India Advances Financial Sector Customer Data Security with Regulatory Framework and Statutory Safeguards
The Indian government, operating through the Reserve Bank of India and the Ministry of Finance, has taken substantial measures to enhance the protection of customer information within the financial services sector. These initiatives aim to bring domestic practices in line with globally recognized standards for data security and privacy protection. The regulatory framework mandates that all Regulated Entities under RBI supervision adhere to stringent confidentiality requirements established under various parliamentary statutes.
Parliamentary Question and Governmental Response
In response to Rajya Sabha Starred Question No. 20, presented by Shri Rajeev Shukla on December 2, 2025 (corresponding to 11 Agrahayana, 1947 under the Saka calendar), the Finance Minister Smt. Nirmala Sitharaman provided comprehensive details regarding the current state of customer data protection mechanisms within India's financial services industry. The question addressed five critical dimensions:
- The modernization of customer data protection protocols according to international benchmarks
- Details concerning oversight authorities and governing regulatory structures
- Present compliance status among banking institutions and Non-Banking Financial Companies
- Identification of existing deficiencies in customer data safeguarding and remedial actions
- Future policy measures under consideration with stakeholder engagement
The ministerial response encompassed all aspects through a detailed statement tabled before the House.
Statutory Framework Governing Financial Data Privacy
According to information disseminated by the Reserve Bank of India, the protection of customer privacy within financial services provided by Regulated Entities operates under the governance of multiple statutory provisions. These legislative instruments impose mandatory secrecy obligations on financial institutions concerning customer-related information. The legal framework requires Regulated Entities to maintain statutory compliance across several parliamentary acts.
Key Legislative Provisions for Confidentiality
The statutory architecture for customer data protection encompasses the following legislative instruments:
- State Bank of India Act, 1955: Section 44 of this Act establishes specific confidentiality requirements for the nation's premier banking institution, mandating strict protocols for handling customer information.
- Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970/1980: Section 13 of these Acts extends confidentiality obligations to nationalized banking entities, ensuring that customer data receives appropriate protection.
- Regional Rural Banks Act, 1976: Section 25 of this legislation provides for secrecy requirements applicable to rural banking institutions, thereby extending data protection to rural financial services.
- Credit Information Companies Act, 2005: Section 29 of this Act governs the handling of credit information, establishing boundaries for the collection, storage, and dissemination of customer credit data.
- The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983: Section 3 of this Act imposes fidelity and secrecy obligations on public financial institutions, creating a comprehensive framework for data protection.
These statutory provisions collectively require banking institutions and financial entities to maintain secrecy regarding customer information and affairs. Disclosure of such information is permissible only under specific circumstances: when mandated by legal compulsion or when circumstances arise that, in accordance with established law, banking practices, and customary usage among financial institutions, make such disclosure necessary or appropriate.
Implementation Status in Public Sector Banks
Public Sector Banks have reported substantial progress in implementing data protection guidelines issued by relevant regulatory and oversight authorities. These financial institutions maintain compliance with directives from multiple regulatory bodies, which include:
- Reserve Bank of India
- Unique Identification Authority of India
- Indian Computer Emergency Response Team
- Various other governmental oversight bodies
Information Security and Cybersecurity Enhancements
Public Sector Banks have undertaken comprehensive measures to strengthen their information security infrastructure. These initiatives include:
- Policy Alignment: Banking institutions have revised and updated their Information Security Policies and Cybersecurity Policies to reflect best practices recognized internationally and comply with regulatory guidelines issued by competent authorities.
- Protocol Upgradation: Financial institutions have implemented enhanced consumer data protection protocols designed to align with practices accepted globally, ensuring that Indian banking standards meet international benchmarks.
- Technical Infrastructure: Banks have invested in technological solutions that provide robust protection against data breaches, unauthorized access, and cyber threats, thereby safeguarding customer information across digital and physical platforms.
Digital Personal Data Protection Act, 2023
Recognizing the need for comprehensive data protection legislation, the Government of India enacted the Digital Personal Data Protection (DPDP) Act, 2023. This legislation represents an overarching legal framework specifically designed to protect the personal data of individuals across all sectors, including financial services.
Legislative Framework and Rules
The DPDP Act, 2023 establishes fundamental principles for data protection, including consent requirements, data minimization, purpose limitation, and accountability of data fiduciaries. Subsequently, the Digital Personal Data Protection Rules, 2025 were notified on November 14, 2025, providing detailed operational guidelines for implementing the Act's provisions.