
Sri Lanka: Data Protection in the Financial Sector


1. Governing Texts

1.1. Legislation

Sri Lanka currently does not have any consolidated and/or specific laws on data protection. Despite not having any specific laws, certain legislation contains provisions that could be regarded as being relevant to data protection and rights to privacy in cyberspace.

The Central Bank of Sri Lanka ('CBSL'), established under the Monetary Law Act No. 58 of 1949 ('MLA'), is the main authority responsible for the objectives of the financial system. The CBSL issues licences and regulates, administers, and supervises all major financial institutions, which include licensed commercial banks ('LCBs'), licensed specialised banks ('LSBs'), finance companies, and finance leasing companies. The CBSL has imposed specific regulations which cover the following areas:

  • information security;
  • availability of systems; and
  • customer protection.

In addition to the specific laws and regulations that govern the finance sector, it is a requirement to comply with the Computer Crime Act No. 24 of 2007 ('CCA') and the Electronic Transactions Act No. 19 of 2006 ('ETA'), which are the key pieces of legislation governing matters related to information systems and e-transactions.

The CCA addresses, through penal sanctions, matters that involve data that has been unlawfully obtained, the illegal interception of data, and the unauthorised disclosure of information.

The ETA (which came into operation in Sri Lanka by Gazette Extraordinary No. 1516/25 of 27 September 2007) was drafted based on the standards established by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce of 1996 and the UNCITRAL Model Law on Electronic Signatures of 2001. The ETA does not specify or define what will be recognised as 'data.' However, it states that its provisions apply to any 'data' or 'communications' made in electronic form.

Other key acts include:

The following guidelines, regulations, and directions have been issued by the Monetary Board of the CBSL in relation to the abovementioned acts and contain general instructions on privacy and data protection. It is worth noting that the regulations do not provide definitions of 'data' or 'information':

1.2. Supervisory authorities

The CBSL is responsible for enforcing the above legislation and regulations.

2. Personal and Financial Data Management

The MLA

The monetary system of Sri Lanka was established under the MLA. The MLA provides that every officer and servant of the CBSL, except in the performance of their duties, shall preserve and aid in preserving secrecy with regard to all matters relating to the affairs of any banking institution, of any client of any such institution, or of any matter relating to the affairs of any department of government, corporation, company, partnership, or person that may come to their knowledge in the performance of their duties.

The Banking Act, FBA and FLA

The Banking Act, the FBA, and the FLA, regulating banks, finance leasing businesses, and finance companies, contain provisions stating that every officer employed in the respective financial institution shall observe strict secrecy in respect of all transactions of the financial institution, information, its customers, and the state of accounts of any person, unless otherwise required by a court of law, in the performance of their duties, or in compliance with any other law. The acts do not provide a definition of 'information.'

The SBT

The SBT prescribes that banks are required to observe strict secrecy in respect of all banking transactions. All LSBs and LCBs are required to include a special clause/condition in software maintenance agreements or service agreements with outside software companies, requiring them to observe strict secrecy in respect of all transactions of the bank, its customers, and the state of accounts of any person, as well as obtaining declarations of secrecy from all persons and organisations who perform services in terms of such maintenance or service agreements.

The Charter

The Charter regulates the manner in which any aspect of the business of such banks is to be conducted, as well as the safeguards of the customers' interests. All licensed banks shall ensure that the customers' rights are protected. The Charter sets key standards of fair banking practices as perceived by customers when they undertake transactions with licensed banks and provides guidance to the licensed banks to adopt a 'Code of Conduct' on customer protection.

Item 5 of the Charter regulates, inter alia, the restriction on agents appointed for customer services by licensed banks from disclosing customer information to others.

The Outsourcing Direction

In terms of Section 3(5) of the Outsourcing Direction, a licensed bank shall ensure in its security policies, procedures, and controls that a service provider exercises a high standard of care and diligence to protect the confidentiality and security of the bank's sensitive information, especially relating to customers, hardware, operating systems, and application software.

