India bank banned from opening new accounts over IT risks • The Register
India’s central bank has banned Kotak Mahindra Bank from signing up new customers for accounts or credit cards through its online presence and app.
The ban came after what the Reserve Bank of India described as “Serious deficiencies and non-compliances … in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc.”
Kotak Mahindra Bank has over 41 million customers and more than $500 billion in assets under management. The Bank’s FY 22/23 annual report [PDF] states that it emphasized “strengthening our security measures” during the year.
The Reserve Bank of India took a dim view of those efforts.
“For two consecutive years, the bank was assessed to be deficient in its IT Risk and Information Security Governance,” the central bank found. Worse still, Kotak Mahindra’s efforts to follow a corrective action plan failed.
“Compliances submitted by the bank were found to be either inadequate, incorrect or not sustained,” according to the Reserve Bank.
Kotak Mahindra’s woes didn’t just annoy the Reserve Bank: customers have been impacted by outages.
The central bank has therefore assessed Kotak Mahindra as “materially deficient in building necessary operational resilience on account of its failure to build IT systems and controls commensurate with its growth.”
And that growth is rapid: Kotak Mahindra won three million new customers for a single credit card product in FY 22/23, and its annual report is replete with mentions of new products and services.
India’s Reserve Bank yesterday decided Kotak Mahindra poses a risk to customers and to “the financial ecosystem of digital banking and payment systems.”
Preventing it from signing new customers so that it can focus on tech improvements was therefore felt necessary.
If Kotak Mahindra can survive an external audit of its systems, the Reserve Bank will consider lifting restrictions.
In a stock market filing Kotak Mahindra bank acknowledged the Reserve Bank’s actions, and promised it has “taken concrete steps to adopt new technologies to strengthen its IT systems and will continue to work with RBI to swiftly resolve balance issues at the earliest.”
The filing also states: “The Bank believes that these directions will not materially impact its overall business.” Investors appear to have liked that – the bank’s share price rose around 1.65 percent yesterday.
The Register has spotted other eyebrow-raising FinTech in India, such as the bank that operated without intrusion detection or prevention systems or a licensed firewall, and another that was censured for failing its obligations to prevent money laundering.
And who could forget that in neighbouring Pakistan, the Federal Board of Revenue admitted it ran on pirated software? ®