India’s Banks And Banking System Are Strong And Stable, Until They Are Not

Just over a week after the RBI effectively ordered Paytm Payments Bank to wind down its operations, Governor Shaktikanta Das assured everyone on February 8 that India's financial sector is “very strong”. The Paytm Payments Bank fiasco was a one-off and limited to a minute fraction of the entire domestic financial system.

On April 24, the central bank said its action against Kotak Mahindra Bank, which came in less than three months from the time it had moved against Paytm Payments Bank (on January 31), was triggered by significant concerns about the private bank’s IT infrastructure and security.

Kotak Mahindra Bank was materially deficient in building necessary operational resilience due to its failure to build IT systems and controls commensurate with its growth, RBI said.

Remarkably, the RBI said it had been forced to act against Kotak Mahindra Bank after two years of “continuous high-level engagement” did not result in the desired outcomes — a pattern similar to what had been the case with Paytm Payments Bank. 

This puts to bed the theory that only the new-age fintech firms are tripping over the RBI’s regulations in their hot pursuit of growth.

Penalties And Bans

Just in the week leading up to the ban on Kotak Mahindra Bank, the RBI penalised as many as 15 co-operative banks with fines totaling Rs 80 lakh for various violations, ranging from those related to Know-Your-Customer norms to directions on basic cyber security framework.

Of course, one can argue that co-operative banks are a minor component of the Indian financial system and are penalised rather regularly. But looking past that whataboutery, we find several large institutions have also been under the RBI’s scanner.

In March, the central bank ordered JM Financial Products to stop lending against shares and debentures after a review found that the company “repeatedly helped a group of its customers to bid for various IPO and NCD offerings by using loaned funds” with “perfunctory” underwriting practices.

A day earlier, on March 4, the central bank had told IIFL Finance to stop sanctioning gold loans or selling any of its gold loans after it discovered several problems with the non-bank’s gold loan portfolio.

In November 2023, sector leader Bajaj Finance was ordered to stop giving loans through two of its products as they didn’t adhere to the digital lending guidelines. The previous month, public sector giant Bank of Baroda saw its mobile app ‘Bob World’ attract the ire of the RBI. 

Key Question

Why is there a surge in regulatory actions? In fact, a better question to ask would be why are the banks running foul of the RBI’s guidelines and expectations, and why are there no resolutions even two years, as the RBI claims, after the deficiencies are found?

The origin of the problem lies in how technology-led banking has evolved in the last decade.

From Internet banking to mobile banking and now to digital payments, the front-ends or the customer-facing interfaces have changed dramatically, whereas core banking has not really changed. 

The volume of transactions has surged in recent years, overloading the core banking backend of banks. System outages have only surged as a consequence and have invited regulatory actions.  

A significant amount of investment would be needed by banks to change their processes and improve their core banking to improve efficiencies. 

If India is to grow the way it intends to in the Amrit Kaal and become a developed country in the next 25 years, the banking sector will be the key cog in getting India there, as its economy will need to grow at least 6 to 7 per cent every year.

The banks will need to make heavy investments in technology across the value chain, which means the bank boards must agree to a glide path for their banks to sacrifice some EBIDTA and even the market share to ensure that required investments are committed to technology in building a future-ready IT backbone. 

The markets should also learn to reward those banks that are ready for the future by tracking banks’ technology-investments-to-revenue ratio instead of just cost-to-revenue ratio. 

At analyst meets, the bankers should be grilled about the details of their technology investments instead of about the fancy digital products they launch. 

If a bank is clearing loan applications in a matter of seconds through its digital channels or is onboarding credit card customers, is the backend ready to take the load?  

In the interim, banks could also consider reducing the load they put on core banking by cleaning up unnecessary data sets stored within it, which leads to lags, transaction pile-ups, and, eventually, outages that inconvenience customers. 

A process called “hollowing the core” is an option where many of the processes to clear a transaction, such as a KYC check, can be done outside of core banking. Only fully cleaned-out information goes to core banking for clearing, so there are no gridlocks.

The challenge is the volume, and the present systems are stretched as a result.

Opaque Orders

A common theme of the RBI’s penalties and banning orders has been the lack of information on the offending entities' violations. Take, for instance, the January 31 winding down order issued to Paytm Payments Bank, which only listed “persistent non-compliance and continued material supervisory concerns” as the reasons for the action.

Even when quizzed on the subject at the post-monetary policy press conference on February 8, Governor Das and his deputies were tight-lipped, saying they did not wish to comment on the actions of any particular regulated entity.

There is good reason for the RBI not to speak publicly about regulatory issues at the entities it presides over, chief among them being the lasting damage that can be caused to a deposit-taking institution's reputation.

However, it is also worth asking why the RBI does not disclose all the relevant information when taking supervisory action against the entities customers choose as worthy of patronage. In contrast, orders of the Securities and Exchange Board of India are far more detailed.

Perhaps the RBI could consider sharing the details after a lag of a few months, which could prove to be instructive for the customers and the banking industry. In the interest of transparency, it could also list out the matrix of likely offences and the graded action they would attract. 

One may wonder why the RBI is imposing monetary penalties on some entries, like PSU banks, and restricting business activities in the case of other banks. 

One only has to spend time on social media platforms to encounter numerous complaints of outages at the digital platforms of some of India’s largest PSU banks.

The RBI should restrict banks' business activities only for security-related issues or severe noncompliance. It should impose monetary penalties for other deficiencies, like outages. 

It is also possible for the RBI to have a system for seeking real-time disclosures from banks regarding their IT infrastructure on a given set of key parameters so that remedial measures and actions can be more prompt than a two-year exchange at the end of which a bank is found guilty of non-compliance through an opaque press release. 

Although software and even hardware are not the same across banks, their functions are similar. The RBI can have a system of real-time monitoring to minimise severe measures against banks and inconvenience to customers.

The policy push for UPI, in addition to banks’ aggressive push for market share, has been creating problems related to security and outages. 

The RBI should release a whitepaper on what it expects from banks on IT infrastructure that has to be fixed in the next 2-3 years before transaction volumes pick up even more. This could be instructive to the banks’ boards and even the markets. It could cover all areas of IT infrastructure in banking. 

It does appear that top technology officials at many are under constant pressure from the regulator and their boards. If there is no reset with a holistic approach from the regulator to the bank boards and to the markets, it could be difficult for banks to retain technology talent.  

It may be worth considering the idea of having a deputy governor with a 5-year term who is exclusively responsible for banks’ IT-related regulation, supervision, and development. This person could be a lateral recruit who understands technology architecture.  

Banks must do a lot, and the RBI must do a lot, too.  

(Kalayan Ram is a Mumbai-based journalist with 30 years of experience in driving coverage of central banking and macroeconomy. Siddharth Upasani has been writing on the same topics for more than a decade. Views expressed are personal)