Sri Lanka's New AML/CFT Bills: What Banks, Businesses and Civil Society/Non-Profit Sector Need to Know

Published Date: 20/06/26

In March and May 2026, the Sri Lankan government published and tabled three Bills (proposed legislation) that, taken together, represent the most significant overhaul of the country's anti-money laundering and counter-terrorism financing (AML/CFT) framework in two decades:

  • The Financial Transactions Reporting (Amendment) Bill (Bill No. 21 of 2026, Gazetted 17 March 2026, placed on the Order Paper of Parliament on 9 April 2026);
  • The Convention on the Suppression of Terrorist Financing (Amendment) Bill (Bill No. 18 of 2026, Gazetted 11 March 2026, also placed on the Order Paper on 9 April 2026); and
  • The Prevention of Money Laundering (Amendment) Bill (tabled in Parliament on 5 May 2026).

The government's stated rationale is straightforward. Sri Lanka is undergoing its fourth-round Mutual Evaluation by the Asia/Pacific Group on Money Laundering (APG), acting on behalf of the Financial Action Task Force (FATF), with the on-site assessment having taken place through 2025 and the Mutual Evaluation Report (MER) due to be adopted around July 2026. Sri Lanka has been placed on the FATF "grey list" twice before, in 2010–2012 and again in 2017–2019, and the Central Bank of Sri Lanka and the Financial Intelligence Unit (FIU) may feel a third grey-listing, layered on top of the country's ongoing IMF programme, would be economically painful. Against that backdrop, these three bills are presented as the legislative price of staying off the list.

All three bills have already been before the Supreme Court for a determination on their constitutionality, as required under Article 121 of the Constitution when a citizen petitions within the statutory window. Whilst this article does not revisit the constitutional determinations, it sets out to explore what the Bills actually change, whom they affect and how the drafting has left wide discretion for authorities with comparatively few explicit safeguards. Further, questions may arise regarding their intersection with the data protection law and with Sri Lanka’s FATF compliance itself. On the latter, the question is whether these measures are likely to be seen by assessors as closing genuine gaps, or whether their breadth could itself become a new source of concern in the "effectiveness" part of the FATF assessment, which is described in detail below.

The Financial Transactions Reporting (Amendment) Bill

The Financial Transactions Reporting Act, No. 6 of 2006 (FTRA) is the foundational law requiring banks, finance companies, insurance companies, money or value transfer services, real estate agents, dealers in precious metals and gems, casinos, and certain professionals (collectively, the "reporting institutions") to identify customers, conduct due diligence, keep records, and file Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) with the FIU, which operates within the Central Bank of Sri Lanka.

Bill No. 21 of 2026 amends the FTRA across a substantial number of clauses. The amendments include the following:

  • They widen the categories of "reporting institutions" and the transactions that must be reported, extending obligations further into sectors such as virtual asset service providers and a broader range of designated non-financial businesses and professions (DNFBPs) that were previously only loosely covered.
  • They expand the FIU's powers to obtain information, conduct inquiries, and direct reporting institutions, including the ability to require production of records, explanations, and ongoing monitoring of specified accounts or customers, on the FIU's own determination of risk.
  • They significantly increase the penalties for non-compliance by reporting institutions and their officers, including for failures to report, failures to maintain records, and breaches of confidentiality obligations connected to STRs.
  • They strengthen the "tipping-off" prohibitions, the rules that prevent a bank or professional from informing a customer/client that they have been reported to the FIU (which can be considered a standard FATF requirement in Recommendation 21). Combined with the broadened reporting triggers, however, this means a much larger volume of customer relationships could become subject to silent reporting without the customer ever being told why their account is being scrutinised, frozen, or closed.

Given these overbroad measures, what does this mean in practice?

  • For banks and financial institutions, compliance departments will need to recalibrate onboarding, ongoing monitoring, and STR-filing thresholds across a wider customer base, including segments such as remittance-dependent households, small exporters, and NGOs that have historically been the first casualties of "de-risking" by banks acting defensively. The amendment's heavier penalty regime creates a strong institutional incentive to over-report and to terminate relationships with any customer profile perceived as elevated risk, even where the underlying activity is entirely lawful.
  • For DNFBPs (Designated Non-Financial Businesses or Professions) and professionals such as real estate agents, gem and jewellery dealers, company service providers and, depending on the final scope of the definitions, accountants and lawyers acting in specified capacities, the Bill extends statutory reporting obligations to businesses that, in many cases, have limited compliance infrastructure. A small accountancy practice or law firm that becomes a "reporting institution" for the first time faces a steep, immediate compliance burden, in the absence of any phased implementation, with significant new penalties if there are gaps in its internal implementation.
  • For ordinary customers, the practical effect is that more transactions, across a wider range of institutions, will generate reports to the FIU, generally without the customer's knowledge, and the threshold at which "suspicion" is triggered remains, as in the original Act, a matter substantially defined by FIU guidance rather than by the statute itself.

