In 2025, the RBI CSITE Group conducted a thematic study on “Security of customer data” across multiple categories of Supervised Entities (SEs) to identify best practices being followed for the protection of customer data in the SEs’ ecosystem. It then published an advisory summarising those practices as guidance for SEs in strengthening their customer data protection frameworks.

      Objectives of Supervised Entities (SEs)

      • SEs must prioritise a robust customer data protection framework
      • Establish and continuously enhance cyber security and data‑protection mechanisms to safeguard customer information across the entire digital ecosystem
      • Adhere to all applicable laws, regulations and supervisory guidelines relating to data protection

      Leading practices for security of customer data

      • Establish a clear governance structure for protecting customer data, and define the processes for data collection, classification and use so that data is handled correctly, kept accurate and processed in line with regulatory requirements
      • Protecting customer data when it is accessed from anywhere, shared, or handled in third‑party interactions requires strong security controls, including a structured approach to cloud security that manages the risks to customer data hosted on cloud platforms
      • A defined framework is required for incident response, simulation exercises and customer communication, with layered security controls and 24x7 monitoring to enable continuous detection, alerting and response to threats involving customer data
      • Define data retention and destruction processes so that customer data is not kept longer than necessary, minimising the security risk of retained data
      • A robust framework for tracking complaints and grievance redressal is necessary to empower customers and ensure transparency
      • Security of customer data requires defined measures for its discovery, classification, encryption and monitoring


      Way forward

      • Conduct a gap assessment of the existing data protection framework and data lifecycle
      • Assess current SOC monitoring tools and controls for possible data leaks
      • Review existing data discovery, classification and DLP capabilities for critical systems
      • Devise a priority-based and risk-based issue remediation plan
      • Implement gap closure in phases
      • Define enhancements to data protection controls and identify opportunities to streamline the use of technology
      • Focus on re‑configuration and optimisation of existing security tools and monitoring capabilities
      • Support with project management and run operations on behalf of SEs
      • Use continuous monitoring to sustain compliance and protection over time


      RBI advisory on customer data protection and management


      Guidance for the protection of customer data in the Supervised Entities ecosystem to strengthen the overall framework


      Key Contacts

      Kunal Pande

      National Leader - Digital Trust for Financial Services Sector, National Co-Head - Digital Risk and Cyber

      KPMG in India

      Romharsh Razdan

      Partner, Digital Trust

      KPMG in India

      How can KPMG in India help

      Use cyber security to protect your future

      New technologies, sales channels and customer experiences: does your organisation have the confidence and agility to seize these opportunities, or are cyber threats holding you back?
