The Reserve Bank of India has issued guidelines for issuing debit cards.
Banks may ensure that all debit cards issued by them are subject to the following guidelines:
a) Board approved policy
Banks may formulate a comprehensive debit cards issuance policy including policy on co-branded debit cards with the approval of their Boards and issue debit cards to their customers in accordance with this policy. Debit cards should be issued to customers having Saving Bank/Current Accounts but not to cash credit/loan account holders.
b) Types of debit cards
Banks may issue only online debit cards including co-branded debit cards where there is an immediate debit to the customers’ account, and where straight through processing is involved.
c) Offline debit cards
Banks are, henceforth, not permitted to issue offline debit cards. Banks which are presently issuing offline debit cards may conduct a review of their offline debit card operations and discontinue operations of such cards within a period of six months from the date of this circular. Banks may, however, ensure that customers are duly informed regarding switching over to online debit cards. The review and confirmation regarding discontinuation of issue and operations of offline debit cards should be sent to the Chief General Manager, Department of Banking Operations and Development, Central Office Building, Shahid Bhagat Singh Marg, Mumbai 400001. However, till such time as offline cards are phased out, the outstanding balances / unspent balances stored on the cards shall be subject to computation of reserve requirements.
d) Compliance with Know Your Customer (KYC) Norms / Anti-Money Laundering (AML) Standards / Combating of Financing of Terrorism (CFT) / Obligation of banks under PMLA, 2002
The instructions/guidelines on KYC/AML/CFT applicable to banks, issued by RBI from time to time, may be adhered to in respect of all cards issued, including co-branded debit cards.
e) Payment of interest on balances
Payment of interest should be in accordance with interest rate directives as issued from time to time.
f) Terms and conditions for issue of cards to customers
i) No bank shall dispatch a card to a customer unsolicited, except in the case where the card is a replacement for a card already held by the customer.
ii) The relationship between the bank and the card holder shall be contractual.
iii) Each bank shall make available to the cardholders in writing, a set of contractual terms and conditions governing the issue and use of such a card. These terms shall maintain a fair balance between the interests of the parties concerned.
iv) The terms shall be expressed clearly.
v) The terms shall specify the basis of any charges, but not necessarily the amount of charges at any point of time.
vi) The terms shall specify the period within which the cardholder’s account would normally be debited.
vii) The terms may be altered by the bank, but sufficient notice of the change shall be given to the cardholder to enable him to withdraw if he so chooses. A period shall be specified after which time the cardholder would be deemed to have accepted the terms if he had not withdrawn during the specified period.
viii) (1) The terms shall put the cardholder under an obligation to take all appropriate steps to keep safe the card and the means (such as PIN or code) which enable it to be used.
(2) The terms shall put the cardholder under an obligation not to record the PIN or code, in any form that would be intelligible or otherwise accessible to any third party if access is gained to such a record, either honestly or dishonestly.
(3) The terms shall put the cardholder under an obligation to notify the bank immediately after becoming aware:
- of the loss or theft or copying of the card or the means which enable it to be used;
- of the recording on the cardholder’s account of any unauthorised transaction;
- of any error or other irregularity in the maintaining of that account by the bank.
(4) The terms shall specify a contact point to which such notification can be made. Such notification can be made at any time of the day or night.
ix) The terms shall specify that the bank shall exercise care when issuing PINs or codes and shall be under an obligation not to disclose the cardholder’s PIN or code, except to the cardholders.
x) The terms shall specify that the bank shall be responsible for direct losses incurred by a cardholder due to a system malfunction directly within the bank’s control. However, the bank shall not be held liable for any loss caused by a technical breakdown of the payment system if the breakdown of the system was recognizable for the cardholder by a message on the display of the device or otherwise known. The responsibility of the bank for the non-execution or defective execution of the transaction is limited to the principal sum and the loss of interest subject to the provisions of the law governing the terms.
g) Cash withdrawals
No cash transactions through the debit cards should be offered at the Point of Sale under any facility without prior authorization of Reserve Bank of India under Section 23 of the Banking Regulation Act, 1949.
h) Security and other aspects
i) The bank shall ensure full security of the debit card. The security of the debit card shall be the responsibility of the bank and the losses incurred by any party on account of breach of security or failure of the security mechanism shall be borne by the bank.
ii) Banks shall keep for a sufficient period of time, internal records to enable operations to be traced and errors to be rectified (taking into account the law of limitation for the time barred cases).
