The regulator cited “serious deficiencies and non-compliances” by Kotak in a statement shortly after the stock market closed on Wednesday. The third-most valued private bank in terms of market capitalisation was asked to stop the functions cited “with immediate effect”. The stock closed at ₹1,843.05, up 1.64% on the BSE, at a market cap of ₹3.66 lakh crore.
Kotak said it would resolve the matter quickly and assured customers there wouldn’t be any interruption to services.
“The bank has taken measures for adoption of new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve balance issues at the earliest. We want to reassure our existing customers of uninterrupted services, including credit card, mobile and net banking,” Kotak said in a statement.
Curbs in the Interest of Customers, says Reserve Bank
The bank said: “Our branches continue to welcome and onboard new customers, providing them with all the bank’s services, apart from issuance of new credit cards.”
The curbs will be reviewed after an external audit and ensuring all deficiencies have been remedied, the regulator said. The RBI has been cracking down on regulated entities over non-compliance. In the last three months, it banned Paytm Payments Bank from accepting fresh deposits, IIFL Finance from giving new gold loans and JM Financial Products from undertaking any business related to shares or bond funding. Prior to this, in October 2023, Bank of Baroda was banned from onboarding customers on the Bob World app, a curb that’s yet to be lifted. In December 2020, the RBI had banned HDFC Bank from launching new digital products and issuing credit cards. That restriction was lifted in March 2022.
The action against Kotak follows an examination of the bank’s IT systems in 2022 and 2023 and “continued failure on the part of the bank to address these concerns in a comprehensive and timely manner”.
In 2017, the bank had launched a zero-balance digital bank account, Kotak811, named for November 8, 2016, the day demonetisation was announced. The programme was kicked off on its first-year anniversary. Onboarding was entirely digital and the division was latterly co-headed by Jay Kotak, son of founder Uday Kotak. The latest available public data showed nearly 17.5 million savings accounts were opened under Kotak811, as of March 31, 2023.
In FY23, Kotak811 accounted for 72% of new savings accounts. More than 50% of credit cards, unsecured loans, trading accounts and recurring deposits were cross-sold to Kotak811 customers, the bank’s FY23 annual report stated.
“In the absence of a robust IT infrastructure and IT risk-management framework, the bank’s core banking system (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences,” the regulator pointed out. The bank was “materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth”.
The restrictions come about four months after Ashok Vaswani took charge as MD and CEO of Kotak Mahindra Bank, although the incidents mentioned in the RBI statement don’t pertain to his tenure. Vaswani replaced Dipak Gupta, who was interim MD and CEO, after Uday Kotak stepped down as head of the bank on September 1, 2023.
The RBI said it imposed the restrictions “in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems”.
The volume of Kotak’s digital transactions, including credit cards, had grown rapidly recently, adding to the load on the IT system, it said.
According to RBI data, the bank had 5.95 million credit cards and 342,000 debit cards in circulation as of March 2024. “Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill,” the regulator said.
For two consecutive years, the bank was assessed to be deficient in its IT risk and information security governance, the RBI said. During subsequent assessments, it was non-compliant with corrective action plans issued by the RBI in 2022 and 2023. The compliance statements submitted by the bank were inadequate, incorrect or not sustained, the regulator stated.
Over the past two years, RBI had continuously engaged with high-level bank officials to strengthen its IT resilience, “but the outcomes have been far from satisfactory”, the regulator stated. The bank will undertake a comprehensive external audit with the regulator’s approval, and restrictions will be reviewed based on the “remediation of all deficiencies” pointed out in the external audit and the RBI’s observation in the inspection report.