The Reserve Bank of India has instructed Kotak Mahindra Bank, a private sector lender, to stop issuing new credit cards and to suspend onboarding new customers through its online and mobile banking platforms. The RBI cited the bank’s failure to address deficiencies in its information technology systems as the reason for this action. Over the past two years, the bank experienced frequent outages in its core banking system and online channels, causing inconvenience to customers, according to the regulator.
The RBI stated that the bank remains authorized to serve its existing customers, including those with credit cards. The directive comes as a result of significant concerns raised during the Reserve Bank’s IT examination of the bank for the years 2022 and 2023, coupled with the ongoing failure of the bank to address these concerns in a comprehensive and timely manner.
The regulatory authority noted significant deficiencies and non-compliances across various areas, including IT inventory management, patch and change management, user access management, vendor risk management, data security, data leak prevention strategy, and business continuity and disaster recovery procedures.
“For two consecutive years, the bank’s IT Risk and Information Security Governance were deemed deficient, in contravention of regulatory guidelines,” stated the RBI.
“The bank demonstrated significant non-compliance with the Corrective Action Plans outlined by the RBI for both 2022 and 2023. The submissions made by the bank were found to be either insufficient, inaccurate or not maintained,” the statement continued.
The regulator emphasized that due to the absence of a robust IT infrastructure and IT Risk Management framework, the bank has experienced frequent and significant outages in its Core Banking System (CBS) and online banking channels over the past two years, with the most recent disruption occurring on April 15, 2024, resulting in considerable inconvenience to customers.
“The bank’s failure to develop IT systems and controls commensurate with its growth has led to a significant deficiency in establishing necessary operational resilience,” stated the RBI.
The RBI noted that it has engaged in high-level discussions with the bank regarding these concerns for the past two years to enhance its IT resilience, but the results have been unsatisfactory.
As per the regulator, there has been a swift expansion in the volume of the bank’s digital transactions, encompassing activities related to credit cards, thus intensifying the strain on the IT systems.
Kotak Mahindra Bank
Kotak Mahindra Bank Limited, based in Mumbai, is an Indian banking and financial services firm. It provides a range of banking products and financial services to both corporate and retail clients, covering personal finance, investment banking, life insurance, and wealth management sectors. With a market capitalization ranking it as India’s third largest private sector bank, following HDFC Bank and ICICI Bank, as of December 31, 2023, the bank operates 1,869 branches and 3,239 ATMs, along with branches in GIFT City and DIFC (Dubai).
Kotak Mahindra Bank’s Remark on RBI’s Instructions
In a statement, Kotak Mahindra Bank acknowledged receiving an RBI order directing a temporary pause in onboarding new customers via online and mobile banking channels and issuing fresh credit cards. The bank affirmed its commitment to enhancing IT systems through new technologies and collaborating with the RBI to resolve outstanding issues promptly.
“We assure our existing customers of uninterrupted services, including credit card, mobile, and net banking. Our branches remain open to welcome and serve new customers with all the bank’s services, except for issuing new credit cards,” the statement further emphasized.