The FBA Direction

In terms of Section 6.1 of the FBA Direction, as required by the FBA, all licensed finance companies shall take necessary steps to protect customer data and privacy in line with the provisions of the FBA.

The FLA Direction

In terms of Section 6.1 of the FLA Direction, all specialised leasing companies shall take necessary steps to protect customer data and privacy in line with the applicable legal provisions.

2.1. Legal basis for processing

Please refer to sections on personal and financial data management and on financial reporting and money laundering below.

2.2. Privacy notices and policies

The Charter

All licensed banks shall publish the 'Customer Charter' on their websites, make copies available for customers on request in their preferred language, and educate them when necessary.

The FBA Direction

In terms of Section 4.3 of the FBA Direction, all licensed financial companies shall publish the 'Financial Customer Protection Framework' on their websites and make copies available for customers on request in their preferred language and educate them when necessary.

The FLA Direction

In terms of Section 4.3 of the FLA Direction, all specialised leasing companies shall publish the 'Financial Customer Protection Framework' on their websites and make copies available for customers on request in their preferred language and educate them when necessary.

2.3. Data security and risk management

Banks

The CBSL has issued directions, circulars, and regulations on different types of risk management. Among the various types of risks faced by the banking sector, market risk, liquidity risk, credit risk, and operational risk are frequently regulated and updated.

The Banking Act Direction No. 4 of 2014 on Amendment to Directions on Integrated Risk Management Framework for Licensed Banks and the Baseline Security Standard for Information Security Management ('the Standard') provides that all banks are required to implement the 'Baseline Security Standard.' It establishes minimum security standards for banks and standardises the information security policies of such banks. However, each bank should ensure the adoption of such standards relative to the size, nature of business activities, and complexity of the respective bank. It prescribes standards on information security policies, information security risk management, communications security, operations security, and maintenance of security of information managed by third parties.

The Standard assumes the application of ISO 27005 to assign risk ratings to the information assets that fall within the scope of the information security management system of the organisation concerned.

Item 1.3 of the Standard stipulates that all organisations are required to derive their security requirements to conform to the laws of Sri Lanka, including regulatory requirements set by the respective regulators and the international best practices adopted globally.

Item 2.9 of the Standard defines information security as the preservation of confidentiality, integrity, and availability of information, which can also involve authenticity, accountability, non-repudiation, and reliability.

Finance companies

Section 8(3)(b) of the Finance Companies (Corporate Governance) Direction No. 3 of 2008 (available from page 64 of the CBSL Directions, Rules, Determinations, Notices, and Guidelines Applicable to Licensed Finance Companies) ('the Corporate Governance Direction') provides that the 'Integrated Risk Management' ('IRM') committee shall assess all risks, such as credit, market, liquidity, operational, and strategic risks, to the finance company on a monthly basis through appropriate risk indicators and management information. In the case of subsidiary companies and associate companies, risk management shall be done both on a finance company basis and on a group basis.

Section 1 of the Finance Companies (Information Systems Security Policy) Direction No. 4 of 2012 (available from page 68 of Part III of the CBSL Annual Report (2012)) ('the ISSP Direction') provides that every finance company shall maintain an 'Information Systems Security Policy' ('ISSP') in line with at least the minimum requirements stipulated in the ISSP Direction.

Section 3 of the ISSP Direction provides that every finance company shall classify all information and data within the finance company to reflect its level of confidentiality or importance to the organisation and implement security measures according to the level of confidentiality needed.

Finance leasing companies

Section 8(3)(b) of the Corporate Governance Direction provides that the IRM committee shall assess all risks, such as credit, market, liquidity, operational, and strategic risks, to the relevant establishment on a monthly basis through appropriate risk indicators and management information. In the case of subsidiary companies and associate companies, risk management shall be done both on the relevant establishment basis and on a group basis.

