Indian banks are slipping on a banana peel of tech adoption

The latest casualty is Kotak Mahindra Bank. Last week, the regulator ordered what was until recently India’s fourth-largest lender by market value to stop taking new customers via its online and mobile banking channels and refrain from issuing fresh credit cards. The Reserve Bank of India (RBI) said it had found “serious deficiencies” in how the bank manages user access, vendor risk and data security. This is stiff punishment. More than 98% of the transaction volume in Kotak’s savings accounts were from digital or non-branch methods in the December quarter; 99% of new credit cards and 95% of personal loans it sold were also online. While Kotak says it has already taken some steps and will “swiftly resolve balance issues at the earliest,” the brazenness of last year’s scam at UCO Bank is likely to make RBI cautious in lifting the ban. UCO is a small, state-owned lender based in Kolkata. Last November, it found some customers had got nearly $100 million via interbank electronic fund transfers, but accounts at the sending institutions hadn’t been debited.

This month, investigators said that this was no error, but a scam. A couple of outside engineers had allegedly fiddled with UCO’s servers, creating money out of thin air, and crediting it to different accounts. Several account holders made “wrongful gains by withdrawing the proceeds,” according to the bank’s police complaint.

This is the crux of the issue. RBI’s press release highlighted “frequent and significant outages in the last two years” in Kotak’s services that inconvenienced customers. While these are annoying, the big risk is a UCO Bank-type scenario where the same money can be spent twice because it shows up in two accounts. If something like that happens at scale, it could pose serious risks to financial stability. All benefits from digitization pale in front of such a threat.

Digitization has undoubtedly brought benefits, particularly to non-state-owned lenders. Take Kotak, which now has 8.5% of the deposits of State Bank of India (SBI), compared with less than 6% seven years ago. This gain didn’t take a commensurate expansion in physical presence. SBI has added nearly 5,000 branches since 2016 — 10 times as many as Kotak. Even as they have gained from it, banks paid insufficient attention to tech. In December 2020, RBI barred HDFC Bank, India’s largest private lender, from issuing new credit cards and launching fresh digital initiatives. The card ban was lifted after eight months; the digital blockade lasted over a year.

This isn’t just an Indian problem. Singapore’s DBS Group, which has aspired to rank alongside some of the world’s most admired tech brands, has also stumbled on small things like an overheated data centre.

In India, fintech sped up money transactions, but it has also meant complexity. An otherwise staid banking system, running software on servers on bank premises, faces a tsunami of tiny transactions coming via intermediaries that mostly do cloud computing. A widely used smartphone-based protocol, UPI, logged more than 100 billion transactions last year. There are some 50 million merchants accepting online money via QR codes, but the regulator isn’t sure if all are legit. Fast and furious may have opened the floodgates to fraud.

A rattled RBI is in a mood to punish. Earlier, it instructed Paytm, the homegrown payments pioneer, to freeze its banking business because of persistent non-compliance. Separately, it asked Visa Inc to stop the use of its business cards for commercial payments with a fintech firm in between.

Drastic supervisory steps may be necessary at times, but they will not be enough. The Indian regulator needs to update its own understanding of technology—the last edition of RBI’s 164-page financial stability report devoted a mere four paragraphs to digital safety, even though the central bank’s survey showed cybersecurity as a “high-risk” category.

Threat levels are rising. A 2022 study by DeepStrat, a New Delhi-based consulting firm, had raised concerns about what it called a “fraud stack”—a large number of bank accounts “controlled by crime cartels without their owners being aware of their identities being misused,” as explained by Anand Venkatanarayanan, one of the report’s authors.

In one instance, the customer’s address in a bank’s records was the same as that of the bank branch. When such mule accounts hide in plain sight, attacks become highly probable. ©bloomberg