The Reserve Bank of India has given a directive to Kotak Mahindra Bank Limited, barring it from taking on board new online customers and issuing new credit cards, with immediate effect. The bank shall, however, continue to provide services to its existing customers, including its credit card customers," the RBI said in a release.
The RBI has cited grave concerns stemming from its examinations conducted over the past two years, revealing "serious deficiencies" and non-compliances across various crucial areas of IT governance. These areas were identified as IT inventory management, patch and change management, user access management, vendor risk management, data security and dataleak prevention strategy, business continuity and disaster recovery rigour and drill, etc.
Despite continuous engagement and high-level discussions aimed at bolstering IT resilience, the bank's persistent failure to address these concerns in a timely and comprehensive manner necessitated decisive action from the regulator. All this highlights the critical importance RBI places on robust and sustainable IT systems that are at the core of the accelerating growth of digital banking.
The RBI's action against Kotak Mahindra Bank, following similar actions taken earlier against HDFC Bank and Paytm, amongst others, clearly demonstrates that the regulator does not hesitate to intervene against errant entities, regardless of their size or prominence in the sector. This is reassuring for it shows that no institution is above the law and that safeguarding the integrity of the financial system is paramount.
Other banks are expected to take a cue from the intervention and put their house in order. This move also highlights a fundamental concern: the evolution of banking must be paralleled by the evolution of IT and digital infrastructure. While new-age private banks initially established strong IT frameworks to carve out niche markets and attract customers, the urgency for system upgrades is now imperative. In today's landscape marked by the proliferation of cyber threats, data confidentiality imperatives, and exponential digital transaction growth, the stakes for robust IT systems and procedures have never been higher.
The RBI's statement highlights a worrisome scenario where consumers are placed at risk due to the bank's significant non-compliance with Corrective Action Plans issued for the years 2022 and 2023. This failure not only undermines the integrity of the bank's operations but also erodes consumer trust in the concept of digital banking. Most banks possess the capability to invest intechnology and digital assets, yet the successful operation of banking functions in the digital era necessitates more than just technological acquisitions. It requires the development of innovative operational processes that prioritise consumer service within the regulatory framework. This entails continuous training of personnel to understand consumer preferences and adapt to evolving consumer behaviour.
Furthermore, the challenge lies in recognising that the sanctity of the banking sector cannot be assumed without remaining relevant to consumers. Thus, the Indian banks must continuously strive to meet the ever shifting needs of their customers to maintain their position in the industry. But why wait for two years to decide if the regulated entity is complying with its regulatory requirements or demands imposed for better systemic behaviour? While it's understandable that regulatory supervision may lag behind regulatory developmental speed to an extent without compromising financial stability, the rapid escalation of consumer and transaction volumes in the digital era makes even minor delays disconcerting. It is worrying that regulatory actions are delayed until significant shortcomings emerge.
While it's crucial for supervisory actions to undergo thorough scrutiny and objective assessment evaluation by the RBI, the potential cost to consumers of delayed intervention could become a pressing concern in today's digital landscape. In social media era, consumer complaints online should also act as input for RBI to seek information from its regulated entities. Call it suo-motu supervision.
RBI has been the chief catalyst of digital finance in India, starting with digital payments. By no means is the RBI lax, but it needs to improve speed of its supervisory actions on errant entities. It is important for the RBI to strike a balance between thorough supervision and swifter regulatory action, particularly in an environment where consumer and transaction volumes are accelerating at an unprecedentedpace.
Dr Srinath Sridharan is a policy researcher and corporate adviser. X: @ssmumbai
