Banks often claim OTP fraud ends the conversation, but evolving law, AI scams, and security obligations in 2026 give victims powerful ways to challenge that narrative and recover lost money.
By 2026, most Sri Lankans are effectively living inside their smartphones. Banking is almost entirely digital, fast and convenient. Yet this convenience carries a growing fear. Many people wake up to discover their bank balance has vanished overnight. When they contact the bank, the response is often blunt: “You gave the OTP, it was your mistake, we are not responsible.”
The reality, however, is far more complex. The legal story does not end there.
- Is the story “If you give the OTP, it is over” true?
This question is not as simple as banks suggest. If a customer voluntarily and knowingly shares an OTP number, what lawyers call voluntary disclosure, the bank does gain a stronger defense. That much is true. However, the bank is not automatically free from responsibility.
In 2026, digital banking systems are expected to identify unusual transactions through fraud detection mechanisms. If a customer normally spends a few thousand rupees and suddenly hundreds of thousands are transferred abroad within minutes, the bank’s system is expected to flag this activity. If it fails to do so, the customer can argue negligence in the bank’s security framework.
- Is there a legal answer to AI and Deepfake technology?
Today’s fraudsters use voice cloning to sound exactly like friends or relatives. Some even make deepfake video calls impersonating bosses or officials. This has introduced the “reasonable person standard” into modern legal arguments.
Legal experts increasingly argue that deception using advanced AI technology in 2026 is something an ordinary person can fall for, not deliberate carelessness. Although “Deepfake” is not explicitly written into Sri Lankan law, victims can still argue before a court or the Ombudsman that “this is not my negligence, this is a technical attack.”
- Bank’s duty of care regarding security
App-based authentication is widely accepted as more secure than SMS OTPs. If a bank continues to rely on outdated security methods and fraud becomes easier as a result, this can be shown as a failure of duty. Even if not clearly stated in law, banks have a duty to protect customer funds using reasonable and modern safeguards.
- What you must do to save your money
When fraud happens, documentation is critical. Always request a complaint reference number when contacting the bank. Follow up with an email and preserve any auto replies or acknowledgements. Report the incident to the nearest police or CCID and ensure it is reported to Sri Lanka CERT at 101.
- “Financial Ombudsman” who will help if you bypass the bank
If the bank does not resolve the complaint fairly within four weeks, victims can approach the Sri Lanka Financial Ombudsman. The Ombudsman can recommend compensation up to three million rupees, for a small cost, provided the complaint is filed within one year.
2026 is an age of rapid technology. “Suspicion” remains the strongest defense. But if fraud occurs, remember that “what the bank says is not the final truth.”
