The Reserve Bank of India has released draft guidelines for a new data governance framework for banks and NBFCs. The proposal mandates strict data accuracy and oversight standards ahead of the 2027 Expected Credit Loss framework. Investors should note that this will likely increase compliance and technology spending for financial institutions.
The Reserve Bank of India (RBI) has introduced a draft data governance framework that will apply to all commercial banks and Non-Banking Financial Companies (NBFCs). The central bank aims to standardize how financial institutions collect, store, and manage data, ensuring higher levels of accuracy, traceability, and security across all business functions.
Preparing for Expected Credit Loss Implementation
A primary driver for these new rules is the upcoming transition to the Expected Credit Loss (ECL) framework, which is scheduled to take effect on April 1, 2027. Under current rules, banks typically set aside capital after a loan turns into a bad debt. The ECL framework requires banks to estimate potential future losses and set aside provisions in advance. To make these complex calculations accurate, banks need high-quality and consistent data. By mandating this governance framework now, the RBI is ensuring that financial entities have the necessary digital infrastructure to comply with the new provisioning standards when they arrive.
Governance and Board Accountability
The RBI’s proposal shifts data management from a purely technical task to a core strategic function. Regulated entities will be required to form a board-level Data Governance Committee to oversee policies related to data architecture and risk management. This committee will be responsible for defining data ownership and monitoring the effectiveness of the institution's data practices. Furthermore, companies must appoint a senior executive to lead a dedicated Data Function, ensuring that accountability rests with top management rather than just IT departments.
Managing Third-Party Data Risks
As banks increasingly rely on fintech partners and cloud service providers, the RBI has clarified that financial institutions remain fully responsible for data governance, even when sharing information with third parties or group entities. The draft rules require companies to maintain strict controls over data access, usage, and deletion. All processes must align with the Digital Personal Data Protection Act, 2023, with a specific focus on obtaining clear customer consent. For investors, these requirements imply that banks and NBFCs may face higher technology and compliance costs in the near term as they upgrade their systems to meet these traceability and security standards. The final impact on profitability will depend on the existing technological maturity of individual institutions, with larger banks likely better equipped to manage these shifts compared to smaller NBFCs.
