RBI's Draft Guidance on Data Governance, Explained
The Reserve Bank of India has released the draft "Guidance on Regulatory Expectations for Data Governance"for public comments — its most comprehensive statement yet on how banks, NBFCs and other regulated entities must govern data as an organisational asset. It draws on supervisory observations and international practice, including the Basel Committee's BCBS 239 principles on risk data aggregation, and dovetails with the DPDP Act, 2023. Here is the complete breakdown.
Quick Facts
Who Does It Apply To?
Notably, the NBFC coverage spans all four scale-based layers including the Base Layer — so even the smallest NBFCs are within scope. The Guidance is to be read with existing RBI Directions; where they conflict, the Directions prevail.
The Governance Stack It Prescribes
Data Governance Framework (DGF)
Every RE must adopt a DGF covering all data — proportionate to its size, complexity and business model; aligned with the risk management framework; spanning organisational structure, policies, data privacy and security, technology and audit across the full data lifecycle; and compliant with the DPDP Act 2023 and DPDP Rules 2025. Reviewed at least ANNUALLY.
Board & Board-level committee
The Board oversees the DGF and reviews reports and metrics. A Board-level Data Governance Committee (DGC) — or an existing Board committee assigned the role — oversees implementation, formulates data governance policies (scope, architecture, data risk, ownership, quality, classification, third parties) and escalates material issues such as breaches and conflicts to the Board.
Executive-level committee
An executive Data Governance Committee with representation from the Data Function, IT, IS, business verticals, risk and compliance operationalises the DGF: allocates resources, reviews non-compliance and breaches, oversees data classification criteria and critical data element identification, and approves documented exceptions.
Data risk management
Data risk becomes part of the overall risk framework, assessed across seven principles — Accountability, Integrity, Auditability, Transparency, Traceability, Proportionality and Standardisation — plus cross-border processing risk. The DGF and its processes face periodic internal AND external audit (including CERT-IN empanelled auditors), with reports to the Audit Committee of the Board.
Four New Data Roles Every RE Must Map
| Role | Who / What | Core responsibility |
|---|---|---|
| Data Function | Central function headed by an officer NOT BELOW CGM rank (or equivalent) | Central coordination point: consistent interpretation of the DGF, effectiveness metrics, conflict resolution on definitions/classification/SSOT, documentation of standards and taxonomies |
| Data Owner | Individual or function per DATA DOMAIN (even when the domain spans multiple units) | Accountable for the domain: business definitions, classification, data quality, metadata and lineage oversight, SSOT designation, approving changes and exceptions |
| Data Steward | Individual/team under the Data Owner, positioned inside the business unit | Day-to-day operationalisation: connecting business rules to system design, documenting data flows, monitoring domain metrics, reporting deviations to the Data Owner |
| Data Custodian | Technical manager of the data environment | Access controls and entitlements per classification, technical capabilities for metadata/lineage/SSOT/reconciliation, transmission/storage/backup controls, retention-archival-disposal execution, BCP/DR for data platforms |
REs must maintain a documented, periodically reviewed mapping of these roles to processes and lifecycle stages — accountability, execution, consultation and escalation — a RACI-style matrix for data.
Lifecycle & Architecture — The Technical Core
Data lifecycle
Governance from origination to deletion: data may be created or acquired only for defined, legitimate purposes; foundational attributes (ownership, classification, usage intent, customer consent) must exist AT THE POINT OF CAPTURE; external/third-party data faces the same standards as internal data; transformation logic needs prior impact assessment and must preserve meaning; retention must be justified by business/legal/regulatory need, archival must not impede supervisory retrieval, and disposal must be secure and verifiable.
Single Source of Truth (SSOT)
One authoritative source per data element — no parallel or competing sources. All downstream systems, models and reports derive from the SSOT. Centralised, federated or hybrid models are all acceptable. SSOT designation (and changes) need executive committee approval, with reconciliation mechanisms to catch downstream inconsistencies.
Metadata & data lineage
Metadata for ALL data across the lifecycle — created at capture (source system, purpose, owner, classification, retention/usage), flowing downstream without loss, and updated on every transformation with source-to-derived relationships. Lineage means documented traceability from origin through transformations to final destination. System-generated data (logs, cookies) may carry proportionate metadata.
