The RBI’s proposed data governance framework could have significant implications for India’s fintech ecosystem, even though the regulatory requirements are primarily directed at banks, NBFCs and other regulated entities.
The central bank’s draft ‘Guidance on Regulatory Expectations for Data Governance’, released for public consultations earlier this week, makes it clear that regulated entities remain accountable for their data even when it is shared with or processed by fintech partners, digital lending platforms, cloud vendors and other technology service providers.
This also means that while fintechs may not directly fall under the ambit of the proposed framework, banks and NBFCs could increasingly require their technology partners to comply with stricter standards around data access, traceability, consent management and auditability.
For fintechs that form a critical part of the technology and lending infrastructure of banks and NBFCs, this could translate into greater scrutiny, more stringent contractual requirements, and higher compliance spending.
The draft proposes a common governance framework requiring regulated entities to establish clear ownership of critical data, maintain end-to-end traceability, and strengthen oversight of third-party data sharing. Public comments have been invited until August 17.
While the draft is framed as guidance rather than binding regulation, it signals the RBI’s expectation that lenders retain control and accountability for their data throughout its lifecycle, including when it moves outside their own technology infrastructure.
The framework also significantly expands the regulatory net among lenders by covering all regulated entities, including base-layer NBFCs and cooperative banks that were excluded from some earlier technology governance norms.
According to the RBI, supervisory assessments show that while regulated entities have improved information management, gaps remain in data accuracy, consistency and traceability, affecting regulatory reporting, risk management, lending decisions and operational resilience.
Fintechs Feel The PainOne of the framework’s most consequential provisions for the fintech ecosystem relates to third-party data sharing.
Data sharing must be restricted to approved purposes, carried out through secure channels, be fully traceable and supported by appropriate access controls and audit trails.
The draft also proposes periodic audits of third-party systems, including assessments by CERT-In empanelled auditors where required, while requiring regulated entities to retain access to their data even when it is processed or stored outside their own infrastructure.
These provisions could have significant implications for India’s digital lending ecosystem, where data frequently flows between banks, NBFCs, fintech startups, lending service providers and co-lending partners.
In practice, lenders’ accountability could cascade down to the fintechs and technology providers they work with. Banks and NBFCs may demand greater visibility into how their partners collect, process, store and share data, while requiring them to demonstrate stronger access controls, detailed audit trails and traceability across their systems.
“Compliance will require investment in data architecture, governance processes, audit trails and accountability,” said SaveIN founder and CEO Jitin Bhasin.
Echoing a similar view, Spense cofounder and CEO Pawan Kumar said the draft reinforces that while lenders may outsource technology infrastructure, accountability for data remains with regulated entities.
“It will force the ecosystem to build for control by default, including need-based access, traceable consent and auditable data movement,” he said.
For fintechs, therefore, the impact may come less from direct regulatory obligations and more from the compliance requirements imposed by their banking and NBFC partners.
What Changes For LendersThe draft proposes a governance structure that places responsibility for data management squarely on regulated entities.
Every lender will be required to establish a board-approved ‘data governance framework’ that is reviewed annually and supported by clearly defined governance mechanisms.
Beyond governance committees, the framework introduces dedicated roles across organisations. It requires institutions to appoint ‘data owners’ responsible for specific data domains, ‘data stewards’ to oversee day-to-day implementation and ‘data custodians’ to manage the underlying technology infrastructure.
A central ‘data function’, headed by an officer not below the rank of chief general manager or its equivalent, will be expected to coordinate these efforts.
“Beyond additional personnel, lenders may also need to invest in data catalogues, data dictionaries, governance tools and ongoing maintenance, while institutions without enterprise data warehouses could face additional infrastructure costs,” said Aruna Pannala, a partner at Deloitte India.
Pannalaadded that finding skilled data governance professionals could become a challenge as more regulated entities attempt to build dedicated governance teams simultaneously.

