Kotak Mahindra Bank Faces RBI Clampdown: New Customers, Credit Cards Frozen

Kotak Mahindra Bank Hit by RBI Restrictions with Pause on New Online Customers, Credit Cards

The RBI pointed out that the bank has faced recurring outages in its digital banking channels due to a lack of a strong IT infrastructure.

Data Security Risk

Citing concerns about data security and the bank’s inadequate IT infrastructure, the Reserve Bank of India has prohibited Kotak Mahindra Bank from enrolling new customers online and issuing new credit cards immediately. However, the bank is allowed to maintain services for its current customers, including those with credit cards.

According to a statement from the central bank, issued under Section 35A of the Banking Regulation Act, 1949, Kotak Mahindra Bank is directed to halt new customer onboarding via its online and mobile banking platforms and to stop issuing fresh credit cards.

The RBI’s decision stems from significant worries highlighted in its IT Examination of the bank for the years 2022 and 2023, coupled with the bank’s ongoing failure to address these concerns comprehensively and promptly.

Statement From Kotak Mahindra Bank

Kotak Mahindra Bank’s statement highlighted its efforts to enhance its IT systems through the adoption of new technologies, aiming to swiftly address any balance issues in collaboration with the RBI.

The bank acknowledged receiving an order from the RBI to temporarily halt new customer onboarding via online and mobile banking channels and the issuance of fresh credit cards.

Despite these restrictions, Kotak Bank reassured its existing customers of uninterrupted services, including credit card, mobile, and net banking. It also mentioned that its branches remain open for new customer onboarding, offering a full range of services except for issuing new credit cards.

RBI Concern

The RBI highlighted “serious deficiencies” in how Kotak Mahindra Bank manages its IT inventory and secures data. These deficiencies encompassed various critical areas such as IT inventory management, patch and change management, user access management, vendor risk management, data security, data leak prevention strategy, business continuity, disaster recovery rigour, and drills. Over two years, the bank was found deficient in IT Risk and Information Security Governance, contrary to regulatory guidelines.

In subsequent assessments, the bank was notably non-compliant with Corrective Action Plans issued by the Reserve Bank for 2022 and 2023. Compliance submissions were often inadequate, incorrect, or unsustainable according to the RBI’s findings.

The RBI emphasized that the bank’s digital banking channels frequently suffered outages due to the absence of a robust IT infrastructure. These outages have inconvenienced customers, highlighting the urgent need for improvements in the bank’s IT systems.

The bank stated that due to a lack of a strong IT infrastructure and IT Risk Management framework, its Core Banking System (CBS) and digital banking channels experienced frequent and significant outages over the past two years, with a recent disruption on April 15, 2024, causing substantial inconvenience to customers. This deficiency has led to a failure in establishing necessary operational resilience, considering the bank’s growth trajectory.

The RBI has maintained consistent high-level engagement with the bank over the past two years to address these concerns and enhance its IT resilience. However, the outcomes have fallen short of expectations.

Additionally, the bank has witnessed a rapid surge in digital transactions, including credit card transactions, adding further strain to its IT systems.

The RBI has announced that it is placing restrictions on the bank to safeguard customer interests. These measures are aimed at preventing potential extended outages that could severely impact both the bank’s ability to provide efficient customer service and the overall digital banking and payment systems within the financial ecosystem.

These restrictions, the RBI clarified, will undergo a review after a comprehensive external audit, which the bank will commission with prior approval from the RBI. The bank must address all deficiencies highlighted in the external audit and RBI inspections to the satisfaction of the Reserve Bank. These measures are separate from any other regulatory or enforcement actions that the RBI may initiate against the bank.