RBI proposes stricter data governance framework for banks, NBFCs | Finance News
The draft norms come ahead of the implementation of the expected credit loss (ECL) framework for loan-loss provisioning, scheduled from April 1, 2027. Banks are expected to prioritise strengthening their data infrastructure to successfully implement the ECL framework.
“The rapid growth in digital financial services, interconnected technology ecosystems, third-party arrangements, advanced analytics, and automated decision-making processes has significantly expanded the volume, velocity and complexity of data being generated, processed, shared and stored by REs,” the draft norms said.
The norms propose that regulated entities should put in place a data governance framework (DGF) applicable to all data and align it with their risk management framework, while ensuring that the framework is proportionate to their size, complexity, business model, and information technology (IT) and information security (IS) set-up.
Moreover, the framework should be comprehensive and cover all aspects of data governance, including organisational structure, policies and processes, risk management, including data privacy and security, technological infrastructure, and audit mechanisms across the data lifecycle.
The framework should comply with the Digital Personal Data Protection (DPDP) Act, 2023, the DPDP Rules, 2025, and all other applicable laws and rules.
“The DGF should be reviewed annually or more frequently as required,” it said.
On third-party arrangements, the RBI said REs should remain responsible for the governance of data shared with third parties, including group entities, while ensuring that data is shared with third parties only for defined and approved purposes and by designated personnel.
The REs have been asked to put in place systems and controls for access, usage and deletion of data shared with third parties, taking into account data classification, sensitivity and, importantly, customer consent in the case of customer data.
“RE should ensure that data shared with third parties remains traceable to the designated SSOT (single source of truth), and metadata and lineage capture the extent of such sharing,” the draft norms said.
The norms added that data sharing should not result in unauthorised reuse, sharing or duplication.
The draft norms said the board of a bank or NBFC should oversee the framework and review the reports and metrics placed before it. REs should establish a board-level Data Governance Committee (DGC) or assign the responsibility to an existing committee of the board.
The committee will oversee the implementation of the DGF.
The board committee should formulate policies for data governance, including the scope of data governance, data architecture, management of data risk, ownership, accountability and responsibility for data across the data lifecycle, data quality management, a data classification framework, and arrangements with third parties.
Moreover, regulated entities should establish processes to manage data risk as part of their overall risk management framework, the draft norms said.
While defining roles and responsibilities within the organisation, the draft norms said REs should establish a Data Function headed by an executive of at least the rank of chief general manager or equivalent, with adequate authority and the necessary competence and skills for implementing the DGF.
The Data Function should develop metrics to monitor the effectiveness of the DGF.
“The Data Function should act as the central point of coordination to ensure consistent interpretation and implementation of the DGF and related policies thereunder across business, risk, technology, and other relevant functions,” it said.
Moreover, there should be a designated Data Owner for each data domain, accountable and responsible for ensuring that data within the domain is defined, classified and used in a manner consistent with the DGF.
There should also be a designated Data Custodian responsible for enforcing access controls and user entitlements in line with data classification and approved usage.
The draft norms also propose that REs should establish data quality management processes proportionate to the criticality, sensitivity and classification of data, and ensure that data is fit for its intended use, with material issues identified and remedied in a timely manner.