What are the Laws Governing Credit Cards in India?

Credit cards have become one of the most popular financial tools in today’s digital economy. From shopping for groceries to booking international flights, Indians are increasingly relying on credit cards for convenience, rewards, and flexibility. According to industry estimates, India processed more than 356 crore credit card transactions in FY 2024, and this number is expected to rise to 900 crore by FY 2029.

While the use of credit cards has grown rapidly, so have concerns relating to fraud, hidden charges, data misuse, and unfair recovery practices. Recognising these issues, the Reserve Bank of India (RBI) — the country’s central banking authority — has issued detailed guidelines to regulate credit card operations. 

Alongside, several other laws such as the Indian Contract Act, 1872, the Information Technology Act, 2000, the Credit Information Companies (Regulation) Act, 2005, and consumer protection rules also play an important role.

This article explains the laws and regulations governing credit cards in India, focusing on issuance, consumer rights, security, liability in fraud cases, and the latest RBI updates.

Who Can Issue Credit Cards in India?

Credit cards are not issued by every financial institution. In India, the following are authorised:

• Scheduled Commercial Banks (excluding payments banks).
• Regional Rural Banks (RRBs), in tie-up arrangements with card-issuing banks.
• Urban Cooperative Banks and Non-Banking Financial Companies (NBFCs), subject to prior RBI approval.
• Prepaid Cards can also be issued by eligible banks and authorised non-banks.

A bank must have a minimum net worth of ₹100 crore to directly engage in the credit card business. It can operate either as a department within the bank or through a subsidiary company.

This structure ensures that only institutions with adequate financial stability, compliance mechanisms, and oversight capacity engage in credit card operations.

The Issuance Process: KYC and Eligibility

When a person applies for a credit card, banks and NBFCs follow a strict procedure before granting approval.

Application and Documentation

• Proof of identity (Aadhaar, Passport, Voter ID, etc.).
• Proof of address.
• PAN card.
• Income or employment proof.
• References.

Verification and Credit Check

• Verification of submitted documents.
• Checking credit history through credit bureaus like CIBIL, Equifax, Experian, or CRIF High Mark.
• Evaluation of repayment capacity.

Approval

If satisfied, the issuer sets a credit limit based on income, debt-to-income ratio, and past credit behaviour.

This process is governed by RBI’s Know Your Customer (KYC) Directions (2016) and the Credit Information Companies (Regulation) Act, 2005, ensuring responsible lending and prevention of misuse.

The Role of Consent for Issuance of Credit Cards

Under the Indian Contract Act, 1872, Section 10 requires free consent for any contract to be valid, and Section 14 defines “free consent.”

• Consent of the customer is required at every stage of credit card operations — from issuance, to activation of facilities, to increasing the credit limit.
• Implied consent is not acceptable. Consent must be explicit and informed.
• Issuers cannot unilaterally activate add-on services, EMI conversions, or upgrades.

This protects consumers from being trapped into financial commitments they did not willingly agree to.

Unsolicited Cards and Unfair Practices

RBI’s guidelines strictly prohibit the issuance of unsolicited credit cards or activation of facilities without customer request.

• If an unsolicited card is issued and misused, the customer will not be held liable.
• The issuer must reverse charges and pay a penalty twice the reversed amount.
• Customers can also approach the Banking Ombudsman for compensation relating to harassment, financial loss, or mental agony.

This regulation ensures that consumers are not burdened with debts or liabilities they never agreed to.

Unsolicited Commercial Communication

To protect cardholders from telemarketing harassment, issuers must comply with:

• Telecom Commercial Communications Customer Preference Regulations, 2010 by TRAI: No commercial calls or SMS between 9 PM and 9 AM.
• RBI Master Directions (2022): Representatives may only contact customers between 10 AM and 7 PM.

Cardholders can also register under the Do Not Call Registry (DNCR) to avoid marketing communications.

Protection of Personal Data

Credit card issuers hold sensitive personal and financial data. The following laws ensure data protection:

• Section 43A of the IT Act, 2000: Entities handling sensitive data must implement reasonable security measures. Failure results in liability to pay compensation.
• Issuers must secure transactions using PINs, CVV, OTPs, and electronic chips.
• RBI also mandates Card-on-File (CoF) tokenisation — replacing sensitive card details with tokens to enhance security in online payments.

