
RBI Imposes Restrictions on Kotak Mahindra Bank for IT Non-compliance


An official directive from the Reserve Bank of India (RBI) came as a significant setback for Kotak Mahindra Bank, one of India’s prominent private banking institutions. On a recent Wednesday, the RBI issued an order that enforced stringent restrictions on the bank’s day-to-day operations. Citing “serious deficiencies” and continual “non-compliance” in the management of IT risks and information security, the RBI compelled the bank to halt the onboarding of new customers via its online and mobile platforms. The bank was also prohibited from issuing any new credit cards, effective immediately.

Kotak Mahindra Bank acknowledged the regulator’s order in a public statement. The bank confirmed the interim halt on onboarding new customers through its digital channels as well as the suspension of new credit card issuance. To rectify the situation, the bank emphasized its commitment to fortifying its IT infrastructure by adopting cutting-edge technologies. Determined to resolve the existing issues quickly, the bank assured its current customers that services such as credit card access and online banking would remain uninterrupted. New credit card issuance would be on hold, but its branches would remain operational and continue to onboard clients, with all other banking functionalities intact.

The Reserve Bank clarified that its unprecedented move stemmed from considerable issues found during the IT assessment of Kotak Mahindra Bank for the years 2022 and 2023. There was a clear emphasis on the bank’s persistent inability to address these concerns effectively or in a timely manner. Specific shortcomings were pinpointed in areas such as IT inventory management, patch and change management, user access management, vendor risk management, data protection, leakage prevention strategies, and the rigor of disaster recovery processes, as per RBI’s findings.

Further assessments revealed the bank’s significant deviations from compliance with the corrective action plans imposed by the RBI for the said years, with the bank’s responses being dismissed as “either inadequate, incorrect or not sustained.” Moreover, the RBI highlighted that Kotak Mahindra Bank faced several considerable disruptions over the past two years. One of the most recent incidents was a service outage on April 15, 2024, which severely impaired customer services.

The RBI’s action against Kotak Mahindra Bank was taken under Section 35A of the Banking Regulation Act, 1949, granting the RBI authority to intervene when a banking company’s operations are deemed detrimental to the interests of depositors or preemptively if they compromise the interests of the banking institution itself. Kotak Mahindra Bank was found “materially deficient in building necessary operational resilience,” a critical fault attributed to the bank’s failure to construct IT systems and controls that scaled with its growth.

Despite engaging continuously at high levels with Kotak Mahindra Bank to enhance the robustness of its IT infrastructure, the RBI found the results unsatisfactory. There was also concern over the sharp escalation in the bank’s digital transactions, including those related to credit cards, which added stress on its IT systems.

This recent action by the RBI echoes its intent to safeguard the banking customers and preempt any potential prolonged outages that could disrupt not only the bank’s ability to deliver customer service but also the broader financial ecosystem of digital banking and payment systems. Nonetheless, the RBI made it clear that Kotak Mahindra Bank could still cater to the requirements of its existing client base, including credit card holders. Current figures indicate that as of March 2024, the bank held a total of 59.54 lakh credit cards.

The bank’s scrip closed at Rs 1,843.05 apiece, up 1.64 percent, on the day the news broke.

The Reserve Bank of India has a history of taking decisive actions against banking entities for non-adherence to regulatory requirements. For example, the RBI directed Bank of Baroda to halt customer onboarding on its “bob World” mobile application in response to reports of fraudulent client registrations. Similarly, in December 2020, the RBI temporarily froze all new digital initiatives and credit card sourcing of HDFC Bank due to repeated incidents of system outages spanning two years, a decision later reversed following remedial measures. These interventions reinforce the central bank’s vigilant approach to overseeing the banking sector and ensuring compliance with guidelines, with the underlying objective of protecting the interests of bank customers and maintaining the stability of the financial industry.
