Select Page

After being saddled for years with the biggest bundle of bad loans anywhere in the world, the Indian financial system had only recently found its footing. But with profitability at a decade high and capitalization well in excess of the regulatory minimum, the country’s banks have begun slipping again. This time, they’re falling on the banana peel of technology.

The latest casualty is Kotak Mahindra Bank Ltd. Last week, the regulator ordered what was until recently India’s fourth-largest lender by market value to stop onboarding new customers through its online and mobile banking channels and refrain from issuing fresh credit cards. The Reserve Bank of India said it had found “serious deficiencies” in how the bank manages user access, vendor risk and data security.

This is a pretty stiff punishment: More than 98% of the transaction volume in Kotak’s savings accounts were from digital or non-branch methods in the December quarter; 99% of new credit cards and 95% of personal loans it sold were also online.

While Kotak says it has already taken some measures and will “swiftly resolve balance issues at the earliest,” the sheer brazenness of last year’s scam at UCO Bank is likely to make the RBI very cautious in lifting the ban. UCO is a small, government-owned lender based in the eastern city of Kolkata. Last November, it discovered that some customers had received nearly $100 million via interbank electronic fund transfers, but accounts at the sending institutions hadn’t been debited.

Also Read: Kotak Mahindra Bank is the latest student in RBI’s classroom

This month, federal investigators said that this was no error, but a scam. A couple of outside engineers had allegedly fiddled with UCO’s servers, creating money out of thin air, and crediting it into different accounts. Several of the account holders have made “wrongful gains by withdrawing the proceeds,” according to the police complaint filed by UCO Bank.

This is the crux of the issue. The RBI’s press release highlighted “frequent and significant outages in the last two years” in Kotak’s services that inconvenienced customers. While these are indeed annoying, the bigger risk is a UCO Bank-type scenario where the same money can be spent twice because it shows up in two accounts. If something like that starts happening at scale because of malfeasance or negligence, it could pose serious risks to financial stability. All benefits from digitization pale in front of such a threat.

And digitization has undoubtedly brought benefits, particularly to non-state-owned lenders. Take Kotak, which now has 8.5% of the deposits of State Bank of India, compared with less than 6% seven years ago. This increase in market share hasn’t required a commensurate expansion in physical presence. SBI, the largest deposit-taking institution, has added nearly 5,000 branches since 2016 — 10 times as many as Kotak.

Even as they have gained from it, banks have not paid as much attention to technology as they should have. In December 2020, the RBI barred HDFC Bank Ltd., the largest private-sector lender, from issuing new credit cards and launching fresh digital initiatives. The card ban was lifted after eight months; the digital blockade lasted more than a year.

This isn’t just an Indian problem. Singapore’s DBS Group Holdings Ltd., which under Chief Executive Officer Piyush Gupta has aspired to rank alongside some of the world’s most admired technology brands, has also stumbled on small things like an overheated data center. Recurrent glitches have become such a serious issue with customers, regulators and investors that even after delivering a return on equity of 18%, Gupta took a 30% cut in his variable pay.

In India, fintech has sped up money transactions, but it has also introduced complexity. An otherwise staid banking system, running its software on servers stored on its premises, is suddenly having to cope with a tsunami of small transactions coming via intermediaries that do most of their computing in the cloud. A widely used smartphone-based protocol, known as Unified Payments Interface, logged more than 100 billion transactions last year. There are some 50 million merchants accepting online money via QR codes, but the regulator isn’t sure if all of them are legit. Fast and furious may have opened the floodgates to fraud.

A rattled RBI is in a mood to punish. Earlier this year, it instructed Paytm, the homegrown payments pioneer, to freeze its banking business because of persistent non-compliances. Separately, it also asked Visa Inc. to stop the use of its business cards for commercial payments where a fintech is in the middle.

Drastic supervisory steps may be necessary at times, but they won’t be enough. The regulator needs to update its own understanding of technology — the last edition of the RBI’s 164-page financial stability report devoted a mere four paragraphs to digital safety even though the central bank’s survey showed cybersecurity as a “high-risk” category.

The threat levels are indeed rising. A 2022 study by DeepStrat, a New Delhi-based consulting firm, had raised concerns about what it called a “fraud stack” — a large number of bank accounts “controlled by crime cartels without their owners being aware of their identities being misused,” says Anand Venkatanarayanan, one of the report’s authors. In one instance, the customer’s address in a bank’s records was the same as that of the bank branch. When such mule accounts hide in plain sight, attacks become highly probable.

Customers deserve better, as do investors in India’s banks.

(Disclaimer: The opinions expressed in this column are that of the writer. The facts and opinions expressed here do not reflect the views of www.economictimes.com.)

  • Published On Apr 30, 2024 at 01:38 PM IST

Join the community of 2M+ industry professionals

Subscribe to our newsletter to get latest insights & analysis.

Download ETBFSI App

  • Get Realtime updates
  • Save your favourite articles

icon g play

icon app store


Scan to download App
bfsi barcode

Share it on social networks