RBI bars Kotak Mahindra Bank from online onboarding of new customers

The Reserve Bank of India (RBI) on Wednesday directed Kotak Mahindra Bank to stop onboarding new customers through its online and mobile banking channels and from issuing fresh credit cards. 

The action was taken after it found that Kotak Mahindra lacked the necessary IT infrastructure and IT risk management framework, Core Banking System (CBS), the central bank said. 

The banking regulator observed that the Bank’s online and digital banking channels have suffered frequent and significant outages in the last two years, with a recent service disruption on 15 April, resulting in serious customer inconveniences. 

Following the RBI action, shares of Kotak Mahindra Bank fell 10% on Thursday in early trading.  

RBI said that it will review its restrictions only after the completion of a comprehensive external audit commissioned by Kotak Mahindra Bank with the prior approval of RBI and remediation of all deficiencies that may be pointed out in the external audit as well as the observations contained in the RBI inspections. 

During the annual IT examination of the bank, RBI found it materially deficient in building necessary operational resilience because it needed to build IT systems and controls commensurate with its growth. 

RBI saod that during its IT examination of the scheduled bank, severe deficiencies and non-compliances were observed in IT inventory management, patch and change management, user access management, vendor risk management, data security, data leak prevention strategy, business continuity, and disaster recovery rigor and drill. 

The apex bank said that during IT checks in 2022 and 2023, Kotak Mahindra was deficient in its IT Risk and information security governance, contrary to requirements under regulatory guidelines. RBI added that during the subsequent assessments, the Bank was found to be significantly non-compliant with the corrective action plans issued by the Reserve Bank for consecutive years, as the compliances submitted by the Bank were either inadequate, incorrect, or not sustained.

“In the past two years, the Reserve Bank has been in continuous high-level engagement with the Bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory,” the RBI said.

The banking regulator observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions about credit cards, which is building further load on the Kotak Mahindra Bank’s IT systems. 

The central Bank said that certain business restrictions are in customers’ interest and that avoiding prolonged outages may seriously impact the bank’s ability to render efficient customer service and the financial ecosystem of digital banking and payment systems.

RBI said that these actions were necessitated due to significant concerns arising from the Reserve Bank’s IT examination of the Bank in 2022 and 2023 and the Bank’s continued failure to address these concerns comprehensively and timely.

Kotak Mahindra Bank notified the exchange that it has taken concrete steps to adopt new technologies to strengthen its IT systems. It will continue to work with RBI to resolve balance issues swiftly and immediately. 

The bank further said it would like to reassure its existing customers of uninterrupted services, including credit card, mobile, and net banking. Kotak Mahindra Bank said that its branches will continue to onboard new customers, providing them with all the bank’s services, except for issuing new credit cards. 

These directions will not materially impact its overall business, Kotak Mahindra said.