ADVERTISEMENT

The Reserve Bank of India (RBI) on Wednesday proposed that banks, NBFCs and other entities regulated by it should establish processes to manage data risk as part of their overall risk management framework.
The central bank has issued draft guidelines setting out broad regulatory expectations relating to data governance, roles, architecture, metadata and lineage, quality, and third-party arrangements involving data sharing.
With the increasing digitalisation of the financial sector and growing adoption of technology-driven business models, data has emerged as a critical asset for regulated entities (REs).
As the volume, variety and velocity of data continue to increase, effective data governance has become essential to ensure that data remains accurate, consistent, secure and fit for purpose across functions and systems, RBI said in the draft norms.
Weaknesses in data governance and its management can lead to broader financial, operational, compliance and reputational risk for REs, it added.
"An RE should establish processes to manage data risk as a part of its overall risk management framework," the draft said.
It should include identification of data attributes, data structure, data sources (external and internal), data quality, data classification, and big data perspective, for identification, assessment, monitoring, and managing risks pertaining to data.
The draft also proposes that an RE should establish an executive-level Data Governance Committee or delegate the responsibility to an existing executive committee with representation from Data Function, IT, IS, relevant Business Verticals, Risk Management, Compliance, and others, as required.
The Board of an RE should oversee the Data Governance Framework (DGF), and review the reports and metrics placed before it.
Also, the DGF should be reviewed annually or more frequently as required, said the draft, on which the Reserve Bank of India (RBI) has invited comments from stakeholders by August 17.
Another key aspect of the proposal is that an RE should establish and implement a lifecycle-based approach to data governance, ensuring that the data is governed across all stages—from origination to deletion—in a consistent manner to identify the associated risks and mitigate them.
Also, the RE should ensure that data is created or acquired only for defined and legitimate purposes aligned with approved business, risk, and legal and regulatory objectives, the draft added.