RBI Bars Kotak Mahindra Bank For Digital Onboarding and Credit Card Issuance

On April 24, 2024, the Reserve Bank of India (RBI) took corrective action against Kotak Mahindra Bank due to concerns identified during IT examinations conducted in 2022 and 2023. The bank’s failure to adequately address these concerns further amplified them. The action was taken under Section 35A of the Banking Regulation Act 1949.

Reasons for the Action

IT Infrastructure Deficiencies: The RBI identified serious shortcomings in Kotak Mahindra Bank’s IT infrastructure, including:

• Weak IT inventory management
• Inadequate patch and change management procedures
• Poor user access management controls
• Deficient vendor risk management practices
• Insufficient data security and data leak prevention strategies
• Lack of robust business continuity and disaster recovery plans

Non-compliance with Regulatory Guidelines: For two consecutive years, Kotak Mahindra Bank failed to meet the RBI’s IT Risk and Information Security Governance requirements.

Inadequate Corrective Action: The bank’s attempts to address the issues identified by the RBI in 2022 and 2023 were deemed insufficient, incorrect, or unsustainable.

Consequences of Deficiencies:

Frequent Outages: The bank’s IT infrastructure weaknesses have resulted in frequent and significant outages of its Core Banking System and online/mobile banking channels. This culminated in a service disruption on April 15, 2024, causing significant customer inconvenience.

Operational Resilience Concerns: The bank’s IT systems and controls failed to keep pace with its growth, leading to a lack of operational resilience.

RBI’s Past Engagement

The RBI has been actively engaged with Kotak Mahindra Bank over the past 2 years, aiming to improve its IT resilience. However, these efforts have not yielded satisfactory results.

Looking Ahead

The restrictions on new online customer onboarding and credit card issuance will be reviewed based on the following:

• Comprehensive External Audit: With RBI’s approval, the bank will commission a comprehensive external audit to identify further deficiencies.
• Remediation of Deficiencies: All deficiencies identified through the external audit and RBI inspections must be addressed to the RBI’s satisfaction.

Disclaimer: This blog has been written exclusively for educational purposes. The securities mentioned are only examples and not recommendations. It is based on several secondary sources on the internet and is subject to changes. Please consult an expert before making related decisions.