO with clear reporting lines

  • Regular reporting to governance bodies on compliance status and risk exposure

Compliance officers must oversee AML/CFT procedures in firms, ensuring that policies are current, controls are functioning, and gaps are being remediated.

Staff training is mandatory. Initial and periodic AML/CFT training should cover typologies, red flags, sanctions obligations, and internal reporting channels. All staff in high-risk functions like front office, trade finance, and foreign exchange need targeted, role-specific training.

Record-keeping standards under the FTRA and related rules require minimum retention of six years for CDD documents, transaction records, internal investigation files, and STR/CTR submissions. Clear policies, version control, and accessible documentation are critical during supervisory inspections. Preventing money laundering requires not just good controls but the ability to prove those controls are working.

Practical Compliance Tips for Sri Lanka-Based Institutions

This section offers a checklist-style set of recommendations for day-to-day AML/CFT compliance in Sri Lanka. Think of these as key considerations for any institution looking to monitor compliance effectively.

  • Tailor your policies to Sri Lanka’s risk environment: tourism, remittances, trade finance, and cash-intensive sectors all carry distinct risk profiles

  • Incorporate NRA findings into your institutional risk assessment, and update it in line with FIU Circular 01/2026

  • Track regulatory circulars from the FIU and the central bank, which evolve frequently and carry enforcement weight

  • Focus on high-risk sectors including foreign exchange dealers, cross-border payments, real estate, and gems and jewellery

  • Integrate local typologies into your transaction monitoring rules and scenarios

  • Benchmark your framework against FATF mutual evaluation reports, peer practices, and RegTech tools like ZIGRAM

  • Test your controls independently, either through internal audit or external review, and document remediation plans

  • Ensure your systems can report suspicious transactions to the FIU in the prescribed format and within required timelines

With the APG mutual evaluation scheduled for early 2026, proactive compliance is not just about avoiding penalties; it’s about building trust with regulators, correspondent banks, and customers. Institutions that fall behind risk not only financial penalties but reputational damage and potential de-risking by international partners.

To explore how automation can enhance your Sri Lanka AML/CFT compliance posture, schedule a discovery call with ZIGRAM and see our “Complete AML System” configured for your regulatory environment.
