RBI’s Regulatory Action on Kotak Mahindra Bank: Strengthening IT Governance and Corporate Ethics

The Reserve Bank of India (RBI), exercising its powers under Section 35A of the Banking Regulation Act, 1949, recently directed Kotak Mahindra Bank to cease onboarding new customers through its online and mobile banking channels and to stop issuing new credit cards. This significant regulatory intervention follows persistent deficiencies observed in the bank’s IT risk management and information security systems over the years 2022 and 2023. At the heart of this action is the failure of the bank to build an IT infrastructure capable of supporting its rapid digital growth. The RBI noted that the bank’s systems were frequently plagued by outages, severely impacting customer service. Despite continuous regulatory engagement and warnings, the bank’s remedial actions were found to be inadequate or non-compliant with the regulator's 'Corrective Action Plans.' This highlights a critical gap in corporate governance, where the drive for business expansion seemingly outpaced the commitment to maintaining a secure and robust operational foundation.