UPSC Prelims Practice Questions — RBI issues data governance guidance framework for banks
Q1. With reference to the RBI's draft 'Guidance on Regulatory Expectations for Data Governance', consider the following as institutional roles newly created within a Regulated Entity's data governance structure:
1. Data Owner
2. Data Steward
3. Data Custodian
4. Data Principal
Which of the above is/are NOT correctly identified as a role created by the guidance?
- Data Owner
- Data Steward
- Data Custodian
- Data Principal
- A. 1 and 2
- B. 2 and 3
- C. 3 only
- D. 4 only
Q2. Under the RBI's draft data governance guidance, the dedicated 'Data Function' within a Regulated Entity is to be headed by an officer not below which one of the following ranks (or equivalent)?
- A. Chief General Manager (CGM)
- B. General Manager
- C. Chief Risk Officer
- D. Managing Director & CEO
Q3. Consider the following statements about the Data Governance Framework (DGF) that the RBI guidance requires each Regulated Entity to put in place:
1. It must be overseen at the board level.
2. It must be aligned with the entity's overall risk management framework.
3. It must be proportionate to the size, complexity and business model of the entity.
4. It must follow a single uniform template applied identically to every Regulated Entity regardless of size.
Which of the above is/are NOT correct?
- It must be overseen at the board level.
- It must be aligned with the entity's overall risk management framework.
- It must be proportionate to the size, complexity and business model of the entity.
- It must follow a single uniform template applied identically to every Regulated Entity regardless of size.
- A. 1 and 2
- B. 3 only
- C. 4 only
- D. 2 and 4
Q4. In the RBI's data governance guidance, the governance tool termed 'Single Source of Truth' is best described as:
- A. A designated authoritative, reconciled reference source for a given data element across the entity
- B. A single physical server on which all customer data of the entity is stored
- C. The sole senior officer empowered to approve all third-party data-sharing requests
- D. The board resolution that formally approves the Data Governance Framework
Q5. The stated objective of the RBI guidance is to strengthen data governance by improving certain expressly named focus areas — data quality, accountability, risk management and security. How many such focus areas are expressly named?
- A. Two
- B. Three
- C. Four
- D. Five
Q6. The 'Guidance on Regulatory Expectations for Data Governance' for regulated entities is issued and operationalised by which one of the following authorities?
- A. Reserve Bank of India
- B. Securities and Exchange Board of India
- C. Ministry of Electronics and Information Technology
- D. Data Protection Board of India
Q7. With reference to the data-protection framework that the RBI guidance is aligned to, consider the following statements:
1. The Digital Personal Data Protection Act was enacted in 2023.
2. The DPDP Rules were notified in 2025.
3. Banks handling large volumes of personal data can be treated as Significant Data Fiduciaries.
4. Under the DPDP Act, the individual whose personal data is processed is termed the 'Data Custodian'.
Which of the statements given above are correctly identified?
- The Digital Personal Data Protection Act was enacted in 2023.
- The DPDP Rules were notified in 2025.
- Banks handling large volumes of personal data can be treated as Significant Data Fiduciaries.
- Under the DPDP Act, the individual whose personal data is processed is termed the 'Data Custodian'.
- A. 1 and 2 only
- B. 1, 2 and 3 only
- C. 2, 3 and 4 only
- D. 1, 3 and 4 only
Q8. Consider the following as obligations imposed on data fiduciaries under the DPDP framework that banks must comply with:
1. Obtaining clear and specific consent for processing personal data.
2. Observing purpose limitation and data minimisation.
3. Notifying affected individuals of a personal data breach.
4. Transferring all customer personal data to a central repository maintained by the RBI.
Which of the above is/are NOT correct?
- Obtaining clear and specific consent for processing personal data.
- Observing purpose limitation and data minimisation.
- Notifying affected individuals of a personal data breach.
- Transferring all customer personal data to a central repository maintained by the RBI.
- A. 1 and 2
- B. 3 only
- C. 4 only
- D. 2 and 3
Q9. In the context of the RBI's guidance, the term 'Regulated Entity (RE)' is best understood to mean:
- A. Financial-sector entities such as banks, NBFCs, cooperative banks and credit information companies that are supervised/regulated by the RBI
- B. Any company incorporated under the Companies Act, 2013
- C. Only scheduled commercial banks listed in the Second Schedule to the RBI Act
- D. Entities regulated by SEBI in the securities and capital markets
Q10. The RBI guidance emphasises governing data across its 'data lifecycle'. In this context, the data lifecycle is best described as:
- A. The stages data passes through — creation/collection, storage, use, sharing, archival and deletion
- B. The tenure for which a bank's core banking software remains in service
- C. The period during which a customer's loan account remains outstanding
- D. The validity period of a Data Protection Officer's appointment
Q11. Consider the following statements comparing the RBI's 2026 data governance guidance with its earlier IT Governance Master Direction, 2023:
1. The IT Governance Master Direction primarily addresses IT infrastructure, systems and cyber-risk governance, whereas the data governance guidance focuses on governance of data across its lifecycle.
2. Unlike the IT Governance Master Direction, which excludes Regional Rural Banks, the data governance guidance extends to entities such as cooperative banks and Regional Rural Banks.
3. Both instruments were enacted as statutes passed by Parliament rather than issued as RBI directions or guidance.
Which of the statements given above is/are correct?
- The IT Governance Master Direction primarily addresses IT infrastructure, systems and cyber-risk governance, whereas the data governance guidance focuses on governance of data across its lifecycle.
- Unlike the IT Governance Master Direction, which excludes Regional Rural Banks, the data governance guidance extends to entities such as cooperative banks and Regional Rural Banks.
- Both instruments were enacted as statutes passed by Parliament rather than issued as RBI directions or guidance.
- A. 1 only
- B. 1 and 2 only
- C. 2 and 3 only
- D. 1, 2 and 3