Data classification
A framework reflecting risk, criticality and sensitivity — considering business criticality, customer harm potential, personal-data sensitivity, confidentiality impact and legal/regulatory dimensions — including reclassification when aggregation or enrichment changes the risk profile. Classification travels in the metadata.
Data quality management
Quality processes proportionate to criticality, with multi-dimensional quality metrics (accuracy, completeness, consistency, timeliness, relevance, validity, reliability). Metrics and persistent issues go to the Data Governance Committee at least QUARTERLY.
Third-party arrangements
The RE stays responsible for data shared with third parties INCLUDING group entities: defined purposes only, need-to-know access, non-disclosure clauses, secure channels (encryption, authentication, auto-deletion), traceability back to the SSOT, periodic audits of third-party systems (CERT-IN empanelled where required), and ongoing monitoring.
✅ For JAIIB / CAIIB / Promotion Exam Aspirants
- •Draft issued July 15, 2026 (PR 2026-2027/677); comments due August 17, 2026 via 'Connect 2 Regulate'.
- •Anchored in BCBS 239 — the Basel principles for risk data aggregation and risk reporting.
- •Hierarchy to remember: Board → Board-level Data Governance Committee → executive Data Governance Committee → Data Function (headed by an officer ≥ CGM rank).
- •Role ladder: Data Owner (accountable per domain) → Data Steward (operationalises under the Owner) → Data Custodian (technical management).
- •SSOT = Single Source of Truth — one authoritative source per data element; models may be centralised, federated or hybrid.
- •Metadata = 'data about data'; Data Lineage = documented traceability from origin to final destination.
- •Seven data-risk principles: Accountability, Integrity, Auditability, Transparency, Traceability, Proportionality, Standardisation.
- •Data quality metrics reach the DGC at least quarterly; the DGF itself is reviewed at least annually.
- •Customer data must comply with the DPDP Act 2023 and DPDP Rules 2025.
How to Submit Feedback (by August 17, 2026)
→ Online through the "Connect 2 Regulate" section on RBI's website (rbi.org.in); or
→ By post to: The Chief General Manager, Operational Risk Group, Department of Regulation, Central Office, Reserve Bank of India, Shahid Bhagat Singh Marg, Fort, Mumbai – 400 001; or
→ By e-mail with the subject line "Feedback on Guidance on Regulatory Expectations for Data Governance".
Frequently Asked Questions
What has RBI released?
On July 15, 2026, RBI released the draft 'Guidance on Regulatory Expectations for Data Governance' (Press Release 2026-2027/677) for public comments. It sets out broad regulatory expectations on data governance frameworks, roles and responsibilities, the data lifecycle, data architecture (including Single Source of Truth, metadata and lineage), data quality, and third-party arrangements involving data sharing.
Which entities does the draft Guidance apply to?
Eleven categories of regulated entities: Commercial Banks (including foreign banks), Small Finance Banks, Payments Banks, Local Area Banks, Regional Rural Banks, Urban Co-operative Banks, Rural Co-operative Banks, All-India Financial Institutions (EXIM Bank, NABARD, NaBFID, NHB, SIDBI), NBFCs across all four scale-based layers, Asset Reconstruction Companies, and Credit Information Companies.
What is the deadline for comments?
Comments from regulated entities, members of the public and other stakeholders are due by August 17, 2026 — through the 'Connect 2 Regulate' section on RBI's website, by post to the Chief General Manager, Operational Risk Group, Department of Regulation, Central Office, Mumbai, or by e-mail with the subject line 'Feedback on Guidance on Regulatory Expectations for Data Governance'.
Is this a final regulation?
No. It is a DRAFT guidance issued for public consultation. It also states that it should be read with existing RBI Directions, and where there is any inconsistency, the applicable Directions prevail.
What is a 'Single Source of Truth' (SSOT) under the draft?
A single designated authoritative source for each specific data element within the regulated entity. The draft requires that no parallel or competing SSOT exists for the same data element, that all downstream systems and reports derive from the SSOT, and that reconciliation mechanisms detect inconsistencies. REs may adopt centralised, federated or hybrid SSOT models.
Who must head the Data Function?
A sufficiently senior officer not below the rank of Chief General Manager (or equivalent), with adequate authority and the necessary competence to implement the Data Governance Framework.
Disclaimer:This is an explainer of RBI's draft guidance based on the official press release and draft text, provided for information and exam preparation. It is a DRAFT open for consultation and may change before finalisation. Refer to the official documents on rbi.org.in for the authoritative text.