On Wednesday, the Reserve Bank of India (RBI) published draft norms for a Data Governance Framework (DGF) that will bind commercial banks and non‑banking financial companies (NBFCs). Issued in July 2026, the guidelines aim to tighten data accuracy, consistency, confidentiality, integrity and traceability in anticipation of the expected credit‑loss (ECL) framework slated for April 1, 2027.

The draft arrives as digital financial services surge, generating more data, faster and in more complex forms than ever before. RBI notes that banks and NBFCs must design a DGF proportionate to their size, complexity, business model and IT environment. The framework must dovetail with existing risk‑management systems and cover organisational structure, policies, risk management—including data privacy and security—technology and audit mechanisms that span the entire data lifecycle.

Compliance with India’s Digital Personal Data Protection Act (DPDP Act) of 2023 and the DPDP Rules of 2025 is compulsory under the draft. RBI requires an annual review of the DGF, or more frequent reviews if circumstances demand. For third‑party arrangements, the norms make clear that regulated entities remain responsible for governing data shared with group entities and external parties. Controls must govern access, usage and deletion, taking into account data classification, sensitivity and customer consent. The framework must also guarantee that data shared with third parties can be traced back to a single source of truth, with metadata and lineage capturing the extent of sharing. Any unauthorized reuse, duplication or sharing is expressly prohibited.

Board oversight emerges as a cornerstone of the draft. RBI states that the board of a bank or NBFC should supervise the DGF and review reports and metrics presented to it. A board‑level Data Governance Committee—or an existing committee—will oversee implementation. The committee will be tasked with formulating policies on data architecture, risk management, ownership, accountability, data quality management, classification and third‑party arrangements.

The norms also mandate a dedicated data function led by an executive of at least the rank of chief general manager. This function must develop metrics to gauge the DGF’s effectiveness and serve as a central coordination point, ensuring consistent interpretation and execution across business, risk, technology and other functions. Each data domain should have a designated data owner responsible for defining, classifying and using data in line with the DGF, and a data custodian charged with enforcing access controls and user entitlements.

Data quality management processes must be proportionate to the criticality, sensitivity and classification of the data involved. The framework is designed to guarantee that data is fit for its intended use and that material issues are identified and remediated promptly.

The draft norms form part of RBI’s broader regulatory expectations for data governance and are being released ahead of the ECL framework, which will obligate banks to use forward‑looking loss provisioning based on accurate data. RBI has opened the draft for comments, with final guidelines expected before the 2027 implementation deadline. Banks and NBFCs will need to begin building or revising their DGFs now to meet the forthcoming requirements.

In short, the RBI’s draft mandates a comprehensive, proportionate data governance framework for banks and NBFCs. The framework will support the upcoming ECL rules, align with the DPDP Act and Rules, and establish board oversight, a senior data function and robust third‑party data controls. The draft is open for comment, and institutions must prepare for the mandatory framework that will be required by April 2027.