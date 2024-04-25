Mumbai: In response to persistent IT non-compliance, the Reserve Bank of India (RBI) has imposed sanctions on Kotak Mahindra Bank, prohibiting the addition of new customers via digital channels and the issuance of new credit cards, effective immediately. According to RBI, this decision follows the discovery of critical shortcomings in the bank’s IT risk management during the RBI’s 2022 and 2023 IT evaluations, and the bank’s ongoing inability to adequately address these issues.



Similar to actions taken against HDFC Bank in December 2020, which were later revoked in March 2022, the RBI has identified severe lapses in Kotak Mahindra Bank’s IT governance, including inventory, patch and change management, user access, vendor risk management, data security, and business continuity planning.

While existing customers, including credit card holders, will continue to receive services, the bank must halt the onboarding of new customers and the issuance of new credit cards. The RBI’s assessment revealed the bank’s IT Risk and Information Security Governance to be lacking for two years in a row, contrary to regulatory guidelines.

Subsequent evaluations showed significant non-compliance with the RBI’s Corrective Action Plans for 2022 and 2023, with the bank’s responses deemed insufficient, incorrect, or unsustainable. The bank’s Core Banking System and digital channels have experienced frequent outages, including a recent disruption on April 15, 2024, highlighting the need for improved operational resilience.

Despite ongoing discussions aimed at enhancing IT resilience, the RBI has found the bank’s efforts unsatisfactory. The bank’s rapidly increasing digital transaction volume, particularly in credit card transactions, has placed additional strain on its IT systems.

To safeguard customers and the broader digital banking ecosystem, the RBI has implemented the aforementioned business restrictions. These will be reassessed following a comprehensive external audit, approved by the RBI, which will address all identified deficiencies and RBI inspection observations to the regulator’s satisfaction.

The restrictions do not preclude further regulatory, supervisory, or enforcement actions by the RBI. Kotak Mahindra Bank Limited is set to release its audited financial results for the quarter and fiscal year ending March 31, 2024, on May 4.