[By Nakshatra Gujrati]
The author is a student of National Law University, Odisha.
Introduction
The Reserve Bank of India (“RBI”) on April 24, 2024 directed Kotak Mahindra Bank Limited (“Bank”) to suspend the onboarding of new customers through its online and mobile banking channels and the issuance of new credit cards (“action”). The action resulted from significant deficiencies and non-compliances on the part of the bank. The RBI in its press release stated “…Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch, and change management, user access management, vendor risk management, data security, and data leak prevention strategy…”. Each of these areas is a core requirement under the newly notified “Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023” (“IT Directions”).
This post aims to analyze the RBI’s actions against Kotak Bank, encompassing its new IT Directions, and their impact on stakeholders. It begins by reviewing the events precipitating the RBI’s intervention. Subsequently, it examines the recent IT Directions and regulatory requirements set forth by the RBI. Thirdly, it investigates the impact of the RBI’s actions on stakeholders, namely banks and customers. Lastly, it offers recommendations to maximize the benefits derived from these IT Directions.
Background of RBI’s Move against Kotak
RBI conducts a Statutory Inspection for Supervisory Evaluation (“ISE”) to assess compliance of regulations by the banks. In 2018-19 an ISE of Kotak Bank was conducted by RBI and it was observed that among non-compliance of its directives, Kotak bank failed to “…credit (shadow reversal) the amount involved in the unauthorized electronic transactions to the customers’ account within 10 working days from the date of notification by the customer, in certain cases…”. This was in contravention of Regulation 9 of the RBI’s directions on “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”. The RBI imposed a monetary penalty of ₹1,05,00,000/- on Kotak Bank for non-compliance with its directives vide an order dated July 04, 2022.
In October 2023, again a penalty of ₹3.95 crore was imposed on Kotak bank by RBI for non-compliance with its directives. Further, Kotak bank had failed to ensure minimum standards of customer service as stipulated in the RBI’s directions on “Customer Service in Banks”.
On April 15, 2024, several users of Kotak Bank complained that they were not able to use its mobile banking services. Some customers were also unable to make payments through the bank’s debit cards and UPI services. Several customers expressed their dissatisfaction with the bank’s services on social media. The RBI took cognizance of this issue. Under Section 35A of the Banking Regulation Act, 1949, the RBI is empowered to issue directions to banks on its own motion in the public interest, in the interest of banking policy, or to prevent the affairs of a bank from being conducted in a manner prejudicial to the interests of its depositors or of the bank itself.
RBI’s Directions on IT Governance and Risk Management
RBI has from time to time via circulars provided directions pertaining to Information Technology (IT) Governance and Risk Management. In November 2023, the RBI consolidated all the circulars on IT Governance and notified “Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023” (“IT Directions”) that came into force on April 1, 2024.
These directions are applicable to all banking companies, non-banking financial companies, credit information companies and foreign banks operating in India. The directions are uniform for these entities, but this post discusses their applicability to banks only.
Analysis of RBI’s IT Directions
Over time, banking has significantly transitioned to e-Banking, making it hard to imagine a bank today without substantial IT involvement in its key processes. The growing customer base has compelled banks to digitalize processes for registrations, transactions, and timely provision of other financial services. While IT in banking offers numerous advantages, the accompanying risks must not be overlooked. For instance, vast amounts of customer data are stored on centrally accessible (often cloud-hosted) servers for quick access, which creates a single, high-value target for breaches and theft of sensitive customer information. In 2022, BharatPe, a digital financial services provider, reportedly experienced a significant data breach, with data of around 150 million customers said to have been stolen.
To address such events, the IT Directions mandate the creation of IT Governance frameworks in banks. Banks must establish an IT Governance framework and an IT Strategy Committee of the Board comprising board members and technical experts with experience in IT and cybersecurity. The objective is to develop an effective IT strategy. The committee must convene at least quarterly to assess IT-related risks periodically. This involves analyzing existing IT-related risks and proactively preparing strategies to mitigate them.
