In yet another strong regulatory action, the Reserve Bank of India (RBI) on Wednesday directed private sector bank Kotak Mahindra Bank to cease and desist from onboarding new customers through its online and mobile banking channels with immediate effect. The RBI also ordered the bank to stop issuing fresh credit cards.
However, the RBI directed the bank to continue providing services to its existing customers, including credit card customers.
The RBI order means that Kotak Mahindra Bank can’t issue any new credit cards. But its existing credit card customers will not be impacted, and they can continue using their cards. As for the order on onboarding new customers, it means that people can no longer open accounts with Kotak Mahindra Bank using its online platform or mobile banking app. This is a relatively new service currently being offered by some banks, letting people open new accounts without visiting a branch of the bank. The accounts are opened through an online portal or mobile banking app using Aadhaar-based authentication.
This means that while people can’t open new accounts with Kotak Mahindra Bank using the portal or the mobile app, they can still physically visit a branch of the bank to open a new account. Moreover, the existing customers of the bank will not be impacted by this order.
As a result, the RBI order will not impact the existing banking and credit card customers of the bank. However, now nobody can get a new credit card from the bank, and nobody can open a new account through the bank’s online portal or the mobile banking app.
In a statement issued on 24 April, India’s central bank said that the action was necessary due to the continued failure of the bank to improve its IT infrastructure. As per RBI, serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc.
The RBI had conducted a comprehensive IT examination of Kotak Mahindra Bank, during which the shortcomings were identified and the bank was asked to rectify them. But even after two years, the bank failed to implement the corrective action plans issued by the RBI, forcing the regulator to impose the restrictions. RBI stated, “During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained.”
According to the statement, Kotak Mahindra Bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, due to the absence of a robust IT infrastructure and IT Risk Management framework. The latest such incident took place on 15 April 2024. As per RBI, the bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth.
For the last two years, RBI has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory. Moreover, the bank’s digital transactions have increased significantly recently, including credit card transactions, putting more pressure on the bank’s IT systems.
As a result, RBI has decided to impose the restrictions on the bank, to prevent any serious failure of the bank’s IT systems. The restrictions will be reviewed after the completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI, and remedial measures taken to resolve all issues identified by the external auditor.