In December 2004, the Reserve Bank of India called a meeting of credit card issuing banks in Mumbai. The agenda was blunt: customer complaints about credit cards had become a regulatory concern. Banks were mailing active cards to people who never applied. Interest rates were disclosed monthly — 3.5% per month — without showing the annualised figure of 42%. Billing disputes went unresolved for months while interest accrued on the disputed amount. The press release from that meeting (Dealing with Customer Complaints of Credit Cards:) recorded what the RBI told the banks: be more sensitive to customer complaints. The Indian Banks' Association was directed to evolve a code of conduct for credit card issuing banks.
That was 2004. Two decades later, the rules have become vastly more detailed, but the tension at the heart of credit card regulation remains unchanged: banks want to issue more cards because every swipe generates interchange income, and the interest rate on revolving balances is the highest of any lending product. Customers want the convenience without the traps. The RBI sits between them, writing rules that protect borrowers without killing the product.
See also: Cards, Wallets, and the Tokenisation Revolution: How India Secured Digital Payments | Digital Payments & UPI: The Complete Timeline
Why did the RBI ban unsolicited credit cards — and does the ban actually work?
The ban on unsolicited credit cards is one of the oldest and most straightforward consumer protections in Indian banking regulation. Under the Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Pre-paid Card Operations RBI/2015-16/31 (since withdrawn), banks cannot issue credit cards without the explicit consent of the applicant. The rule exists because, in the early 2000s, banks were mailing active credit cards to customers based on their deposit or salary account data, often without any application or consent.
Why was this a problem? Because an active card in the mail creates liability. If the card is intercepted or used fraudulently, the customer — who never asked for it — bears the initial burden of proving she did not authorise the transaction. Banks also charged annual fees on unsolicited cards, creating a charge the customer had to actively dispute rather than actively choose. The economic logic was simple: mail a million cards, and some percentage of recipients will activate them. The ones who do not will mostly not bother disputing the annual fee. The bank profits either way.
The Guidelines for issue of ATM-cum-Debit Cards by UCBs, July 2007 (Guidelines for issue of ATM-cum-Debit Cards by UC) extended card issuance rules to urban co-operative banks, which were beginning to offer debit cards. The principle was the same: no card without consent. Why did UCBs need separate guidelines? Because many UCBs lacked the infrastructure and processes that commercial banks had developed for card issuance — including the consent verification mechanisms that the unsolicited card ban required.
"At a meeting of banks issuing credit cards held today, by the Reserve Bank of India in Mumbai, it was decided that the Indian Banks' Association along with some large credit cards issuing banks would evolve a Code of Conduct." — RBI Meeting on Credit Card Complaints, December 2004 (Dealing with Customer Complaints of Credit Cards:)
Does the ban work? Largely, yes — for physical card issuance. Banks no longer mail active plastic cards to non-applicants. But the ban has been tested by new distribution channels. Pre-approved credit card offers sent through mobile banking apps, where a single tap converts a "pre-approval" into an issued card, operate in a grey area. The customer technically consents by tapping "Accept," but the consent is embedded in a flow designed to minimise friction and maximise conversion. Whether this constitutes "explicit consent" in the spirit of the rule depends on how strictly the regulator interprets the direction.
Why does the annualised percentage rate matter — and how did banks hide the real cost?
Credit card interest is typically quoted as a monthly rate: 2.5% to 3.5% per month. Most customers intuitively understand this as a small number. What they do not intuitively grasp is that 3.5% per month, compounded, translates to an annualised rate of approximately 42% to 49% — higher than any other regulated lending product in India. A home loan charges 8-9%. A personal loan charges 12-18%. A credit card balance, left revolving, costs three to four times as much.
The RBI's direction is clear: the annualised percentage rate must be disclosed prominently. The Master Circular on Credit Card Operations (Master Circular on Credit Card Operations of banks) (since withdrawn) originally established the disclosure requirements. The November 2025 Commercial Banks — Credit Cards and Debit Cards: Issuance and Conduct Directions, 2025 (RBI_MD_13155) consolidated all card-related rules into entity-specific Master Directions.
Why did banks prefer quoting monthly rates? Because consumer psychology works in their favour. "3.5% interest" sounds reasonable. "42% per year" sounds alarming. The same number, presented differently, produces different borrowing decisions. The RBI's insistence on annualised disclosure is a behavioural intervention: it does not change the rate, but it changes how the rate is perceived, and perception drives decisions.
"Reserve Bank of India (Commercial Banks – Credit Cards and Debit Cards: Issuance and Conduct) Directions, 2025." — Card Issuance and Conduct Directions, November 2025 (RBI_MD_13155)
The March 2024 amendment to the Credit Card and Debit Card Directions RBI/2023-24/132 (since withdrawn) fine-tuned specific provisions. The June 2022 extension of implementation timelines RBI/2022-23/74 (since withdrawn) showed that even large banks needed time to comply with the 2022 Master Direction's requirements. Why? Because the direction imposed system-level changes: how interest is computed, how it is disclosed in statements, how minimum payments are calculated and displayed. Compliance was not a policy change — it was a technology implementation.
What are your rights when you dispute a billing charge?
If you find a charge on your credit card statement that you did not authorise or do not recognise, you have the right to dispute it. The bank must acknowledge the dispute, investigate it, and resolve it within a specified timeframe. During the investigation, the bank cannot charge interest on the disputed amount.
