BankopediaBankopedia
Press Release 2026-2027/677July 15, 2026Draft — comments by Aug 17, 2026

RBI's Draft Guidance on Data Governance, Explained

The Reserve Bank of India has released the draft "Guidance on Regulatory Expectations for Data Governance"for public comments — its most comprehensive statement yet on how banks, NBFCs and other regulated entities must govern data as an organisational asset. It draws on supervisory observations and international practice, including the Basel Committee's BCBS 239 principles on risk data aggregation, and dovetails with the DPDP Act, 2023. Here is the complete breakdown.

Quick Facts

IssuedJuly 15, 2026 — Press Release 2026-2027/677 (draft for consultation)
Issuing officeOperational Risk Group, Department of Regulation, RBI Central Office
Comments dueAugust 17, 2026 — via 'Connect 2 Regulate' on rbi.org.in, post, or e-mail
Applies to11 categories of regulated entities — from commercial banks to CICs
Global anchorBCBS 239 — Principles for effective risk data aggregation and risk reporting
Legal interplayMust comply with DPDP Act 2023 & DPDP Rules 2025; existing RBI Directions prevail over the Guidance in case of conflict
Data Function headOfficer not below the rank of Chief General Manager or equivalent
Quality reportingData quality metrics to the Data Governance Committee at least QUARTERLY

Who Does It Apply To?

Commercial Banks (incl. foreign banks)
Small Finance Banks
Payments Banks
Local Area Banks
Regional Rural Banks
Urban Co-operative Banks
Rural Co-operative Banks (StCBs & CCBs)
NBFCs — all layers (BL, ML, UL, TL)
AIFIs — EXIM, NABARD, NaBFID, NHB, SIDBI
Asset Reconstruction Companies
Credit Information Companies

Notably, the NBFC coverage spans all four scale-based layers including the Base Layer — so even the smallest NBFCs are within scope. The Guidance is to be read with existing RBI Directions; where they conflict, the Directions prevail.

The Governance Stack It Prescribes

Data Governance Framework (DGF)

Every RE must adopt a DGF covering all data — proportionate to its size, complexity and business model; aligned with the risk management framework; spanning organisational structure, policies, data privacy and security, technology and audit across the full data lifecycle; and compliant with the DPDP Act 2023 and DPDP Rules 2025. Reviewed at least ANNUALLY.

Board & Board-level committee

The Board oversees the DGF and reviews reports and metrics. A Board-level Data Governance Committee (DGC) — or an existing Board committee assigned the role — oversees implementation, formulates data governance policies (scope, architecture, data risk, ownership, quality, classification, third parties) and escalates material issues such as breaches and conflicts to the Board.

Executive-level committee

An executive Data Governance Committee with representation from the Data Function, IT, IS, business verticals, risk and compliance operationalises the DGF: allocates resources, reviews non-compliance and breaches, oversees data classification criteria and critical data element identification, and approves documented exceptions.

Data risk management

Data risk becomes part of the overall risk framework, assessed across seven principles — Accountability, Integrity, Auditability, Transparency, Traceability, Proportionality and Standardisation — plus cross-border processing risk. The DGF and its processes face periodic internal AND external audit (including CERT-IN empanelled auditors), with reports to the Audit Committee of the Board.

Four New Data Roles Every RE Must Map

RoleWho / WhatCore responsibility
Data FunctionCentral function headed by an officer NOT BELOW CGM rank (or equivalent)Central coordination point: consistent interpretation of the DGF, effectiveness metrics, conflict resolution on definitions/classification/SSOT, documentation of standards and taxonomies
Data OwnerIndividual or function per DATA DOMAIN (even when the domain spans multiple units)Accountable for the domain: business definitions, classification, data quality, metadata and lineage oversight, SSOT designation, approving changes and exceptions
Data StewardIndividual/team under the Data Owner, positioned inside the business unitDay-to-day operationalisation: connecting business rules to system design, documenting data flows, monitoring domain metrics, reporting deviations to the Data Owner
Data CustodianTechnical manager of the data environmentAccess controls and entitlements per classification, technical capabilities for metadata/lineage/SSOT/reconciliation, transmission/storage/backup controls, retention-archival-disposal execution, BCP/DR for data platforms

REs must maintain a documented, periodically reviewed mapping of these roles to processes and lifecycle stages — accountability, execution, consultation and escalation — a RACI-style matrix for data.

Lifecycle & Architecture — The Technical Core

Data lifecycle

Governance from origination to deletion: data may be created or acquired only for defined, legitimate purposes; foundational attributes (ownership, classification, usage intent, customer consent) must exist AT THE POINT OF CAPTURE; external/third-party data faces the same standards as internal data; transformation logic needs prior impact assessment and must preserve meaning; retention must be justified by business/legal/regulatory need, archival must not impede supervisory retrieval, and disposal must be secure and verifiable.

