Kotak Mahindra Bank: The Reserve Bank of India (RBI) has imposed restrictions on Kotak Mahindra Bank from using mobile and internet channels for onboarding new clients and issuing new credit cards for failing to create IT systems and controls in line with its growth, resulting in major inadequacies and non-compliance with regulatory obligations.
According to the RBI’s press statement, “these actions are necessary due to major concerns raised by the Reserve Bank’s IT examination of the bank for 2022 and 2023, as well as the bank’s continuous failure to address these problems thoroughly and swiftly.”
The Reserve Bank’s IT Examination of the bank for 2022 and 2023 raised serious issues, and the bank has continued to fail to address these problems thoroughly and promptly, according to the press statement from the Reserve Bank. This has made these steps necessary. Because the bank failed to develop IT systems and controls in line with its expansion, the RBI stated in a press release that the bank is determined to be materially weak in establishing the essential operational resilience.
It also found serious deficiencies and noncompliances in Kotak Mahindra Bank’s IT inventory management, patch and change management, user access management, vendor risk management, data security and leak prevention strategy, business continuity and disaster recovery rigor and drill. Interestingly, the press notice stated that the bank was found to be lacking in its IT Risk and Information Security Governance in comparison to regulatory criteria for two years in a row.
After the bank’s compliance were determined to be insufficient, inaccurate, or not sustained, the bank was judged to be severely non-compliant with the Corrective Action Plans that the Reserve Bank had issued for 2022 and 2023. The order also stated that in the absence of a strong IT infrastructure and an IT Risk Management framework, the bank’s core banking system, as well as its online and digital banking channels, have experienced frequent and significant outages over the last two years, the most recent of which was a 10-hour service disruption on April 15, 2024.
Section 35A of the Banking Regulation Act was the legal basis for the restrictions. This section is used instead of the public interest, banking policy interests, or when a bank’s operations harm depositors or the bank’s interests. According to the RBI’s press release, the action against the bank was taken to avoid a possible extended outage that might have a negative impact not only on the bank’s capacity to provide efficient customer service, but also on the financial ecosystem of digital banking and payment systems.
Imposed as a ‘stop and desist’ order, any deviation or noncompliance would result in severe penalties from the regulator. The limits may be removed following a full external audit conducted by the bank with RBI clearance and the completion of the corrective activities identified therein to the satisfaction of the RBI.
In response to the RBI decision, Kotak Mahindra Bank stated that it has made steps to enhance its IT systems by adopting new technology, and it will continue to cooperate with the RBI to fix balance issues as soon as possible.We would like to reassure our current clients that their net banking, credit card, and mobile services will not be affected. The bank states that its branches are still accepting new customers and onboarding them, providing them with all of the bank’s services, with the exception of issuing new credit cards.
Past cases
This is the third instance of imposing business limits among banks (see table), and interestingly, after the curbs placed on IIFL Finance and JM Financial earlier this year, Kotak Bank is the third incidence of bans imposed on regulated firms so far in 2024.
However, in comparison to the situations involving HDFC Bank and Bank of Baroda’s mobile banking app (bob World), the penalty taken against Kotak Bank appears to be the most rigorous. Curbs on Bob World have yet to be eliminated, and it took HDFC Bank nearly two years to address the faults identified by the regulator.
