Supervisory Action against Kotak Mahindra Bank Limited under Section 35A of the Banking Regulation Act, 1949

The Reserve Bank of India has today, in exercise of its powers under Section 35A of the Banking Regulation Act, 1949, directed Kotak Mahindra Bank Limited (hereinafter referred to as ‘the bank’) to cease and desist, with immediate effect, from (i) onboarding of new customers through its online and mobile banking channels and (ii) issuing fresh credit cards. The bank shall, however, continue to provide services to its existing customers, including its credit card customers.

These actions are necessitated based on significant concerns arising out of Reserve Bank’s IT Examination of the bank for the years 2022 and 2023 and the continued failure on part of the bank to address these concerns in a comprehensive and timely manner. Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc. For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines. During the subsequent assessments, the bank was found to be significantly non-compliant with the Corrective Action Plans issued by the Reserve Bank for the years 2022 and 2023, as the compliances submitted by the bank were found to be either inadequate, incorrect or not sustained.

In the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences. The bank is found to be materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth.

In the past two years, the Reserve Bank has been in continuous high-level engagement with the bank on all these concerns with a view to strengthening its IT resilience, but the outcomes have been far from satisfactory. It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems.

The Reserve Bank, therefore, has decided to place certain business restrictions on the bank mentioned above, in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems.

The restrictions now being imposed will be reviewed upon completion of a comprehensive external audit to be commissioned by the bank with the prior approval of RBI, and remediation of all deficiencies that may be pointed out in the external audit as well as the observations contained in the RBI Inspections, to the satisfaction of the Reserve Bank. Further, these restrictions are without prejudice to any other regulatory, supervisory or enforcement action that may be initiated against the bank by the Reserve Bank.