2.4. Data retention/record keeping

The MLA

Section 26 of the MLA provides that the Director of Economic Research or any officer of the department of economic research authorised for the purpose by the Director may require any person to furnish to him or her such information as he or she considers necessary to obtain for the purposes of the proper discharge of the functions and responsibilities of the CBSL, or require any person to produce for inspection any books or records in their possession containing or likely to contain such information.

Section 5(3) of Circular No. 02/04/004/0012/001 of 3 December 2001 on Customer Due Diligence Know Your Customer Procedures (available from page 220 of the CBSL Directions, Determinations, and Circulars issued to Licensed Commercial Banks) ('the CDD Guidelines') provides that all evidence of identification should be maintained for a minimum period of five years, even after an account is closed.

3. Financial Reporting and Money Laundering

The FTRA

The rules of the Financial Transactions Reporting Act No. 6 of 2006 ('FTRA') apply to licensed banks and registered finance companies and set out the information to be obtained regarding customer identification data or information relating to their customers, who may be natural or legal persons. Every financial institution shall retain copies of all identification and address verification documents.

In accordance with Section 7 of the FTRA, when an institution has reasonable grounds to suspect that any transaction or attempted transaction may be related to the commission of any unlawful activity or any other criminal offence under the FTRA, the Convention on the Suppression of Terrorist Financing Act No. 25 of 2005 ('CSTF'), or the Prevention of Money Laundering Act No. 5 of 2006 ('PML'), the said institution shall, as soon as practicable after forming of the suspicion or receiving relevant information, report the transaction, the attempted transaction, or the information to the Financial Intelligence Unit ('FIU').

Section 2 of the FTRA provides that no institution shall open, operate, or maintain an account, where the holder of such accounts cannot be identified, including any anonymous accounts, or any account identified by number only, or any account which to the knowledge of the institution is being operated in a fictitious or false name.

Section 15(2) of the FTRA provides that where the FIU has reasonable grounds to suspect that a transaction or attempted transaction may involve proceeds that are attributable to any unlawful activity, be it connected to a money laundering offence under the PML, or preparatory to the commission of an offence under the CSTF, the FIU may direct an institution not to proceed with the carrying out of that transaction or attempted transaction or any other transaction in respect of the funds affected by that transaction or attempted transaction for a period to be determined by the FIU in order to allow the FIU:

  • to make any necessary inquiries concerning the transaction or attempted transaction; and
  • if the FIU deems it appropriate, to consult or advise the relevant law enforcement agency in the inquiries.

In accordance with the requirements of the FTRA, the compliance officer of every institution should establish and maintain procedures and systems to implement the reporting requirements under Section 7 of the FTRA and train its officers, employees, and agents to recognise suspicious transactions.

The Credit Information Bureau of Sri Lanka ('CRIB') collects information on all credit facilities of both corporations and individuals, with no restrictions on the amount or type of credit. In terms of the Credit Information Bureau of Sri Lanka Act No. 18 of 1990, all LCBs, LSBs, registered finance companies, and leasing companies are required to report all types of credit to CRIB within 30 days of granting it. Such information must be updated monthly. The CRIB and lending institutions are required to observe strict secrecy on such credit information.

All LCBs and LSBs are requested to submit reports on cybersecurity events to the CBSL, as per Instructions No. 02/17/150/0095/001 of 25 January 2016 on Reporting on Cyber Security Events (available from page 1 of Part III of the CBSL Annual Report (2016)). However, 'cybersecurity event' has not been defined.

The CDD Guidelines

The CDD Guidelines provide that all licensed banks shall conduct due diligence on all customers involved in cross-border financial transactions and ensure that all requirements under the relevant statutes, including the FTRA, the PML, and the CSTF, are met. The CDD Guidelines prescribe the type of information that should be obtained from all prospective customers.

The FBA Direction

In accordance with Section 3 of the FBA Direction, licensed finance companies and appointed agents shall gather and record sufficient information relating to their customers prior to providing appropriate products/services to customers. The level of information gathered shall be appropriate to the nature and complexity of the product/service being sought by the customer.

