RBI orders Kotak Bank to stop onboarding online, mobile banking and credit card customers

The latest regulatory action on the fourth largest private sector lender comes after similar actions on a number of others in the same space. But this is the biggest punitive action on a large commercial bank.

MUMBAI: In a major blow to Kotak Mahindra Bank, the Reserve Bank of India on Wednesday ordered it “to cease and desist, with immediate effect, from onboarding new customers through its online and mobile banking channels as well as from issuing fresh credit cards.”

The latest regulatory action on the fourth largest private sector lender, whose founder Uday Kotak is the richest banker in the whole of Asia and has been trying to play the role of the thought-leader of the domestic private sector banking space, comes after similar actions on a number of others in the lending/payments space. But this is the biggest punitive action on a large commercial bank.

“These actions are necessitated based on significant concerns arising out of Reserve Bank’s IT examination of the bank for the years 2022 and 2023 and the continued failure on its part to address these concerns in a comprehensive and timely manner. Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill etc.,” the regulator said.

The monetary authority, however, said the third largest private sector lender shall continue to provide services to its existing customers, including its credit card customers.

In a late evening statement, the bank management said, “The bank has taken measures for adoption of new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve other issues at the earliest.”

The statement further said the bank wants to reassure customers of uninterrupted services, including credit cards, mobile and net banking. “Our branches continue to welcome and onboard new customers, providing them with all services, apart from issuance of new credit cards,” it said.

Earlier, in late January, the RBI had banned Paytm Payments Bank from continuing with nearly all of its business. First, the RBI asked it to stop onboarding customers from March 1. Later, the deadline was extended to March 15, virtually shutting it out of business for a slew of regulatory breaches, including of the all-important KYC norms.

In early March, the monetary authority banned nonbank player IIFL Finance from continuing with its large gold loan business, and within a week, it banned JM Financial from continuing its loan against shares business.

A few years ago, the RBI had asked HDFC Bank, the market leader in credit cards, not to onboard new credit card customers, citing poor IT infrastructure. The action on Kotak is also for similar breaches.

For Uday Kotak, who began as a bill discounting agent as a young man in the 1980s and then moved to stockbroking, then into NBFC and finally into commercial banking in the late 1990s, trouble with the RBI peaked in August 2018, when, under the banking regulation norms, he was supposed to pare his stake to 20 percent by the 15th year of operation. But the route he adopted was to issue nonconvertible perpetual noncumulative preference shares, which are equity but subordinate securities.

In August 2018, Kotak sought to lower his stake to 20 percent, as stipulated, by selling nonconvertible perpetual noncumulative preference shares to a group of investors earlier in August.

The RBI under Urjit Patel rejected the method saying "it does meet their promoter holding dilution requirement." But in a regulatory filing, the bank defended the sale, saying it believed that the stake dilution plan met the RBI requirement, and gave an assurance that it would continue engaging with the central bank over the issue.

Soon the bank moved the court and later the matter was settled out of court, wherein Kotak got more time to pare the stake.

Another issue was his sudden decision to exit the bank as managing director in October 2023, months before his RBI-curtailed term was to end in December. The tussle with Mint Road continued when the RBI rejected all the internal names suggested by the bank management and chose a complete outsider, Ashok Vaswani, formerly of Citigroup and more recently at Barclays, in October 2023.

Further explaining the reasons for the drastic action, the RBI said that for two consecutive years, the bank was assessed to be deficient in its IT risk and information security governance, contrary to the requirements under regulatory guidelines. During the subsequent assessments, the bank was found to be significantly non-compliant with the corrective action plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained.

In the absence of a robust IT infrastructure and IT risk management framework, the bank’s core banking system and its online and digital banking channels have suffered frequent and significant outages in the last two years, a recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences, the circular said.

"The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth," the central bank said.

In the past two years, the Reserve Bank has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory, it said. It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems, it added.

“The Reserve Bank, therefore, has decided to place certain business restrictions on the bank as mentioned above, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems,” it said.

The bank has also been ordered to get “a comprehensive external audit commissioned with the prior approval of RBI.” The bank management was not available for comment immediately.

The New Indian Express