Lowdown: RBI’s new advisory pushes for tighter data use, AI safeguards, vendor checks
RBI has issued a detailed advisory mandating stronger customer data protection across banks and fintechs. Here’s what changes. The post Lowdown: RBI’s new advisory pushes for tighter data use, AI safeguards, vendor checks appeared first on MEDIANAMA .
The Reserve Bank of India (RBI) has recently issued a comprehensive advisory aimed at enhancing customer data protection across the financial sector, including banks and fintech companies. This move follows the enactment of the Digital Personal Data Protection Act (DPDPA) 2023, which established a legal framework for data protection. However, the RBI's advisory takes a step further by providing sector-specific guidelines to ensure robust implementation of data protection measures in the financial ecosystem.
The advisory mandates that all regulated entities, including banks, fintechs, non-banking financial companies (NBFCs), and payment aggregators, must prioritize customer data protection. This includes stringent requirements for data minimisation, user consent, data erasure, and platform accountability. The RBI's guidance is designed to align with the DPDPA while offering practical insights tailored to the financial sector's unique challenges and risks.
One of the key aspects of the advisory is the emphasis on governance and regulatory compliance. Entities are now required to obtain formal approval at appropriate governance levels for any policies and frameworks related to customer data security, privacy, and third-party risks. This means that boards or board-designated committees must review data security risks and incidents on a quarterly or semi-annual basis. Additionally, entities must define clear roles and responsibilities for customer data protection, such as appointing a Chief Information Security Officer (CISO) or Data Protection Officer, and ensuring regular reporting of metrics, exceptions, and audit findings to senior management and the board or committee.
To enhance accountability, the advisory recommends the use of the RACI (Responsible, Accountable, Consulted, Informed) framework. This framework clarifies ownership for governance, monitoring, and incident reporting, ensuring that everyone involved in the data protection process understands their roles and responsibilities. Furthermore, entities are required to establish a steering committee or cross-functional oversight mechanism to periodically oversee customer data governance and associated risks.
In terms of data collection, classification, and usage, the advisory emphasises the need for automated tools to tag and classify customer data based on sensitivity. These tools will help identify and label data across in-house systems, cloud networks, and third-party systems. Entities must also implement centralised platforms or mechanisms for capturing, tracking, and updating user consent. Communication about data usage and collection practices must be transparent and easily accessible to users.
The advisory also highlights the importance of data minimisation, meaning that entities should only collect and process the minimum amount of data necessary to achieve their objectives. This principle is crucial in reducing the risk of data breaches and ensuring that customer information is protected.
Moreover, the RBI's advisory underscores the need for robust vendor checks and third-party risk management. Entities must conduct thorough due diligence on third-party vendors and service providers to ensure that they comply with data protection standards. This includes conducting regular audits and monitoring of third-party systems to prevent unauthorised access or data leaks.
The RBI's advisory also addresses the use of artificial intelligence (AI) in the financial sector. It emphasises the need for safeguards to protect customer data when AI systems are used for data processing, analysis, or decision-making. This includes ensuring that AI algorithms are transparent, accountable, and do not introduce biases that could discriminate against certain customer groups.
In conclusion, the RBI's new advisory represents a significant step towards strengthening customer data protection in the financial sector. By providing clear guidelines on governance, data collection, and third-party risk management, the advisory aims to create a more secure and transparent environment for both customers and financial institutions. As the financial sector continues to evolve, particularly with the increasing adoption of AI and digital technologies, the RBI's advisory serves as a crucial roadmap for ensuring the protection of sensitive customer data.
