The Reserve Bank of India (RBI) has taken decisive action against Kotak Mahindra Bank, directing the institution to halt onboarding new customers through its online and mobile banking channels. Additionally, the bank is prohibited from issuing fresh credit cards with immediate effect. This regulatory move comes in response to significant deficiencies identified in the bank’s IT risk management practices.
Compliance and Risk Management Concerns in Kotak Mahindra
The RBI’s decision was triggered by observations made during the central bank’s IT examination of Kotak Mahindra Bank over two consecutive years, specifically in 2022 and 2023. Despite corrective action plans issued by the RBI, the bank consistently failed to address these concerns comprehensively and in a timely manner.
The deficiencies spanned various critical areas, including:
- IT Inventory Management: The bank exhibited shortcomings in managing its IT assets effectively.
- Patch and Change Management: Inadequate processes for handling software patches and changes were noted.
- User Access Management: The bank’s practices related to user access control were found lacking.
- Vendor Risk Management: The assessment revealed gaps in managing risks associated with third-party vendors.
- Data Security and Leak Prevention: Strategies for safeguarding data and preventing leaks were deemed insufficient.
- Business Continuity and Disaster Recovery: Planning and drills in these areas were not sufficiently rigorous.
Existing Customers Unaffected
Existing customers of Kotak Mahindra Bank, including credit card holders, need not worry about service disruptions. The bank will continue to provide services to its current clientele. However, the RBI’s directive aims to ensure that new customers are not onboarded until the bank rectifies its IT risk management practices.
In an official statement, the RBI clarified its stance: “The Reserve Bank of India has today, in exercise of its powers under Section 35A of the Banking Regulation Act, 1949, directed Kotak Mahindra Bank Limited to cease and desist, with immediate effect, from (i) onboarding of new customers through its online and mobile banking channels and (ii) issuing fresh credit cards. The bank shall, however, continue to provide services to its existing customers, including its credit card customers.”
Way Forward
Kotak Mahindra Bank now faces the challenge of addressing the identified deficiencies promptly. The RBI’s vigilance underscores the importance of robust risk management practices in the banking sector. As the bank works towards compliance, existing customers can rest assured that their services remain unaffected while the institution rectifies its processes.
For more details, refer to the official RBI statement.