Wednesday, July 15


FILE PHOTO: Reserve Bank of India
| Photo Credit: FRANCIS MASCARENHAS

The Reserve Bank of India (RBI) on Wednesday issued the ‘Guidance on Regulatory Expectations for Data Governance’ for banks and other Regulated Entities (REs) prescribing a comprehensive framework to strengthen governance of data across the banking system. 

The objective of the guidance is to improve data quality, accountability, risk management and security while ensuring compliance with the Digital Personal Data Protection (DPDP) Act, 2023, and other applicable laws.

This has become important because with the increasing digitalisation of the financial sector and growing adoption of technology-driven business models, data has emerged as a critical asset for REs.

As the volume, variety and velocity of data continue to increase, effective data governance has become essential to ensure that data remains accurate, consistent, secure and fit for purpose across functions and systems, the RBI said. 

Weaknesses in data governance and its management can lead to broader financial, operational, compliance and reputational risk for the REs, it said. 

Recognising this, this draft has been released to support REs in strengthening their data governance framework and promoting sound practices relating to data management across the data lifecycle. 

Under the guidance, all REs have been directed to establish a comprehensive Data Governance Framework (DGF) aligned with their overall risk management framework. 

The framework needs to be proportionate to the size, complexity, business model and technology infrastructure of each bank, while covering all aspects of data governance, including organisational structure, policies, processes, technological systems, audit mechanisms and the entire data lifecycle. 

The RBI has also asked banks to review the framework annually or more frequently whenever required. It has assigned a key role to the board of directors in overseeing the implementation of the DGF. 

REs have been directed to establish a board-level data governance committee or assign the responsibility to an existing board committee to supervise implementation of the framework, formulate governance policies, periodically review them and place reports on data governance, breaches and other material issues before the board. 

The REs at the operational level must also establish an executive-level data governance committee comprising representatives from data management, information technology, information security, risk management, compliance and business functions to ensure effective implementation of the framework.

The RBI has laid significant emphasis on data risk management by directing banks to integrate data risks into their overall enterprise risk management framework.

REs have been asked to identify and manage risks relating to data quality, ownership, privacy, security, classification, cross-border data processing and third-party arrangements.  The framework should be built on principles such as accountability, integrity, transparency, auditability, traceability, proportionality and standardisation. 

REs have also been instructed to continuously assess the effectiveness of their governance framework and subject it to periodic internal and external audits.

To strengthen accountability, the guidance requires banks to establish a dedicated data function headed by a senior executive not below the rank of Chief General Manager or its equivalent.

Separate roles have also been prescribed for Data Owners, Data Stewards and Data Custodians. While data owners will be responsible for data definitions, quality, classification, metadata and governance within their domains; data stewards will oversee day-to-day implementation of governance standards. 

Data custodians will manage technical controls relating to access, storage, backup, business continuity, disaster recovery and secure disposal of data.

The RBI has also introduced detailed requirements covering the entire data lifecycle. 

REs have been directed ensure that data is collected only for legitimate business purposes and that ownership, classification, consent and usage requirements are defined at the point of origination. 

During processing and sharing, institutions must adopt approved standards while deploying security measures such as encryption, tokenisation, anonymisation and data loss prevention controls. 

REs are also required to establish policies governing data retention, archival and secure disposal, ensuring that information remains accessible for regulatory, supervisory and audit purposes throughout the prescribed retention period.

A major feature of the guidance is the requirement to establish a Single Source of Truth (SSOT) for all critical data elements so that all business functions rely on one authoritative source of information. 

REs have also been directed to maintain comprehensive metadata and data lineage records to ensure that data remains traceable throughout its lifecycle. In addition, they must implement robust data quality management processes, develop measurable quality metrics and periodically review persistent data quality issues at the board committee level.

The RBI has further tightened norms governing third-party data sharing by making banks fully responsible for customer and institutional data shared with service providers and group entities. 

As per the guidance REs must ensure that such sharing takes place only for approved purposes, with appropriate access controls, encryption, contractual safeguards, continuous monitoring and periodic audits. 

Through these measures, the central bank aims to build a stronger data governance ecosystem that enhances operational resilience, supports informed decision-making and protects customer data in India’s rapidly evolving digital banking environment.



Source link

Share.
Leave A Reply

Exit mobile version