Single Source of Truth (SSOT)

One authoritative source per data element — no parallel or competing sources. All downstream systems, models and reports derive from the SSOT. Centralised, federated or hybrid models are all acceptable. SSOT designation (and changes) need executive committee approval, with reconciliation mechanisms to catch downstream inconsistencies.

Metadata & data lineage

Metadata for ALL data across the lifecycle — created at capture (source system, purpose, owner, classification, retention/usage), flowing downstream without loss, and updated on every transformation with source-to-derived relationships. Lineage means documented traceability from origin through transformations to final destination. System-generated data (logs, cookies) may carry proportionate metadata.

Data classification

A framework reflecting risk, criticality and sensitivity — considering business criticality, customer harm potential, personal-data sensitivity, confidentiality impact and legal/regulatory dimensions — including reclassification when aggregation or enrichment changes the risk profile. Classification travels in the metadata.

Data quality management

Quality processes proportionate to criticality, with multi-dimensional quality metrics (accuracy, completeness, consistency, timeliness, relevance, validity, reliability). Metrics and persistent issues go to the Data Governance Committee at least QUARTERLY.

Third-party arrangements

The RE stays responsible for data shared with third parties INCLUDING group entities: defined purposes only, need-to-know access, non-disclosure clauses, secure channels (encryption, authentication, auto-deletion), traceability back to the SSOT, periodic audits of third-party systems (CERT-IN empanelled where required), and ongoing monitoring.

✅ For JAIIB / CAIIB / Promotion Exam Aspirants

  • Draft issued July 15, 2026 (PR 2026-2027/677); comments due August 17, 2026 via 'Connect 2 Regulate'.
  • Anchored in BCBS 239 — the Basel principles for risk data aggregation and risk reporting.
  • Hierarchy to remember: Board → Board-level Data Governance Committee → executive Data Governance Committee → Data Function (headed by an officer ≥ CGM rank).
  • Role ladder: Data Owner (accountable per domain) → Data Steward (operationalises under the Owner) → Data Custodian (technical management).
  • SSOT = Single Source of Truth — one authoritative source per data element; models may be centralised, federated or hybrid.
  • Metadata = 'data about data'; Data Lineage = documented traceability from origin to final destination.
  • Seven data-risk principles: Accountability, Integrity, Auditability, Transparency, Traceability, Proportionality, Standardisation.
  • Data quality metrics reach the DGC at least quarterly; the DGF itself is reviewed at least annually.
  • Customer data must comply with the DPDP Act 2023 and DPDP Rules 2025.

How to Submit Feedback (by August 17, 2026)

→ Online through the "Connect 2 Regulate" section on RBI's website (rbi.org.in); or

→ By post to: The Chief General Manager, Operational Risk Group, Department of Regulation, Central Office, Reserve Bank of India, Shahid Bhagat Singh Marg, Fort, Mumbai – 400 001; or

→ By e-mail with the subject line "Feedback on Guidance on Regulatory Expectations for Data Governance".

Frequently Asked Questions

What has RBI released?

On July 15, 2026, RBI released the draft 'Guidance on Regulatory Expectations for Data Governance' (Press Release 2026-2027/677) for public comments. It sets out broad regulatory expectations on data governance frameworks, roles and responsibilities, the data lifecycle, data architecture (including Single Source of Truth, metadata and lineage), data quality, and third-party arrangements involving data sharing.

Which entities does the draft Guidance apply to?

Eleven categories of regulated entities: Commercial Banks (including foreign banks), Small Finance Banks, Payments Banks, Local Area Banks, Regional Rural Banks, Urban Co-operative Banks, Rural Co-operative Banks, All-India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, SIDBI), NBFCs across all four scale-based layers, Asset Reconstruction Companies, and Credit Information Companies.

What is the deadline for comments?

Comments from regulated entities, members of the public and other stakeholders are due by August 17, 2026 — through the 'Connect 2 Regulate' section on RBI's website, by post to the Chief General Manager, Operational Risk Group, Department of Regulation, Central Office, Mumbai, or by e-mail with the subject line 'Feedback on Guidance on Regulatory Expectations for Data Governance'.

Is this a final regulation?

No. It is a DRAFT guidance issued for public consultation. It also states that it should be read with existing RBI Directions, and where there is any inconsistency, the applicable Directions prevail.

What is a 'Single Source of Truth' (SSOT) under the draft?

A single designated authoritative source for each specific data element within the regulated entity. The draft requires that no parallel or competing SSOT exists for the same data element, that all downstream systems and reports derive from the SSOT, and that reconciliation mechanisms detect inconsistencies. REs may adopt centralised, federated or hybrid SSOT models.

Who must head the Data Function?

A sufficiently senior officer not below the rank of Chief General Manager (or equivalent), with adequate authority and the necessary competence to implement the Data Governance Framework.

Disclaimer:This is an explainer of RBI's draft guidance based on the official press release and draft text, provided for information and exam preparation. It is a DRAFT open for consultation and may change before finalisation. Refer to the official documents on rbi.org.in for the authoritative text.