The FLA Direction

In accordance with Section 3 of the FLA Direction, licensed finance companies and appointed agents shall gather and record sufficient information relating to customers prior to providing appropriate products/services to customers. The level of information gathered shall be appropriate to the nature and complexity of the product/service being sought by the customer.

4. Banking Secrecy and Confidentiality

Section 34B(1) of the Banking Act stipulates that every officer of an LCB operating accounts on behalf of customers and any person, who by reason of their capacity or office, has any access to the records, registers, correspondence, or any other material of the bank relating to such accounts, shall keep absolute secrecy with regard to the contents thereof in the interests of the customer to whom the account relates.

Section 34B(2) of the Banking Act provides that every officer of an LCB shall not give, divulge, or reveal any information whatsoever regarding the name or identity of the owner of such an account to any individual, corporation, bank, court, institution, entity, department, official, agent, representative of the Government of Sri Lanka, or any other government, legal or natural person, or judicial or military authority, unless:

  • the owner of the numbered account gives their permission to do so;
  • legal proceedings are instituted by, or against the LCB by, or against, the owner of the numbered account relating to a banking transaction arising from the numbered account; or
  • they are required to do so:
    • by any provision of any law giving effect to an international convention on narcotics or hijacking, in any criminal proceedings instituted under that law, in any court; or
    • by an order of the Supreme Court of Sri Lanka, made on application, on the ground that money in the account has been, or is being, used in furtherance of an act which constitutes an offence under the Prevention of Terrorism Act No. 48 of 1979.

Section 77(1) of the Banking Act provides that every director, manager, officer, or other person employed in the business of any LCB or LSB shall observe strict secrecy in respect of all transactions of the bank, its customers, and the state of accounts of any person and all matters relating thereto, and shall not reveal any such matter except when required to do so:

  • by a court of law;
  • by the person to whom such matter relates;
  • in the performance of the duties of a director, manager, officer, or another person; or
  • in order to comply with any of the provisions of the Banking Act or any other written law.

In addition, Section 45 of the MLA imposes a duty of secrecy on the CBSL. It provides that every officer and servant of the CBSL, except in the performance of their duties, shall preserve and aid in preserving secrecy with regard to all matters relating to the affairs of any banking institution, of any client of any such institution, or of any matter relating to the affairs of any department of government, corporation, company, partnership, or person that may come into their knowledge in the performance of their duties.

Furthermore, no officer or servant of the CBSL shall be required to produce in any court any book or document, or to divulge or communicate to any court any matter or thing coming under their notice in the performance of their duties, except as may be necessary for the purpose of carrying into effect the provisions of the CBSL.

5. Insurance

Not applicable.

6. Payment Services

The Payment and Settlement Systems Act No. 28 of 2005 provides for the regulation, supervision, and monitoring of payments, clearing, and settlement systems, as well as the regulation of providers of money services and the electronic presentment of cheques in Sri Lanka.

In accordance with the Money Payment, Clearing and Settlement Service Providers Regulations No. 01 of 12 June 2007, the CBSL shall be the supervisory, regulatory, and monitoring authority for all service providers and any category of service providers, including any person who provides money services, or operates a payment system, and is responsible for directives, directions, rules, instructions, guidelines, and definitions to service providers.

7. Data Transfers and Outsourcing

Outsourcing

In accordance with the Outsourcing Direction, an 'outsourcing arrangement' is an agreement between a licensed bank and a third-party service provider, whereby the service provider performs an activity, function, or process connected with the operations of a licensed bank. A 'service provider' includes the head office, parent institution, another branch or related company of a licensed bank, or an unrelated institution, whether located in Sri Lanka or elsewhere.

Section 3 of the Outsourcing Direction provides that a licensed bank may outsource its functions/operations or activities other than, inter alia, customer due diligence ('CDD') and Know Your Customer ('KYC') procedures, and risk management and IT-related services.

