The RBI on Wednesday barred Kotak Mahindra Bank from taking new customers through its online and mobile banking channels and issuing fresh credit cards with immediate effect due to deficient IT risk management.
These actions have been taken based on significant concerns arising out of RBI’s IT examination of the bank for 2022 and 2023 and the continued failure on the part of the bank to address these concerns in a comprehensive and timely manner.
“Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc,” the RBI’s statement said.
For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under regulatory guidelines, RBI said.
The bank shall, however, continue to provide services to its existing customers, including its credit card users.
In the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences. The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth, RBI said.
In the past two years, the Reserve Bank has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory. It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems.
The restrictions will be reviewed upon completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI.