Mumbai: A man looks at the logo of the Reserve Bank of India (RBI), in Mumbai, Wednesday, Oct. 1, 2025. (PTI Photo/Kunal Patil)(PTI10_01_2025_000171B)

| Photo Credit:

Regulated entities (REs) such as commercial banks, co-operative banks and NBFCs will have to implement a data governance framework (DGF) proportionate to their size, complexity, business model and Information Technology (IT) and Information Security (IS) setup, going by draft ‘Guidance on Regulatory Expectations for Data Governance’.The guidance is aimed at supporting REs in strengthening their DGF and promoting sound practices relating to data management across the data lifecycle.RBI noted that data has emerged as a critical organisational asset for REs, underpinning business operations, customer service, financial reporting, regulatory compliance, risk management and strategic decision-making.The central bank said rapid growth in digital financial services, interconnected technology ecosystems, third-party arrangements, advanced analytics, and automated decision-making processes has significantly expanded the volume, velocity and complexity of data being generated, processed, shared and stored by REs.Consequently, the ability of REs to ensure the accuracy, availability, confidentiality, consistency, integrity and traceability of data across systems and business functions has assumed heightened importance.RBI said supervisory assessments and stakeholder engagements with REs indicated that while REs have progressively strengthened their information and data management capabilities, there are still certain weakness which need to be addressed else it may lead to operational, compliance, and financial risks.So, the DGF has to be comprehensive, covering all aspects of data governance including organisational structure, policies, and processes, risk management including data privacy and security, technological infrastructure, and audit mechanisms across the data lifecycle.It should cover all material aspects of data governance, including its lifecycle, quality, classification, single source of truth (SSOT: a single designated authoritative source for specific data element within the RE) arrangements, metadata (data about data), lineage, and third-party arrangements.The DGF, which should be reviewed annually or more frequently as required, should also comply with the Digital Personal Data Protection (DPDP) Act, 2023, the DPDP Rules, 2025, and all other applicable laws and rules, as amended from time to time.As per the Guidance, an RE should have Data Retention and Archival Policy under its DGF. It should ensure that data retention period is justified by business, legal, regulatory, or audit requirements.REs have to establish a Board level Data Governance Committee (DGC) or assign the responsibility to an existing Committee of the Board. The Committee responsible for data governance should oversee the implementation of the DGF; formulate policy / policies for data governance; and review them periodically or on material changes.An RE should establish a data function headed by a sufficiently Senior officer not below the rank of Chief General Manager or equivalent having adequate authority and with necessary competence/ skills for implementation of DGF.It should also designate a data owner for each data domain accountable and responsible for ensuring that data within the domain is defined, classified, and used in a manner consistent with the DGF.Further, a data steward, mapped to specific data domain under a data owner, and positioned within the business function or unit of the data owner should be designated by the RE.An RE should designate data custodian, responsible for functions such as enforcing access controls, and user entitlements in line with data classification and approved usage; and maintaining system capabilities to support effective implementation of DGF, among others.Published on July 15, 2026