NEWS
RBI proposes new data governance norms for banks, NBFCs
Banks, NBFCs, ARCs, credit information companies and other regulated entities should set up processes to manage data risk.
Banks, NBFCs, ARCs, credit information companies and other regulated entities should set up processes to manage data risk.
The Reserve Bank of India (RBI) has proposed that banks, NBFCs and other entities regulated by it need to set up processes to manage data risk as part of their overall risk management framework.
The RBI said that this should include identification of data attributes, data structure, data sources (external and internal), data quality, data classification, and big data perspective, for identification, assessment, monitoring and managing risks pertaining to data.
The draft guidelines, issued today, set out broad regulatory expectations relating to data governance, roles, architecture, metadata and lineage, quality and third party arrangements involving data sharing.
With the increasing digitalisation of the financial sector and growing adoption of technology-driven business models, data has emerged as a critical asset for regulated entities (REs).
As the volume, variety and velocity of data continue to increase, effective data governance has become essential to ensure that data remains accurate, consistent, secure and fit for purpose across functions and systems, RBI said in the draft norms.
Weaknesses in data governance and its management can lead to broader financial, operational, compliance and reputational risk for REs, it added.
The draft also proposes that an RE should establish executive level Data Governance Committee or delegate the responsibility to an existing executive committee with representation from Data Function, IT, IS, relevant Business Verticals, Risk Management, Compliance, and others, as required.
Board of an RE should oversee the Data Governance Framework (DGF), and review the reports and metrics placed before it.
Also, the DGF should be reviewed annually or more frequently as required.
The RBI has invited comments from stakeholders by 17 August.
Another key aspect of the proposal is that an RE should establish and implement a lifecycle-based approach to data governance, ensuring that the data is governed across all stages -- origination to deletion, in a consistent manner to identify the associated risks and mitigate them.
Also, the RE should ensure that data is created or acquired only for defined and legitimate purposes aligned with approved business, risk and legal and regulatory objectives, the draft added.
Besides banks and non-banks, the draft guidelines is applicable to asset reconstruction companies (ARCs) and credit information companies.