RBI Advisory No. 3/2026 dated March 25, 2026 – Best Practices relating to Customer Data Protection
Background
The Reserve Bank of India’s Advisory No. 3/2026 dated March 25, 2026 on best practices relating to customer data protection for Supervised Entities (SEs) is based on a 2025 thematic study on “Security of customer data” undertaken by RBI Department of Supervision, Central Office Cyber Security and IT Risk Group (“CSITEG”), across multiple categories of supervised entities. The advisory records practices observed during that study and presents them as illustrative guidance for strengthening customer data protection frameworks.
Importantly, the advisory expressly states that it does not substitute for, dilute, or override any applicable legal, regulatory, or supervisory requirements, and SEs must continue to comply with all applicable requirements. It also notes that entities may adopt other relevant practices depending on their risk profile, business model, operating environment, and compliance framework.
Key Expectations
- Governance and Board oversight:
RBI expects customer data protection to be embedded in the governance architecture through formal approval of policies, standards and frameworks; periodic Board or Board-level committee review; clearly defined roles and reporting lines; documented accountability structures such as RACI matrices; and periodic cross-functional oversight involving business, technology, information security, legal and compliance functions.
- End-to-end data lifecycle management:
The advisory expects SEs to establish controls across the full data lifecycle, including automated tagging/classification, centralized consent management, transparent privacy communication, regular data discovery and mapping, encryption and key management, data loss prevention (DLP) deployment, retention/deletion policies, periodic review of retention practices, audit trails for deletion/modification, and secure destruction methods.
- Access control, monitoring and incident response:
SEs are expected to implement a secure remote access architecture, endpoint and mobile controls, integrated access logging, centralized monitoring through SIEM/DAM (security information and event management / database activity monitoring) or equivalent tools, real-time alerts for unusual or unauthorized access, a structured incident response framework, post-incident review and root cause analysis (RCA) documentation, regular simulation exercises, and customer-centric breach communications integrated into the Cyber Crisis Management Plan.
- Third-party, outsourcing and cloud controls:
RBI places strong emphasis on customer data protection in third-party arrangements, including minimization of shared data, vendor due diligence, review of vendor personnel/background screening and access privileges, contractual breach-reporting obligations, monitoring of third-party data handling/modification, restrictions on plain-text storage of sensitive data, cloud security baselines, centralized visibility over cloud assets and data stores, and clear documentation of the shared responsibility between the SE and the service provider.
- Auditability, customer rights and emerging technology safeguards:
The advisory expects customer-data security to be covered in internal/IS audit, supported by tamper-proof centralized audit logs, periodic review of third-party data protection controls, transparent complaint-tracking and grievance redressal mechanisms, and layered controls for APIs, chatbots, AI/ML and other emerging technologies, with continuous monitoring and risk mitigation.
Action Points for SEs
| Action point | What SEs should do |
| --- | --- |
| Governance refresh | Review whether customer-data protection, privacy, cyber controls and third-party risk frameworks are formally approved, periodically reviewed, and reported to the Board/Board committee. |
| Accountability mapping | Define and document ownership across CISO/DPO/business/compliance/legal/technology teams, including a RACI or equivalent accountability matrix. |
| Data inventory and classification | Undertake comprehensive data discovery, mapping and classification across on-premises systems, cloud environments and third-party systems. |
| Consent and privacy notices | Assess whether consent capture/management is centralized, auditable and transparent, and whether customer-facing communications adequately explain data collection, usage and rights. |
| Access and monitoring controls | Validate logging, SIEM/DAM integration, real-time alerting, endpoint/mobile controls, remote-access protections and 24×7 monitoring arrangements. |
| Vendor / outsourcing remediation | Review third-party onboarding diligence, contractual breach notification obligations, access-review practices, monitoring rights, and restrictions on plain-text storage of sensitive customer data. |
| Incident response readiness | Update incident response plans, RCA templates, cyber drill coverage and customer communication playbooks for customer-data incidents. |
| Retention and deletion framework | Confirm approved retention/deletion policies, periodic review, audit trails, and secure data destruction measures across live systems, test environments and backups. |
| Audit and testing scope | Expand internal/IS audit and assurance scope to cover customer-data controls, including third-party data protection measures and VAPT-linked remediation. |
| AI / cloud governance | Put in place specific governance and risk controls for AI/ML, APIs, chatbots and cloud-hosted customer data environments. |
Impact on NBFCs
For NBFCs, the advisory is particularly relevant because many NBFC operating models involve digital sourcing, outsourced servicing, third-party collection/technology partners, cloud-based infrastructure, and extensive customer-data flows across multiple vendors and platforms. Although the advisory is framed as illustrative guidance, it sets out a clear supervisory benchmark for what RBI considers robust customer-data governance and control architecture.
NBFCs should therefore expect focus from a supervisory and internal compliance perspective on:
- whether outsourcing / service-provider contracts adequately deal with breach reporting, access restrictions, monitoring, and sensitive-data handling;
- whether consent management, privacy disclosures, and grievance handling are operationally robust across digital customer journeys;
- whether customer-data retention and deletion practices extend to cloud environments, test systems and vendor ecosystems; and
- whether incident response, audit, and Board reporting frameworks are sufficiently mature and evidenced.
In practice, NBFCs may need to prioritize contract remediation, control validation, governance formalization, and evidence-building. This is likely to be especially important for NBFCs using fintech partners, API integrations, digital onboarding tools, AI-enabled workflows, and outsourced processing arrangements involving customer data.
Disclaimer: This note is for informational purposes only and is not a substitute for legal advice or opinion.