Restrictions on Kotak Mahindra Bank Over IT Concerns: No New Customer Onboarding and Credit Card Issuance
The Reserve Bank of India (RBI) has taken significant regulatory action against Kotak Mahindra Bank (KMB), barring the bank from onboarding new customers through online and mobile banking channels and issuing fresh credit cards from April 24.
This move comes in response to supervisory concerns regarding the bank’s technology platforms, following an examination of its IT systems over the past two years.
Why Has Action Been Taken?
• The RBI’s decision was triggered by significant deficiencies and non-compliances observed during the central bank’s IT examination of Kotak Mahindra Bank for two consecutive years, 2022 and 2023. The bank consistently failed to address these concerns in a comprehensive and timely manner.
• The RBI noted serious shortcomings in areas such as IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, among others.
• Despite the RBI issuing corrective action plans for both years, subsequent assessments revealed that the bank remained significantly non-compliant, with inadequate, incorrect, or unsustainable compliances submitted by the bank.
While existing customers will not be affected by the ban, the restrictions will impact KMB’s ability to acquire new customers and issue credit cards, especially as a substantial portion of new account openings occurs through online channels. The RBI’s action also raises concerns for the bank’s credit card business and co-branded credit card deals.
The central bank’s decision stems from significant deficiencies and non-compliance observed in various areas of IT management, including inventory management, user access management, data security, and disaster recovery. Despite repeated assessments and corrective action plans, Kotak Mahindra Bank failed to address these concerns adequately.
The absence of a robust IT infrastructure has led to frequent outages in the bank’s core banking system and digital channels, causing inconvenience to customers.
The RBI’s engagement with the bank over the past two years has not yielded satisfactory outcomes, prompting the imposition of business restrictions.
The RBI emphasized that the restrictions will be reviewed upon completion of a comprehensive external audit commissioned by the bank and remediation of the identified deficiencies. Any further regulatory action will be based on the audit findings and RBI inspections, ensuring the bank’s compliance with IT resilience standards.
This is not the first time the RBI has taken such action against a bank for technology-related concerns. In 2020, HDFC Bank faced similar restrictions due to repeated outages in its online platforms, highlighting the regulator’s commitment to ensuring the stability and efficiency of the banking sector’s digital infrastructure.
While KMB’s stock prices remained relatively stable, the RBI’s intervention underscores the importance of robust IT systems and controls in the banking sector, ensuring the security and reliability of digital banking services for customers.