The maximum fine for anti-money laundering non-compliance by a financial institution in Sri Lanka is Rs1 million — for some it was cheaper to pay than fix. But the cost of that inaction is rising: a Rs13.2 billion fraud at a listed bank and a $2.5 million cyber heist at the Finance Ministry, both in the space of months, have made financial crime impossible to ignore. Dossiers, a Colombo startup founded in late 2024, helps financial institutions verify who their customers are and stop fraud before it happens.
The startup began with non-banking financial institutions (NBFIs) — securities firms, wealth managers, finance companies. “We first got the NBFIs because that is where the gap was really in the market,” says Mudith Uswatte, Chief Commercial Officer at Dossiers.” Now we are going after the banks.” Asia Securities was its first client, followed by Asha Securities, Sampath Securities, NDB Wealth Management, Mercantile Finance and Singer Finance. Implementations are underway at Koko and Capital Alliance.
It has found backing too with nVentures leading a raise of about $100,000, alongside Mangala Karunaratne, founder of Calcey Technologies, and a senior official at one of the largest payment networks. Google has separately awarded the company $350,000 in computing credits. Nisal Periyapperuma, Chief Executive at Dossiers, says another round is now underway because, “We want to take this outside of Sri Lanka.”
The idea for Dossiers came from a compliance officer who wanted to buy a spreadsheet. Periyapperuma, then running Watchdog, an investigative news organisation, had mapped the country’s government hierarchy — cabinet, departments, state-owned enterprises — as a side project. When he showed it to people in the financial sector, one asked if the dataset was for sale. The only local resource for identifying politically exposed persons, Transparency International’s peps.lk, had been taken down. There was nothing else. Rather than selling a spreadsheet, Periyapperuma interviewed compliance departments. Dossiers grew from those conversations.
At its core, Dossiers is a fraud prevention platform — starting with KYC (Know Your Customer) to verify who a financial institution’s customers are, and then watching whether they behave like themselves. The problem, Periyapperuma says, is that most institutions are doing each of those things separately, with disconnected tools that cannot talk to each other. A compliance officer typically works across a CRM from one vendor, an onboarding system from another, and a core banking platform from a third. “They’re going after really sophisticated threats with a spear,” he says.
Dossiers’ answer is DossiersOS, a unified interface that runs parallel to an institution’s existing systems, pulling screening results, transaction data, and customer records into one place. It connects three of its own products — Onboard, Screen, and Monitor — and gives compliance teams a single view of every customer’s history, from the moment they were onboarded to the present.
“AI tools have made impersonation, document forgery, and identity fraud cheaper and faster to execute than at any previouspoint, and the organised crime networks behind them are growing more sophisticated, not less.”
Onboard handles customer verification when someone opens an account, confirming documents are genuine, running a short video check to establish the person is real, and assigning an initial risk rating. Screen runs continuous checks against sanctions lists, PEP databases, and negative news coverage, because a customer’s risk profile can change long after they have opened an account. Monitor watches both directions — what customers do, and what employees do. It tracks transactions, device usage and behaviour to flag activity inconsistent with a customer’s profile, and separately monitors staff behaviour against role-based expectations.
Powering all three is Cosmos, a knowledge graph, a system that maps individuals and the relationships between them. Cosmos is trained on millions of documents: court records, parliamentary transcripts, corporate filings, news archives. “Obituary notices are among the most reliable sources of family data available,” Periyapperuma says. “A death notice will name a spouse, children, siblings.” Beyond mapping connections, Cosmos builds a behavioural baseline for every customer, learning what they spend, where, how much, and when. A cluster of purchases in wedding-related categories signals a customer preparing for a wedding. A standing order to an international school signals children of school age. When behaviour breaks from that baseline, Monitor flags it for a compliance officer to review. The result is a system that knows not just who a customer is, but how they normally behave, and notices when something does not fit.
Selling that proposition has not been straightforward. Compliance teams, Periyapperuma says, are typically impressed. The harder conversation is with the board. “One question they always ask is: who else is using you?” With a handful of named clients and a product iterated on real customer feedback, Dossiers can now answer that question. But getting a budget allocated in institutions that spent years treating compliance as a tick-box exercise requires more than a good product, it requires proof that the risk of not acting now outweighs the cost of acting.
Dossiers has found a way in. Rather than displacing existing vendors wholesale, the company leads with a single product — screening has been the most common entry point — and expands from there as client relationships deepen and legacy contracts expire. One client coming on board next month is switching specifically because their existing screening provider’s contract is ending. The central bank’s scrutiny, Periyapperuma says, is also shifting the conversation. “The pressure to fix the systematic issues is helping us.”
The Central Bank’s latest National Risk Assessment — a periodic evaluation of the local financial system’s exposure to money laundering, terrorist financing, and related risks — rated the banking sector MediumHigh for money laundering risk and named gaps in customer verification and transaction monitoring as live vulnerabilities. The report noted that AI tools have made impersonation, document forgery, and identity fraud cheaper and faster to execute than at any previous point, and that the organised crime networks behind them are growing more sophisticated, not less.
The threat Dossiers is building against is not standing still. AI tools have made impersonation, document forgery, and identity fraud cheaper and faster to execute than at any previous point, and the organised crime networks behind them are growing more sophisticated, not less. Uswatte points out that any financial institution managing more than $100 million in assets is now a target for nation-state level actors with the resources and patience to match. Most Sri Lankan banks clear that threshold. “You could get a social engineering attack from North Korea,” he says, “and there’s no way to stop it unless you also adapt your system.”