iii) The cardholder shall be provided with a written record of the transaction after he has completed it, either immediately in the form of receipt or within a reasonable period of time in another form such as the customary bank statement.
iv) The cardholder shall bear the loss sustained up to the time of notification to the bank of any loss, theft or copying of the card but only up to a certain limit (of fixed amount or a percentage of the transaction agreed upon in advance between the cardholder and the bank), except where the cardholder acted fraudulently, knowingly or with extreme negligence.
v) Each bank shall provide means whereby its customers may at any time of the day or night notify the loss, theft or copying of their payment devices.
vi) On receipt of notification of the loss, theft or copying of the card, the bank shall take all action open to it to stop any further use of the card.
vii) With a view to reducing the instances of misuse of lost/stolen cards, banks may consider issuing cards with photographs of the cardholder or any other advanced methods that may evolve from time to time.
i) Compliance with DPSS instructions
The issue of debit cards as a payment mechanism would also be subject to relevant guidelines including guidelines on security issues and risk mitigation measures, card-to-card fund transfers, merchant discount rates structure, failed ATM transactions, etc., issued by the Department of Payment and Settlement Systems under the Payment and Settlement Systems Act, 2007, as amended from time to time.
j) Issue of International Debit Card
Issue of international debit cards will also be subject to directions issued under Foreign Exchange Management Act, 1999, as amended from time to time.
k) Review of operations
The banks should undertake a review of their operations/issue of debit cards on a half-yearly basis. The review may include, inter alia, card usage analysis including cards not used for long durations due to their inherent risks.
l) Reporting requirements
The report on the operations of smart/debit cards issued by banks, required to be submitted on a half-yearly basis to the Department of Payment and Settlement Systems (DPSS) with a copy to the concerned Regional Office of Department of Banking Supervision in whose jurisdiction the Head Office of the bank is situated, as prescribed in paragraph 14.1 of the Master Circular on Para Banking Activities, is discontinued with immediate effect.
m) Redressal of grievances
Banks may ensure that an effective mechanism is put in place for redressal of customer complaints. The grievance redressal procedure of the bank and the time frame fixed for responding to the complaints should be placed on the bank's website. The name, designation, address and contact number of important executives as well as the Grievance Redressal Officer of the bank may be displayed on the website. There should be a system of acknowledging customers' complaints for follow-up, such as complaint number / docket number, even if the complaints are received on phone. If a complainant does not get a satisfactory response from the bank within a maximum period of thirty (30) days from the date of his lodging the complaint, he will have the option to approach the Office of the concerned Banking Ombudsman for redressal of his grievance/s. DPSS guidelines on timeframe for reconciliation of failed transactions at ATMs, as amended from time to time, should be complied with in this regard.
n) Co-branding arrangement
Co-branded debit cards issued by banks will be subject to the following terms and conditions, in addition to the above:
Board approved policy
The co-branding arrangement should be as per the Board approved policy of the bank. The policy may specifically address issues pertaining to the various risks associated with such an arrangement including reputation risk and put in place suitable risk mitigation measures.
Banks should carry out due diligence in respect of the non-banking entity with which they intend to enter into tie-up for issue of such cards to protect themselves against the reputation risk they are exposed to in such an arrangement. Banks may ensure that in cases where the proposed co-branding partner is a financial entity, it has obtained necessary approvals from its regulator for entering into the co-branding agreement.
Outsourcing of activities
The card issuing bank would be liable for all acts of the co-branding partner. The bank may ensure adherence to the guidelines on “Managing Risks and Code of Conduct in outsourcing of financial services by banks” as contained in the circular DBOD.No.BP.40/21.04.158/2006-07 dated November 3, 2006, as amended from time to time.
Role of non-bank entity
The role of the non-bank entity under the tie-up arrangement should be limited to marketing/ distribution of the cards or providing access to the cardholder for the goods/services that are offered.
Confidentiality of customer information
The card issuing bank should not reveal any information relating to customers obtained at the time of opening the account or issuing the card and the co-branding non-banking entity should not be permitted to access any details of customer’s accounts that may violate the bank’s secrecy obligations.
Banks, which have been granted specific approvals for issue of co-branded debit cards in the past, are advised to ensure that the co-branding arrangement is in conformity with the instructions mentioned above. In case the co-branding arrangement is between two banks, the card issuing bank may ensure compliance with the above conditions.