© The Indian Express Pvt Ltd
Tags:
Journalism of Courage
THE RESERVE Bank of India (RBI) on Wednesday directed Kotak Mahindra Bank to stop onboarding of new customers through its online and mobile banking channels and also barred it from issuing fresh credit cards with immediate effect, citing “serious deficiencies” and “non-compliance” by the private bank in its IT (information technology) risk management and information security governance for 2022 and 2023.
Confirming that it had received the RBI order, Kotak Mahindra Bank said in a statement: “We have received an order from the RBI which directs us to temporarily pause onboarding of new customers through our online and mobile banking channels and issuance of fresh credit cards. The Bank has taken measures for adoption of new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve balance issues at the earliest. We want to reassure our existing customers of uninterrupted services, including credit card, mobile and net banking.” The lender said its branches continue to onboard new customers, providing them with all services, other than issuance of new credit cards.
The RBI said its decision was based on significant concerns arising out of its IT examination of the bank for 2022 and 2023, and the bank’s continued failure to address these concerns in a comprehensive and timely manner.
“Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill,” the RBI said in a release.
The banking regulator said that during subsequent assessments, the bank was found to be significantly non-compliant with the corrective action plans issued by the RBI for 2022 and 2023; the compliances submitted by the bank were found to be “either inadequate, incorrect or not sustained”.
“In the absence of a robust IT infrastructure and IT risk management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences,” the RBI said.
The action on Kotak was taken under Section 35A of the Banking Regulation Act, 1949, according to which the RBI has the power to give directions “to prevent the affairs of any banking company being conducted in a manner detrimental to the interests of the depositors or in a manner prejudicial to the interests of the banking company”. The RBI found the private sector lender to be “materially deficient in building necessary operational resilience, on account of its failure to build IT systems and controls commensurate with its growth”.
Over the past two years, the RBI has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory, the release said.
It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems, it said.
The RBI said it has decided to place certain business restrictions on the bank in the interest of customers and to prevent any possible prolonged outage, which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems.
The bank, however, will continue to provide services to its existing customers, including its credit card customers, it said.
According to RBI data, the bank’s current credit cards (till March 2024) total 59.54 lakh.
The bank’s scrip closed at Rs 1,843.05 apiece, up 1.64 per cent, on Wednesday.
In the past, RBI has taken action against some banks, including barring them from onboarding new customers, for non-compliance of various regulatory guidelines.
Last year, RBI asked Bank of Baroda to suspend any further onboarding of customers on its “bob World”, the lender’s mobile banking application. The action came after a media report in July 2023, which said that some bank employees were involved in fake onboarding of bank customers on “bob World”.
In December 2020, RBI asked HDFC Bank to temporarily stop all launches of its digital business generating activities under ‘Digital 2.0’ programme, and sourcing of new credit card customers. This came after the RBI observed certain incidents of outages in the bank’s internet banking, mobile banking and payment utilities over the last two years. The restrictions were later lifted.