Among the draft’s most significant proposals is the requirement for every regulated entity to establish a Single Source of Truth (SSOT) for each critical data element.
The central bank wants every important piece of data to originate from one designated authoritative source, eliminating parallel versions of the same information across multiple systems. Reports, risk models, and business processes would all need to rely on this common source, backed by reconciliation mechanisms to detect inconsistencies.
For many lenders, however, this could prove to be a resource-intensive requirement. Consolidating multiple data sources into a single authoritative system is likely to require significant investments in technology modernisation and system integration.
Mohit Srivastava, chief information security officer (CISO) and data protection officer (DPO) at Perfios, said the effort required would largely depend on the maturity of an institution’s existing data governance practices.
Organisations that have already invested in data discovery, classification and governance would find it easier to comply, while smaller NBFCs and regional and rural lenders that still rely on legacy systems are likely to face a steeper learning curve and higher implementation costs.
Srivastava said creating a single source of truth would add operational overhead because regulated entities rely on multiple internal and external data sources throughout the lending lifecycle.
Besides identifying an authoritative source for every critical data element, lenders would also need to establish the legitimacy of each data source, track customer consent where applicable and maintain governance across the data lifecycle.
While Srivastava did not estimate the cost, he said the resources required would generally range from “medium to high”, depending on the size and complexity of the institution.
The RBI has also proposed stronger requirements around metadata management and data lineage, requiring lenders to maintain a documented trail showing where data originated, how it moved across systems and every transformation it underwent. This would allow institutions to trace regulatory reports and business decisions back to the source data.
In addition, lenders will be expected to classify data based on sensitivity and criticality, establish quality metrics covering accuracy, completeness and consistency, and present quarterly data quality reports to governance committees.
Smaller Lenders Face A Steeper ClimbFor large private banks and upper-layer NBFCs, the draft largely formalises practices that many have already begun implementing under the RBI’s earlier IT governance framework and global risk management standards. While the proposals raise the compliance bar, they are unlikely to require a complete overhaul of existing governance structures.
The bigger shift lies elsewhere. Unlike the RBI’s 2023 IT Governance, Risk, Controls and Assurance Practices Directions, which excluded regional rural banks (RRBs) and base-layer NBFCs, the new draft extends data governance expectations across virtually the entire regulated financial ecosystem.
It covers commercial banks, foreign banks, small finance banks, payments banks, local area banks, RRBs, urban and rural cooperative banks, NBFCs across all four layers, all-India financial institutions (AIFIs), asset reconstruction companies (ARCs) and credit information companies (CICs).
This means even the country’s smallest lenders will be expected to establish formal data governance frameworks, assign clear ownership of data and improve traceability across their systems.
Unlike larger banks, smaller NBFCs and cooperative banks often operate with lean technology teams, legacy infrastructure and limited budgets. Building a SSOT, maintaining end-to-end data lineage, and implementing governance processes across multiple systems could require substantial investments in technology and skilled personnel.
Pannala of Deloitte India said the draft raises questions about whether the same governance expectations should apply uniformly across institutions of vastly different sizes and complexity.
She said a more proportionate approach, similar to the RBI’s scale-based regulatory framework, could reduce the compliance burden on smaller regulated entities without weakening supervisory objectives.
Meanwhile, Malcolm Gomes, chief operating officer at Privy by IDfy, said, “At the scale of an Indian bank, with data scattered across thousands of applications, legacy systems and vendors, a one-time mapping exercise is outdated the moment it’s finished. The real gap isn’t missing policy, it’s the distance between what the policy demands and what the systems can actually enforce and evidence.”
A Bigger Regulatory Shift Underway?Taken together, the draft signals that the RBI increasingly views data governance as a prudential issue rather than simply a technology concern.
As financial institutions rely more heavily on AI, digital lending platforms, embedded finance and third-party technology providers, the quality, ownership and traceability of data have become central to risk management and regulatory oversight.
For fintechs, the shift is significant. As banks and NBFCs become more accountable for data moving through their technology ecosystems, they are likely to demand greater control and visibility over the systems operated by their partners.
If adopted in its current form, the framework will require regulated entities to demonstrate not only that they protect data but also that they can explain where it originated, how it has been used, who is accountable for it and whether every step in its lifecycle can withstand regulatory scrutiny.
The regulatory obligation may ultimately sit with banks and NBFCs but meeting it will increasingly depend on the fintechs and technology providers plugged into their systems.
For India’s fintech ecosystem, that could make robust data governance less of a regulatory requirement in itself and more of a prerequisite for doing business with regulated financial institutions.
Edited by Vinaykumar Rai
The post Why RBI’s Data Governance Push Puts Fintech Partners In A Spot appeared first on Inc42 Media.
-
Will Bruno Guimaraes Make Arsenal’s Starting Line-up? Why Martin Odegaard Could Be Sold as Declan Rice Prepares to Take Over the Captaincy

-
Monsoon Vegetables: Eat these 5 vegetables during the rainy season, you will remain healthy

-
Face Serum vs Face Oil: Monsoon Skin Care

-
Next 15 days will be special: 6 big fasts and festivals from Akshaya Tritiya to Buddha Purnima, know the complete list

-
Suvendu’s taunt to Mamata Banerjee: ‘Now you have free time, come by helicopter’
