RBI Directs Kotak Mahindra Bank to Halt New Customer Onboarding and Credit Card Issuance
The Reserve Bank of India (RBI) has issued a directive to Kotak Mahindra Bank, instructing it to halt the onboarding of new customers through its online and mobile banking channels, along with the issuance of fresh credit cards. This action comes as a response to concerns identified during the central bank’s IT examinations in 2022 and 2023.
Concerns Raised During IT Examinations
RBI’s decision to take regulatory action against Kotak Mahindra Bank was due to the significant concerns found during the bank’s IT examinations. These concerns primarily revolve around key aspects of IT management, including inventory management, patch and change management, user access control, vendor risk management, data security, data leak prevention strategies, business continuity, and disaster recovery procedures.
The central bank’s assessments over two consecutive years highlighted deficiencies in IT risk management and information security governance within the bank, contrary to regulatory guidelines and expectations. Despite receiving corrective action plans from RBI following the examinations in 2022 and 2023, subsequent evaluations revealed ongoing non-compliance issues at Kotak Mahindra Bank.
Specific Areas of Non-Compliance
The RBI’s directive pointed out specific areas of non-compliance that were of particular concern:
- IT Inventory Management: Inadequate management of IT assets and resources, leading to operational inefficiencies and potential security vulnerabilities.
- Patch and Change Management: Insufficient protocols for implementing software updates and managing changes in IT systems, posing risks related to system stability and security.
- User Access Management: Weaknesses in controlling and monitoring user access to IT systems and data, raising concerns about unauthorized access and data breaches.
- Vendor Risk Management: Ineffective oversight and management of third-party vendors, increasing the risk of supply chain disruptions and security breaches.
- Data Security and Leak Prevention: Lack of robust strategies and measures to safeguard data integrity and prevent unauthorized data leaks or breaches.
- Business Continuity and Disaster Recovery: Deficiencies in ensuring business continuity and implementing effective disaster recovery plans, which are critical for maintaining operational resilience.
RBI Statement
In a statement, RBI invoked its powers under Section 35A of the Banking Regulation Act, 1949, citing concerns raised during the central bank’s IT examinations conducted in 2022 and 2023. The directive emphasizes serious deficiencies and non-compliances observed in various critical areas related to IT governance and information security within Kotak Mahindra Bank. Thus, RBI restricted the bank from issuing new credit cards and onboarding new customers via online channels.
“The restrictions now being imposed will be reviewed upon completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI, and remediation of all deficiencies that may be pointed out in the external audit as well as the observations contained in the RBI Inspections, to the satisfaction of the Reserve Bank,” said RBI.
Impact on Kotak Mahindra Bank Customers
Customers who hold Kotak 811 digital accounts can still access their accounts without interruption. They can use Internet Banking or the mobile banking app of Kotak Mahindra Bank.
Existing savings or current account holders with Kotak Mahindra Bank will not experience any disruption in services. The bank has assured its customers that all banking facilities, including credit cards and online banking, will continue as usual.
“We want to reassure our existing customers of uninterrupted services, including credit card, mobile and Net banking,” said the bank in an official statement.
New customers will not be able to open Kotak 811 digital savings accounts due to the RBI’s restrictions on online customer onboarding.
Despite the ban on online channels, Kotak Mahindra Bank can still onboard new customers through its bank branches. So, individuals interested in opening an account can visit their nearest Kotak Mahindra Bank branch.
Existing credit card holders of Kotak Mahindra Bank can renew their cards without any issues. However, the bank is not permitted to issue new credit cards until the RBI lifts the restrictions.
“The current restrictions imposed on Kotak should not have an impact on its existing customers, including those with credit cards, except for the issues faced in accessing online banking services for existing customers due to the lapses in Kotak’s IT infrastructure systems,” Kinjal Champaneria, Partner, Solomon & Co told The Economic Times.
The RBI will review these restrictions once Kotak Mahindra Bank completes a comprehensive external audit and addresses all deficiencies highlighted by the audit and RBI inspections.
How Did Market React To RBI’s Actions Against Kotak Mahindra Bank?
Shares of Kotak Mahindra Bank fell more than 11% after the RBI restricted the bank from issuing new credit cards and onboarding new customers via online channels.
Kotak Mahindra Bank’s shares closed at ₹1630, an 11.56% decline over the previous close. The benchmark S&P BSE Bankex, meanwhile, gained 0.71%.