
The Reserve Bank of India (RBI) has directed Kotak Mahindra Bank Limited (KMBL) to cease, with immediate effect, onboarding new customers through its online and mobile banking channels and issuing new credit cards. The directive follows the RBI’s identification of significant deficiencies and non-compliances in specific areas of the bank’s operations.

As stated in the RBI’s announcement, Kotak Mahindra Bank was found to have serious shortcomings and failures in managing IT inventory, overseeing user access, handling vendor risks, securing data, implementing data leak prevention strategies, ensuring business continuity, and conducting disaster recovery exercises.

According to a recent IDfy report titled ‘DPDPA Compliance & Indian Banks,’ which examined 25 digital interactions from the top 10 banks in India, it was discovered that 9 out of 10 banks did not specify the Personally Identifiable Information (PII) they gathered in their privacy policies. The report also noted that 70% of cookies discovered on a prominent bank’s website were for Marketing & Analytics purposes. Additionally, none of the 10 banks sought explicit consent for marketing and cross-selling cookies. This indicates a potential gap in how these banks handle customer data, particularly concerning privacy and consent.

Banks are expected to take the Digital Personal Data Protection Act of 2023 seriously, as it provides detailed guidelines on handling customer data. For instance, if an institution collects data for KYC (Know Your Customer) purposes, that data should be strictly used for KYC purposes and not for marketing or other purposes.

However, some experts argue that the bank’s failure may lie in its implementation of the ITIL framework, which is an internationally recognized standard offering a structure for managing end-to-end information technology (IT) services.

The RBI issued its Master Directions on Information Technology Governance, Risk, Controls, and Assurance Practices on November 7, 2023. These guidelines, effective from April 1, 2024, were designed for regulated entities (REs) such as banks and non-banking financial companies.

The RBI’s seriousness regarding data privacy and safety is evident in its recent actions against Kotak Mahindra Bank under section 35A of the Banking Regulation Act, 1949. This provision grants the RBI authority to levy fines on banks for different types of non-compliance issues.

Let’s see what the DPDP Act and the ITIL framework are.

The Digital Personal Data Protection (DPDP) Act, enacted in August 2023, is Indian legislation designed to balance individuals’ right to safeguard their personal data with the need for lawful data processing. The Act imposes specific responsibilities on Data Fiduciaries (the entities processing the data) and sets out the rights and duties of Data Principals (the individuals to whom the data belongs). It also establishes financial penalties for violations of its provisions.

The DPDPA 2023 impacts the financial sector in several significant ways, including:

  • Increased Transparency and Accountability – Financial institutions will be required to enhance transparency in their data collection and processing practices. They will also need to take greater accountability for the security of personal data.
  • Enhanced Customer Control – The Act grants customers more control over their personal data, allowing them to access, correct, delete, and restrict the processing of their information.
  • New Safeguards for Sensitive Personal Data – The Act introduces additional protections for sensitive personal data, such as financial information and medical records.
  • Increased Compliance Costs – Financial institutions will face new compliance costs as they will need to invest in new systems and processes to meet the requirements of the Act.

Despite these challenges, the DPDPA 2023 is a positive development for India’s financial sector. It will help protect customer privacy and build trust in the financial system, while also creating a more level playing field for financial institutions.

The Information Technology Infrastructure Library is a comprehensive set of best practices aimed at helping businesses deliver IT services to their customers. This widely adopted framework was originally created by the Central Computer and Telecommunications Agency (CCTA), a government entity in Great Britain, and is currently managed by AXELOS Ltd.

ITIL enables organizations to enhance the value they provide to their customers by aligning IT resources with business objectives. It aids in cost reduction through the measurement, monitoring, and optimization of IT services and service provider performance. Furthermore, ITIL provides a framework for standardizing service management across an organization. Despite the unique nature of each organization’s IT infrastructure and governance, ITIL’s flexible guidelines are designed to assist any organization in achieving its service management goals.

The RBI’s stringent actions against Kotak Mahindra Bank underscore the critical importance of robust IT governance and compliance with data protection laws, such as the DPDP Act. Adherence to frameworks like ITIL can significantly enhance service management and data security, thereby ensuring customer trust and regulatory compliance in the financial sector.