Why is the interest protection during investigation critical? Consider the alternative. Without this rule, a bank could take 90 days to investigate a disputed charge of Rs 50,000 while charging 3.5% monthly interest on it. By the time the investigation concludes — even if it concludes in the customer's favour — the customer has paid Rs 5,250 in interest on a charge that was never legitimate. The interest-free investigation period ensures that the bank's delay does not penalise the customer.
The [Restriction on storage of actual card data (Card-on-File), December 2021 (Restriction on storage of actual card data i.e. C) addressed a related problem: merchants and payment aggregators storing card details, which created fraud risk. When your card data is stored on a merchant's server and that server is breached, fraudulent charges appear on your statement. The tokenisation mandate — requiring merchants to replace stored card numbers with tokens — reduced the incidence of such fraud, which in turn reduced the volume of billing disputes.
The RBI penalty on RBL Bank, March 2023 (RBI imposes monetary penalty on RBL Bank Limited) for Rs 2.27 crore — imposed for non-compliance with multiple directions including the Internal Ombudsman Scheme — shows the enforcement dimension. When a bank's internal complaint resolution fails, the RBI can assess whether the failure is systemic. A penalty for non-compliance with the Internal Ombudsman Scheme suggests that the bank's internal grievance mechanism was not functioning as required — meaning customers with billing disputes may not have had access to the resolution process the regulations mandate.
"The Reserve Bank of India (RBI) has, by an order dated March 06, 2023 imposed a monetary penalty of ₹2,27,25,000 on RBL Bank Limited for non-compliance with certain provisions of the directions issued by RBI." — RBL Bank Penalty, March 2023 (RBI imposes monetary penalty on RBL Bank Limited)
Can you close a credit card — and why did banks make it so difficult?
You can close a credit card at any time, provided you settle all outstanding balances. The direction is explicit: banks must not refuse closure or make the process unreasonably burdensome. The Master Circular on Credit Card Operations RBI/2015-16/31 (since withdrawn) addressed closure practices as part of the comprehensive conduct framework.
Why did closure become a regulatory issue? Because banks discovered that friction at the closure stage retained customers. A customer who calls to close a card is routed through a "retention" process — offered fee waivers, reward points, credit limit increases. If the customer persists, the process involves multiple phone calls, written requests, and waiting periods. Each step in the process is a chance for the customer to give up and keep the card. Banks optimised the closure process not for efficiency but for failure — the failure of the customer to complete it.
The RBI intervened because this practice contradicted the fundamental principle of consent that underpins card issuance. If a customer must consent to receive a card, she must also be able to withdraw that consent without unreasonable obstacles. The closure direction converts a customer service issue into a regulatory obligation: the bank must honour the closure request within a reasonable timeframe, confirm the closure in writing, and ensure that no further charges accrue after the closure date.
The Outsourcing of Financial Services — Responsibilities of regulated entities employing Recovery Agents, August 2022 RBI/2022-23/108 (since withdrawn) addressed a related problem: recovery agents contacting customers for credit card dues using aggressive tactics. The direction made banks responsible for the conduct of their outsourced agents. Why does this connect to closure? Because some customers who tried to close cards with outstanding balances found themselves harassed by recovery agents before the bank had even processed the balance settlement. The outsourcing direction closed this loop by holding the bank accountable for the entire customer relationship, including the actions of its agents.
What does the 2025 consolidated framework change?
The November 2025 regulatory consolidation replaced the legacy Master Direction on Credit Card and Debit Card Issuance and Conduct (2022) with entity-specific directions. The Commercial Banks — Credit Cards and Debit Cards: Issuance and Conduct Directions, 2025 (RBI_MD_13155) covers commercial banks. Separate directions were issued for Small Finance Banks (RBI_MD_13123), Urban Co-operative Banks (Reserve Bank of India (Urban Co-operative Banks –), and Regional Rural Banks (RBI_MD_13052).
"These Directions shall be called the Reserve Bank of India (Commercial Banks - Credit Cards and Debit Cards: Issuance and Conduct) Directions, 2025." — Card Directions, November 2025 (RBI_MD_13155)
Why entity-specific directions instead of one universal direction? Because different entity types have different capabilities and different customer bases. A commercial bank issues millions of credit cards through digital platforms. An RRB might issue a few thousand debit cards through its branches. Applying identical rules to both — including technology infrastructure requirements, real-time fraud monitoring systems, and digital issuance protocols — would be disproportionately burdensome for smaller entities.
The American Express penalty of October 2025 shows the enforcement edge of this framework. The penalty order (RBI imposes monetary penalty on American Express B) cited non-compliance with the 2022 Directions specifically. American Express is a sophisticated global card issuer. If it failed to comply with the Indian card conduct directions, the gap was not about capability — it was about prioritisation. The penalty sends a signal: compliance with Indian card regulations is not optional, regardless of the issuer's global stature.
The IDBI Bank penalty of May 2025 (RBI imposes monetary penalty on IDBI Bank Limited) — while primarily for agricultural lending violations — demonstrates the RBI's willingness to penalise banks across multiple regulatory domains. When the RBI inspects a bank, it does not examine credit card operations in isolation. The inspection covers every aspect of the bank's operations, and failures in one area can trigger broader scrutiny. A bank that fails on card conduct may find its entire compliance framework under review.
The rules that protect you are substantial: no unsolicited cards, annualised rate disclosure, interest-free dispute investigation, closure rights, and recovery agent conduct standards. The rules that do not fully protect you are the ones that depend on your own awareness: reading the Key Fact Statement, understanding the difference between minimum payment and full payment, recognising that "reward points" and "cashback" are marketing tools designed to increase spending. The regulatory framework gives you the information. What you do with it remains your responsibility.
Last updated: April 2026