RBI floats proposal for stricter data governance for banks and NBFCs, seeks feedback by August 17
New Delhi: The Reserve Bank of India, as part of its overall risk management systems, has proposed a comprehensive data governance framework requiring banks, non-banking financial companies (NBFCs) and other regulated entities to strengthen data risk management. In the draft titled “Guidance on Regulatory Expectations for Data Governance [pdf]”, the central bank has invited public comments on the draft until August 17.
According to the RBI draft, “Data has increasingly emerged as a critical organisational asset for regulated entities (REs), underpinning business operations, customer service, financial reporting, regulatory compliance, risk management, and strategic decision-making.”
The draft framework establishes the regulatory expectations on data governance, which include governance structures, roles and responsibilities, data architecture, metadata and lineage, data quality, and third-party data-sharing arrangements. It will apply to commercial banks, small finance banks, payments banks, cooperative banks, regional rural banks, NBFCs, all-India financial institutions, asset reconstruction companies (ARCs) and credit information companies.
According to the RBI, the increase in “volume, variety and velocity of data” has become all the more important to ensure that data remains accurate, consistent, secure and fit for purpose across business functions and systems. The RBI believes that if data governance and management fall weak, they could expose regulated entities to financial, operational, compliance and reputational risks.
The draft proposal requires REs to implement a data-governance framework (DGF) that spans the complete data lifecycle and must be aligned with the entity’s broader risk management framework. RBI’s guidance specifies that this framework should apply comprehensively across all data.
To ensure proper oversight, RBI wants boards directly involved in governing this framework. Each regulated entity would need to either set up a dedicated data-governance committee (DGC) at the board level, or delegate this responsibility to one of its existing board committees.
Whichever committee takes on this role would handle several key functions, such as signing off on data governance policies, monitoring how well the framework is being implemented, examining any significant breaches that occur, and keeping the board informed on major issues.
Additionally, RBI wants each regulated entity to designate a “single source of truth” for every data element in its systems. This would ensure that all downstream processes, models, and business operations pull from one authoritative, consistent data source rather than potentially conflicting versions.