The Reserve Bank of India (RBI) on Wednesday barred private sector lender Kotak Mahindra Bank from onboarding new customers through its online portal and mobile app, and restricted it from issuing fresh credit cards, due to “serious deficiencies” in the bank's IT system.
RBI said it found deficiencies and non-compliances in IT inventory management, patch and change management, user access management, vendor risk management, and data security among others for the years 2022 and 2023.
The regulator said even as the restrictions are in place, Kotak Mahindra Bank will continue to provide services to its existing customers, including its credit card customers.
As of March-end, the bank had 5.9 million credit cards, adding about a million cards in the last 12 months. India’s largest lender HDFC Bank added 3 million credit cards in the same period, showed data from RBI.
“The bank has taken measures for adoption of new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve balance issues at the earliest,” a Kotak Mahindra Bank spokesperson said in a statement.
The regulatory stricture comes seven months after founder and former chief executive Uday Kotak stepped down ahead of his scheduled retirement. The bank’s new chief executive Ashok Vaswani joined in January.
Interestingly, the regulator had also imposed business restrictions on the largest private lender HDFC Bank in 2020, two months after former chief executive Aditya Puri’s tenure ended and Sashidhar Jagdishan was elevated as the CEO. After HDFC Bank faced technology troubles in 2018 and 2019, RBI in December 2020 curbed its fresh digital launches and ordered it to halt issuing new credit cards. These restrictions were finally lifted in March 2022.
Public sector lender Bank of Baroda (BoB) too faced RBI’s wrath when in October, the regulator barred it from adding new customers on its mobile app, citing “material supervisory concerns”. This was a little over three months after new CEO Debadatta Chand took over from erstwhile chief Sanjiv Chadha.
“For two consecutive years, the bank (Kotak) was assessed to be deficient in its IT risk and information security governance, contrary to requirements under regulatory guidelines,” RBI said.
During the subsequent assessments, the bank was “significantly non-compliant” with the corrective action plans for 2022 and 2023. The compliances submitted by the bank were also found to be either “inadequate, incorrect or not sustained”, the regulator said.
With Indian customers reluctant to visit bank branches, Kotak Mahindra Bank, like its peers, had been onboarding them online.
A person aware of the development said that the digital banking platform Kotak 811 was adding a lot of customers to the bank. Though these customers did not have large balances, it added to the volume. Kotak 811 boasts of having over 17 million savings accounts and allows customers to open a zero-balance digital savings account with the help of video KYC.
“811 was the largest acquisition channel. These customers were using Kotak 811 to link with UPI and more such customers meant more load on digital channels,” said the person cited above.
Virat Diwanji, group president and head of consumer bank at Kotak Mahindra Bank, had told analysts on 20 January that the lender continues to scale up sourcing of savings and current accounts using an “assisted-digital journey”. This helped it reduce the account opening turnaround time, Diwanji had said.
“This digital on-boarding journey also allows customers to choose other financial products offered by the bank. This eventually will help us better cross-sell at the time of on-boarding,” he had said.
The person cited above said that the curbs on onboarding customers may not have a big impact on the bank as profitable customers came through branch and offline channels, while volumes came from digital channels. “The biggest impact will be due to the ban on credit cards,” the person added.
Business restrictions seem to be RBI’s weapon of choice against errant entities, moving a step ahead of paltry fines for such deviations. According to a former central banker, RBI has been doing it of late, sending strong signals that non-compliance would not be tolerated.
“When there are restrictions on business, everyone sits up and takes notice. In a connected banking system, it is no longer just about one lender, it is about a systemic risk that non-compliance could create,” said the former RBI official cited above.
On Wednesday, RBI said that in the absence of a robust IT infrastructure and IT risk management framework, Kotak Bank’s core banking system (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on 15 April.
“The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth,” it said.
According to the regulator, it has been in continuous high-level engagement with the bank on all these concerns in the past two years with a view to strengthening its IT resilience, but the outcomes have been “far from satisfactory”.
“It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems,” it said.
These restrictions, RBI said, will be reviewed after a “comprehensive external audit” that will be commissioned by the bank with the prior approval of the regulator, and after any deficiencies found in the audit are corrected. The bank would also have to heed observations in the RBI inspections, “to the satisfaction of the Reserve Bank”.
In 2022, the bank had appointed Milind Nagnur as its president and chief technology officer (CTO). He joined from Early Warning Services, a fintech company that operates Zelle Network, and is owned by seven major US banks. In February, Nagnur was appointed the chief operating officer, effective April, but continues to be the bank’s chief technology officer and responsible for operations of the bank and the group technology architecture and cyber security.
Experts see RBI’s actions as having a significant impact on the bank. Analysts at Bernstein believe that the inability of the lender to onboard new customers through its online and mobile banking channels could severely impact the new retail customer additions for the bank given its smaller branch network compared to peers and higher reliance on digital channels.
“(The ban on) issuing fresh credit cards…could impact the bank’s planned shift towards a higher share of unsecured loans given the important role played by credit cards in achieving that target,” analysts at Bernstein said in a note on Wednesday.
Nikita Prasad contributed to this article.