Today, the Reserve Bank of India, utilizing its authority under Section 35A of the Banking Regulation Act, 1949, has instructed Kotak Mahindra Bank Limited to immediately halt (i) the enrollment of new customers through its online and mobile banking platforms and (ii) the issuance of fresh credit cards. Nevertheless, the bank will continue catering to its existing clientele, including those with credit cards.
These measures stem from significant concerns arising from the Reserve Bank’s IT examinations of the bank for the years 2022 and 2023 and the bank’s persistent failure to comprehensively and promptly address these concerns. Grave deficiencies and non-compliances were identified in various areas, including IT inventory management, patch and change management, user access management, vendor risk management, data security, and business continuity planning.
The bank has been found deficient in IT risk and information security governance for two consecutive years, contrary to regulatory guidelines. Despite continuous engagement by the Reserve Bank to bolster the bank’s IT resilience, recent incidents, such as the service disruption on April 15, 2024, highlight significant shortcomings in the bank’s IT infrastructure and operational resilience.
Given the rapid increase in digital transactions, including credit card transactions, the Reserve Bank has imposed these business restrictions in the interest of customer protection and to mitigate the risk of prolonged outages that could severely impact both the bank’s service delivery and the wider digital banking and payment ecosystem.
These restrictions will undergo review after the bank commissions a thorough external audit, subject to prior approval from the RBI. Remediation of all identified deficiencies in both the external audit and RBI inspections must meet the satisfaction of the Reserve Bank. Additionally, these restrictions do not preclude any other regulatory, supervisory, or enforcement actions that the Reserve Bank may take against the bank.