Kotak Mahindra Bank (KMB) Managing Director and Chief Executive Officer Ashok Vaswani acknowledged that the bank needs to do more the technology-front and said the lender is committed towards allocating resources and commitments in this area.
“At this stage, it is appropriate to address the recent RBI order. Over the last few years, we had completely embraced the notion that leveraging technology is fundamental to growing the business. We had significantly stepped up resources and investments in technology. However, it is evident that we have more to do. Changing customer expectations, the dramatic pace of business growth and the emerging risk landscape have meant that we have to move at a much faster pace,” said Vaswani in a message to shareholders.
“We are absolutely committed to further enhancing our resources and commitments in this area and I am very confident that collectively, as a team – we will deliver and use this as an opportunity to leapfrog,” said Vaswani.
In a major regulatory move, the Reserve Bank of India (RBI) on April 24 barred Kotak Mahindra Bank (KMB) from onboarding new customers through its online and mobile banking channels and issuing fresh credit cards, citing supervisory concerns over its technology platforms. The actions followed an RBI examination of the bank’s IT systems over the last two years and the bank’s “continued failure” to address concerns, the central bank said.
The ban will not impact existing customers and Koak can continue to provide services to them, including its credit card customers, the RBI said.
RBI observations
According to the central bank, serious deficiencies and non-compliance were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, and so on.
Explaining the action, the RBI said for two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under regulatory guidelines.
During subsequent assessments, Kotak Mahindra was found to be
significantly non-compliant with the corrective action plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained, the central bank said.
“In the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customerinconveniences,” the RBI said.
During the investigations, the RBI found that the bank is materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth.
RBI engagement in last 2 years
In the past two years, the regulator has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory, the RBI said.
“It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems,” the RBI added.
Action in the interest of customers
Explaining the logic behind its move, the RBI said it decided to place certain business restrictions on the bank in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems.
However, the RBI said the restrictions now being imposed will be reviewed upon completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI and remediation of all deficiencies that may be pointed out in the external audit.
Further, review of the decision will also be based on the observations contained in the RBI Inspections and to the satisfaction of the Reserve Bank, the press release said.
“Further, these restrictions are without prejudice to any other
regulatory, supervisory or enforcement action that may be initiated against the bank by the Reserve Bank,” the central bank added.
Not the first time
Back in 2020, the RBI had announced a similar action against HDFC Bank when it asked the country’s largest private sector lender to put all new digital launches on hold till the bank resolve tech issues. HDFC Bank was barred from launching any new digital products or services and issuing new credit cards as a penalty for repeated instances of outages in its online platforms.
Later, in August 2021, the RBI partially revoked the ban on the bank allowing it to issue new credit cards. Later in March, 2022, the bank informed the exchanges that the RBI has lifted the restrictions that were placed on the fresh digital launches of HDFC Bank.
The RBI had cited similar technology-related concerns as in the case Kotak Mahindra Bank while taking action against HDFC Bank after repeated outages at the lender’s data centre. The restrictions barred HDFC Bank from launching any of the activities planned under the Digital 2.0 programme as well as the sourcing of new credit cards.
The RBI had also asked the bank to fix accountability in the matter pertaining to the data centre outages, and examine reasons behind the lapses. Subsequently, an audit was carried out and the bank submitted a roadmap to the central bank.