Banks And NBFCs Get New Data Governance Playbook From RBI

Banks And NBFCs Get New Data

You can set Kotak Neo as a preferred source to receive regular market updates.

Add as preferred source on Google

The Reserve Bank of India on Wednesday released draft data governance guidelines for banks and NBFCs. The proposal calls for stronger board oversight, clear executive accountability and tighter controls on sharing data with third parties. Public comments are due by 17 August.

The Reserve Bank of India (RBI) released draft guidelines on Wednesday, outlining regulatory expectations for data governance at commercial banks, non-banking financial companies (NBFCs) and other regulated entities. RBI has proposed board-level oversight, executive accountability and strict controls over third-party data sharing.

The draft, open for public comment until 17 August, arrives ahead of the expected credit loss (ECL) framework for loan loss provisioning, which is scheduled to take effect from 01 April 2027.

Digital financial services have expanded the volume, velocity and complexity of data flowing through regulated entities at a pace that existing governance structures have not kept up with.

Interconnected technology ecosystems, third-party arrangements, advanced analytics and automated decision-making have all added layers of data risk that the RBI says can expose institutions to financial, operational, compliance and reputational harm if left unmanaged.

The proposed data governance framework (DGF) would need to be proportionate to each entity's size, complexity and business model and cover the full data lifecycle from creation to deletion. Key requirements include:

  • A board-level Data Governance Committee or an existing board committee assigned with oversight responsibility.

  • A dedicated data function headed by an executive of at least chief general manager rank.

  • Appoint data owners for each data domain. They will be responsible for data classification and its proper use.

  • Designated data custodians responsible for access controls and user entitlements.

  • Review the data governance framework at least once a year, or earlier if needed.

  • Alignment with the Digital Personal Data Protection Act 2023 and DPDP Rules 2025.

The section on third-party arrangements is among the most operationally significant parts of the draft. Regulated entities will remain accountable for all data shared with external vendors, group entities and technology providers. Data must be shared only for defined and approved purposes by designated personnel. Access must be granted on a need-to-know basis and non-disclosure agreements must be embedded in all third-party contracts.

Shared data must remain traceable to a single source of truth, with metadata and lineage capturing the extent of all sharing. Unauthorised reuse, duplication or secondary sharing is explicitly prohibited.

Regulated entities must build data quality management processes proportionate to data criticality and sensitivity, classify data based on confidentiality and regulatory relevance and put in place remediation processes to address material data quality issues. Data used for decision-making, risk management and regulatory reporting must meet reliability standards at all times.

Also Read - Foreign Investors Pump $132 Billion Into US Securities In May

This article is for informational purposes only and should not be considered investment advice from Kotak Neo. For compliance T&C and disclaimers, visit https://www.kotakneo.com/disclaimer/

About the Author
Kotak News Desk
Kotak News Desk

Kotak News Desk brings you latest updates, expert insights, and market-ready ideas - helping you stay informed and invest smarter.

Connect on: Linkedin

Did you enjoy this article?

0 people liked this article.