RBI orders Kotak Mahindra Bank to halt new customer sign-ups online and via mobile apps, as well as stop issuing new credit cards. This directive takes immediate effect. However, the bank will maintain services for existing customers, including those with credit cards.
In a statement, the RBI highlighted that its actions against the bank stemmed from significant concerns identified during the Reserve Bank’s IT Examination for the years 2022 and 2023. These concerns persisted due to the bank’s ongoing failure to comprehensively and promptly address them.
The RBI outlined serious shortcomings and breaches observed in various areas, including IT inventory management, patch and change management, user access management, vendor risk management, data security, data leak prevention strategy, business continuity, and disaster recovery preparedness and testing. The RBI emphasized that for two consecutive years, the bank fell short in its IT Risk and Information Security Governance, contrary to regulatory guidelines.
Subsequent assessments revealed significant non-compliance by the bank with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023. The bank’s submissions were deemed inadequate, incorrect, or unsustainable. Due to inadequate IT infrastructure and an inadequate IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels experienced frequent and substantial outages over the past two years, with the most recent occurring on April 15, 2024, resulting in considerable inconvenience to customers.
Furthermore, the bank failed to establish necessary operational resilience due to deficiencies in building IT systems and controls. Despite ongoing high-level engagement between the Reserve Bank and the bank over the past two years to address these concerns and enhance its IT resilience, the outcomes have been unsatisfactory.
The Reserve Bank has observed a recent surge in the volume of the bank’s digital transactions, including those involving credit cards, adding significant strain to its IT systems. Consequently, the Reserve Bank has opted to impose specific business limitations on the bank, as detailed earlier, to safeguard customer interests and mitigate the risk of potential extended outages. According to the RBI’s announcement, such disruptions could not only impede the bank’s capacity to provide effective customer service but also jeopardize the stability of the digital banking and payment systems within the financial ecosystem.