Brief Overview:
Messy data is now under regulatory glare with the expectation of board-level supervision. RBI’s proposed Guidance on Regulatory Expectations for Data Governance puts one point in sharp focus: REs cannot rely on data they cannot identify, explain, trace, control or defend.
For banks, NBFCs, ARCs and other Regulated Entities (“REs”), data used for credit, reporting, risk, customer outcomes, compliance or outsourcing cannot remain siloed or opaque. RBI expects data to have clear ownership, lifecycle controls, traceability, quality checks, Digital Personal Data Protection (“DPDP”) alignment and third-party accountability. Get comfortable with Single Source of Truth (“SSOT”) as a key responsibility, and then with data quality management expectations.
Technical Details:
What does RBI expect REs to clean up?
1) Enterprise-wide DGF: REs must implement a Data Governance Framework (“DGF”) covering governance, risk, privacy, security, audit, lifecycle controls, classification, quality, SSOT, metadata, lineage and third-party arrangements.
2) Ownership and oversight: Boards / committees must oversee implementation, review data-risk metrics and escalation, with a senior-led Data Function comprising Data Owners, Stewards and Custodians.
3) Lifecycle governance and DPDP alignment: Data must be governed from capture to deletion, covering consent, validation, use, lineage, retention, archival and disposal, aligned with DPDP expectations.
4) SSOT, traceability, classification and quality: REs must identify authoritative sources, trace downstream systems to the SSOT, classify data by risk / sensitivity, and track quality issues for timely remediation.
5) Third-party sharing: Vendor, fintech, cloud and group-sharing arrangements must be governed by need-to-know access, traceability, security, confidentiality, audit and deletion safeguards.
6) Comments: To be submitted to RBI by 17th August 2026.
JC takeaway:
1) AI or not, systems need reworking: If not due to AI, then RBI’s expectations may well result in many REs re-engineering their day-to-day data practices.
2) Data housekeeping (not the outsourced type!) first: REs should begin by mapping what data they hold, where it sits, who owns it, how it moves, what it supports, etc.
3) Board attention required: Data governance may now need to move out of the back office and into board / committee-level dashboards, with metrics, escalation and audit visibility.
4) DPDP and data governance will overlap: Consent, retention, deletion, security and customer data handling should not sit in separate silos.
5) Vendor contracts need attention: Outsourcing, fintech, cloud, analytics and group-sharing arrangements may need a sharper look at access, use, audit, deletion, confidentiality and traceability clauses.
6) Cross-functional build-out: This is unlikely to be a legal / compliance-only exercise; risk, IT, IS, business and operations will have to be in the room.
For further details, please see:
Guidance on Regulatory Expectations for Data Governance
For any queries / clarifications, please feel free to ping us and we will be happy to chat
- Jayesh H (jayesh.h@juriscorp.in)
● Bhumika Makhija (bhumika.makhija@juriscorp.in)