On July 15, 2026, the Reserve Bank of India released a draft "Guidance on Regulatory Expectations for Data Governance" and opened it for public comment until August 17, 2026. The reach is wide: the draft applies to 11 categories of regulated entities, from commercial banks, small finance banks and payments banks down to co-operative banks, All India Financial Institutions, NBFCs, asset reconstruction companies and credit information companies. Read only the requirements and this looks like routine governance hygiene. Every regulated entity must set up a Data Function led by an officer no junior than a Chief General Manager, coordinating data governance across business, risk and technology functions, on top of a "Single Source of Truth" and named data owners, stewards and custodians. Name the right people, standardise the right master record, tick the box.

It is worth slowing down on what those named officers are actually being asked to answer for. A bank's own staff rarely originate the bulk of the data now sitting on its books. A fintech app scores the borrower, a Banking-as-a-Service platform runs the ledger, or an NBFC partner services the loan, while the bank's license sits on top of all three. The draft's central demand, that one senior, named individual inside the regulated entity owns that data end to end, is not a tidiness rule. It is RBI declaring that the entity holding the license cannot point at a vendor's systems when the data those systems produced turns out to be wrong.

The figure that explains why RBI is doing this now is 80. By September 2025, banks were acquiring around 80 percent of NBFC-originated loan-transfer and securitisation assets through a limited number of NBFCs, a concentration the RBI's Financial Stability Report says could create correlated risk and amplify stress across the banking system. That describes a banking system whose balance sheets increasingly run through a small cluster of non-bank originators, whose internal data practices no bank directly controls, not a pile of messy spreadsheets.

Bar chart showing 80 percent of banks' NBFC-originated loan-transfer and securitisation assets flow through a limited set of top NBFCs, versus 20 percent through the rest of the market, as of September 2025.

RBI has run this play before

This is not RBI's first attempt to reattach accountability to an outsourced relationship. Its Digital Lending Directions, 2025 already state that an outsourcing agreement between a regulated entity and a Lending Service Provider does not dilute or absolve the entity of its statutory obligations, and that the entity remains fully responsible and liable for all acts and omissions of that provider. And its Co-Lending Arrangements Directions, 2025, effective from January 1, 2026, require each regulated entity in a co-lending arrangement to retain a minimum 10 percent share of every individual loan on its own books, while capping the originating lender's default loss guarantee at 5 percent of outstanding loans.

Bar chart comparing co-lending requirements: a lender must retain a minimum 10 percent of every loan on its own books, while its default loss guarantee is capped at a maximum 5 percent of outstanding loans, effective January 1, 2026.

The data governance draft extends the same logic one layer up the stack. Where the lending rules force a bank to keep real money on its own books when a partner originates the loan, the data governance draft makes sure a bank keeps a named, senior person accountable for the information behind that loan, whichever partner's systems produced it.

The rest of the world reached the same conclusion

RBI is not alone here. The Basel Committee on Banking Supervision's "Principles for the sound management of third-party risk," published in December 2025, state plainly that a bank's board of directors carries ultimate responsibility for the oversight of the bank's third-party risks, not the vendor performing the work. Those principles formally supersede the Basel Committee's 2005 Joint Forum guidance on outsourcing, reflecting two decades of growth in banks' dependence on outside technology and service providers. The European Union had already moved. Its Digital Operational Resilience Act, in application since January 17, 2025, covers 20 categories of financial entities and builds an EU-wide oversight framework for the critical ICT third-party providers whose concentration risk regulators now treat as systemic.

Three regulators converged on the same fix within a short span: name someone inside the regulated firm to own the third-party risk.

FrameworkEntities coveredStatus
RBI draft data governance guidance11 categories of regulated entitiesDraft, released July 15, 2026; comments close August 17, 2026
EU Digital Operational Resilience Act20 categories of financial entitiesIn force since January 17, 2025
Basel Committee third-party risk principlesBoard-level mandate across member-jurisdiction banksPublished December 2025, supersedes 2005 guidance

Source: Reserve Bank of India; European Insurance and Occupational Pensions Authority; Basel Committee on Banking Supervision.

The honest objection

The strongest case against reading much into this is that naming a Chief General Manager and standing up a Data Function does not, by itself, move a single byte of data back onto a bank's own servers. Compliance teams are good at creating an accountable name on an organisation chart. They are worse at re-architecting the technology stack a fintech or BaaS partner actually runs. On this view, RBI has produced a paperwork requirement that smaller NBFCs, the ones with the thinnest compliance budgets and the heaviest reliance on third-party tech, will absorb as cost without any real change in where their data risk sits.

That objection is real, and it should not be waved away. But the same skepticism was available before RBI's co-lending retention rule took hold, and that rule forces each partner in a co-lending arrangement to retain a real 10 percent of every loan rather than pass all of it downstream, a requirement that changes underwriting behavior, not just an org chart. The data governance draft borrows the same design: a single senior officer, not a delegated committee, carrying the accountability. The Basel Committee's own December 2025 principles put that same responsibility at board level, not with a delegated compliance function.

The Signal

RBI's draft is a comment paper, not yet law. Comments close August 17, 2026, and the version that emerges could soften the Chief General Manager threshold or extend the timeline for smaller entities that raise objections. What to watch is whether the final rule treats a bank's technology and lending partners as the bank's own responsibility in substance, the way the co-lending retention rule and the digital lending liability rule already do, or whether it settles for a name on an org chart. Watch the concentration number too. At roughly 80 percent of NBFC-linked assets running through a limited set of originators as of September 2025, and with Basel and Brussels reaching for the same fix in 2025 and 2026, the direction of travel is not in doubt. A vendor can still fail. A bank can no longer say the failure was not its data to own.

Reporting basis: the draft data governance guidance, its coverage and its comment deadline are from the Reserve Bank of India's own press release. The Data Function and Chief General Manager requirement is per BusinessToday's reporting on the draft. The co-lending retention and default-loss-guarantee figures are from the Reserve Bank of India's own notified Co-Lending Arrangements Directions, and the outsourcing-liability language is from its Digital Lending Directions. The 80 percent concentration figure is from the Reserve Bank of India's Financial Stability Report, December 2025. The Basel Committee's board-responsibility principle and its supersession of the 2005 Joint Forum guidance are both from the Basel Committee's own December 2025 publication and press release, one origin cited twice. The EU coverage and effective date are per the European Insurance and Occupational Pensions Authority. No figure in this piece is calculated; each is reported directly by the body that produced it.