HDFC Bank’s Digital Disaster: No Recovery Plan?

1
11153
Source: RBI’s guidelines on Business Continuity Planning, the equivalent of a Disaster Recovery Plan

In the first 2-3 working days of December, 2019 Asiamoney’s ‘Best Digital Bank’ for 2019 in India failed its digital customers: they were unable to log onto either the bank’s mobile application or its internet banking platform. The problem recurred on December 7. That India’s number 1 bank by market capitalisation, a favourite of foreign investors, could have such an extended technology breakdown at a time when 92% of their customers initiate transactions through digital indicates that the bank’s much publicised and fabled Digital 2.0 strategy not only has critical infirmities, but, most worryingly, it has an unreliable disaster recovery plan.

For the bank’s digital customers, it was bad enough that they were unable to transact, but it was compounded by a lack of transparency by HDFC Bank. The bank’s highly experienced public communications department took a vow of silence, and did not issue a single press release on the subject to assure customers and the public. The bank deemed it fit instead to communicate through Twitter. To date the bank has not informed depositors of the reasons for the technology breakdown, nor has it provided any assurances to compensate customers who had to make online payments such as mortgages and credit card bills falling due on those dates. This brazen disregard for customers’ losses on account of the bank’s own technology failing is a major reputational risk for the bank, and poses a risk to the economy, as the bank is classified as a systemically important bank with significant market share on payment platforms.

HDFC Bank Press Releases November 27 – December 5, 2019

Source: HDFC Bank

Unfortunately, this breakdown was not an isolated incident. A year ago, the bank launched a new mobile application which failed, causing considerable anguish to the bank’s digital customers. In such cases, the bank’s disaster recovery plan should have kicked in, but, shockingly for HDFC Bank, in both instances it did not, raising a huge red flag. In an earlier article, this writer had highlighted that in the Reserve Bank of India’s onsite inspection of HDFC Bank during FY2013 to FY2015 (reports since then are not yet public) had scored the bank poorly on internal audit and non-IT operational risk. The recent events highlight that the bank’s technology poses a risk to the economy. The RBI has announced an investigation, and credit rating agencies and the capital market need to take cognizance of the bank’s unreliable IT systems and disaster recovery plan. The bank’s customers also need to evaluate whether the bank has a stable and reliable digital platform. These developments do not bode well for the bank’s premium valuation.

The first few working days of December 2019 were dark days for HDFC Bank customers, as they were unable to log onto the bank’s internet banking and its mobile application, thoroughly disrupting the bank’s fabled Digital 2.0 strategy. However, customers could operate their accounts and carry out transactions from the bank’s branches during business timings. Irate HDFC Bank customers vented their fury on social media, and the tag line #hdfcbankdown gained traction on Twitter.


Source: Twitter

HDFC Bank responded to the persistent non-availability of its digital platform only on Twitter

Source: Twitter

Interestingly, and perhaps deliberately, the bank’s public relations (PR) department did not issue a single press release updating or attempting to reassure the public and its customers during this calamity. Press releases issued by the bank from November 27 to December 5 clearly highlight the priorities of its PR department: it issued releases for the bank being selected for ‘Best MSE Bank (Private Sector)’, launch of a co-branded credit card, and partnering with a startup, but studiously avoided any mention of the failure of its digital platform. HDFC Bank also did not provide journalists and analysts like this writer with anything on record to explain the technology problem.

Source: HDFC Bank

The absence of a formal press release by HDFC Bank, and its decision to inform the public only via Twitter in response to a major breakdown in their digital customer-facing platforms, suggests a policy of providing the public with negligible information during a crisis. This practice can provide further fuel to rumour-mongering. Such a strategy is against the guideline recommended by the RBI in its policy on Business Continuity Planning (BCP) in 2011 where it specified a “clear ‘Communication Strategy’.”


Source: Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds p. 129, RBI

It is shameful for any bank to experience a breakdown of its digital platform for such a prolonged length of time, and more so for HDFC Bank, which has prided itself on being a leader in technology innovations for its customers. Its advertising tagline is

“bank at your fingertips. #ForgetCash…Go Digital!”

