RBI cracks down on Kotak Mahindra Bank; bars onboarding new customers through online, mobile banking and issuing new credit cards

RBI's action came after Kotak Mahnidra Bank didn't address the concerns raised by RBI in the past 2 years.

Trade

• Watchlist
• Portfolio
• Message
• Set Alert

 

 

live

• bselive
• nselive

Volume

Todays L/H

More

×

In a major regulatory move, the Reserve Bank of India (RBI) on April 24 barred Kotak Mahindra Bank (KMB) from onboarding new customers through its online and mobile banking channels and issuing fresh credit cards, citing supervisory concerns over its technology platforms. The actions followed an RBI examination of the bank's IT systems over the last two years and the bank’s “continued failure” to address concerns, the central bank said.

The ban will not impact existing customers and Koak can continue to provide services to them, including its credit card customers, the RBI said.

The action will likely impact new customer acquisition of Kotak Mahindra Bank as a significant portion of new account openings happen through online and mobile banking channels. Also, the RBI action is bad news for KMB's credit card business as well. As per experts, the central bank's ban on issuing new credit cards could impact the bank’s co-branded credit card deals.

"These actions are necessitated based on significant concerns arising out of
Reserve Bank’s IT Examination of the bank for the years 2022 and 2023 and the continued failure on part of the bank to address these concerns in a comprehensive and timely manner," RBI said.

According to the central bank, serious deficiencies and non-compliance were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, and so on.

Explaining the action, the RBI said for two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under regulatory guidelines.

What triggered the RBI action?

During subsequent assessments, Kotak Mahindra was found to be
significantly non-compliant with the corrective action plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained, the central bank said.

"In the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024,  resulting in serious customerinconveniences," the  RBI said.

During the investigations, the RBI found that the bank is  materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth.

RBI engagement in last 2 years

In the past two years, the regulator has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory, the RBI said.

"It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems," the RBI added.

Action in the interest of customers

Explaining the logic behind its move, the RBI said it decided to place certain business restrictions on the bank in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems.

However, the RBI said the restrictions now being imposed will be reviewed upon completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI and remediation of all deficiencies that may be pointed out in the external audit.

Further, review of the decision will also be based on the observations contained in the RBI Inspections and to the satisfaction of the Reserve Bank, the press release  said.

"Further, these restrictions are without prejudice to any other
regulatory, supervisory or enforcement action that may be initiated against the bank by the Reserve Bank," the central bank added.

Not the first time

Back in 2020, the RBI had  announced a similar action against HDFC Bank when it asked the country's largest private sector lender to put all new digital launches on hold till the bank resolve  tech issues. HDFC Bank was barred from launching any new digital products or services and issuing new credit cards as a penalty for repeated instances of outages in its online platforms.

Later, in August 2021, the RBI partially revoked the ban on the bank allowing it to issue new credit cards. Later in March, 2022, the bank informed the exchanges that the RBI has lifted the restrictions that were placed on the fresh digital launches of HDFC Bank.

The RBI had cited similar technology-related concerns as in the case Kotak Mahindra Bank while taking action against HDFC Bank after repeated outages at the lender's data centre. The restrictions barred HDFC Bank from launching any of the activities planned under the Digital 2.0 programme as well as the sourcing of new credit cards.

The RBI had also asked the bank to fix accountability in the matter pertaining to the data centre outages, and examine reasons behind the lapses. Subsequently, an audit was carried out and the bank submitted a roadmap to the central bank.

Shars of KMB ended at Rs 1842.95 apiece on BSE, up 1.65 per cent from previous close, while benchmark sensex ended nearly flat.