The Reserve Bank of India’s Reserve Bank of India (Commercial Banks – Credit Cards and Debit Cards: Issuance and Conduct) Directions, 2025 set a comprehensive framework to strengthen cardholder protection, enhance transparency and tighten governance of credit and debit card operations by commercial banks. Effective immediately, these Directions apply to all commercial banks and cover credit, debit and co-branded cards alongside prudential, payment and technology-related rules.
At the governance level, issuers must adopt Board-approved policies available publicly that address interest rate ceilings, charges, default reporting, discretionary card blocking, grievance redressal and co-branding arrangements. An Audit Committee review of card operations must occur biannually, focusing on frauds, complaints, customer service and underused cards. Boards are responsible for ensuring underwriting standards and operational controls are robust.
Customer acquisition rules emphasize fairness and consent. Applicants must receive a one-page Key Fact Statement and the Mandatory Important Terms & Conditions (MITC) at onboarding and on any contract modification. Unsolicited card issuance or unilateral upgrades are prohibited — if an unsolicited or upgraded card is billed, issuers must refund charges and pay twice the reversed amount as penalty; recipients may also approach the RBI Ombudsman. Activation requires explicit OTP-based consent; inactivated cards must not be reported to credit bureaus.
Underwriting guidance requires issuers to independently assess applicants and consider total credit exposure across providers. Conversions to EMIs must transparently disclose principal, interest and merchant discounts; “no-cost EMI” marketing that conceals interest is banned. Interest rates should align with RBI directions and be justified and auditable; APRs for different situations must be displayed prominently and illustrative examples provided. Late payment treatment is restricted: accounts become ‘past due’ for reporting or levying penalties only after three days past due, and charges apply only to outstanding amounts.
Billing and closure protections strengthen consumer convenience: statements must be timely, consumers given at least a fortnight to pay, and closure requests honored within seven working days (₹500 per day penalty for unjustified delay). Idle cards (unused for one year) may be closed after notice. Debit card rules mirror many protections for issuance, board oversight and customer consent; debit cards are only for deposit accounts and cannot be forced on customers.
Co-branding norms require transparent branding, revenue-sharing disclosure and strict limits on partner access to transaction data. New form factors such as wearables are permitted with explicit consent and equivalent safeguards. Outsourcing, data sharing, confidentiality, KYC/AML compliance and grievance redressal processes are tightly regulated — issuers remain ultimately liable for partners’ actions. Overall, the Directions aim to balance innovation in card services with stronger consumer rights, clearer disclosures and stricter operational accountability.
