Banking

RBI Drafts Data Governance Rules For Banks, NBFCs

The proposed framework sets out how banks, NBFCs and other regulated entities should manage, protect and share data as digital financial services continue to expand

Ai generated
RBI Draft's Data Governance Rules for Banks, NBFCs Photo: Ai generated
info_icon
Summary

Summary of this article

  • RBI proposes data governance framework for banks and NBFCs.

  • Draft focuses on customer data, quality and accountability.

  • Rules cover third-party data sharing and stronger oversight.

The Reserve Bank of India (RBI) has released draft guidance on data governance that proposes a common framework for banks, non-banking financial companies (NBFCs) and other regulated entities to improve the way they handle data.

The proposal covers commercial banks, small finance banks (SFBs), payment banks, regional rural banks (RRBs), cooperative banks, and NBFCs across all regulatory layers, asset reconstruction companies, credit information companies, and all-India financial institutions.

According to RBI, financial institutions today generate and process far more data than before because of digital banking, third-party service providers, automated systems, and advanced analytics. While many institutions have improved their data management practices over the years, supervisory assessments have also identified gaps that could lead to operational, compliance and financial risks.

Data Governance Framework

The draft asks every regulated entity to put in place a Data Governance Framework covering the entire lifecycle of data, from its collection and processing to storage, archival and disposal. The framework also has to comply with the Digital Personal Data Protection Act, 2023, and related rules, according to the draft guidelines.

The guidance also requires institutions to clearly assign responsibility for managing data by designating data owners, data stewards and data custodians.

Customer Data and Data Quality

The draft places considerable focus on customer information. It mandates regulated entities to process data related to customers in accordance with the Digital Personal Data Protection Act and seek consent as necessary.

Institutions will also need to classify data based on its sensitivity, business importance and legal requirements. RBI has proposed that each important data element should have a single authorised source so that the same information remains consistent across different systems and business functions.

The guidance also asks regulated entities to regularly assess data quality so that inaccuracies do not affect business decisions, risk management or regulatory reporting.

Third-Party Sharing

The draft also introduces detailed expectations for sharing data with third parties. Even after customer data is shared with technology vendors or group entities, the regulated entity will be held responsible for its governance.

The guidelines further stipulate that data should only be shared for approved purposes and access to data should be limited to authorised personnel. It also includes secure transmission, encryption, confidentiality clauses, periodic audits, and continuous monitoring of third-party relationships.

The draft guidance has been released for consultation and outlines RBI’s expectations for the improvement of internal data governance in the financial sector. It does not add any new right or complaint mechanisms for customers, but addresses how regulated entities should handle and protect customer data.

Published At:
SUBSCRIBE
Tags

Click/Scan to Subscribe

qr-code
CLOSE