The Reserve Bank of India has asked private sector lender Kotak Mahindra Bank not to issue new credit cards and barred new customer onboarding through the bank’s online and mobile banking channels.

RBI said the action was necessary as the bank failed to plug gaps in its information technology (IT) systems. There were frequent outages in the bank's core banking system and online channels in the last two years, which inconvenienced customers, the regulator said.

RBI said the bank can provide services to its existing customers, including its credit card customers.

“These actions are necessitated based on significant concerns arising out of Reserve Bank’s IT Examination of the bank for the years 2022 and 2023 and the continued failure on part of the bank to address these concerns in a comprehensive and timely manner,” RBI said.





The regulator said serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc.

“For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines,” RBI said.

The bank was found to be significantly non-compliant with the Corrective Action Plans issued by the RBI for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained.

The regulator further said that in the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the most recent being a service disruption on April 15, 2024, resulting in serious customer inconveniences.

“The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth,” it said.

RBI said it has been holding high-level engagement with the bank on all these concerns to strengthen its IT resilience for the past two years, but the outcomes have been far from satisfactory.

According to the regulator, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems.



