Loading Now

RBI wants banks and non-banks to have a data governance framework

RBI wants banks and non-banks to have a data governance framework

RBI wants banks and non-banks to have a data governance framework


The Reserve Bank of India (RBI) on Wednesday proposed that banks and non-banks implement a data governance framework (DGF) aligned with their risk management policies.

It said that this framework should be proportionate to the size of the regulated entity, its complexity, and its business model, among other factors.

It should cover all material aspects of data governance, including its lifecycle, quality, classification, metadata, lineage, and third-party arrangements; and should be in line with the Digital Personal Data Protection (DPDP) Act, 2023, the DPDP Rules, 2025, and all other applicable laws.

“The DGF should be reviewed annually or more frequently as required. The Board should oversee the DGF of the regulated entity and review the reports and metrics placed before it,” said the RBI draft guidelines.

RBI said that a regulated entity should establish a data function headed by a sufficiently senior officer not below the rank of chief general manager or equivalent, having adequate authority and with necessary competence.

Data security

RBI said that data has increasingly emerged as a critical organizational asset for regulated entities (REs), underpinning business operations, customer service, financial reporting, regulatory compliance, risk management, and strategic decision-making.

“The rapid growth in digital financial services, interconnected technology ecosystems, third-party arrangements, advanced analytics, and automated decision-making processes has significantly expanded the volume, velocity and complexity of data being generated, processed, shared and stored by REs,” it said.

The regulator said that banks and non-banks should establish a board-level Data Governance Committee (DGC) or assign responsibility to an existing board committee.

The committee responsible should oversee the implementation of the DGF and formulate policies for data governance, including the scope of data governance, data architecture, and management of data risk.

An entity regulated by RBI should be responsible for the governance of data shared with third parties, including group entities.

“It should ensure that data is shared with third parties only for defined and approved purposes and by designated personnel. It should put in place systems and controls for access, usage, and deletion of data shared with third parties…” read RBI draft guidelines.

Post Comment