The Reserve Bank of India has barred Kotak Mahindra Bank from onboarding new customers through its online and mobile banking channels and from issuing fresh credit cards, for failing to build IT systems and controls commensurate with its growth, which led to serious deficiencies and non-compliances with regulatory requirements.

According to RBI’s press release, “These actions are necessitated based on significant concerns arising out of Reserve Bank’s IT Examination of the bank for 2022 and 2023 and the continued failure on part of the bank to address these concerns in a comprehensive and timely manner”.

RBI’s press note specified that the bank is found to be “materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth”.

It further added that serious deficiencies and non-compliances were observed in Kotak Mahindra Bank’s IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, and business continuity and disaster recovery rigour and drills. Notably, the press note pointed out that for two consecutive years the bank was found deficient in its IT Risk and Information Security Governance vis-à-vis the regulatory requirements.

The press release added: “During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained”. The order also noted that, in the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s core banking system and its online and digital banking channels have suffered frequent and significant outages over the last two years, the most recent being a 10-hour service disruption on April 15, 2024.

Ban implications

The curbs have been imposed under section 35A of the Banking Regulation Act. This section is invoked in the public interest, in the interest of banking policy, or when the affairs of a bank are detrimental to depositors or prejudicial to the interests of the bank. RBI’s press release notes that the action was taken to prevent any possible prolonged outage which could seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems.

Since the restrictions are imposed as a ‘cease and desist’ order, any deviation or non-compliance would attract very high penal action by the regulator. The curbs may be removed only after the bank completes a comprehensive external audit, with RBI’s approval, and the remedial actions identified by that audit are complied with to RBI’s satisfaction.

Reacting to the RBI order, Kotak Mahindra Bank said it has taken measures to adopt new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve the remaining issues at the earliest. “We want to reassure our existing customers of uninterrupted services, including credit card, mobile and net banking. Our branches continue to welcome and onboard new customers, providing them with all the bank’s services, apart from issuance of new credit cards,” the bank said.

Past cases

This is the third instance of business restrictions being imposed on a bank (see table). Incidentally, following the curbs placed on IIFL Finance and JM Financial earlier this year, Kotak Bank is also the third regulated entity to face such a ban so far in 2024.

However, compared to the HDFC Bank and Bank of Baroda mobile banking app (bob World) cases, the action taken on Kotak Bank appears to be the most stringent. The curbs on bob World are yet to be removed, while it took HDFC Bank almost two years to remedy the deficiencies pointed out by the regulator.