
RBI’s actions against regulated entities are aimed at enforcing robust risk management

Kotak Mahindra Bank is the latest financial institution to come under the Reserve Bank of India’s (RBI) lens. The central bank’s recent directive bars the Mumbai-based lender from signing up new customers digitally or issuing new credit cards.

The RBI’s action follows some serious shortcomings in Kotak Bank’s IT systems over the last two years. According to the central bank, there have been serious deficiencies and non-compliance by the bank related to IT inventory, patch and change, user access and vendor risk management. There have also been gaps in data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, adds the RBI.

The banking regulator discloses that the private sector lender has not built in adequate operational resilience in its IT systems and controls to match the growth in the business. It points out that the less-than-robust infrastructure has resulted in frequent and significant outages over the last two years.

Kotak Bank is the latest addition to the list of financial services entities that have been reprimanded for multiple shortcomings. HDFC Bank, Bank of Baroda, Paytm, JM Financial and IIFL are some of the organisations that have been at the receiving end of the RBI’s regulatory strictures.

The recent crackdown on Kotak Bank poses a substantial challenge to the bank’s high-profile digital arm, Kotak 811. The digital subsidiary is a major driving force for the bank’s credit card and savings account business. Kotak 811 is a critical part of the lender’s digital business, accounting for nearly 95 per cent of personal loan disbursal, 99 per cent of credit card sales and 79 per cent of new business enrolment.

If Kotak fails to address the central bank’s concerns quickly, it can hurt the lender’s digital banking ambitions and put the lender behind aggressive competitors, such as ICICI Bank, HDFC Bank and State Bank of India. Besides, the central bank’s action will impact the lender’s co-branded card deals and the bank’s growth prospects in the short term.

The central bank’s regulatory action may seem harsh. But it was a required step. Kotak Bank has failed to fix its IT systems even after having been reminded for two years. So, tough curbs are called for. As banking becomes more technology-driven, the risks associated with it are rising rapidly. Consequently, the regulator has little choice but to be more vigilant and act if it believes that any lender’s IT system is not secure.

The RBI’s recent actions against regulated entities clearly show that the regulator is very keen to enforce good risk management, compliance with regulatory guidelines, effectiveness of boards, fairness to customers and good governance. Besides, the regulatory measures are not implemented out of the blue. When issues arise, the RBI engages in bilateral discussions with the lenders concerned for at least a year. The central bank further gives enough time for the entities to rectify their shortfalls. It is only after all these opportunities that the RBI puts restrictions on the entities until they comply with its directives.

Banks are today investing heavily in technology, including artificial intelligence. However, they do not seem to be paying adequate attention to beefing up their basic IT infrastructure. It would not be surprising if more entities are pulled up for similar lapses. In their rush to fulfil their ambitious targets and gain market share, banks seem to be forgetting to adhere to basic norms. Kotak Bank sources a very high share of assets and liabilities digitally, and a high number of savings accounts are opened through its 811 account. Kotak Bank must take this regulatory rap seriously and set its house in order.
