Building a holistic view of the customer, known as Customer 360, is a fundamental objective for enterprise businesses, particularly in the banking and financial sectors. This goes beyond mere data aggregation; it involves creating a single, authoritative, and up-to-date master record that serves as the source of truth for all systems and departments. However, in practice, implementing this concept faces organizational and technical risks, the primary one being the determination of who precisely has the authority to modify this master record, especially with the increasing role of artificial intelligence (AI) and heightened cybersecurity requirements.
The challenge of fragmented data: Risks to Customer 360
The classic enterprise challenge lies in customer data being scattered across dozens, if not hundreds, of different systems: CRM, ERP, loyalty programs, billing platforms, risk management systems, contact centers, and mobile applications. Each of these systems may have its own set of attributes, validation rules, and data lifecycle. This leads to the following consequences:
- Data inconsistency: Different systems contain conflicting information (e.g., different addresses, phone numbers, statuses).
- Low data quality: Duplicate, incomplete, or outdated records complicate analytics and decision-making.
- Operational inefficiency: Employees spend time searching for and verifying information, reducing productivity.
- Degraded customer experience: Customers receive irrelevant offers or are required to re-submit their data.
- Regulatory risks: Inability to demonstrate compliance with GDPR or other data protection regulations.
Without a single, authoritative master record, the Customer 360 concept remains an idea rather than a tangible business tool.
Who owns the master record: Defining roles and responsibilities
Defining responsibility for the master record is the cornerstone of effective Data Governance. This is not purely a technical task but an organizational one, requiring clear distribution of roles and processes. In practice, this means establishing a multi-tiered structure:
- Data Owner: Typically, this is a business unit leader who is the primary consumer and source of data (e.g., Chief Marketing Officer, Head of Sales). The Data Owner is responsible for data quality, accuracy, and alignment with business requirements. They approve data management policies and resolve conflicts.
- Data Steward: Specialists who work directly with the data. They implement policies set by the Data Owner, focusing on data cleansing, de-duplication, enrichment, and resolving day-to-day data quality issues.
- Data Architect: Responsible for designing the data architecture, including data models, integration flows, and storage. They ensure the technical implementation of Data Governance policies.
- Cybersecurity Team: Responsible for protecting the master record from unauthorized access, modification, or leakage. This includes implementing access control mechanisms, monitoring, and incident response.
- AI Governance Team: With the proliferation of AI, there is a need to define roles for managing AI risks. According to NIST AI RMF 1.0, this includes Govern, Map, Measure, and Manage functions. AI Governance specialists and Data Scientists developing models that use customer data must also have clearly defined rights and responsibilities regarding access and modification of this data.
Without such a hierarchy and distribution of responsibility, attempts to build Customer 360 are destined to fail.
AI and cybersecurity: New challenges for data management
The widespread adoption of AI in business, as indicated by Microsoft’s latest Work Trend Index Annual Report where 49% of Copilot conversations supported cognitive work, necessitates new management models. AI models can not only consume data for analysis and forecasting but also propose changes or even modify it automatically. This creates new risks:
- Automated modification: If an AI model suggests changing an address based on external source analysis, who is responsible for the accuracy of this change? What is the approval mechanism?
- AI bias: Improperly trained AI models can introduce biased or discriminatory changes to data, leading to legal and reputational consequences. AI risk management, as emphasized by NIST AI RMF, extends beyond model accuracy.
- Cybersecurity: AI can be used to enhance cybersecurity or to perpetrate new types of attacks. According to ENISA Threat Landscape 2025, phishing remains a leading initial access vector. Gartner’s trends for this year note that the normalization of AI in cybersecurity is accompanied by new AI risks requiring comprehensive management.
To mitigate these risks, Data Governance policies must be integrated with AI risk management frameworks and cybersecurity standards. This means implementing audit mechanisms for all changes made by AI and strengthening access controls for data used in model training.
CISA Cross-Sector Cybersecurity Performance Goals (CPG) outline foundational cybersecurity practices for critical infrastructure, serving as a benchmark for protecting master records and ensuring their integrity and confidentiality.
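The approval and audit mechanism described above can be sketched as a write gate in front of the master record. This is an added example, not code from any MDM product or from the vendors named on this page: an AI model may only propose a change, a steward other than the proposer must approve it, and every decision lands in a hash-chained audit log. The role names, field names and policy table are assumptions made for illustration.

```python
import hashlib, json
# Hypothetical policy and role names; roles are assumed to come from an authenticated session.
POLICY = {
    "address": {"direct": {"data_steward"}, "propose": {"ai_model", "crm_service"}},
    "risk_status": {"direct": set(), "propose": {"data_steward"}},
}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class MasterRecord:
    def __init__(self, data):
        self.data, self.pending, self.audit = dict(data), {}, []
    def _log(self, event, **details):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"seq": len(self.audit), "event": event, "prev": prev, **details}
        self.audit.append({**body, "hash": _digest(body)})  # chain to previous entry
    def _apply(self, actor, role, field, value, **extra):
        old, self.data[field] = self.data.get(field), value
        self._log("applied", actor=actor, role=role, field=field, old=old, new=value, **extra)

    def submit(self, actor, role, field, value):
        rule = POLICY.get(field, {"direct": set(), "propose": set()})
        if role in rule["direct"]:
            self._apply(actor, role, field, value)
            return ("applied", None)
        if role in rule["propose"]:
            pid = len(self.audit)  # sequence number of the log entry, never reused
            self.pending[pid] = (actor, role, field, value)
            self._log("proposed", actor=actor, role=role, field=field, new=value)
            return ("pending", pid)
        self._log("denied", actor=actor, role=role, field=field)
        return ("denied", None)

    def approve(self, pid, approver, approver_role):
        item = self.pending.get(pid)
        if item is None or approver_role != "data_steward" or approver == item[0]:  # four-eyes
            self._log("approval_denied", actor=approver, pid=pid)
            return False
        self._apply(*self.pending.pop(pid), approved_by=approver, pid=pid)
        return True

def verify_chain(audit):
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["hash"] != _digest(body):
            return False
        prev = entry["hash"]
    return True
```

In production the chain head would be anchored outside the MDM hub (for example, forwarded to the SIEM) so that someone with write access to the log cannot rebuild the whole chain unnoticed.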
A common mistake: Treating CRM as the single source of truth
Organizations often err by assuming their CRM system is automatically the single source of truth for all customer data. While CRMs are crucial for interaction management, they rarely contain the complete set of master data. For instance, financial data, payment history, and legal aspects might reside in other specialized systems. If a CRM attempts to aggregate all this data without a proper MDM layer, it leads to:
- CRM overload: The system becomes overly complex, slow, and expensive to maintain.
- Logic duplication: Data validation and integration rules are duplicated across the CRM and other systems.
- Lack of a single version: Multiple data versions may exist in the CRM and other systems, causing confusion.
Instead, a dedicated Master Data Management (MDM) layer should be implemented. This layer aggregates, cleanses, de-duplicates, and enriches data from all sources, creating a single “golden record.” The CRM then becomes a consumer of this record, not its sole owner.
Architectural approach to master data management
For the banking sector, an architectural approach to master data management involves various systems (front-office, back-office, lending, risk management) acting as data sources and consumers. Instead of direct “point-to-point” integrations, which create a chaotic network, a centralized MDM hub is implemented. This hub is responsible for:
- Data ingestion: Collecting data from all sources via integration buses (e.g., based on Apache Kafka or ESB).
- Cleansing and de-duplication: Identifying and removing duplicates, correcting errors, and standardizing formats.
- Data enrichment: Augmenting data from internal sources (e.g., transaction history) and external sources (e.g., government registries).
- Creating the “golden record”: Forming a single, authoritative, and up-to-date master record.
- Data distribution: Providing the “golden record” to all consumers via APIs or publish/subscribe mechanisms.
This approach allows each system to work with a single, reliable version of data, enhancing its quality and consistency. Data Management IG, a member of the Intecracy Group alliance, has experience in designing and implementing such architectural solutions. For example, UnityBase (an open-source low-code platform developed by InBase) can be utilized for building centralized data management systems.
Practical steps to building a robust data management system
Building an effective master data management system is a multi-stage process requiring a strategic approach:
- Assess the current state: Inventory all customer data sources, analyze their quality, and identify problem areas.
- Develop a Data Governance policy: Clearly define roles, responsibilities, access rules, modification procedures, and data lifecycles. This must include aspects of AI Governance and cybersecurity.
- Select an MDM solution: Choose a platform or set of tools that meet the organization’s needs. This could be a commercial solution or development based on low-code platforms.
- Phased implementation: Start with pilot projects, gradually integrating systems and expanding data coverage.
- Integrate with cybersecurity systems: Ensure compliance with standards (e.g., CISA Cross-Sector CPG) and implement SIEM systems for monitoring access and changes to the master record.
- Staff training: Conduct regular training for all employees working with data on Data Governance policies, AI risks, and cybersecurity requirements.
- Monitoring and auditing: Continuously monitor data quality, audit changes, and ensure compliance with policies. For managing and versioning documents that regulate these processes, Scriptum (a low-code BPM platform on UnityBase from InBase) can be used.
Key business outcomes from implementing effective master data management include improved data quality, enhanced customer experience, reduced operational costs, accelerated time-to-market for new products, and mitigated regulatory and cybersecurity risks. Softline, as part of the alliance, also possesses expertise in implementing comprehensive system integrations.
Readiness checklist for master record management
- Has a Data Owner been appointed for the customer master record?
- Has a Data Governance policy been approved, regulating access and modification rights for the record?
- Are roles and responsibilities defined for teams working with AI models (Data Scientist, AI Governance Lead)?
- Are access control mechanisms and change audit processes in place, compliant with cybersecurity standards (e.g., CISA CPG)?
- Is there a process for assessing and managing risks associated with using AI for data processing (according to NIST AI RMF)?
- Are incident response procedures defined for security events related to unauthorized data changes or leaks?
- Has staff training been conducted on handling confidential data and cybersecurity requirements?