RBI asks Kotak Mahindra Bank to stop issuing fresh credit cards, onboarding fresh customers via mobile banking

The Reserve Bank of India (RBI) on Wednesday asked Kotak Mahindra Bank to cease issuing new credit cards and onboard new customers through its online and mobile banking channel.

This directive comes as part of regulatory actions taken by the RBI in response to concerns regarding compliance and risk management at the bank.

The RBI, however, directed the bank to continue providing services to its existing customers, including its credit card customers.

"The Reserve Bank of India has today, in exercise of its powers under Section 35A of the Banking Regulation Act, 1949, directed Kotak Mahindra Bank Limited (hereinafter referred to as ‘the bank’) to cease and desist, with immediate effect, from (i) onboarding of new customers through its online and mobile banking channels and (ii) issuing fresh credit cards. The bank shall, however, continue to provide services to its existing customers, including its credit card customers," the RBI statement read.

Why did RBI stop Kotak Mahindra Bank from issuing new credit cards?
The Reserve Bank of India (RBI) has taken decisive action against the bank following significant concerns arising from the central bank's IT examination for two consecutive years i.e. 2022 and 2023. The RBI has noted continued failures on the part of the bank to comprehensively and promptly address these concerns.

For two consecutive years, Kotak Mahindra Bank fell short in its IT Risk and Information Security Governance, contrary to regulatory requirements. Despite corrective action plans issued by the RBI for the years 2022 and 2023, subsequent assessments found the bank to be significantly non-compliant. The compliances submitted by the bank were deemed inadequate, incorrect, or unsustainable.

"Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc. For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under Regulatory guidelines," said RBI.

In light of these findings, the RBI directed Kotak Mahindra Bank to halt the issuance of fresh credit cards and the onboarding of new customers via mobile banking.