RBI Limits Credit Cards and Online Accounts for Kotak Mahindra Bank
The RBI observed that the bank's digital banking channels have experienced frequent disruptions as a result of the lack of a strong IT infrastructure.
New Delhi: The Reserve Bank of India has, with immediate effect, prohibited Kotak Mahindra Bank from onboarding new clients online and from issuing new credit cards due to data security concerns and inadequate IT infrastructure. Nonetheless, the bank is still able to serve its existing customers, including credit card holders.
"In the exercise of its authority under Section 35A of the Banking Regulation Act, 1949, the Reserve Bank of India has today ordered Kotak Mahindra Bank Limited (henceforth referred to as 'the bank') to immediately stop (i) onboarding new customers through its online and mobile banking channels and (ii) issuing new credit cards. However, the bank will keep offering services to its current customers, which includes those who use credit cards," a statement from the central bank stated.
The RBI stated that the measures are motivated by "significant concerns arising out of Reserve Bank's IT Examination of the bank for the years 2022 and 2023 and the continued failure on part of the bank to address these concerns in a comprehensive and timely manner".
"Serious deficiencies" were found in Kotak Mahindra Bank's data security and IT inventory management systems. Serious flaws and non-compliances were found in IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention plan, business continuity and disaster recovery rigor and drill, etc. In violation of regulatory norms, the bank was found to have inadequate information security governance and IT risk management for two years in a row, according to the RBI.
"During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained," it stated.
The RBI observed that the bank's digital banking channels had experienced frequent breakdowns and inconvenienced consumers as a result of the lack of a strong IT infrastructure.
"The bank's Core Banking System (CBS) and its online and digital banking channels have experienced frequent and significant outages in the last two years due to a lack of a strong IT infrastructure and IT Risk Management framework. The most recent outage was a service disruption on April 15, 2024, which caused significant inconveniences for customers. Because the bank failed to develop IT systems and controls in line with its expansion, it was determined that it was materially lacking in the development of the operational resilience that was required," the statement read.
"To improve the bank's IT resilience, the Reserve Bank has been in constant high-level engagement with it over the last two years, but the results have been far from sufficient. The volume of the bank's digital transactions, notably those involving credit cards, has also been noticed to have grown quickly recently," the RBI said. This has put additional pressure on the IT infrastructure.
According to the central bank, in the best interests of its clients, it has chosen to impose some restrictions on the bank. "The Reserve Bank, therefore, has decided to place certain business restrictions on the bank as mentioned above, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank's ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems," said the RBI.
The central bank stated that following an audit and corrective actions, the curbs will be reviewed. "After a thorough external audit, to be commissioned by the bank with RBI's prior approval, is completed and all deficiencies found in the external audit and RBI Inspection observations are addressed to the Reserve Bank's satisfaction, the current restrictions will be reevaluated. Furthermore, the Reserve Bank may take additional regulatory, supervisory, or enforcement action against the bank without prejudice as a result of these limits," the RBI stated.
About Kotak Mahindra Bank
When Uday Kotak established Kotak Capital Management Finance, an investment and financial services firm, in 1985, Kotak Mahindra's journey officially began. The business was renamed Kotak Mahindra Finance after Anand and his father Harish Mahindra made investments in it the next year.
Kotak Mahindra Finance Ltd. became the first non-banking finance company in India to become a bank in 2003 after obtaining a banking licence from the RBI. The bank today provides a wide range of services, including investment banking, mutual funds, stock broking, insurance, and commercial banking.
The bank has 3,239 ATMs, 1,869 branches, and 4.8 crore customers as of December 31 of last year.