The Government of India, through the Ministry of Finance and RBI, has affirmed that customer data protection in financial services is being strengthened to align with international standards. Regulated entities (REs), including banks and NBFCs, are required to observe strict secrecy under multiple statutes such as the State Bank of India Act, Credit Information Companies Act, and Public Financial Institutions Act, ensuring non-disclosure of customer information except as permitted by law. Public Sector Banks have implemented robust information security and cybersecurity policies and upgraded protocols to meet global best practices. The enactment of the Digital Personal Data Protection (DPDP) Act, 2023, and the DPDP Rules, 2025, provides a citizen-centric framework for responsible data usage. RBI oversees compliance, updating guidelines through supervisory reviews and stakeholder consultations to bridge gaps and adopt global best practices, thereby ensuring secure, ethical, and efficient handling of customer data in India’s financial sector.
GOVERNMENT OF INDIA
MINISTRY OF FINANCE
DEPARTMENT OF FINANCIAL SERVICES
RAJYA SABHA
STARRED QUESTION NO. 20
ANSWERED ON TUESDAY, DECEMBER 2, 2025/ 11 AGRAHAYANA, 1947 (SAKA)
CUSTOMER DATA PROTECTION IN FINANCIAL SERVICES
20. SHRI RAJEEV SHUKLA:
Will the Minister of FINANCE be pleased to state:
(a) whether customer data protection protocols in financial services have been upgraded in line with international practices;
(b) if so, the details of oversight bodies and regulatory frameworks;
(c) the current status of compliance by banks and NBFCs to such protocols;
(d) the main gaps in customer data protection and steps for filling such gaps; and
(e) the proposed measures for data protection in the ongoing policy review and stakeholder participation?
ANSWER
THE MINISTER OF FINANCE
(SMT. NIRMALA SITHARAMAN)
(a) to (e): A statement is laid on the Table of the House.
*****
STATEMENT REFERRED TO IN REPLY TO PART (a) TO (e) OF RAJYA SABHA STARRED QUESTION NO. 20 FOR DECEMBER 2, 2025, REGARDING “CUSTOMER DATA PROTECTION IN FINANCIAL SERVICES” TABLED BY SHRI RAJEEV SHUKLA, HON’BLE MEMBER OF PARLIAMENT
(a) to (e): As per Reserve Bank of India (RBI), privacy in financial services, offered by Regulated Entities (REs) of RBI, is governed under various Statutes, which demand the observance of secrecy by the REs on the customer related information. REs are required to observe statutory compliance to various laws, including, inter alia, –
(i) State Bank of India Act, 1955 (section 44)
(ii) Banking Companies (Acquisition and Transfer of Undertakings) Act, 1970/1980 (section 13)
(iii) Regional Rural Banks Act, 1976 (section 25)
(iv) Credit Information Companies Act, 2005 (Section 29)
(v) The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 (Section 3)
These statutes require banks to observe secrecy and not divulge any information relating to or to the affairs of its constituents except when there is a compulsion of law or there are circumstances which, in accordance with law or practices and usages customary among bankers, necessary or appropriate for it to divulge such information.
As per information provided by the Public Sector Banks (PSBs), compliance to data protection guidelines as issued by the concerned regulatory and oversight bodies, including, inter alia, RBI, Unique Identification Authority of India, Indian Computer Emergency Response Team and other Government bodies, is being maintained by PSBs. Banks have aligned their Information Security Policy and Cybersecurity Policy with the best practices and regulatory guidelines. Banks have also strengthened consumer data protection protocols to align with globally accepted practices.
The Government has passed Digital Personal Data Protection (DPDP) Act, 2023 which is an overarching law to protect personal data of individuals. Further, the Digital Personal Data Protection Rules, 2025 have been notified on 14.11.2025. The Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 form a clear and citizen-centered framework for responsible use of digital personal data.
RBI, as part of its supervisory review process, regularly monitors and ensures compliance of data protection guidelines issued by it and other bodies. In case any gap is observed, alignment of the guidelines with the prevailing ecosystem are taken up by RBI so that the policy framework is updated with the globally adopted best practices. RBI also issues guidelines related to consumer data protection from time-to-time. Further, as part of the consultative framework of RBI, consultations and feedbacks are sought from stakeholders for framing/ updating the relevant policies/guidelines.
*****