These measures aim to reduce data breaches and cyber fraud.

Credit Information and CIBIL

Every borrower’s credit history is maintained by credit bureaus like CIBIL, Experian, Equifax, and CRIF High Mark.

• Under CICRA, 2005, bureaus must register with the RBI and follow privacy principles when handling data.
• They provide credit scores that determine eligibility for loans and cards.
• Section 25 of CICRA empowers RBI to impose penalties on violators.

A healthy credit score not only helps in card approval but also ensures higher credit limits and better terms.

KYC, Money Laundering, and Terror Financing

Credit cards can be misused for money laundering and terror financing. To counter this:

• RBI mandates strict KYC procedures.
• Customer records are continuously monitored for suspicious activity.
• Under Section 51A of the Unlawful Activities Prevention Act (UAPA), the government can freeze or seize assets linked to terror-listed individuals or entities.

This framework ensures that credit cards are not misused for unlawful purposes.

Credit Cards as Unsecured Loans

A credit card is essentially an unsecured loan facility. Since there is no collateral, issuers extend cards only to persons with regular income and reliable repayment history.

• Banks rely heavily on CIBIL scores to determine eligibility.
• High-risk customers are usually denied cards or given lower limits.
• Interest rates on unpaid balances are typically 18–36% per annum, reflecting the unsecured nature of the loan.

Courts have also intervened to curb unfair practices. In Awaz Punita Society Jagrut v. RBI & Ors. (2008), the court observed that charging 30% annual interest with repeated penal charges was unfair.

Fraudulent Transactions and Liability

RBI has provided clarity on liability in case of fraudulent or unauthorised transactions:

1. Bank at fault → Customer has zero liability.
2. Third-party breach (neither bank nor customer at fault) → Customer has zero liability if they report within 3 working days.
3. Delay beyond 3 days but within 7 days → Limited liability, as per bank’s approved policy.
4. Customer negligence (e.g., sharing PIN/OTP) or delay beyond 7 days → Customer bears the liability.

Banks are required to send instant SMS/email alerts for all card transactions. Customers must report suspicious activity immediately.

Liabilities of Cardholders

The primary cardholder remains responsible for all dues, including those incurred through add-on cards issued to family members.

• If dues remain unpaid, issuers can initiate civil or criminal proceedings.
• However, RBI requires banks to first try amicable settlement methods.
• For dues below ₹10 lakh, cases may be referred to Lok Adalats for speedy resolution.
• Recovery agents, if engaged, must be trained, non-intimidating, and customer-friendly, as per RBI’s 2008 circular.

Key Provisions of Credit Card Laws

The following core provisions apply across issuers:

• Interest rates and fees must be disclosed transparently.
• Cooling-off period: Cardholders have 15 days to cancel a new card without charges.
• Minimum payment: Mandatory each month, usually a fixed percentage of outstanding balance.
• Monthly statements: Must include total dues, interest charges, and due date, and be sent at least 15 days before the due date.
• Dispute resolution: Banks must promptly investigate and resolve billing disputes within 60 days.
• Debt collection: Harassment, intimidation, or abusive practices are prohibited.
• Data protection: Customer identity and information cannot be disclosed without explicit consent.

Consumer Protection and Credit Cards: Six Key Rules

Summarising RBI’s consumer-centric guidelines (2024–25):

1. Interest must be reasonable and transparent.
2. Accurate billing; disputes to be resolved in 60 days.
3. Fair debt collection, without intimidation or threats.
4. Privacy safeguards; no unsolicited cards or upgrades without consent.
5. Confidentiality of user data; no disclosure without permission.
6. Fraud reporting rules; zero liability if reported within 3 working days.

Conclusion

Credit cards have transformed the way Indians spend, borrow, and manage money. However, their convenience comes with risks of misuse, fraud, and debt traps. Recognising this, the Reserve Bank of India has established a comprehensive legal framework supported by laws such as the Indian Contract Act, 1872, the IT Act, 2000, the CICRA, 2005, and consumer protection rules.

From eligibility criteria and consent, to data protection, billing accuracy, dispute resolution, liability in frauds, and ethical debt collection, the laws governing credit cards aim to balance the interests of consumers and issuers.