MAS Consultations on Third Party Risk Management & Updated Operational Risk Management Guidelines
The Monetary Authority of Singapore (“MAS”) released two major consultation papers on 6 March 2026 which together signal a significant shift toward a unified, resilience‑focused supervisory regime for Singapore financial institutions (“FIs”):
- Consultation Paper on Proposed Guidelines on Third-Party Risk Management
- Consultation Paper on Updated Guidelines on Operational Risk Management
Both consultations close on 20 April 2026.
Consultation Paper on Proposed Guidelines on Third-Party Risk Management
1. What Is MAS Changing?
The MAS has proposed new Guidelines on Third‑Party Risk Management (“TPRM Guidelines”) for FIs which will supersede the existing MAS guidelines on outsourcing and expand the application of relevant expectations currently imposed on outsourced services to all third-party services. Bank‑specific outsourcing notices (MAS Notices 658 and 1121) will remain in force.
2. What MAS Expects from FIs
A. Governance & Oversight
- Board and senior management remain fully responsible for maintaining effective oversight and governance of third-party arrangements, managing third-party risk and implementing a sound third-party risk management framework.
- FIs must maintain an FI‑wide view of risks from all third‑party services and incorporate the assessment and mitigation of such risks into their risk management framework.
- FIs should establish a third-party risk management framework.
- FIs with a branch or subsidiary under them, and which is subject to consolidated supervision by MAS or an owner of critical information infrastructure, must ensure group‑wide alignment.
B. Central Register & Reporting
FIs must maintain a record of their third‑party arrangements and submit a register of third-party arrangements to MAS semi-annually or upon request using a prescribed template. The register should minimally include all their material third-party arrangements (including material sub-contractors, where possible).
C. A Full Life‑Cycle Approach
The TPRM Guidelines provide guidance for every stage of a third-party arrangement’s life cycle.
1. Risk Assessment
- To identify and assess the types and levels of risks, and the materiality of potential services provided through a third-party arrangement.
- Performed before entering into a third-party arrangement, when there are major changes impacting the arrangement, and periodically.
2. Due Diligence
- Performed prior to entering, renegotiating or renewing the third-party arrangement, and periodically.
- Due diligence can involve onsite checks, particularly for material arrangements.
- Implement appropriate measures to monitor and manage concentration risks.
3. Contracting
- Address the risks identified at the risk assessment and due diligence stages.
- Set out the scope of the arrangement and allow for timely renegotiation and renewal.
- Agreements with material third-party arrangements should include:
  - a right to receive information
  - audit & inspection rights
  - adverse event reporting
  - FI’s right to ownership, access to and use of assets
  - termination rights
  - provision governing rights granted to third-party service providers
  - business continuity obligations
  - security, resilience and other technical obligations
  - framework to modify existing arrangements
  - key performance benchmarks
  - provisions necessary to allow FI to exercise effective monitoring and control
  - locations, regions or jurisdictions where the service will be performed and where relevant data will be processed and stored
  - choice of law and dispute resolution process
  - subcontracting controls
  - complaints procedure (if applicable)
4. Onboarding & Ongoing Monitoring
- Ensure that the third-party service provider has adequate understanding of the FI’s policies, people, processes, technology, facilities and interconnections that are needed to provide the service.
- Periodic due diligence.
- Independent audits/expert assessments for material arrangements.
- Board‑approved audit frequency.
5. Termination
- Maintain exit plans to cater for different plausible termination scenarios.
- MAS may direct termination for egregious issues.
D. Sub‑Contractor Oversight
- MAS extends expectations to material subcontractors, on a “risk‑proportionate and best-effort” basis.
- Pass‑through subcontracting is not prohibited, but FIs must understand and mitigate the risks.
- Maintain up-to-date information on material subcontractors, to the extent possible and practicable.
E. Adverse Developments
- An FI must notify MAS as soon as possible once it receives a notification of an adverse development that has widespread impact or materially impacts the FI’s service to its customers.
- Service providers are expected to support MAS investigations; lack of cooperation may lead MAS to require the FI to terminate.
F. Confidentiality, Security & BCM
FIs must ensure third‑party arrangements do not compromise:
- Confidentiality and security of customer information; and
- Business continuity.
G. Exempted Services
- Same exemptions as existing outsourcing guidelines, plus use of Financial Market Infrastructures and utilities.
- Even for exempt services, FIs must still maintain business continuity measures.
3. MAS Implementation Timeline
MAS proposes that the TPRM Guidelines take effect 6 months from the date of issuance. This transition period is intended to provide FIs with time to make necessary arrangements, including updating third-party service agreements to align with the TPRM Guidelines.
Consultation Paper on Updated Guidelines on Operational Risk Management
The MAS has proposed updated Guidelines on Operational Risk Management (“ORMG”) which will supersede the 2013 Operational Risk Guidelines. The updated ORMG builds on MAS’ existing expectations and incorporates key elements of guidance by the Basel Committee on Banking Supervision. MAS proposes that the ORMG come into effect 6 months after publication.
Some key changes proposed include:
- Public disclosure requirements for a domestic systemically important bank or insurer.
- Strengthened change‑management processes.
- Governance and oversight of branches/subsidiaries, aligned with group‑wide operational resilience.
Next steps
FIs should carefully review the proposed TPRM Guidelines and ORMG and conduct a gap analysis against current practices. In particular, FIs should assess the adequacy of existing governance frameworks and review contractual terms with service providers against the proposed new requirements.
If any FI would like to discuss the impact of the TPRM Guidelines and/or the ORMG on its organisation or if any FI would like to give feedback to MAS on either, please feel free to reach out to us.