New customer consent requirements under RBI Credit Card Directions: What you need to know

August 9, 2022


Content Strategy Lead


On April 21, 2022, the Reserve Bank of India issued a new Master Direction - Credit Card and Debit Card - Issuance and Conduct Directions, 2022 (“Directions”). These Directions bring about significant changes for card-issuers in matters relating to issuance/renewal of credit, debit and co-branded cards, billing, telemarketing, underwriting, amongst others.

A significant focus of these Directions has been to strengthen and prioritise consent and information rights of the card holder, making it necessary for credit card issuers to have proper processes to ensure that consent of the card holder is captured, recorded and stored appropriately. 

These Directions will be effective from July 1, 2022, meaning you have less than 2 months left to comply with all the changes. 

In this blogpost we will discuss the changes related to customer consent, the legal/operational implications for credit card companies, and how credit card companies can solve for this.

Is this applicable to me?

This is applicable to you if:

  • You are a Scheduled Bank (other than Payments Banks, State Co-operative Banks and District Central Co-operative Banks) or a Non-Banking Financial Company (NBFC) operating in India AND
  • You want to issue credit cards OR are already issuing credit cards

What are the operational implications of these changes for credit card companies?

Currently, a large number of existing credit card businesses rely heavily on internet/mobile banking to capture the consent of the customer before issuing credit cards. This is to avoid physical correspondence. Physical correspondence of consent and documents is a logistics nightmare that delays credit card issuance and increases the chances of customers dropping off, hobbling the growth of your credit card vertical.

In the current digital process, “digital consent” by credit card companies is often obtained via a simple “checkbox”, otherwise known as “click-wrap”, for authorizations as well as agreements. This process is no longer permitted in its current form under the new RBI regulations because of two critical requirements:

  1. Multi-factor authenticated digital consent
  2. Signed agreement between customer and credit card issuer

How to comply with the new RBI Directions

What is multi-factor authenticated consent?

Under the new RBI Directions, credit card companies will need to take explicit consent from their customers for a slew of authorizations:

  • customer acquisition and issuance of a card
  • upgradation of card or enhancing credit limits
  • breach of the sanctioned and advised credit limit to the cardholder
  • issue of replacement card in lieu of a card blocked at the customer’s request
  • any change in the terms and conditions of the issued card
  • sharing of confidential information with third parties
  • renewal of an existing card
  • levying any charge that was not explicitly indicated to the cardholder at the time of issue of the card
  • providing bills and statements of accounts through internet/mobile banking
  • offering other products/ services along with the card
  • for offering insurance cover to take care of the liabilities arising out of lost cards, card frauds, etc
  • adjusting credit amount beyond a cut-off, one percent of the credit limit or ₹5000, whichever is lower, arising out of refund/failed/reversed transactions or similar transactions against the credit limit for which payment has already been made by the cardholder

Under the Directions, this explicit consent must either be obtained:

  • Via written consent, i.e. physical mode
  • Via digital consent that is backed by multi-factor authentication

If your credit card company is already using multi-factor authenticated digital consent for the above items - then you may not need to worry.

If your credit card company is using a simple click-wrap with single-factor authentication - then you will need to transform this into a multi-factor authenticated digital consent process from July 1.

What’s the signed agreement between the card issuer and card holder about?

In an effort to curb the practice of unsolicited credit cards, the Directions have a new requirement for agreements:

  1. The agreement between the card issuer and the card holder must be signed, i.e. the agreement must capture the signature of the customer.
  2. The copy of the signed agreement must be sent to the registered email ID OR postal address of the customers - based on their choice.

What has been left unsaid here in the regulations - but is quite clear from Indian stamping laws - is that this agreement will also need to be stamped.

Does the signed agreement requirement force me to have physical agreements?

No. Under the IT Act, you can execute documents via electronic signature instead of a physical signature. 

