RBI forbids Kotak Mahindra Bank from providing new credit cards and enrolling new clients online

The RBI on Wednesday prohibited Kotak Mahindra Bank from accepting new clients through its online and mobile banking channels and from issuing new credit cards with immediate effect, taking action against the lender’s persistent noncompliance with IT regulations. The regulator discovered “serious deficiencies” in the lender’s IT risk management.

The Reserve Bank’s IT inspection of the bank for the years 2022 and 2023 raised serious issues, which the RBI stated made these steps necessary. The bank has been failing to address these problems thoroughly and promptly.

In the meantime, Kotak Mahindra Bank released a statement stating that it has strengthened its IT systems by adopting new technologies and that it will keep collaborating with RBI to promptly address balance concerns as soon as possible.

After many instances of technology failures at the firm, the RBI banned HDFC Bank from issuing new cards and starting new digital ventures in December 2020, in a move that was almost identical. In March 2022, the limitations were subsequently removed.

“Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc.” the RBI stated in a statement about the supervisory action against Kotak Mahindra Bank.

With immediate effect, Kotak Mahindra Bank has been instructed “to cease and desist” from onboarding new clients via its mobile and internet banking platforms and from providing new credit cards.

But the bank will keep offering services to its current clientele, which includes credit card holders, according to the RBI.

According to regulatory criteria, the bank was found to have inadequate information security governance and IT risk management for two years in a row, the RBI said.

“The bank’s compliances were found to be either inadequate, incorrect, or not sustained during the subsequent assessments, which revealed the bank to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023,” the RBI said.

The RBI said that the bank’s Core Banking System (CBS) and its online and digital banking channels have experienced frequent and significant outages in the last two years due to a lack of a strong IT infrastructure and IT Risk Management framework. The most recent outage was a service disruption on April 15, 2024, which caused significant inconveniences for customers.

“Due to its inability to develop IT systems and controls in line with its expansion, the bank is determined to be significantly lacking in constructing the essential operational resilience,” the central bank said.

The RBI said that while it has been in constant high-level contact with the bank over the last two years on all of these issues in an effort to increase its IT resilience, the results have been far from ideal.

The Reserve Bank said that there has also been a noticeable increase in the amount of digital transactions made by the bank recently, notably credit card-related transactions, which is placing further strain on the IT infrastructure.

“Therefore, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems, the Reserve Bank has decided to place certain business restrictions on the bank as mentioned above,” the statement read.

“We have received an order from the RBI which directs us to temporarily pause the onboarding of new customers through our online and mobile banking channels and the issuance of fresh credit cards,” Kotak Mahindra Bank said in a statement. The Bank will keep collaborating with RBI to expeditiously address balance concerns as soon as possible. The Bank has made steps to fortify its IT infrastructure via the use of new technology.

Additionally, the bank guaranteed that its current clientele will continue to get credit card, mobile, and online banking services.

“Aside from issuing new credit cards, our branches continue to welcome and onboard new customers, providing them with all the Bank’s services,” said Kotak Mahindra Bank.

The Reserve Bank of India (RBI) states that the restrictions will be reviewed after a thorough external audit, which the bank will commission with the RBI’s prior approval, is completed and all deficiencies found in the audit and inspection observations are addressed to the Reserve Bank’s satisfaction.

The Reserve Bank said that these limitations do not preclude the Reserve Bank from taking further regulatory, supervisory, or enforcement actions against the bank in the future.

On May 4, Kotak Mahindra Bank Limited is expected to release the consolidated and standalone audited financial statements for the fiscal year 2023–2024 and the quarter ending in March 2024.