The Reserve Bank of India (RBI) directed Kotak Mahindra Bank Limited (KMBL) to cease, with immediate effect, onboarding new customers through its online and mobile banking channels and issuing fresh credit cards. The reason the RBI gave for the action is that serious deficiencies and non-compliances were observed in certain specified areas.
“As per the RBI press release, the action against Kotak Mahindra Bank may have been taken more around the information technology security aspects,” says Ashok Hariharan, Co-Founder and CEO of IDfy, an identity verification company.
What did the RBI say about the handling of customers’ banking data?
As per the RBI’s press release, serious deficiencies and non-compliances were observed in the areas of IT inventory management, user access management, vendor risk management, data security, data leak prevention strategy, business continuity and disaster recovery rigour and drill, etc.
How do the top 10 banks in India handle customer data?
Banks deal with sensitive personal data of account holders and need to ensure its privacy and safety. “As per the Information Technology Act and the Digital Personal Data Protection Act, 2023 (DPDP), banks and other financial institutions have to make sure that the data of the customer is used in the right way, that the data is being stored using a particular security standard, and that the way you use the data and the way the data is stored follow certain standards,” says Hariharan.
However, a recent report by IDfy titled ‘DPDPA Compliance & Indian Banks’, which analysed 25 digital journeys across the top 10 banks in India, found that 9 out of 10 banks did not list the Personally Identifiable Information (PII) they collect in their privacy policy. “70% of all cookies found on a leading bank’s website were for Marketing & Analytics. 0 out of 10 banks asked for explicit consent for marketing and cross-selling cookies,” the report states.
How serious are banks on the Digital Personal Data Protection Act?
The Digital Personal Data Protection Act, 2023 lays out comprehensive guidelines on how customer data is to be handled. “I don’t know whether Kotak Mahindra Bank violated any law or not. But generally speaking, as per the DPDP Act there are three important things to take care of customers’ data. First is that the data should be protected and secured; second is the processes used, i.e. the fiduciary who is processing the data must only process that data for a specific purpose that you have consent for; third is that there must be a way for the data principal to be able to revoke consent.”
For example, if an institution collects data for KYC purposes, that data must be used only for KYC and not for marketing.
According to Nazneen Ichhaporia, Partner, ANB Legal, under the DPDP Act 2023 (which is not yet effective), banks are likely to be classified as ‘Significant Data Fiduciaries’ due to the large volume of sensitive personal data that they process. “Accordingly, as Significant Data Fiduciaries, they would be required to conduct periodic Data Protection Impact Assessment – a systematic process aimed at identifying and minimising the data protection risks associated with the storage and processing of data, and to adopt various privacy enhancing technologies,” she said.
What did the RBI say about information technology governance at banks?
On November 7, 2023, the RBI released its Master Directions on Information Technology Governance, Risk, Controls, and Assurance Practices, which took effect on April 1, 2024. The Master Direction applies to regulated entities (REs), including banks and non-banking financial companies.
“The Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices issued by the RBI provides comprehensive directions to banking companies, NBFCs, Credit Information Companies, and other banking market participants on dos and don’ts in the realm of information technology (IT) Governance, information technology (IT) Infrastructure and Services Management and other important aspects such as cybersecurity,” says Biju Varghese, Partner, Counselence, a law firm.
How serious is the RBI about data privacy and safety?
The RBI has taken action against Kotak Mahindra Bank under section 35A of the Banking Regulation Act, 1949. The Act also empowers the RBI to impose fines on banks for various non-compliances.
“However, the extent of these fines can sometimes be less than what might be considered impactful for larger banks. For instance, under various provisions, the RBI can impose fines ranging from a few lakh rupees to a few crore rupees, depending on the severity and nature of the non-compliance. This is relatively small compared to the banks’ revenues and the potential risk to public and depositor funds. Thus, the RBI might resort to more stringent actions like restrictions on business operations or specific directives to address systemic issues effectively, beyond just financial penalties,” says Tribhuvann.