For the last five years, the capital market in contrast to the Bank Nifty has been signalling a major concern with Kotak Mahindra Bank (KMB), with a stagnant share price and a secular de-rating of the bank’s price-to-book value multiple. But it is only now that sell-side analysts and banking commentators are awakening to the grave governance failure at the highest level in the bank, something the banking regulator has finally and publicly acknowledged. >
Kotak Mahindra Bank price-to-book-value (P/BV) and share price history for last five years>
>
Bank Nifty Index and P/BV>
The uncharacteristically strong language used by the Reserve Bank of India (RBI) in its public rebuke of KMB, and the severe business constraints imposed on the bank (no onboarding of new online/mobile customers and no additional issue of fresh credit cards) are a damning indictment of the entire board of directors of KMB, and in particular its promoter and former CEO Uday Kotak. Kotak stepped down as CEO on September 1, 2023, and at present he is a non-executive, non-independent director of the bank.>
The regulator has described the bank’s information technology (IT) in harsh terms – using language such as “significant concerns”; “continued failure…to address these concerns”; “serious deficiencies and non-compliances” in all aspects of IT; “two consecutive years the bank was assessed to be deficient in IT Risk and Information Security Governance”; the bank was found to be “significantly non-compliant with the Corrective Action Plans” of the RBI; and the compliance reports submitted were “found to be to be either inadequate, incorrect or not sustained.” >
The regulator’s description of its concerns points to not only a non-functional IT but, more worryingly, the inability or unwillingness of the board of directors of KMB to address this issue, which has persisted for two years.
The banking regulator has been giving importance to the board of directors’ direct oversight of IT governance since its April 29, 2011 circular which recommended the setting up of an IT Strategy Committee (ITSC) to ensure IT expertise and board participation at the highest level in a bank. The report laid down the powers, role and responsibilities of this board-level committee. More than 12 years later, on November 7, 2023, the RBI made it mandatory for banks to have an ITSC. >
Most banks including government banks set up their ITSC even prior to November 7, 2023. State Bank of India (SBI) had set up its IT committee in August 2004, many years prior to the RBI’s 2011 guidelines. The ITSC may also have external IT specialists (as, for example, in HDFC Bank) to provide the board the required expertise in this specialised and crucial field. It is therefore shocking that KMB did not have an ITSC, as disclosed in its FY2022 annual report.
KMB’s FY2023 annual report mentions that the bank has an IT Strategy and Digital Payments Promotion Committee (p. 82). However, there is no disclosure of this committee’s particulars or its members in the place one would expect to find it: the dedicated section (p 273-287) in the annual report on the various committees of the board, which provides details of the roles of the committees, their members, members’ attendance track record, and the number of meetings held.
The KMB’s web page mentions the committee and discloses that its members are Uday Shankar (chairman), Eli Leenars (appointed on the board on January 1, 2024) and Ashok Vaswani (CEO, who joined the board on January 1, 2024). Pertinently, both Leenars and Vaswani joined the board only four months ago. By contrast, in a sample of annual reports of SBI, HDFC Bank, ICICI Bank and Axis Bank for FY2022 and FY2023, there are specific disclosures of the members of the ITSC, their attendance record and the number of meetings held during the year.>
The lack of disclosure in KMB’s FY2022 and FY2023 annual reports on the board of directors’ direct oversight of IT through its committee is extremely worrying. In the absence of the ITSC, the KMB board had minimal direct oversight of IT at a time when a substantial share of incremental business was coming from the bank’s ‘811’ digital business, and RBI was finding major problems in the bank’s IT.>
KMB’s 811 Digital Contribution to Incremental Business in FY2023 >
In banks, all communication from the banking regulator is presented to the board of directors by the executive, and significant concerns are normally examined in depth by the specific board committee and the audit and risk committees of the board. In KMB, in the absence of the ITSC in FY2022, and with no details disclosed of its IT Digital Payments Promotion committee in FY2023, it remains a mystery why the audit committee and risk committee were unable to satisfy the RBI on the issues raised by it. The audit committee was chaired by Uday Khanna, and had Ashok Gulati, Ashu Suyash and C Jayaram as its members in FY2022 and FY2023; the risk committee was chaired by Ashok Gulati, and had as its members Prakash Apte (chairman of the board), Ashu Suyash, Uday Kotak (promoter-CEO) and C S Rajan (only in FY2023).>
Kotak Mahindra Bank’s Audit Committee FY2022 and FY2023 >
In FY2022 and FY2023, the KMB board had three directors with a disclosed expertise in IT: Uday Shankar, independent director appointed on the board on March 2019; Dipak Gupta, joint managing director, joined the board in October 1999 and retired on December 31, 2023 as CEO; and KVS Manian, executive director, and appointed to the board on November 2019. It was the responsibility of these three directors to examine the IT issues raised by the RBI, and educate the board on the gravity of the issue and how to manage and resolve the issue. >
Of the two executive directors with an expertise in IT, Dipak Gupta retired in December 2023 while Manian submitted his resignation on April 30, 2024, 6 days after RBI’s censure and Vaswani, CEO, KMB accepted his resignation with immediate effect. Media reports indicated that Manian was joining another bank as CEO, but interestingly, at the press conference for the bank’s 4QFY2024 results on May 4, 2024, Vaswani, responding to a media query regarding Manian’s exit, said, >
“To the best of my knowledge, Manian doesn’t have anything in his hand right now … Obviously, you’ll have to ask Manian that question, but I’m not aware of anything like that.”>
While KMB has reassured stakeholders that the RBI’s punitive action, “will not materially impact its overall business,” it has remained silent on a key tenet of the free market, namely the issue of accountability. Who has to be held accountable for the IT fiasco which has resulted in a loss of US$ 5.2 bn in market capitalisation for shareholders and a loss of reputation? If the RBI’s concerns were placed before the board, then the board is responsible, but ultimately, Uday Kotak as promoter-CEO during FY2022, FY2023 and part of FY2024 has to be held accountable. The IT compliance reports that were going to the RBI had to have had his approval before the board gave its endorsement. Yet the RBI found persistent failure by KMB to address these issues, and the compliance reports approved by the CEO and the board were found by the regulator to be “incorrect, inadequate and not sustained.” In the light of the RBI action, stakeholders in KMB need to reconsider Uday Kotak’s continued presence on the board of directors. >
In the past, when the regulator took punitive action on a regulated entity, the affected company immediately held a conference call with the media and analysts to explain the situation, and talked of possible remedial measures to resolve the regulator’s concerns and reassure stakeholders. But in the case of KMB, after the RBI announced its action on April 24, 2024, the bank did not undertake any special call, and decided to wait for the already announced 4QFY2024 results conference call on May 4, 2024. KMB, under the leadership of Vaswani, who has digital banking expertise could have held a call during the ‘silent period’ as a specific and highly material issue had arisen. In the interim, the share price tanked by 16%, as compared with a 0.3% increase in the Nifty-50 index.
