In a tough disciplinary action, the Reserve Bank of India (RBI) on Wednesday barred Kotak Mahindra Bank from issuing fresh credit cards and onboarding new customers through online and mobile banking channels.
The RBI cited “serious deficiencies” in the private lender’s IT system and repeated failures to fix them as the reason for its action. In 2022 and 2023, the central bank’s IT examination of Kotak had thrown up these “significant concerns”.
However, services to existing customers, including credit card holders, will not be impacted, RBI said.
“The Reserve Bank of India has today, in exercise of its powers under Section 35A of the Banking Regulation Act, 1949, directed Kotak Mahindra Bank Limited (hereinafter referred to as ‘the bank’) to cease and desist, with immediate effect, from (i) onboarding of new customers through its online and mobile banking channels and (ii) issuing fresh credit cards. The bank shall, however, continue to provide services to its existing customers, including its credit card customers,” the RBI statement read.
Significant step
The action is significant because digital channels have become the primary means for private lenders to conduct business.
According to the bank’s investor presentation in the third quarter of 2023-24, 95% of its new personal loans, 99% of new credit cards, and 79% of its new business loans are done digitally. The bank has also booked 90% of its new investment accounts through digital or do-it-yourself channels.
The RBI’s decision was triggered by significant deficiencies and non-compliances observed during the central bank’s IT examination of the bank for two consecutive years, 2022 and 2023. The bank failed to address these concerns.
Serious shortcomings
The RBI noted serious shortcomings in areas such as IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, among others.
Despite the RBI issuing corrective action plans for both years, the bank remained non-compliant, with inadequate, incorrect, or unsustainable compliances submitted by the bank.
In the past two years, the RBI has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory, the bank stated.
There has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems, the RBI noted.
Independent audit
The RBI has mandated that the current limitations will undergo a thorough assessment following the conclusion of an extensive independent audit. This audit will be initiated by the bank, subject to prior authorisation from the RBI.
Further, all shortcomings identified during the audit, as well as the findings outlined in the RBI Inspections, must be adequately addressed and rectified to the satisfaction of the RBI before the restrictions can be lifted, the central bank has said.
Also Read: Navsari Varsity Grows Less Sweet Mangoes Preferred In West