The Convention on the Suppression of Terrorist Financing (Amendment) Bill

The Convention on the Suppression of Terrorist Financing Act, No. 25 of 2005 ("CSTFA") domesticates Sri Lanka's obligations under the 1999 International Convention for the Suppression of the Financing of Terrorism. Bill No. 18 of 2026 introduces a new investigative chapter into this Act.

The centrepiece of the amendment is a new provision which authorises law enforcement and investigating authorities to use a defined set of "special investigative techniques" in terrorist-financing investigations, including:

  • Covert surveillance and observation
  • Undercover operations
  • Interception of communications
  • Access to computer systems and stored computer data
  • The formation of joint investigation teams, which, read together with the equivalent provisions in the PMLA amendments (discussed further below), can include both domestic agencies and foreign investigative authorities

However, it does not, by itself, tell a bank, a business, or an NGO what operational safeguards, judicial pre-authorisation thresholds, data retention periods, destruction protocols for material that turns out to be irrelevant, or independent oversight of how these techniques are used will actually govern day-to-day use of these powers. Those details, where they exist, are more likely to sit in subsidiary regulations and internal FIU/Police directives that have not yet been made public, rather than in the body of the Act itself and may be changed or adapted from time to time.

So what does this mean for business and non-profit actors in the ecosystem?

  • For banks and telecommunications/payment infrastructure providers, this creates a distinct legal channel separate from the FTRA's reporting framework, through which servers, transaction logs, and communications metadata could become subject to direct access by investigators pursuing a terrorist-financing inquiry, on a basis that is defined in the Act primarily by reference to the offence under investigation rather than by a detailed, codified procedural code.
  • For businesses and individuals, electronic communications and computer data can be accessed under these powers. Because the trigger is "terrorist financing", a category that, under both the CSTFA and the broadened "unlawful activity" definitions in the PMLA amendments, can extend to a wide range of underlying conduct, the practical reach of this provision may extend well beyond cases that most people would intuitively recognise as terrorism-related.
  • For the not-for-profit sector, this provision sits on top of an existing regulatory posture reflected in practice by the FIU. An organisation already subject to enhanced due diligence as an NPO (Non-Profit Organisation), and now potentially within scope of these investigative powers if its activity is characterised as touching on "terrorist financing" in the broad sense provided in the amended Acts, faces a cumulative layer of scrutiny with limited visibility into the manner in which the criteria are being applied.

The Prevention of Money Laundering (Amendment) Bill

The Prevention of Money Laundering Act, No. 5 of 2006 (PMLA) is the principal statute criminalising money laundering and providing for the freezing, seizure and forfeiture of criminal assets. The amendment bill tabled on 5 May 2026, which the government has linked explicitly to the Proceeds of Crime Act of 2025, makes the following changes, among others:

  • Money laundering becomes an autonomous offence. The amended Act removes the requirement that a person first be convicted of the underlying (predicate) crime before being prosecuted for money laundering. A person can be charged with, and convicted of, money laundering on the basis that property is shown to derive from "unlawful activity," even where no one has ever been convicted of that underlying unlawful activity. This is consistent with the approach FATF recommends internationally (Recommendation 3) and is a feature of many other countries' AML laws, but it also means the evidentiary anchor for a money laundering charge becomes the prosecution's characterisation of the source of funds, not a prior judicial finding on the predicate offence.
  • A dramatically broadened definition of "unlawful activity" and "criminal property," now expressly extending to cybercrime, virtual asset and blockchain-related offences, corruption, environmental offences, tax and customs offences, human trafficking, intellectual property offences, terrorist financing, and, as a catch-all, any offence punishable by death or by imprisonment of five years or more. Given how many offences in the Penal Code and other statutes carry a maximum of five years or more, this catch-all alone brings a very large share of Sri Lankan criminal law within the scope of "unlawful activity" for money laundering purposes.
  • A police officer not below the rank of Assistant Superintendent of Police (ASP) may issue a Freezing Order on "reasonable grounds" of suspicion that a person is involved in money laundering and that assets need to be preserved. The initial freezing period is extended from 7 days to 14 working days, and the maximum period for which a court may extend a freeze is extended from 2 years to 3 years. The Bill also empowers the High Court to publish notices of confirmed Freezing Orders in the Gazette and in Sinhala, Tamil and English newspapers, to allow bona fide third parties to come forward.
  • It provides for a detailed statutory definition of “beneficial ownership” capturing individuals who have ultimate ownership or control of companies, trusts and other legal arrangements, including indirectly or through intermediaries, which addresses the only FATF recommendation on which Sri Lanka was rated outright ‘non-compliant’.
  • The same suite of "special investigative techniques" as in the CSTFA amendments, such as surveillance, undercover operations, listening devices, controlled deliveries, and access to computer systems, is written into the PMLA framework, with court authorisation required for certain measures.
  • There is a steep across-the-board increase in penalties for breach of freezing orders and unlawful disclosure of an investigation.

