RBI directs Kotak Bank to cease accepting new clients for credit cards, internet banking, and mobile banking
With immediate effect, the Reserve Bank of India ordered Kotak Mahindra Bank “to cease and desist, from onboarding new customers through its online and mobile banking channels as well as from issuing fresh credit cards,” dealing a serious blow to the bank.
Following similar actions on several other lenders and payment companies in the lending/payments space, the most recent regulatory action targets the fourth-largest private sector lender, whose founder, Uday Kotak, is the wealthiest banker in all of Asia and has been attempting to assume the role of thought-leader in the domestic private sector banking space. However, this is the largest fine imposed on a major commercial bank.
“The Reserve Bank’s IT inspection of the bank for the years 2022 and 2023 raised serious issues, and the bank has been failing to resolve these problems thoroughly and promptly, which is why these steps are necessary. The regulator stated that serious flaws and violations were found in the areas of vendor risk management, business continuity, disaster recovery drills, patch and change management, user access management, data security, and data leak prevention strategy.
The third-largest private sector lending bank, according to the monetary regulator, will keep offering services to its current clients, including those who use credit cards.
“The bank has taken measures for adoption of new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve other issues at the earliest,” the bank management said in a late-evening statement.
The bank wants to reassure consumers that services, such as credit cards, mobile banking, and online banking, will continue unabated, according to the statement. With the exception of issuing new credit cards, our offices still greet and enroll new clients and provide other services.
The RBI had earlier, in late January, prohibited Paytm Payments Bank from carrying out almost all of its operations. Initially, it was instructed by the RBI to cease accepting new clients as of March 1. Subsequently, the deadline was moved to March 15, thereby ending its operations due to several regulatory violations, including the crucial KYC standards.
The monetary authorities forbade nonbank participant IIFL Finance from carrying on with its substantial gold loan business in early March. A week later, it forbade JM Financial from carrying on with its loan against shares activity.
The RBI had requested that HDFC Bank, the industry leader in credit card sales, stop accepting new applicants a few years before due to inadequate IT infrastructure; Kotak’s punishment was also related to similar violations.
Uday Kotak started his career as a bill discounting agent in the 1980s. He later moved into stockbroking, NBFC, and commercial banking in the late 1990s. However, his issues with the RBI reached a peak in August 2018, when he was required to reduce his ownership to 20% by the end of the company’s 15-year operation, per banking regulations. However, he chose to issue equity but subordinate securities in the form of nonconvertible permanent noncumulative preference shares.
Earlier in August 2018, Kotak attempted to sell nonconvertible perpetual noncumulative preference shares to a group of investors in an attempt to reduce his position to the required 20 percent.
The approach was rejected by the RBI under Urjit Patel, who said that “it does meet their promoter holding dilution requirement.” However, the bank justified the transaction in a regulatory statement, stating that it thought the stake dilution plan satisfied the RBI criteria and that it would keep in contact with the central bank about the matter.
The bank quickly moved the court, and the case was eventually resolved out of court, giving Kotak additional time to reduce the shareholding.
His abrupt decision to leave the bank in October 2023, only months before his tenure as managing director was set to expire due to RBI restrictions, was another problem. When the RBI rejected every internal candidate put out by the bank management and instead selected Ashok Vaswani, an ex-Citigroup employee who most recently worked at Barclays, in October 2023, the battle with Mint Road resumed.
The RBI went on to provide further justification for the harsh move, stating that the bank had been deemed to have inadequate information security and IT risk governance for the previous two years, which was in violation of regulatory norms. In the course of the ensuing examinations, the bank’s compliances with the corrective action plans issued by the Reserve Bank for the years 2022 and 2023 were determined to be either insufficient, erroneous, or not maintained, resulting in a major non-compliant situation.
The bank’s online and digital banking channels, as well as its core banking system, have experienced frequent and significant outages in the last two years due to a lack of a strong IT infrastructure and IT risk management framework. The most recent outage occurred on April 15, 2024, and caused significant inconveniences for customers, according to the circular.
“The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth,” stated the Bundesbank.
To increase the bank’s IT resilience, the Reserve Bank has been in constant high-level communication with it over the last two years, but the results have been far from ideal, the bank said. Additionally, it said that the amount of the bank’s digital transactions, notably those using credit cards, has recently increased quickly, placing additional strain on the IT infrastructure.
“Therefore, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems, the Reserve Bank has decided to place certain business restrictions on the bank as mentioned above,” the statement read.
Additionally, the bank has to commission “a comprehensive external audit with the prior approval of RBI.” The bank’s management was not immediately reachable for comment.