Section 3(4) of the Outsourcing Direction further details the functions that come under IT-related services which include, inter alia, electronic banking systems, technology infrastructure management, and data entry operations.

In terms of Section 2(1) of the Finance Business Act Direction No. 7 of 2018 on Outsourcing of Business Operations ('FBAD No. 7'), a licensed finance company may outsource its functions/operations or activities other than, inter alia, CDD and KYC procedures and risk management and IT-related services.

Section 7(1) of FBAD No. 7 further details the functions that come under IT-related services which include, inter alia, electronic banking systems, and technology infrastructure management.

Section 12 of FBAD No. 7 defines an 'outsourcing arrangement' as an arrangement in which a service provider performs a function/operation on a continuing basis, where the activity is normally undertaken, or could be undertaken, by the licensed finance company.

Section 12(1) of FBAD No. 7 defines 'service provider' as an entity, including a parent company or another related company of the licensed finance company providing services to a licensed finance company under an outsourcing arrangement.

Data transfer

In terms of Section 3.2(f) of the Charter, the customer specifically has the right to know regarding any disclosure of customer information to a party legally authorised to obtain such information.

The SBT provides that banks are required to observe strict secrecy in respect of all banking transactions. All LSBs and LCBs are required to include a special clause/condition in software maintenance agreements or service agreements with outside software companies, requiring them to observe strict secrecy in respect of all transactions of the bank, its customers, and the state of accounts of any person, and obtain declarations of secrecy from all persons and organisations who perform services in terms of such maintenance or service agreements.

In terms of Section 6(2) of the FBA Direction and the FLA Direction, customers shall be appropriately informed regarding the sharing of personal data related to them with CRIB, the exact purpose and conditions of the collection, processing, and distribution of data held about them, and the related confidentiality rules.

8. Breach Notification

There is no breach notification requirement for the financial sector in Sri Lanka.

9. Fintech

Currently, there are no sector-specific requirements for financial institutions using FinTech. Such institutions would be subject to the present laws and regulations issued by the Monetary Board of the CBSL.

Sri Lanka is at a very early stage of FinTech development. Currently, the CBSL has established a regulatory sandbox to run innovative FinTech experiments, which can be released to the market after testing and gaining approval, and to identify the existing laws that hinder the development of such technologies.

10. Enforcement

Section 26 of the MLA provides that if a person fails to comply with any requirement made under that Section, they shall be guilty of an offence.

Section 45 of the MLA provides that if any officer or servant of the CBSL communicates any such matter to any person, other than the Monetary Board or an officer of the CBSL authorised on that behalf by the Governor of the CBSL, or suffers or permits any unauthorised person to have access to any books, papers, or other records relating to any banking institution, department of Government, corporation, company, partnership or person, they shall be guilty of an offence.

A person guilty of an offence recognised under the MLA will be tried before a magistrate and a fine may be imposed.

Under Section 79 of the Banking Act, any person who fails to observe strict secrecy in respect of all transactions of the bank shall be guilty of an offence and shall be liable on conviction after summary trial before a magistrate to a fine not exceeding LKR 1 million (approx. €4,520), or to imprisonment of either description (simple or rigorous) for a term not exceeding three years, or to both such a fine and imprisonment.

11. Additional Areas of Interest

The Data Protection Drafting Committee of the Ministry of Digital Infrastructure and Information Technology and the Legal Draftsman's Department has drafted the Bill to provide for the Regulation of Processing of Personal Data (2021) ('the PDP Bill'). The PDP Bill has as its objectives the regulation and processing of personal data by establishing a data protection authority to safeguard the rights of citizens referred to as 'data subjects' and to regulate the dissemination of unsolicited messages using personal data of individuals held by banks, telecom operators, hospitals, and other personal data aggregating and processing entities.

The PDP Bill is currently under debate in the Parliament of Sri Lanka.

Manjula Sirimane, Partner
D. L. & F De Saram, Colombo