It is noteworthy that the Supreme Court determination required the clause dealing with the freezing of property by the court on application to be passed only by a special majority of Parliament and not by a simple majority. This signals that, in the Court’s assessment, the expansion of freezing powers engages constitutional thresholds.

So what does it mean for our ecosystem?

  • For banks, the broadened predicate-offence net and the autonomous money laundering offence mean that transaction monitoring and STR-filing decisions will need to account for a much wider universe of potential underlying conduct, increasing both the volume of reportable activity and the institutional risk of getting the call wrong in either direction.
  • For businesses, including SMEs and exporters, the combination of an ASP-level freezing threshold, a 14-day initial freeze, and up to a 3-year court-ordered extension means that operating accounts can be frozen before any conviction, on the basis of "reasonable grounds" of suspicion, for a period long enough to be commercially fatal for many smaller enterprises, even if the suspicion is later not borne out. It can be fatal for mid-sized and larger enterprises as well.
  • For DNFBPs, the fifty-fold increase in penalties for breaching a Freezing Order, and the tenfold increase for failure to disclose information, are not calibrated to the size of the business. A penalty of Rs. 5 million for breaching a Freezing Order is a materially different proposition for a systemically important bank than for a small gem dealer or real estate agent, and yet the Bill, as reported, applies the same ceiling across the board.

The overarching collection and reporting of data by the multiple actors listed in the proposed legal framework raises the question of what this means for our privacy. Sri Lanka recently passed the Personal Data Protection Act No. 9 of 2022 (PDPA), which sets out the rights of individuals over the collection, processing, storage and cross-border transfer of their personal data and establishes the Data Protection Authority to regulate and oversee these processes. Like most data protection statutes, the PDPA contains exemptions for processing carried out for the prevention, investigation, or prosecution of crime and for national security purposes, and AML/CFT investigations would generally fall within such exemptions in most jurisdictions.

The practical question raised by the FTRA, CSTFA and PMLA amendments together is one of:

  1. a much larger volume of STRs and customer data flowing to the FIU under the FTRA amendments;
  2. a covert collection of communications and computer data under the CSTFA and PMLA "special investigative techniques" provisions; and
  3. sharing of information, including, under the joint investigation team provisions, with foreign authorities for AML/CFT purposes.

None of the three bills, as reported, appears to contain its own detailed data-handling regime (retention periods, destruction protocols for data found to be irrelevant, audit trails for access, or a mechanism by which a person can later learn that their data was collected and seek correction). Where such detail is absent from the primary legislation, it typically falls to subsidiary regulations, which means that, for the time being, the practical data-protection posture of these new powers is largely undefined.

The most important question for Sri Lanka is whether all these efforts will make us FATF compliant. Answering it requires a complex analysis of whether the trade-offs in fundamental freedoms will “pay off” in terms of improving Sri Lanka’s FATF review. In view of the upcoming technical compliance assessment, the proposed legislation might be considered a measurable upgrade. However, FATF’s methodology is not limited to technical compliance; it also assesses “effectiveness”. Critically, Recommendation 8 and FATF’s own Best Practices Paper on Combating the Abuse of Non-Profit Organisations explicitly direct countries to apply a risk-based, targeted approach to the NPO (non-profit) sector. In practice, this means legislation and systems need to identify the specific subsets of organisations that present a genuine risk based on actual evidence, rather than subjecting the sector as a whole to blanket enhanced due diligence or investigative exposure. FATF has separately, through its work on "unintended consequences," acknowledged that overly broad or blanket AML/CFT measures can themselves generate effectiveness problems, most visibly through bank de-risking, financial exclusion, and the chilling of legitimate NPO activity, which are the more probable outcomes and which FATF has said run counter to its own objectives.

Reading the proposed legislation against that backdrop, a legislative package that

a) layers new investigative powers and enhanced due diligence on top of an NPO sector already subject to an enhanced due diligence regime;

b) defines "unlawful activity" broadly enough to capture a very large share of ordinary criminal offences; and

c) gives an ASP-level officer the power to freeze accounts for up to 14 days, extendable to 3 years by a court, on reasonable suspicion alone

is not self-evidently "more compliant" in the effectiveness sense. Any NPO investigations that are disproportionate to Sri Lanka’s actual, evidence-based terrorism financing risk profile could themselves be flagged as an effectiveness deficiency by FATF.