On the back of concerns involving data security and inadequate IT infrastructure, The Reserve Bank of India (RBI) on April 24 barred Kotak Mahindra Bank from onboarding new customer’s online and issuing new credit cards with immediate effect. However, the bank is allowed to maintain services for its existing customers, which include people with credit cards. The RBI said in a press release: “The Reserve Bank of India has today, in the exercise of its powers under Section 35A of the Banking Regulation Act, 1949, directed Kotak Mahindra Bank Limited (hereinafter referred to as 'the bank') to cease and desist, with immediate effect, from (1) onboarding of new customers through its online and mobile banking channels and (II) issuing fresh credit cards. The bank shall, however, continue to provide services to its existing customers, including its credit card customers,”
The RBI said the actions are based on "significant concerns arising out of Reserve Bank's IT Examination of the bank for the years 2022 and 2023 and the continued failure on the part of the bank to address these concerns in a comprehensive and timely manner".
It also said there were “serious deficiencies” in the way Kotak Mahindra Bank manages its IT inventory and secures its data. “Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc. For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines," the RBI said.
"During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained," the release added.
RBI also said that owing to the absence of a robust IT infrastructure and IT risk management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences.
In the past two years, the RBI Bank has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory. It is also observed that, of late, there has been rapid growth in the volume of the bank's digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems.
The RBI has said that it has put some restrictions on the bank in the interest of the customers. “The Reserve Bank, therefore, has decided to place certain business restrictions on the bank as mentioned above, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank's ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems," the RBI said.
The RBI also said that the restrictions would be reviewed after an audit and corrective steps. “The restrictions now being imposed will be reviewed upon completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI, and remediation of all deficiencies that may be pointed out in the external audit as well as the observations contained in the RBI Inspections, to the satisfaction of the Reserve Bank. Further, these restrictions are without prejudice to any other regulatory, supervisory or enforcement action that may be initiated against the bank by the Reserve Bank," the RBI said.
In response to RBI, Kotak Mahindra Bank, said, in a statement: “We have received an order from the RBI which directs us to temporarily pause onboarding of new customers through our online and mobile banking channels and issuance of fresh credit cards. The Bank has taken measures for the adoption of new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve balance issues at the earliest. We want to reassure our existing customers of uninterrupted services, including credit card, mobile and net banking. Our branches continue to welcome and onboard new customers, providing them with all the Bank’s services, apart from issuance of new credit cards.”
Impact On Customers: According to experts, it is the image, that would really get impacted the most. “The biggest issue in this case is image. Building an image takes time and it would take a major hit. We are already getting comments from clients like: Should I change my bank? They did charge us a high rate. They did fraud, etc.,” Anant Ladha, founder, of Invest Aaj For Kal, a financial advisory firm said.
“While existing customers will continue to be there, the new customers would be cautious, and might not take credit cards or open new accounts,” Wriju Ray, Chief Business Officer, of IDfy, a Mumbai-based identity verification and digital onboarding platform said.
Arjun Syal, Partner, Syal & Co, a New Delhi-based law firm, said that when a bank’s reputation takes a hit, it could spell big losses. “Customers might lose trust, leading to rumours and even a switch to other banks. Trust is key in banking, and losing it can be costly,” he added.
According to experts, in today’s time, when data privacy and data security are of paramount concern to all persons, a restraining order of this nature would be highly alarming and a major cause of concern, especially for the Bank’s customers, whose data may be at a potential risk based on the RBI’s statement.
“The lack of adequate safety measures and observed non-compliance over a significant period of two years with respect to the IT inventory and data management is a major red flag and will raise multiple questions on the security measures adopted by such reputed banks. It is extremely alarming as a customer to learn that the bank may have compromised your sensitive personal data when they are in fact to act as the custodians and safeguard such data. Such news would definitely be a severe blow to the customer’s trust and confidence reposed with the bank,” Nazneen Ichhaporia, Partner, ANB Legal, a Mumbai-based law firm said.
Incidents like these highlight the urgency of implementing at the earliest – the Digital Data Protection Regime in India which was enacted last year in 2023 to address such lacunas. With such data privacy safeguards in place, data fiduciaries like banks who regularly collect and process large volumes of sensitive financial and personal data of their customers would be compelled to undertake periodic audits and reviews of their technology, IT infrastructure and safety measures and report the same on a periodic basis to the concerned authorities.
“Customers who rely heavily on these channels for their banking needs may face inconvenience. Further, this restriction will potentially lead to a loss of trust in the bank's digital banking infrastructure, which will lead the customers to move back to traditional banking methods and alternative banking options, which could result in longer wait times and slower transaction processing, potentially leading to frustration among customers,” Piyush Tiwari, an associate at TAS Law, a New Delhi-based boutique law firm said.
“Additionally, the firm action by the central bank, RBI, is beneficial for customers who trust India's banking systems. When RBI acts vigilantly, it helps ensure that banks operate correctly, which safeguards customers' interests. As the banking system moving digitally very fast, the IT Infrastructure shall be one of the most important parts of the system to help customer to safeguard their interest,” Tiwari added.
