New Delhi: Banks, non-banking financial companies (NBFCs) and credit bureaus will have to tag every piece of customer data at the point of collection, recording who owns it, why it was taken, how sensitive it is, how long it may be kept and whether the customer consented. Those tags will have to travel with the data into every system it moves to, under a draft guidance released Wednesday by the Reserve Bank of India (RBI).
The central bank has invited comments from regulated entities and the public on the draft ‘Guidance on Regulatory Expectations for Data Governance’. The comments can be submitted until 17 August.
The draft policy arrives 10 months before the deadline for stakeholders to comply with privacy norms proposed by the Digital Personal Data Protection (DPDP) Rules. The DPDP Rules were notified in November 2025 with an 18-month runway, taking the compliance date to May 2027. Under the DPDP Act, 2023, failure to maintain security safeguards for personal data attracts a penalty of up to Rs 250 crore.
Through the draft, the RBI does not restate that law. It sets out the systems lenders will need to comply with it.
Also Read: Meta & WhatsApp step back, tell SC they’ll comply with take-it-or-leave-it NCLAT privacy order
Consent at point of entry
The draft requires that “sufficient foundational attributes of data (e.g., ownership, classification, usage intent, appropriate consent in case of customer data) are established at the point of origination or capture, to enable downstream governance”.
Those attributes must then survive the journey customer data undertakes after the point of collection. For instance, the draft proposes that Metadata “should flow with data such that it moves to downstream systems…without loss of basic attributes created at source”.
Where data is transformed, the record must be updated to show the link to the source, the purpose of the change, and any “changes in classification and accessibility of data”.
The proposed policy addresses a known gap: When a customer withdraws consent and asks for erasure, a lender must locate every copy. This is because most lenders at present run a core banking system built in one era, a customer database from another, a data warehouse added later, an analytics stack and a partner app on top. Each holds a version of the same customer.
Aggregation can change sensitivity
The draft proposes that lenders be asked to track what their own processing does to the risk profile of data. The classification framework must account for “impact owing to data aggregation, enrichment, and derivation such as changes in data materiality, risk profile or sensitivity,” it said.
For example, nothing in a bank’s records is sensitive on its own: a merchant name, an amount, a date. When read together, a run of payments to an oncology clinic and a diagnostic lab tells the bank something about a customer’s health that the customer never disclosed and the bank never asked for. Health information is sensitive but the transaction log it was inferred from was not. The draft requires the inferred data to be reclassified to match what it now reveals.
Classification must also weigh “criticality to customers, including potential harm arising from misuse, inaccuracy, or unavailability of data”. For lenders, this makes potential harm to the customer a test.
Vendors & group companies
Sharing data with a third party, including a group entity, does not transfer responsibility, the draft said. It proposes access on a need-to-know basis.
Agreements must carry non-disclosure clauses. Sharing must not result in “unauthorised reuse, sharing, or duplication”. Channels must have encryption, authentication, access controls, “auto-deletion, and de-duplication controls”.
Further, it proposes that third-party systems be audited, including by auditors empanelled with the Indian Computer Emergency Response Team (CERT-In).
Data shared outside must also stay accounted for: it “remains traceable to the designated SSOT, and metadata and lineage capture the extent of such sharing”.
SSOT, or Single Source of Truth, is the draft’s other central requirement. For each data element, one system must be the authoritative version. “No parallel or competing SSOT sources exist for the same data element,” it said, proposing that all downstream systems must derive from the SSOT.
Data governance committee
The draft also proposes that every entity must set up a Data Function “headed by a sufficiently senior officer not below the rank of chief general manager or equivalent”. Below that sit three roles: a Data Owner for each data domain, a Data Steward positioned inside the business unit, and a Data Custodian responsible for access controls, encryption, backups and deletion.
Disputes over consent management are to be settled by the Data Function.
The draft also proposes that a Board-level Data Governance Committee will clear policies. An executive committee will implement them. Data quality metrics go to the board committee every quarter.
Data held abroad
Cross-border processing, storage, transfer and usage must not “impair the RE’s ability to access, retrieve, and manage its data,” the draft said.
RE, or regulated entity, is the RBI’s term for the institutions it supervises.
The DPDP framework does not mandate localisation; it restricts transfers to notified jurisdictions. The RBI’s requirement is separate: a lender must retain access to its own data regardless of where it sits or who holds it.
If accepted, the norms draft will apply to commercial banks including foreign banks, small finance banks, payments banks, local area banks, regional rural banks, urban and rural co-operative banks, NBFCs across all four layers, all-India financial institutions, asset reconstruction companies and credit bureaus.
(Edited by Amrtansh Arora)
Also Read: In death, who owns your data? Gujarat court grants heirs digital inheritance of deceased’s iCloud

