Blog Details

Data as a Regulatory Asset: RBI’s Emerging Framework for Data Governance

On 15 July 2026, the Reserve Bank of India (“RBI”) released the draft Guidance on Regulatory Expectations for Data Governance (“Draft Guidance”), setting out a comprehensive framework for how regulated entities (“REs”) are expected to create, own, classify, protect and dispose of data across its lifecycle. Comments on the draft are invited until 17 August 2026.

Earlier regulatory measures touching data have largely operated at one remove — through cybersecurity directions, information technology frameworks, or outsourcing regulations. The Draft Guidance departs from that pattern by placing data governance itself at the centre of regulatory oversight. It draws on RBI’s supervisory observations and on international practice, including the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS 239), and proposes institution-wide governance structures, defined accountability and lifecycle-based controls intended to ensure that data remains accurate, traceable and fit for both business and regulatory purposes.

Applicability 

The Draft Guidance is proposed to apply to a broad cross-section of RBI-regulated entities: Commercial Banks, Small Finance Banks, Payments Banks, Local Area Banks, Regional Rural Banks, and both Urban and Rural Co-operative Banks. It extends to Non-Banking Financial Companies across all four layers (Base, Middle, Upper and Top) as well as the five All India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB and SIDBI), Asset Reconstruction Companies, and Credit Information Companies.

Comments may be submitted through the “Connect 2 Regulate” portal on RBI’s website.

Governance Moves to the Boardroom

Every RE will be required to establish a Data Governance Framework (“DGF”), proportionate to its size, complexity and business model, reviewed at least annually, and aligned with the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. Accountability for the DGF is structured in three tiers, extending directly to the Board:

Layer Responsibility
Board Overall oversight of the DGF; review of governance reports and metrics placed before it.
Board Data Governance Committee Approval and periodic review of governance policy; escalation of material issues and breaches to the Board.
Executive Data Governance Committee Implementation and operationalisation of the DGF; cross-functional coordination, exception approval and breach review

 

Defined Organisational Roles

Beneath this committee structure, the Draft Guidance allocates responsibility to specific roles rather than to functions in the abstract. A Data Function, headed by an officer not below the rank of Chief General Manager or equivalent, is required at the centre. Each data domain is assigned a Data Owner, supported by Data Stewards who operationalise governance requirements and Data Custodians who carry technical responsibility for the data environment.

Role Core Responsibility
Data Function Central coordination of the DGF; governance metrics, conflict resolution and documentation standards.
Data Owner Domain-level accountability for classification, quality, metadata, lineage and SSOT designation.
Data Steward Operational implementation of governance requirements in support of the Data Owner.
Data Custodian Technical management of the data environment — access controls, storage, backup, disaster recovery.

 

REs are additionally required to maintain a documented mapping of these roles against data processes and lifecycle stages, reviewed periodically and on material change.

Data Risk as Enterprise Risk

The Draft Guidance integrates data risk into the RE’s overall risk management framework, organised around seven principles: accountability, integrity, auditability, transparency, traceability, proportionality and standardisation. In practice, this requires ongoing risk monitoring, periodic effectiveness assessments of the DGF, internal and external audit, including, where applicable, CERT-In empanelled auditors and reporting of material data risks and incidents to the Board-level committee. Customer-related data continues to be governed in parallel by the DPDP Act, 2023 and the DPDP Rules, 2025.

Governance Across the Data Lifecycle

 

The Draft Guidance adopts a lifecycle-based approach, requiring governance from the point of data origination through to secure disposal covering capture, processing, sharing, transformation, storage, and archival. Throughout, REs are expected to maintain appropriate metadata, document data lineage, preserve consent records where applicable, and ensure traceability of transformed or derived data. Data obtained from external sources, including third parties, is required to be governed to standards equivalent to internally generated data.

Data Architecture and Quality

REs are required to designate a Single Source of Truth (“SSOT”) for each data element, with no parallel or competing sources permitted, and any SSOT designation or change subject to approval by the Executive Data Governance Committee. This is supported by comprehensive metadata maintained throughout the lifecycle, documented data lineage covering transformation and downstream use, a risk-based data classification framework reflecting criticality and sensitivity, and measurable data quality metrics, with persistent quality issues placed before the Data Governance Committee on at least a quarterly basis.

Third-Party Data Arrangements

Responsibility for governed data continues to rest with the RE notwithstanding sharing with third parties, including group entities. Data may be shared only for approved purposes and on a need-to-know basis, and must be supported by confidentiality obligations in third-party agreements and secure transmission standards, including encryption and authentication controls. Metadata and lineage records must capture the extent of third-party sharing, and third-party systems remain subject to periodic audit and ongoing monitoring.

The Draft Guidance does not specify an effective date, a supervisory consequence for non-compliance, or any differentiated phase-in by RE size or complexity, notwithstanding that proportionality is named as a core governance principle. On its current text, a Base Layer NBFC and a Top Layer NBFC face materially the same obligations. Whether this is addressed before finalisation will be relevant to implementation timelines.

Preparatory Considerations for Regulated Entities

While the Draft Guidance remains open for consultation, REs may wish to assess their current position against it. The obligations vary considerably in the extent of change they are likely to require.

  • Governance structures: establishing Board-level oversight of data governance, a Data Function headed at Chief General Manager level or equivalent, and formal designation of Data Owners, Stewards and Custodians across data domains.
  • Documentation and systems: a documented Single Source of Truth for critical data elements, metadata and lineage tracking that persists through transformation and downstream use, and reviewed retention and disposal policies.
  • Existing practice: tightening third-party contractual terms on access, confidentiality and audit rights, and confirming alignment between the proposed DGF and existing DPDP Act and DPDP Rules compliance

Concluding Remarks

The Draft Guidance marks a notable shift in RBI’s regulatory approach. Rather than addressing data governance as an adjunct to technology or cybersecurity regulation, it treats data as a governed regulatory asset in its own right, requiring clear ownership, defined governance structures, lifecycle-based controls and enterprise-wide accountability.

If adopted substantially in its present form, REs will likely need to revisit their governance structures, organisational responsibilities, risk management practices, data architecture and third-party data arrangements to align with RBI’s proposed expectations. Given the breadth of applicability, the absence of a stated implementation timeline, and the extent of structural change contemplated, REs would be well advised to begin this assessment during the consultation period rather than after finalisation.

Disclaimer: The views expressed herein are solely for legal research purposes and do not constitute legal opinion, legal advice, solicitation, or professional guidance of any nature. The views are personal to the author and do not necessarily reflect those of PJ Law Offices (www.pjlaw.in), its principal, representatives, associates, retainers, affiliates (collectively, “PJLaw”). Readers are advised to seek independent legal counsel before acting on any information contained herein. PJLaw makes no representation or warranty, express or implied, regarding the accuracy or completeness of the contents and expressly disclaims all liability arising from reliance upon or use of the same.

 

 

 

 

Related blogs

shape