The Reserve Bank of India (RBI) has exercised its authority under Section 35A of the Banking Regulation Act, 1949, to instruct Kotak Mahindra Bank Limited to immediately cease onboarding new customers via its online and mobile banking channels and to discontinue the issuance of fresh credit cards.
This decision comes as a result of grave concerns arising from the RBI’s IT examination of the bank for the years 2022 and 2023, coupled with the bank’s failure to comprehensively address these concerns in a timely manner. The RBI identified serious deficiencies and non-compliances in various critical areas, including IT inventory management, patch and change management, user access management, vendor risk management, data security, and business continuity.
Furthermore, despite the issuance of corrective action plans by the RBI for the aforementioned years, Kotak Mahindra Bank was found to be significantly non-compliant, with submitted compliances being deemed inadequate, incorrect, or unsustainable.
The bank’s lack of a robust IT infrastructure and risk management framework has led to frequent and substantial outages in its Core Banking System (CBS) and digital banking channels over the past two years, culminating in a disruptive service outage on April 15, 2024.
In response to these issues, the RBI has imposed certain business restrictions on the bank to safeguard customer interests and prevent prolonged outages that could adversely impact not only the bank’s ability to provide efficient customer service but also the broader financial ecosystem of digital banking and payment systems.
These restrictions will remain in place until the completion of a comprehensive external audit commissioned by Kotak Mahindra Bank, with RBI approval, and the remediation of all identified deficiencies to the satisfaction of the Reserve Bank. Additionally, the imposed restrictions are independent of any other regulatory or enforcement actions that the RBI may undertake against the bank.
The RBI’s directive underscores the critical importance of robust IT infrastructure and risk management practices in ensuring the stability and resilience of banking operations, particularly in the digital era.