Source: HDFC Bank

Indeed, as a business strategy, HDFC Bank has made a concerted effort to shift it delivery channels to initiate customer transactions from physical platforms such as branches, phone banking, ATMs to digital, such as the internet and its mobile application. In a decade, internet and mobile, which accounted for 29% of customer initiated transactions in 2009, rose to 92% by 2019.

Source: HDFC Bank

With digital having such an overwhelmingly dominant share of customer initiated transactions in HDFC Bank, having a stable, reliable digital platform is top priority.

Source: RBI

HDFC Bank is also classified by the banking regulator as a systemically-important bank, and the bank has significant market share on a range of payment platforms. It is the market leader in Real Time Gross Settlement (RTGS), which is an electronic form of funds transfer where the transmission takes place on a real time basis. In India, transfer of funds with RTGS is done for high value transactions, the minimum amount being Rs 200,000 (US$ 2,805). In National Electronic Funds Transfer (NEFT) too, where there is no minimum amount, but the maximum limit per transaction is Rs 1,000,000 (US$ 14,025), it dominates the market. It is also the market leader in credit cards in value of transactions and number of credit cards issued. As the bank has a commanding position in the payments segments, any failure of its digital platform for a length of time has systemic implications for the economy.

Market Share in Various Payment Products By Value

Normally, when a bank’s systems go down, the bank’s disaster recovery plan is meant to take over, but, most worryingly, the bank’s disaster recovery plan did not kick in, resulting in widespread grief for its customers. The RBI’s guidelines on Business Continuity Planning, the equivalent of a Disaster Recovery Plan, are explicit in that the recovery time objective (RTO),

“must ensure that the Minimum Tolerable Period of Disruption (MTPD) for each activity is not exceeded.”

Source: Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds p. 131, RBI

With such a massive systems failure of 2-3 days exceeding the RTO, it was no surprise that M.K. Jain, deputy governor, RBI on December 6, 2019 stated,

“We are cognizant of the problem. It happened on 2nd of December due to technical glitches and restored on Tuesday” said the deputy governor MK Jain at Monetary Policy press conference responding to a query on whether the regulators will penalize banks such incidences. “Our team has gone to identify the reasons (for the breakdown) and find out what we can give as directions (to the bank).”

The magnitude of the problem (it again repeated itself on December 7) shows 3 major fault lines in HDFC Bank of which stakeholders, the regulator, credit rating agencies and the capital market have to take cognisance.

  1. The bank has a major technology problem which is persisting and preventing the functioning of internet and mobile application banking.
  2. Despite having an experienced public relations department, the bank lacks transparency in communicating to its customers and the public during a crisis.
  3. Most worryingly, the bank’s disaster recovery plan has failed to seamlessly take over digital banking operations when there is a technological failure.  

That India’s number 1 bank by market capitalisation, a supposed leader in digital banking and a dominant player in payment transactions, is experiencing such problems is a wake-up call to all stakeholders and does not bode well for its premium valuation on the stock exchanges.

DISCLOSURE

I, Hemindra Hazari, am a Securities and Exchange Board of India (SEBI) registered independent research analyst (Regd. No. INH000000594). I own equity shares in HDFC Bank. Views expressed in this Insight accurately reflect my personal opinion about the referenced securities and issuers and/or other subject matter as appropriate. This Insight does not contain and is not based on any non-public, material information. To the best of my knowledge, the views expressed in this Insight comply with Indian law as well as applicable law in the country from which it is posted. I have not been commissioned to write this Insight or hold any specific opinion on the securities referenced therein. This Insight is for informational purposes only and is not intended to provide financial, investment or other professional advice. It should not be construed as an offer to sell, a solicitation of an offer to buy, or a recommendation for any security.

SOURCEHKH Research
Previous articleWill a Desperate RBI Allow Shadowy Investors to Take Over Yes Bank?
Next articleFive Dodgy Accounts in the Last Seven Years: SBI’s Remarkable Record

1 COMMENT