RBI proposes stricter data governance framework for banks, NBFCs
Mumbai, Jul 15, 2026
The RBI has proposed a comprehensive data governance framework for banks and NBFCs, focusing on customer consent, data quality, third-party sharing and board oversight
The Reserve Bank of India (RBI) on Wednesday released draft norms on a data governance framework for regulated entities such as commercial banks and non-banking financial companies (NBFCs), emphasising the need for accuracy, consistency, confidentiality, integrity, and traceability of data across systems and business functions.
The draft norms on data governance come ahead of the implementation of the expected credit loss (ECL) framework for loan loss provisioning, scheduled from April 1, 2027. Banks are expected to prioritise strengthening their data infrastructure to successfully implement the ECL framework.
“The rapid growth in digital financial services, interconnected technology ecosystems, third-party arrangements, advanced analytics, and automated decision-making processes has significantly expanded the volume, velocity, and complexity of data being generated, processed, shared, and stored by regulated entities,” the draft norms said.
The norms propose that regulated entities put in place a data governance framework (DGF) applicable to all data and align it with their risk management framework, while ensuring that it is proportionate to their size, complexity, business model, and information technology and information security setup.
Moreover, the framework should be comprehensive and cover all aspects of data governance, including organisational structure, policies and processes, risk management, including data privacy and security, technological infrastructure, and audit mechanisms across the data lifecycle.
The framework should comply with the Digital Personal Data Protection (DPDP) Act, 2023, the DPDP Rules, 2025, and all other applicable laws and rules. “The DGF should be reviewed annually or more frequently, if required,” it said.
On third-party arrangements, the RBI said the regulated entity should be responsible for the governance of data shared with third parties, including group entities, while ensuring that data is shared only for defined and approved purposes and by designated personnel.
Regulated entities have been asked to put in place systems and controls governing access to, usage of, and deletion of data shared with third parties, taking into account data classification, sensitivity, and, importantly, customer consent in the case of customer data. “Regulated entities should ensure that data shared with third parties remains traceable to the designated single source of truth, and metadata and lineage capture the extent of such sharing,” the draft norms said.
The norms said data sharing should not result in unauthorised reuse, sharing, or duplication.
The norms said the board of a bank or NBFC should oversee the framework and review the reports and metrics placed before it. Regulated entities should establish a board-level Data Governance Committee or assign the responsibility to an existing committee of the board.
The committee will oversee the implementation of the DGF. The board committee should formulate data governance policies covering the scope of data governance, data architecture, management of data risk, ownership, accountability and responsibility for data across the data lifecycle, data quality management, the data classification framework, and arrangements with third parties.
Moreover, the regulated entity should establish processes to manage data risk as part of its overall risk management framework, the draft norms said. While defining roles and responsibilities within the organisation, the draft norms said regulated entities should establish a data function headed by an executive of no less than the rank of chief general manager, or an equivalent officer, with adequate authority and the necessary competence and skills to implement the DGF. The data function should develop metrics to monitor the effectiveness of the DGF.
“The data function should act as the central point of coordination to ensure consistent interpretation and implementation of the DGF and related policies thereunder across business, risk, technology, and other relevant functions," it said. Moreover, there should be a designated data owner for each data domain, accountable and responsible for ensuring that data within the domain is defined, classified, and used in a manner consistent with the DGF.
There should also be a designated data custodian responsible for enforcing access controls and user entitlements in line with data classification and approved usage.
The norms also proposed that regulated entities establish data quality management processes proportionate to data criticality, sensitivity, and classification, and ensure that data is fit for its intended use and that material issues are identified and remediated in a timely manner.
Key proposals
• Regulated entities should align data governance framework with risk management rules
• The framework should be proportionate to size, complexity, business model, and IT setup of the regulated entities
• The norms released by the RBI noted that the framework should be comprehensive in nature
• The framework should be in compliance with DPDP Act, 2023, the DPDP Rules, 2025, and other similar laws
[The Economic Times]
