The Reserve Bank of India (RBI) on Wednesday restricted Kotak Mahindra Bank from onboarding new customers through online and mobile banking channels. It also directed the bank to stop issuing new credit cards.
The bank was under scanner after the central bank conducted an examination of its IT systems in the last two years. The RBI noted that the bank’s “continued failure” to address concerns.
However, the central bank clarified that the ban will not impact existing customers and Kotak can continue to provide services to them, including its credit card customers.
Explaining this further, Kotak Mahindra Bank Ltd issued a statement and said that it has taken measures for adoption of new technologies to strengthen its IT systems.
“We have received an order from the RBI which directs us to temporarily pause onboarding of new customers through our online and mobile banking channels and issuance of fresh credit cards. The Bank has taken measures for adoption of new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve balance issues at the earliest. We want to reassure our existing customers of uninterrupted services, including credit card, mobile and net banking. Our branches continue to welcome and onboard new customers, providing them with all the Bank’s services, other than the issuance of new credit cards,” the bank said in the statement.
In a press release dated April 24, 2024, the RBI stated,”…Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch, and change management, user access management, vendor risk management, data security, and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc. For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines. During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained.”
Here is what the RBI said:
These actions are necessitated based on significant concerns arising out of Reserve Bank’s IT Examination of the bank for the years 2022 and 2023 and the
continued failure on part of the bank to address these concerns in a comprehensive and timely manner.
Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc.
For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines.
During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained.
In the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences.
The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth.
What happended on April 15, 2024
Many customers of the Kotak Mahindra Bank could not access the bank’s mobile application on April 15, 2024. The users express their dissatisfaction on social media platforms and said that the services such as net banking, UPI, and debit card transactions not going through as well.
In reply, the bank said: “We regret to inform you that our technical servers are currently experiencing intermittent slowness. We are working diligently to resolve the issue & restore services as soon as possible. We apologise for any inconvenience this may cause & appreciate your patience & understanding.”
“The supervisory action against Kotak Mahindra Bank Limited is part of RBI’s overall supervision, under their corrective action plan framework, where RBI has observed certain issues related to IT infrastructure. The present ban on Kotak should not impact its existing customers including its credit card customers and the operations would ordinarily continue. That being said, owing to Kotak’s IT infrastructure systems, existing customers may be impacted by the online banking services. Further, Kotak will not be able to open a bank account through Kotak’s online and mobile banking channels, although continue to enroll new customers for their bank account through its offline banking channels. For credit cards, Kotak will not be able to issue new cards altogether but continue to service existing customers, including renewals of credit cards. These restrictions generally continue until Kotak upgrades its IT infrastructure and IT risk management framework to the satisfaction of RBI,” said Kinjal Champaneria, Partner, Solomon & Co.
“In its rigorous oversight of compliance and risk management, the Reserve Bank of India has mandated Kotak Mahindra Bank to temporarily suspend the onboarding of new customers and issuance of fresh credit cards. This decisive action underscores the critical importance of adhering to stringent IT security measures and regulatory guidelines to safeguard the integrity of banking operations and protect the broader financial ecosystem. The RBI’s intervention highlights the necessity for continuous improvement in governance frameworks to ensure robust and resilient digital banking services,” said Nilesh Tribhuvann, Managing Partner, White & Brief – Advocates & Solicitors.