The Reserve Bank of India (RBI) has imposed severe restrictions on Kotak Mahindra Bank, the third most valuable private bank in India, due to its failure to address IT system issues over the last two years. The bank was instructed to cease certain operations “immediately” while assuring customers of uninterrupted services. Kotak Mahindra Bank is enhancing its IT systems and remains committed to resolving concerns with the RBI.
The Reserve Bank of India (RBI) prohibited Kotak Mahindra Bank from enrolling new customers via its online and mobile banking platforms, and issuing new credit cards, marking some of the strictest restrictions imposed on a scheduled bank. The regulator stated that Kotak had not rectified its IT systems despite continuous directives over the past two years.
Kotak Mahindra Bank’s Response to RBI Directive and RBI’s Concerns:
Confirming receipt of the RBI order, Kotak Mahindra Bank stated: “We have received an RBI directive to temporarily halt onboarding new customers via our online and mobile banking channels, and issuing fresh credit cards. The Bank is enhancing its IT systems with new technologies and remains committed to promptly resolving outstanding issues with the RBI. We assure our existing customers of uninterrupted services, including credit card, mobile, and net banking.” The bank mentioned that its branches are still accepting new customers and offering all services except for new credit card issuance.
The RBI cited substantial concerns from its IT examination of the bank in 2022 and 2023, coupled with the bank’s persistent failure to comprehensively and promptly address these concerns, as the basis for its decision.
“Significant shortcomings and breaches were noted in IT inventory management, patch and change management, user access management, vendor risk management, data security, data leak prevention strategy, business continuity, and disaster recovery readiness and testing,” stated the RBI in a release.
The banking regulator reported that in subsequent assessments, the bank was notably non-compliant with the corrective action plans prescribed by the RBI for 2022 and 2023; the bank’s submissions were deemed “insufficient, inaccurate, or not maintained.”
“Due to a lack of a sturdy IT infrastructure and IT risk management framework, the bank has experienced frequent and substantial outages in its Core Banking System (CBS) and online/digital banking channels over the past two years, with the latest incident occurring on April 15, 2024, causing significant customer disruptions,” stated the RBI.
Under Section 35A of the Banking Regulation Act, 1949, the RBI has authority to issue directives “to prevent the affairs of any banking company being conducted in a manner detrimental to the interests of the depositors or in a manner prejudicial to the interests of the banking company.” The RBI determined the private sector lender to be “substantially lacking in establishing requisite operational resilience, due to inadequate development of IT systems and controls relative to its expansion.”
RBI’s Efforts and Imposed Business Limitations on Kotak Mahindra Bank:
The RBI has maintained ongoing high-level communication with the bank over the past two years regarding these concerns, aiming to enhance its IT resilience; however, the results have been notably unsatisfactory, the release stated. Additionally, recent growth in the volume of the bank’s digital transactions, including credit card transactions, has added strain on the IT systems, it added.
The RBI announced its decision to impose specific business limitations on the bank to safeguard customer interests and prevent potential extended outages, which could significantly disrupt both the bank’s service efficiency and the financial digital banking and payment systems ecosystem. Nonetheless, the bank affirmed its commitment to serving its current customers, including those with credit cards.
The Reserve Bank of India directed Kotak Mahindra Bank to halt new customer onboarding through its online and mobile banking channels and cease issuing fresh credit cards immediately due to IT deficiencies and non-compliance.
In response to a media report in July 2023 alleging bank employees’ involvement in fraudulent customer onboarding on its “bob World” mobile banking app, RBI instructed Bank of Baroda to cease new customer registrations on the platform.
In December 2020, RBI directed HDFC Bank to halt all launches of digital business activities under the ‘Digital 2.0’ program and acquiring new credit card customers temporarily. This followed incidents of outages in the bank’s internet and mobile banking, and payment utilities over the previous two years. The restrictions were subsequently removed.
You might also be interested in – Anil Ambani faces a setback as SC cancels Rs 8,000 crore arbitral award favoring Rel Infra arm.
