
Introduction: The Reserve Bank of India (RBI) has taken supervisory action against Kotak Mahindra Bank Limited under Section 35A of the Banking Regulation Act, 1949, due to significant concerns regarding the bank’s IT infrastructure and risk management. This article examines the reasons behind the RBI’s directive, the implications for the bank, and the broader financial ecosystem.

Detailed Analysis: The RBI’s decision to direct Kotak Mahindra Bank to cease new customer onboarding through online and mobile channels, as well as issuing fresh credit cards, stems from a series of deficiencies and non-compliances identified during the RBI’s IT examinations in 2022 and 2023. These deficiencies encompass various critical areas such as IT inventory management, patch and change management, user access management, and data security. Despite repeated engagements and corrective action plans, the bank has failed to address these concerns effectively.

The inadequate IT infrastructure and risk management framework have led to frequent and significant outages in the bank’s core banking system and digital channels, causing disruptions to customer services. The recent service disruption on April 15, 2024, underscores the severity of the situation and the urgency for remedial actions. Furthermore, the exponential growth in digital transactions has exacerbated the strain on the bank’s IT systems, posing additional risks to operational resilience.

The RBI’s decision to impose business restrictions aims to safeguard customer interests and mitigate the potential systemic risks posed by prolonged IT outages. These restrictions will remain in place until the bank undergoes a comprehensive external audit, approved by the RBI, and addresses all identified deficiencies satisfactorily. Additionally, the RBI emphasizes that these restrictions do not preclude further regulatory or enforcement actions against the bank.

Conclusion: The supervisory action against Kotak Mahindra Bank by the RBI underscores the critical importance of robust IT governance and risk management in the banking sector. It highlights the imperative for banks to prioritize investment in resilient IT infrastructure to ensure uninterrupted services and safeguard customer trust. The outcome of the external audit and the bank’s remedial efforts will be crucial in determining the future trajectory of regulatory compliance and operational resilience in the banking industry.

RESERVE BANK OF INDIA

April 24, 2024

Supervisory Action against Kotak Mahindra Bank Limited under Section 35A of the Banking Regulation Act, 1949

The Reserve Bank of India has today, in exercise of its powers under Section 35A of the Banking Regulation Act, 1949, directed Kotak Mahindra Bank Limited (hereinafter referred to as ‘the bank’) to cease and desist, with immediate effect, from (i) onboarding of new customers through its online and mobile banking channels and (ii) issuing fresh credit cards. The bank shall, however, continue to provide services to its existing customers, including its credit card customers.

These actions are necessitated based on significant concerns arising out of Reserve Bank’s IT Examination of the bank for the years 2022 and 2023 and the continued failure on part of the bank to address these concerns in a comprehensive and timely manner. Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc. For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines. During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained.

In the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences. The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth.

In the past two years, the Reserve Bank has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory. It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems.

The Reserve Bank, therefore, has decided to place certain business restrictions on the bank as mentioned above, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems.

The restrictions now being imposed will be reviewed upon completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI, and remediation of all deficiencies that may be pointed out in the external audit as well as the observations contained in the RBI Inspections, to the satisfaction of the Reserve Bank. Further, these restrictions are without prejudice to any other regulatory, supervisory or enforcement action that may be initiated against the bank by the Reserve Bank.

(Yogesh Dayal)
Chief General Manager

Press Release: 2024-2025/172
