RBI proposes data governance framework for banks and NBFCs.
Draft focuses on customer data, quality and accountability.
Rules cover third-party data sharing and stronger oversight.
RBI proposes data governance framework for banks and NBFCs.
Draft focuses on customer data, quality and accountability.
Rules cover third-party data sharing and stronger oversight.
The Reserve Bank of India (RBI) has released draft guidance on data governance that proposes a common framework for banks, non-banking financial companies (NBFCs) and other regulated entities to improve the way they handle data.
The proposal covers commercial banks, small finance banks (SFBs), payment banks, regional rural banks (RRBs), cooperative banks, and NBFCs across all regulatory layers, asset reconstruction companies, credit information companies, and all-India financial institutions.
According to RBI, financial institutions today generate and process far more data than before because of digital banking, third-party service providers, automated systems, and advanced analytics. While many institutions have improved their data management practices over the years, supervisory assessments have also identified gaps that could lead to operational, compliance and financial risks.
The draft asks every regulated entity to put in place a Data Governance Framework covering the entire lifecycle of data, from its collection and processing to storage, archival and disposal. The framework also has to comply with the Digital Personal Data Protection Act, 2023, and related rules, according to the draft guidelines.
The guidance also requires institutions to clearly assign responsibility for managing data by designating data owners, data stewards and data custodians.
The draft places considerable focus on customer information. It mandates regulated entities to process data related to customers in accordance with the Digital Personal Data Protection Act and seek consent as necessary.
Institutions will also need to classify data based on its sensitivity, business importance and legal requirements. RBI has proposed that each important data element should have a single authorised source so that the same information remains consistent across different systems and business functions.
The guidance also asks regulated entities to regularly assess data quality so that inaccuracies do not affect business decisions, risk management or regulatory reporting.
The draft also introduces detailed expectations for sharing data with third parties. Even after customer data is shared with technology vendors or group entities, the regulated entity will be held responsible for its governance.
The guidelines further stipulate that data should only be shared for approved purposes and access to data should be limited to authorised personnel. It also includes secure transmission, encryption, confidentiality clauses, periodic audits, and continuous monitoring of third-party relationships.
The draft guidance has been released for consultation and outlines RBI’s expectations for the improvement of internal data governance in the financial sector. It does not add any new right or complaint mechanisms for customers, but addresses how regulated entities should handle and protect customer data.