The Reserve Bank of India (RBI) on Wednesday proposed that banks, NBFCs and other regulated entities (REs) should put in place processes to manage data risk as part of the overall risk management framework.

“The guidance sets out broad regulatory expectations relating to data governance, roles, architecture, metadata and lineage, quality, and third-party arrangements involving data sharing,” the RBI said. It has sought feedback by August 17.

Commercial banks, small finance banks, payments banks, cooperative banks, regional rural banks, non-banking financial companies (NBFCs), all-India financial institutions, asset reconstruction companies (ARCs), and credit information companies will come under the ambit of the guidelines.

“As the volume, variety and velocity of data continue to increase, effective data governance has become essential to ensure that data remains accurate, consistent, secure and fit for purpose across functions and systems,” the RBI said. “Weaknesses in data governance and its management can lead to broader financial, operational, compliance and reputational risk for Res,” the norms said.

Weaknesses in data governance and its management can lead to broader financial, operational, compliance and reputational risk for REs, it added.

As per the draft, REs will have to put in place a data governance framework covering the entire data lifecycle.

The RBI has proposed that the board will oversee the data governance framework, while every RE must either constitute a dedicated board-level data governance committee or assign the responsibility to an existing board committee. The committee would be responsible for approving data governance policies, overseeing implementation, reviewing material breaches, and reporting key issues to the board.

The RBI has also proposed that every RE maintain a “single source of truth” for each data element, ensuring that downstream systems, models, and business processes rely on one authoritative source. It also prescribes stronger controls over data shared with third parties, including restrictions on access, mandatory audit mechanisms, encryption, and traceability of shared data.