When a document is required by law to be signed (as is the case here), then by virtue of Section 5 of the Information Technology Act, 2000, it can instead be signed electronically via IT Act compliant electronic signatures (read more about this in our Laws of eSign book).

So credit card companies that want to avoid “signing physical agreements” for each customer will need to incorporate a digital paperwork process that involves IT Act compliant electronic signatures.

While some credit card issuing companies (like SBI Cards and BOB Financial) are already following this eSign driven process, many others aren’t.

To know more about how companies like SBI Cards and BOB Financial are already moving towards compliance with these Directions read the next section.

How can I stay compliant with these new changes?

Here’s where we make our plug.

Leegality’s Document Infrastructure platform is a comprehensive, battle-tested platform used by 500+ top BFSI companies to digitally transform their paperwork processes. SBI Cards and BOB Financial are already using Leegality for credit card related paperwork. With Leegality, you can ensure a smooth transition to digital consent and electronic credit card agreements in a legally compliant manner. Here’s how:

  1. Leegality Multi Factor Authentication for Digital Consent

Leegality’s Secure Virtual Signature - backed by our Multi-Factor Authentication capabilities can be used in place of your existing click-wrap for capturing consent digitally.

You can collect Secure Virtual Signatures - with OTP via mobile and email in the same flow as digital consent wherever required under the new RBI regulations.

  2. All legally valid eSigns under one roof

Leegality BharatSign is the only eSign stack that offers ALL eSign types currently permitted by the Information Technology Act - including Aadhaar Online eSign, Aadhaar Biometric eSign, PAN eSign, Aadhaar XML eSign, eSign via NeSL, DSC Token eSign among others.  

You can offer more than 14 different eSign options to your customers with an easy-to-use, mobile-friendly UI/UX that prevents customer drop offs. All our clients report success rates HIGHER than their old physical flows when it comes to signatures via BharatSign.

Plus, once a document is eSigned via Leegality - an automatic copy (along with Audit Trail) is sent to all parties via email and/or SMS - ensuring compliance with the Credit Card regulations.

  3. Secure Audit Trail

Digital processes - especially regulated ones - are useless unless you have a verifiable record that they happened. Leegality’s Secure Audit Trail ensures this in two ways:

  1. Capturing the entire details of the signature and consent transaction in a single document
  2. Leegality Secure Audit Trails meet the criteria for “secure electronic records” under the IT Act. This means they enjoy presumptions of validity under the Evidence Act

The audit trail is instantly stored in your servers and can easily be produced in any regulatory audit or enforcement proceedings.

  4. Plugs into Leegality Document Infrastructure

For your electronic agreement flows you will need a variety of other capabilities as you scale. With Leegality, you get an entire document infrastructure under one roof. 

This includes (among many other features):

  1. Legally compliant digital stamping across 25+ States/Union Territories
  2. Plug and play integration with NeSL DDE and IU
  3. The ability to collect and send supporting documents
  4. The ability to collect digital rubber seals (for corporate credit cards)
  5. Custom branding - to ensure the entire journey happens with your brand, front and centre
  6. A team of former lawyers across product and business teams - constantly enhancing the platform based on the latest regulatory requirements

Seems like a big switch to shift to Leegality - my team doesn’t have bandwidth or time.

We understand the concern. Here’s something that may make you change your mind:

  • Your business and operations teams can set up a Leegality Digital Document Process in a few hours - with just a mouse and a keyboard
  • Your tech team can integrate Leegality’s API in less than a day
  • We provide you free, end-to-end testing, integration support to help you go live as soon as possible
  • We provide you an account manager and round-the-clock support even after you go live
  • You can go live with Leegality - with a fully digital consent and agreement flow in less than 21 days
  • With Leegality, we don’t charge you for API calls - but only for successfully signed documents. If the sign fails - you don’t pay

Click here to book a quick consultation with us to discuss how you can become compliant with the new RBI consent requirements for credit card customers in less than 21 days.
