RBI Proposes Stricter Data Governance Framework for Banks and NBFCs
The central bank's draft norms would require lenders to set up board-level data committees, maintain a 'single source of truth' for every data element, and tighten third-party data controls — laying the groundwork for the 2027 expected credit loss regime.
By Naina, 16th July 2026
The Reserve Bank of India (RBI) has proposed a stricter data governance framework for banks and non-banking financial companies (NBFCs), aimed at strengthening how these institutions manage, protect, and use data. In draft norms released this week, the central bank emphasised the need for accuracy, consistency, confidentiality, integrity, and traceability of data across systems and business functions. The framework would require regulated entities to establish comprehensive data governance structures, including board-level oversight, a designated data function, and tight controls over data shared with third parties. The move comes as data has become a critical organisational asset for financial institutions, and ahead of a major change in loan-loss provisioning rules that will demand robust data infrastructure. Here is a detailed look at the RBI's proposed data governance framework and its implications for banks and NBFCs.
The draft norms reflect the growing importance and complexity of data in financial services, driven by rapid digitalisation, interconnected technology ecosystems, third-party arrangements, and the increasing use of advanced analytics and automated decision-making. The RBI has warned that weaknesses in data governance could expose institutions to financial, operational, compliance, and reputational risks. The framework applies broadly across the financial sector, from commercial banks to NBFCs and other regulated entities, and aligns with the country's data-protection laws. The central bank has invited public comments on the draft before finalising the rules. Here is an analysis of the proposed framework, its rationale, the key requirements around board oversight, data management, and third-party sharing, and what it means for the financial sector.
The Proposal
The RBI has released comprehensive draft norms. The central bank published draft guidelines this week proposing a data governance framework for regulated entities, laying down regulatory expectations across governance structures, roles and responsibilities, data architecture, metadata and lineage, data quality, and third-party data-sharing arrangements. The framework would apply to the entire data lifecycle, requiring institutions to manage data as a critical asset. The RBI has invited public comments on the draft by mid-August before finalising the rules. The proposal represents a significant step toward formalising and strengthening data governance across the financial sector, establishing clear standards for how banks and NBFCs should handle the vast and growing volumes of data central to their operations, compliance, and decision-making.
The Rationale
The proposal responds to the rising centrality of data. The RBI noted that data has increasingly emerged as a critical organisational asset for regulated entities, underpinning business operations, customer service, financial reporting, regulatory compliance, risk management, and strategic decision-making. The rapid growth in digital financial services, interconnected technology ecosystems, third-party arrangements, advanced analytics, and automated decision-making has significantly expanded the volume, velocity, and complexity of data that institutions handle. In this context, the central bank stressed that robust governance has become critical to ensure data remains accurate, consistent, secure, and fit for purpose. It warned that weaknesses in data governance could expose regulated entities to financial, operational, compliance, and reputational risks, underscoring the need for a stronger, more structured approach to managing data across the financial system.
The ECL Link
A key driver is an upcoming change in provisioning rules. The draft data governance norms come ahead of the implementation of the expected credit loss framework for loan-loss provisioning, scheduled to take effect from April 2027. This framework represents a major shift in how banks provision for potential loan losses, moving to a forward-looking, model-based approach that relies heavily on high-quality, granular data. To implement it successfully, banks are expected to prioritise strengthening their data infrastructure, ensuring the accuracy, consistency, and traceability of the data feeding their provisioning models. The data governance framework thus lays essential groundwork for this transition, helping ensure that institutions have the robust data foundations needed to comply with the new provisioning regime, making the two initiatives closely linked.
The Board Oversight
The framework places accountability at the top. Under the proposal, the board of a bank or NBFC would be responsible for overseeing the data governance framework. Each regulated entity would be required to establish a dedicated board-level data governance committee or assign the responsibility to an existing board committee. This committee would approve data governance policies, oversee their implementation, review material data breaches, and report key issues to the board. By mandating board-level oversight, the RBI aims to ensure that data governance receives senior management attention and is treated as a strategic priority rather than a purely technical function. This top-down accountability structure is designed to embed strong data governance practices throughout the organisation, from the boardroom to operational teams handling data day to day.
The Single Source of Truth
A central requirement is a single, authoritative data source. The RBI has proposed that every regulated entity maintain a single source of truth for each data element, ensuring that downstream systems, models, and business processes all rely on one authoritative, consistent source rather than fragmented or conflicting data. To operationalise this, institutions would need to establish a dedicated data function headed by a senior executive of appropriate rank, with the authority, competence, and skills to implement the framework and act as a central point of coordination across business, risk, and technology functions. Additionally, each data domain would have a designated data owner accountable for how data is defined, classified, and used. These measures aim to ensure consistency, reliability, and clear ownership of data across the organisation.
The Third-Party Rules
The framework tightens controls over third-party data sharing. Regulated entities would remain responsible for the governance of data shared with third parties, including group entities, ensuring that data is shared only for defined and approved purposes and by designated personnel. Institutions would need to put in place systems and controls governing access to, usage of, and deletion of shared data, taking into account data classification, sensitivity, and, crucially, customer consent in the case of customer data. Data shared with third parties would need to remain traceable to the single source of truth, with metadata and lineage capturing the extent of sharing, and safeguards to prevent unauthorised reuse, sharing, or duplication. These rules address the growing risks associated with the extensive data-sharing arrangements common in modern financial services.
The DPDP Alignment
The framework aligns with data-protection laws. The RBI has specified that the data governance framework should comply with the country's data-protection legislation, including the Digital Personal Data Protection Act and its associated rules, as well as other similar laws. This alignment ensures that the financial sector's data governance practices are consistent with the broader legal regime governing personal data protection and privacy. The emphasis on customer consent for sharing customer data, and on the confidentiality and secure handling of information, reflects these data-protection principles. By integrating regulatory data governance requirements with the country's data-protection framework, the RBI aims to create a coherent approach that safeguards customer data while enabling institutions to use data effectively for legitimate business and regulatory purposes.
The Impact and Scope
The framework has broad application and significant implications. It would apply across a wide range of financial institutions, including commercial banks, small finance banks, payments banks, cooperative banks, regional rural banks, NBFCs, all-India financial institutions, asset reconstruction companies, and credit information companies. For these entities, complying with the framework will require investment in data infrastructure, systems, processes, and skilled personnel, along with organisational changes to establish the required governance structures. The compliance burden may be particularly significant for smaller institutions with more limited resources. However, stronger data governance is expected to enhance the integrity, reliability, and security of data across the financial system, supporting better risk management, regulatory reporting, and decision-making, while reducing the risks associated with poor data quality and management.
The Road Ahead
The RBI's proposed data governance framework marks an important step toward strengthening how India's financial institutions manage their most critical asset: data. With public comments invited before the rules are finalised, the framework is expected to evolve based on industry feedback before implementation. For banks and NBFCs, preparing to comply will involve building robust data governance structures, strengthening data infrastructure, and embedding a culture of data accountability, efforts that also support readiness for the upcoming provisioning regime. As data continues to grow in volume, complexity, and importance, robust governance will become increasingly essential for financial stability, compliance, and trust. The framework, once finalised, is set to raise data governance standards across the sector, with lasting implications for how financial institutions handle data in an increasingly digital world.


POST A COMMENT (0)
All Comments (0)
Replies (0)