India’s central bank on Wednesday ordered Kotak Mahindra Bank to immediately cease onboarding new customers via its online and mobile banking channels and to stop issuing fresh credit cards, citing serious deficiencies in the bank’s IT systems and risk management practices.
Kotak Mahindra Bank is India’s fourth most valuable bank. It’s also one of the key partners for many fintech startups — including KredX and Rupeek — in the country. The lender, also an investor in many startups, additionally works with many fintech firms to extend credit to SMEs and MSMEs and to issue co-branded credit cards.
The lender operates Kotak811, a digital offering that has emerged as its strongest customer acquisition tool in recent years. Kotak811, which allows onboarding of customers digitally and within “three minutes” without paperwork, serves nearly 20 million customers.
The Reserve Bank of India (RBI) said it was imposing the restrictions on Kotak Mahindra Bank because of significant concerns stemming from its IT examinations of the bank for the years 2022 and 2023. The central bank found serious deficiencies and noncompliance in areas such as IT inventory management, patch and change management, user access management, vendor risk management, data security, and business continuity planning, it said.
Existing customers aren’t impacted by the restrictions.
The new restrictions could “severely impact the new retail customer additions for the bank given its smaller branch network vs. peers and higher reliance on digital channels,” analysts at Bernstein noted. The inability to issue fresh cards could impact the bank’s planned shift toward a higher share of unsecured loans “given the important role played by credit cards in achieving that target,” the analysts added.
Despite being under close scrutiny and engaging in high-level discussions with the RBI over the past two years, Kotak Mahindra Bank failed to adequately address these issues and implement satisfactory corrective measures, the central bank said. The bank’s core banking system and digital channels have experienced frequent and significant outages, with the most recent disruption occurring on April 15, 2024, causing severe inconvenience to customers, the RBI added.
The RBI stated that the rapid growth of digital transactions at the bank, including credit card transactions, has put additional strain on the lender’s already weak IT systems. Without a robust IT infrastructure and risk management framework, prolonged outages could seriously impact the bank’s ability to provide efficient customer service, and potentially harm the broader digital banking and payment ecosystem, the central bank cautioned.
The restrictions imposed on Kotak Mahindra Bank will be reviewed upon completion of a comprehensive external audit, commissioned by the bank with prior RBI approval, and the satisfactory remediation of all identified deficiencies, the RBI said.