RBI observed significant deficiencies and non-compliances in the bank’s IT risk management, user access management, vendor risk management, data security and data leak prevention strategy, and disaster recovery, among others.


ATM of Kotak in Shyambazar in Kolkata, West Bengal, India. (Credit: Indrajit Das/Wikipedia)

The Reserve Bank of India (RBI) has directed Kotak Mahindra Bank (Kotak) to immediately stop onboarding new customers through its online and mobile banking channels.

The central bank has also barred Kotak from issuing fresh credit cards, while allowing it to continue providing services to its existing customers, including credit card customers.

RBI has taken action under Section 35A of the Banking Regulation Act 1949, based on significant concerns emerging from its IT Examination of Kotak for 2022 and 2023.

The regulator observed significant deficiencies and non-compliances in the bank’s IT risk management, and the bank failed to address these concerns in a timely manner.

It has also identified flaws in the areas of user access management, vendor risk management, data security and data leak prevention strategy, and disaster recovery, among others.

Kotak was found to be deficient in its IT risk and information security governance for two consecutive years, measured against the requirements set out in regulatory guidelines.

During the subsequent regulatory assessments, the bank was found to be significantly non-compliant with its Corrective Action Plans issued for 2022 and 2023.

RBI said that the compliances submitted by the bank were either inadequate or incorrect.

RBI in its statement said: “In the past two years, the Reserve Bank has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory.

“It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems.

“The Reserve Bank, therefore, has decided to place certain business restrictions on the bank as mentioned above, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems.”

Due to the lack of proper IT infrastructure and IT Risk Management framework, Kotak’s Core Banking System (CBS) and its online and digital banking channels suffered frequent outages.

The most recent was a service disruption earlier this month, which caused serious inconvenience to customers.

Given its failure to build adequate IT systems and appropriate controls, the bank was found to be materially deficient in building the necessary operational resilience.

The current restrictions will be reviewed upon completion of a comprehensive external audit, which will be commissioned by the bank with the prior approval of RBI.

The review will also depend on the remediation of all deficiencies identified in the external audit, along with the observations made in past inspections, the Indian regulator said.