The Reserve Bank of India on Wednesday restricted Kotak Mahindra Bank with immediate effect from adding new customers through its online and mobile banking channels and issuing fresh credit cards after finding deficiencies in its information technology system.

Kotak Mahindra Bank can continue to provide services to its existing customers, the central bank said.

The Reserve Bank’s statement said that the directions were necessitated based on significant concerns arising out of its information technology examination of the Kotak Mahindra Bank for the years 2022 and 2023 and the “continued failure on part of the bank to address these concerns in a comprehensive and timely manner”.

“Serious deficiencies and non-compliances were observed in the areas of IT inventory management, patch and change management, user access management, vendor risk management, data security and data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc,” the Reserve Bank said in a statement.

The central bank said that Kotak Mahindra Bank “was assessed to be deficient in its IT Risk and Information Security Governance, contrary to requirements under regulatory guidelines” for two consecutive years. This encompasses the way a company manages its information security requirements.

“In the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences,” the central bank said.

On April 15, customers of the private bank were not able to access banking services for almost 12 hours, NDTV reported.

In its statement on Wednesday, the Reserve Bank said that Kotak Mahindra Bank had been “materially deficient” in building necessary “operational resilience” because of its failure to build information technology systems and controls that were in tune with its growth.

The central bank said that it had been in “continuous high-level engagement” with Kotak regarding the concerns. However, the outcomes had been “far from satisfactory”, it added.

“It is also observed that, of late, there has been rapid growth in the volume of the bank’s digital transactions, including transactions pertaining to credit cards, which is building further load on the IT systems,” the statement said.

Therefore, the Reserve Bank said, it has decided to place business restrictions on the bank, “in the interest of customers and to prevent any possible prolonged outage which may seriously impact not only the bank’s ability to render efficient customer service but also the financial ecosystem of digital banking and payment systems”.

The statement said that the restrictions imposed on Kotak Mahindra Bank would be reviewed after an external audit. The private bank would also have to ensure that the deficiencies that come up in the external audit as well as the observations of the Reserve Bank are remedied, it said.