1. Executive Summary
The Reserve Bank of India (RBI) has imposed a monetary penalty on Kotak Mahindra Bank Limited following the Statutory Inspection for Supervisory Evaluation (ISE 2024). The penalty addresses deficiencies in regulatory compliance regarding Basic Savings Bank Deposit (BSBD) accounts, the scope of Business Correspondents (BCs), and Credit Information Company (CIC) reporting.
2. Key Details
| Entity Name | Kotak Mahindra Bank Limited |
|---|---|
| Penalty Amount | ₹61.95 Lakh |
| Order Date | December 11, 2025 |
| Inspection Reference | ISE 2024 (Position as on March 31, 2024) |
| Statutory Provisions | Section 47A(1)(c) read with 46(4)(i) of BR Act, 1949; Section 25(1)(iii) read with 23(4) of CIC (Regulation) Act, 2005. |
3. Violation Analysis & Root Cause (RCA)
The penalty was levied due to three specific areas of non-compliance. Below is the detailed analysis and probable root causes for each.
Violation I: Multiple BSBD Accounts
Observation: The bank opened new Basic Savings Bank Deposit (BSBD) accounts for customers who already held existing BSBD accounts within the bank.
Probable Root Cause (RCA):
- System Logic Failure: The Core Banking System (CBS) likely lacked a “hard stop” or deduplication check at the Customer ID level to detect existing ‘Product Code: BSBD’ tags before opening a new one.
- Sales Process Gaps: Frontline staff may have bypassed existing checks or opened accounts under multiple Customer IDs (UCIC duplication) for the same individual to meet targets.
Violation II: Business Correspondent (BC) Scope
Observation: The bank engaged BCs for activities outside the permitted regulatory scope.
Probable Root Cause (RCA):
- Contractual Ambiguity: Service Level Agreements (SLAs) with corporate BCs may have been drafted too broadly, inadvertently including non-permissible services.
- Vendor Monitoring: Lack of rigorous on-ground audit or “mystery shopping” to verify actual services being rendered by BC agents versus what was approved on paper.
Violation III: Inaccurate CIC Reporting
Observation: Inaccurate borrower information was furnished to Credit Information Companies.
Probable Root Cause (RCA):
- Data Mapping Errors: Mismatch between CBS field definitions and the specific data format required by CICs (e.g., reporting “Days Past Due” or “written-off” status incorrectly).
- Manual Intervention: Reliance on manual data extraction or file conversion processes rather than fully automated straight-through processing (STP) for CIC submissions.
4. Preventive Controls
To mitigate these risks and prevent recurrence, the following controls are recommended:
Technological Controls
- Hard-Stop Logic: Implement a mandatory system check during account opening that queries all existing accounts linked to the PAN/Aadhaar. If a BSBD product code exists, the system must block the creation of another BSBD account.
- UCIC Deduplication: Run nightly batch jobs to identify and merge duplicate Customer IDs based on demographic data to prevent regulatory arbitrage.
Operational Controls
- Automated CIC Reconciliation: Deploy a tool to reconcile data sent to CICs against the CBS data monthly. Any variance >0% should trigger an alert before final submission.
- BC Scope Audits: Institute a quarterly review of BC agreements and conduct random physical audits of BC outlets to ensure they are not cross-selling unapproved third-party products or performing core banking functions restricted to bank employees.
5. Lessons Learnt
For the Banking Sector:
- Financial Inclusion Integrity: BSBD accounts are a specific regulatory vehicle for financial inclusion. Banks must treat them as a unique product class with strict “one-per-customer” rules, not just another savings account variant.
- Vendor Risk Management: Outsourcing to BCs reduces cost but increases compliance risk. The bank remains principal liable; therefore, oversight mechanisms must be as robust for BCs as they are for bank branches.
- Data Integrity is Non-Negotiable: With the RBI increasing focus on credit data accuracy, banks must move away from manual “maker-checker” processes for reporting to automated, validated pipelines.