The New RBI Guidelines For Credit Card and Bank Account Holders In 2022-2023

Credit and debit card holders are always at risk of exposing their personal information when paying for goods online on third-party merchants’ gateways. Bank lockers are not like savings accounts and people do not often respond to communication regarding them. Due to the recent onset of cybersecurity attacks and threats to the safety of bank lockers, the Reserve Bank of India has sought to enforce safety regulations and mandate new locker agreements with existing users.

The new agreements will also ensure that banks have updated information regarding their locker holders.


Key takeaways from RBI’s new regulations

The Reserve Bank of India has introduced new locker regulations, credit card usage rules, and GST rules that are set to come into effect from 1 January 2023. The revisions to the RBI’s standards were first brought to the public on 8 August 2021, with the new rules coming into effect on 1 January 2022.

Here’s a quick breakdown of the most important takeaways from the RBI’s new mandate.


  • Credit card users have to use up their reward points by 31 December 2022. New reward point facilities will be offered from 1 January 2023 to credit card holders.
  • Credit card owners have to activate their cards with a One-Time Password (OTP). If the cardholder has not activated their card for over 30 days, the card company must cancel their credit card within 7 working days.
  • Almost every Scheduled Commercial Bank (SCB) with a net worth of over INR 100 crores can issue credit cards. Urban Cooperative Banks (UCBs) can also issue credit cards, but with a few limitations: for example, they can issue credit cards only to their members. Non-Banking Financial Companies (NBFCs) with a net worth of over INR 100 crores can issue credit cards if they are registered under the RBI. Only Regional Rural Banks (RRBs) have to collaborate with other financial institutions to issue credit cards.
  • Traditional banks can issue co-branded credit cards; however, UCBs cannot issue co-branded credit cards and can only give out unsecured loans that do not exceed 10% of a member’s assets.
  • Card owners have to specify their consent multiple times before making a purchase. Digital platforms will require one to go through multifactor authentication processes to protect their personal information.
  • Card companies can no longer increase credit limits or grant unsolicited loans without the explicit consent of the card owners. If unsolicited cards are sent to the owner, any payments made with that card will be reversed and an additional penalty will have to be borne by the card issuers.
  • Card companies have to provide a one-page Key Fact statement along with the credit card application detailing the fees, billing details, minimum amount payable, withdrawal charges, credit limits, grievances, what to do if one decides to terminate a card or loses it, and procedures for default.
  • Inactive credit cards that have not been used in over a year can be closed by card companies with a notice period of about 30 days.
  • If credit card transactions are converted into monthly EMIs, the card companies have to provide detailed information on the processing fees, charges, principal, and interest breakdown.
  • If you own a credit or debit card, you have to review your statements from time to time to check if there have been any wrong transactions. If any error is found, card issuers have to provide documentary evidence within 30 days of the complaint being made. Only then will card companies settle or reimburse the lost amount.
  • Card issuers must have their credit card transactions reviewed on a half-yearly basis by the Audit Committee of the Board of Directors. The resulting report will check the statements for fraudulent transactions and address customer grievances.
  • The Reserve Bank of India has also declared that in its new regime, merchants will no longer be allowed to store their customers’ card details on their platforms. If any person’s card information is already saved on a merchant’s platform, it will automatically be deleted after 1 October 2022. One has to enter their card details every time they want to make a payment.
  • To make e-payments safer for everyone, the Reserve Bank of India has declared that all operating banks have to create tokens for card details. In other words, all in-app, online, and point-of-sale transactions that were done by credit and debit cards will have to be replaced with bank-issued tokens. It means that you do not have to punch in the 16-digit identification number anymore when using your card.
  • All individuals currently holding lockers in any operating bank in the country have to provide proof of eligibility to renew their locker arrangement. The locker renewal agreement must be signed by 1 January 2023. This rule would apply to every individual who uses safe deposit lockers in any bank in the country.
  • The Reserve Bank of India has asked all lending institutions to utilize the IBA-drafted Model Locker Agreement, in accordance with the Supreme Court’s most recent guidelines.
  • The RBI has also made it compulsory for banks to install security cameras inside their locker rooms. The financial institutions have to store the recordings for at least 180 days.
  • In the new agreement, it is clearly stated that banks will have to bear some liability in cases of burglary, fire, theft, and building collapse. The bank’s liability will be for an amount equivalent to 100 times the prevailing annual rent of the bank locker.
  • Account integrators (AAs) are non-lending NBFCs that were licensed by the RBI in September 2021. They are a safe medium through which account holders share their card information with merchants. They add a layer of security to prevent scammers and fraudsters from accessing your personal data. AAs have reduced the risk of financial fraud, because they do not store the user’s information on their servers, but use an OTP to fetch the data from your account and share it with the merchant.
  • Businesses with a turnover of over INR 5 crore or above will have to generate electronic bills, because the RBI has reduced the GST e-invoicing limit from INR 20 crores to INR 5 crores.


Why the need for the sudden change in RBI rules?

Since the pandemic, more and more people have begun managing their accounts, making transactions, and paying bills online. This has enabled fraudsters to steal card information. Also, the bank lockers of many account holders had become inactive. Rajshekhar Rajaharia, a cybersecurity researcher, said that the personal information of 7 million credit and debit card holders in India is at risk of being compromised, as of December 2020.


Bank tokenization will ensure that a person’s card details, KYC information, and even expiry dates and CVV codes will not be displayed on any payment gateway or third-party merchant’s platform. Renewed locker agreements also give customers a chance to evaluate their clauses and address their grievances. Hence, the RBI has implemented a new rule that locker agreements have to be renewed with existing users and that banks have to issue tokens for all credit and debit card holders in the country.


To conclude

In today’s digital age, it is not enough just for business conglomerates to avail of cyber insurance. RBI’s new tokenization guidelines, locker agreements, and GST rules will make sure that one’s personal information remains as safe as possible. Being aware of these guidelines helps you stay ahead of the curve as a DSA agent. If you want to apply as a credit card or loan DSA in Andromeda Loans,