2022-01-28 | Finance Business Act Directions No.01 of 2022

Technology Risk Management and Resilience

The Monetary Board of the Central Bank of Sri Lanka has issued binding directions requiring Licensed Finance Companies to implement comprehensive technology risk management and resilience frameworks across all operations, including agents and third-party providers. The regulations mandate robust governance structures, such as board-level committees and a dedicated Chief Information Security Officer, alongside stringent information security controls covering data encryption, access management, security operations centers, and continuous vulnerability testing. Furthermore, the framework enforces fair customer data usage, high system availability targets, and strict disaster recovery protocols with recovery time objectives under six hours to ensure operational continuity and cyber resilience.


Sri Lanka

Central Bank of Sri Lanka
