Setback For Kotak Mahindra Bank, RBI Bars It From Onboarding Customers Online, Issuing Credit Cards

Taking strong action over repeated non-compliance with IT norms, the Reserve Bank of India today barred Kotak Mahindra Bank Limited from onboarding new customers through online/mobile banking methods and also from issuing new credit cards with immediate effect. The RBI said it took the action under Section 35A of the Banking Regulation Act, 1949.

The RBI said in a statement, "The Reserve Bank of India has today, in the exercise of its powers under Section 35A of the Banking Regulation Act, 1949, directed Kotak Mahindra Bank Limited (hereinafter referred to as ‘the bank’) to cease and desist, with immediate effect, from (i) onboarding of new customers through its online and mobile banking channels and (ii) issuing fresh credit cards. The bank shall, however, continue to provide services to its existing customers, including its credit card customers."

Why The Action?

Detailing why the action was taken against the private sector bank, the RBI said, "These actions are necessitated based on significant concerns arising out of Reserve Bank’s IT Examination of the bank for the years 2022 and 2023 and the continued failure on the part of the bank to address these concerns in a comprehensive and timely manner. Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc."

The RBI said that for two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines. "During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained," said RBI adding that the lack of robust IT infrastructure and IT Risk Management framework in the past led to significant outages, resulting in serious customer inconveniences.

Action After High-Level Engagement: RBI

The central bank further said that in the past two years, the Reserve Bank has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory. "It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems. The Reserve Bank, therefore, has decided to place certain business restrictions on the bank as mentioned above, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems," said the RBI.

It also said that the restriction will be removed once the bank completes all compliance requirements.