The Reserve Bank of India has released draft guidelines requiring banks and NBFCs to adopt a formal data governance framework. The proposal mandates board-level oversight and stricter controls to ensure data security and accuracy. Entities must submit public feedback on these draft rules by August 17, 2026.
The Reserve Bank of India (RBI) has introduced a new draft framework aimed at tightening how financial institutions manage and protect their data. As digital operations become central to banking and lending, the regulator is looking to ensure that the massive amounts of information handled by these entities are accurate, secure, and reliable. This proposal covers a wide range of regulated entities, including commercial banks, small finance banks, regional rural banks, non-banking financial companies (NBFCs), asset reconstruction companies, and credit information companies.
Why Data Governance Matters to the RBI
The central bank has identified data as a critical asset for modern financial operations. From routine customer service and financial reporting to complex risk assessment and long-term strategic planning, the quality of data is essential for the stability of these institutions. The RBI noted that because of the increasing volume and speed at which data is generated, weak management practices can lead to significant operational, financial, and reputational risks. If a financial institution loses track of its data or suffers a security breach, the impact can extend from internal mismanagement to broader systemic issues.
New Requirements for Oversight and Structure
Under the proposed rules, financial entities must move beyond basic IT maintenance and establish a comprehensive data lifecycle strategy. This means they must define clear roles, maintain strict data quality standards, and create secure protocols for sharing information with third parties. A central requirement is the creation of a 'single source of truth' for all data elements. This ensures that every department within a bank or NBFC is looking at the same, consistent data, rather than having conflicting reports across different systems.
Furthermore, the RBI is placing responsibility at the very top of the organization. Regulated entities will be required to establish a Data Governance Committee (DGC) at the board level, or assign these duties to an existing board committee. This committee will be directly responsible for approving data policies, overseeing their implementation, and reporting any significant data breaches or failures to the full board. By making data management a board-level issue, the regulator aims to ensure that technology and information risks receive the same level of attention as financial or credit risks.
The industry has until August 17, 2026, to provide feedback on these draft guidelines. Investors and stakeholders should monitor how these requirements impact the operational costs of financial institutions, as implementing robust data governance and 'single source of truth' systems may involve investments in technology and infrastructure. The final version of these rules will clarify the timelines for compliance and the specific technical requirements for different types of financial institutions.