>
RBI Action on Banks and Conference Calls Held by the Concerned Banks >
Even as the RBI was engaging with KMB on its persistent unresolved concerns regarding all aspects of IT, and finding the bank to be “deficient in its IT Risk and Information Security Governance” in FY2022 and FY2023, KMB in its FY2023 annual report was stating, >
The Bank has committed significant resources to manage technology risk. A layered technology architecture is implemented to manage risks due to system failures, cyber-attacks etc. Disaster recovery and Business Continuity Plans (BCP) have been established and various functional and technology initiatives have been taken to enhance system resiliency.>
Not only did KMB and its board of directors not have direct oversight of IT in FY2022 as it lacked an ITSC and minimal oversight in FY2023, it failed to provide the slightest inkling to shareholders that the regulator had major issues with the bank’s entire IT infrastructure, instead the bank even complimented itself on corporate governance and said (p. 263 FY2023 annual report)>
The Bank is committed to achieving and adhering to the highest standards of Corporate Governance and ethical practices and constantly benchmarks itself with best practices, in this regard, strengthening its governance practices. The Bank’s philosophy on Corporate Governance is, therefore, based on the core principles of Accountability and Responsibility, Integrity, Independence, Leadership, Excellence, Fair, Transparent and timely dealings and disclosures, Equality, Sustainability and Social Responsibility.>
Needless to say, after the RBI’s strong rebuke and the steep fall in the share price, all stakeholders in the bank are fully aware of the extent of KMB’s commitment to the highest standards of governance, accountability, transparency and best practices. When there is a wide divergence between the commentary in the annual report (which is endorsed by the board of directors) and actual events, the credibility of both the executive and the board of directors is suspect.>
While some stakeholders may interpret RBI’s punitive action for KMB’s inadequate IT systems and protocols as restricted to only what is specified by the regulator, the last sentence of RBI’s press release is quite ominous. It states,>
Further, these restrictions are without prejudice to any other regulatory, supervisory or enforcement action that may be initiated against the bank by the Reserve Bank.>
The regulator is cautioning stakeholders that there may be a possibility of further punitive regulatory action, either for some other inadequacies or for continued failure by the board of directors to take the IT issues seriously. In the case of RBL Bank in December 2021, the RBI appointed a serving RBI officer under Section 36AB of the Banking Regulation Act, 1949 as a director on the bank. In such a case, the RBI effectively takes operational control of the bank, and the CEO and the rest of the board of directors’ relevance becomes less. >
This analyst has repeatedly maintained that the major risk in KMB is in its board room, and the undue influence of the promoter. The KMB board of directors openly defied the RBI when the regulator wanted Uday Kotak to reduce his equity stake in the bank, and even took the regulator to court in December 2018. KMB managed to obtain an out of court settlement on terms favourable to the promoter. In a brazen display of nepotism, the KMB board of directors in January 2021 endorsed the appointment of the then 32-year old Jay Kotak (the son of Uday Kotak), with only 3 years relevant work experience, as a co-business head of the bank’s 811 digital initiative, the technology performance of which the RBI has thoroughly exposed. In the electoral bonds disclosure, a Kotak family entity in which the bank had a 49% equity stake, and the bank’s Chief Financial Officer was a director, donated Rs 1.3 bn (FY2019-FY2022) to political parties, of which a minimum of Rs 600 mn was given to the ruling BJP at the Centre. It is not known whether the KMB board was informed that a company related to the bank and where the promoter family had a majority stake was making substantial monetary donations to political parties. Perhaps the board was aware, but did not seem to mind that such donations are undertaken for securing benefits in return.
>
Sell-side Analyst Consensus Recommendations on KMB>
The RBI’s action on KMB’s abysmal IT systems and protocols exposes the poor governance standards at the highest levels of the bank. While the banking regulator has publicly acknowledged it, sell-side analysts, media and credit rating agencies still choose to remain oblivious to the huge governance risk residing in KMB’s board room. The secular de-rating of KMB’s price to book value ratio in the last five years is indicative that the capital market senses something is rotten. Whether the KMB board of directors detects and addresses the stench before it is too late, and the RBI steps in, remains to be seen. >
Note: A questionnaire was sent to KMB but the bank declined to respond. >
Hemindra Kishen Hazari, is a Securities and Exchange Board of India (SEBI) registered independent research analyst. He owns equity shares in all the banks mentioned in the article.>