The Reserve Bank of India (RBI) has taken strict action against Kotak Mahindra Bank Limited by prohibiting it from onboarding new customers through its online and mobile banking platforms and from issuing new credit cards with immediate effect. However, the bank is permitted to continue offering services to its existing customers, including credit card services.
This decisive action stems from grave concerns raised during RBI’s IT examination of the bank for the years 2022 and 2023. Despite persistent efforts by the RBI to address these concerns through corrective action plans, Kotak Mahindra Bank has failed to rectify the situation comprehensively and promptly.
The RBI’s examination revealed severe deficiencies and non-compliances in crucial areas such as IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery preparedness, and more.
For two consecutive years, the bank has been deemed inadequate in its IT Risk and Information Security Governance, falling short of the requirements set forth by regulatory guidelines. Subsequent assessments have shown the bank to be significantly non-compliant with the RBI’s Corrective Action Plans for 2022 and 2023, with the bank’s submissions found to be unsatisfactory, inaccurate, or unsustainable.
The RBI has expressed concern that the bank’s Core Banking System (CBS) and its online and digital banking channels have experienced frequent and significant outages in the last two years due to the absence of a robust IT infrastructure and IT Risk Management framework. The most recent outage occurred on April 15, 2024, causing significant inconvenience to customers.
The RBI has found that Kotak Bank fell short in establishing the necessary operational resilience because it failed to develop IT systems and controls commensurate with its growth. Despite ongoing engagement with the bank to enhance its IT resilience, the outcomes have been unsatisfactory. The RBI has also observed a rapid surge in the volume of the bank’s digital transactions, including credit card-related transactions, which is straining its IT systems further.
To safeguard customers and avert any potential prolonged outage that could severely impair the bank’s service delivery and the digital banking and payment systems’ ecosystem, the RBI has decided to impose these business restrictions on the bank. The restrictions will be reassessed upon completion of a comprehensive external audit commissioned by the bank with the RBI’s prior approval. The audit will identify and address all deficiencies and the concerns raised in the RBI’s inspections to the satisfaction of the Reserve Bank.
These restrictions are imposed without prejudice to any other regulatory, supervisory, or enforcement actions that the RBI may take against the bank.