Additionally, a Disaster Recovery policy must be implemented to ensure business continuity in the event of disruptive incidents. Disaster Recovery sites must be established in locations geographically distinct from the primary operating sites so that a single event (a regional power failure, flood or network outage, for example) cannot take down both. These sites should be equipped with the necessary e-surveillance measures. To ensure data security during transmission, the IT Directions prescribe the use of strong encryption and cryptographic controls in accordance with international standards.
Banks are required to establish a Change and Patch Management policy. This involves identifying systems and components that need to be updated or fixed, with a primary focus on applying security updates and bug fixes in a controlled manner while minimizing downtime. Additionally, banks must ensure that their systems continue to support business functions and maintain service availability through such changes. A vendor risk assessment process must also be implemented to ensure that third-party vendors comply with the prescribed standards for safeguarding customer data.
Impact on Stakeholders
The IT directions directly impact the banks and customers and therefore it is crucial to analyze the directions from the viewpoint of both stakeholders.
Impact on Banks
The RBI has repealed 12 circulars to introduce the IT Directions, making it easier to comply with one consolidated direction. As many foreign banks operate in India through their branches, they are instead subjected to a ‘comply or explain’ approach. This gives foreign banks a degree of discretion with respect to the non-mandatory provisions of the IT Directions, as they merely need to explain the reasons for non-compliance. This is to ensure that foreign banks are not placed at a disadvantage.
As Indian banks aim to enter foreign markets, these regulations, based on global best practices, ensure their readiness to comply with IT standards in foreign jurisdictions. Additionally, data breaches are not only detrimental to customers but also harm the goodwill of the banks and their customer base. These directions support the growth of e-banking services by enhancing security and trust.
Impact on Customers
E-banking services and IT have played a crucial role in financial inclusion, making these services accessible to customers and providing banks with a large, stable pool of retail deposits that contribute to their financial robustness. The unavailability of e-banking services can be critical, especially for customers attempting to make payments in hospitals. Cyberattacks and data breaches frequently trace back to non-adherence to basic cybersecurity practices, which underscores the importance of these regulations.
In August 2022, reports surfaced disclosing a massive data breach of BharatPe’s database, which included sensitive financial information of customers and personally identifiable data. The new directions call for cryptographic controls so that, even if stored data is leaked, it remains unusable to the attacker because it is encrypted. This protection holds only as long as the encryption keys are managed separately from the data and are not exposed alongside it, which is why the IT Directions treat key management and access control as part of the same obligation.
Recently, in January 2024, SEBI conducted its operations from a Disaster Recovery site; the exercise was successful and no compromise in services was observed. The same model has been prescribed by the IT Directions and will ensure continuity of business by banks in the event of a disaster affecting their primary site of business.
Suggestions
Banks should conduct Disaster Recovery drills as mandated under the IT Directions to ensure readiness in the event of any threat or disaster. While the IT Directions are promising, they do not address the training of staff employed in banks. Banks should conduct training sessions to educate their employees about modern cyber threats and potential disasters affecting business. This training should focus on raising awareness and instilling a sense of responsibility so that employees can promptly identify and report any threats to the appropriate authorities. Further, the IT Strategy Committee has a pivotal role to play, and it is therefore imperative to have the right people on the committee. The members must not be reluctant to delve into the technical details of a cyber incident, as this helps in better understanding the incident and devising a proper response. External resources that help identify gaps in cyber risk frameworks and provide solutions aligned with international best practices must be leveraged.
Conclusion
The RBI’s action against Kotak Bank underscores the critical importance that the RBI has begun to attach to the IT practices of banks. The increasing frequency and severity of the RBI’s enforcement actions against banks’ laxity towards IT practices suggest that banks will start allocating a higher share of their spending to IT resources. It remains to be seen whether this alone will help banks ensure the safety of customers’ data and the reliability of digital transactions.