The story so far: The Reserve Bank of India (RBI) on April 24 barred Kotak Mahindra Bank (KMB) from onboarding new customers on its online and mobile banking channels, and issuing fresh credit cards. It would however be allowed to provide these services to its existing customers. The RBI stated the actions were necessitated because of deficiencies observed in the private lender’s IT systems and controls commensurate to its growth. KMB’s CEO Ashok Vaswani stated recently the bank was in continuous dialogue with RBI to attain the desired compliance outcomes.
What are these actions based on?
RBI observed “serious deficiencies and non-compliances” concerning KMB’s IT inventory and user access management, data leak and leak prevention strategy, business continuity and disaster recovery rigour and drill, among other things. This was based on the regulator’s examination of the private bank’s systems for two years, that is, 2022 and 2023. The regulator said KMB continually failed to address concerns in a “comprehensive and timely manner”. The bank was also deemed non-compliant with RBI’s subsequent recommendations or ‘Corrective Action Plans’ (CAPs). CAPs are part of an intervention scheme of the RBI to ensure robustness of regulated entities.
As per the RBI, the compliances submitted by KMB were either “inadequate, incorrect or not substantiated”. Further, in the absence of robust IT infrastructure and risk management systems, its online and digital banking channels have suffered “frequent and significant outages in the last two years”. The latest incident happened on April 15. In a post on ‘X’, the bank’s customer care representative informed that its technical servers were experiencing “intermittent slowness”. The current measures would be reviewed in an external audit to be commissioned by the bank with RBI’s approval to assess remediation undertaken.
Is this a first?
No. The RBI, like its peers world over, has been particularly wary of how digital banking and the overall financial landscape functions. In December 2020, the regulator had ceased HDFC from launching any new digital products and sourcing new credit card consumers. This was also based on a two-year assessment that had come across recurrent incidents of outage in its internet and mobile banking platforms, alongside payment utilities. The restrictions were lifted more than a year later in March 2022 after a successful remediation.
On similar lines, the RBI in October 2023 directed the Bank of Baroda to suspend any fresh onboarding of customers onto its ‘bob World’ mobile application. This was also based on “certain material supervisory concerns” with the RBI demanding the rectification of observed deficiencies.
What about the bank’s financials?
According to S&P Global Ratings, the regulatory action may set back the bank’s credit growth and profitability. It added that credit cards are among the higher-yielding target growth segment of the bank. The portfolio grew 52% YoY as on December 31 last year compared with a total loan growth of 19%. “Action by the Reserve Bank of India (RBI) this week could push the bank to rely more on physical branch network expansion to supplement growth thus entailing higher operating costs,” its note read. However, the agency maintained that RBI’s action will not “materially affect” its ratings. This is because credit cards accounted for only 4% of the bank’s total loans at the end of the year and it would still be able to cross-sell its products.
The banks’ net profit in the fourth quarter rose 18% to ₹4,133 crore from ₹3,496 crore in the year-ago period. This was on the back of a 13% YoY growth in net interest income at ₹6,909 crore. Importantly however, the CEO Mr. Vaswani stated that while the financial impact (from the RBI action) is expected to be minimal, he was more worried about the “reputational impact”. Earlier, Mr. Vaswani had listed previous efforts taken by the bank to up their tech resilience, including capacity building and addressing risk and resilience. Importantly, he stated that technology expenses accounted for about 10% of their total operating expense.
Kotak Mahindra however had plans to continue investing in their card franchise. As stated in an investor call earlier, its overall credit card advances grew by over 50% on a YoY basis. The plan may now be put on hold. Brokerage services provider Motilal Oswal observed that the ban would bother the growth trajectory of the bank’s retail products. It would also adversely impact their margins and profitability. Its note explained that KMB’s growth trajectory for retail products was aided by a higher mix of digital sourcing and a thrust on unsecured products.
For perspective, the private lender sold 95% of their personal loans and 99% of their (fresh) credit cards by digital means. On the profitability front, Shivaji Thapliyal, Head of Research and Lead Analyst at YES Securities, observed that HDFC ended up losing market share in credit card spends during the time it was barred. S&P anticipates KMB to potentially take a year to fully address RBI’s key concerns. It observed that while the bank has made “significant progress” on technological enhancements, implementing changes and the external audit will take time.