MAS Proposes New Third-Party Risk Management Guidelines to Cover All Third-Party Services

Executive Summary

The Monetary Authority of Singapore (“MAS”) is proposing new Guidelines on Third-Party Risk Management (“TPRM Guidelines”) to reflect the evolving use of third-party services by financial institutions (“FIs”) that is moving beyond outsourcing. This is significant because the TPRM Guidelines supersede the existing Guidelines on outsourcing for banks and other FIs[1] and expand their scope beyond outsourcing to cover all third-party services. MAS is conducting a public consultation to obtain feedback on the proposed TPRM Guidelines. The MAS Consultation Paper is available here. Comments should be provided to MAS by 20 April 2026.

The TPRM Guidelines will incorporate existing MAS requirements and international guidance on third-party arrangements. MAS Notices 658 and 1121 remain applicable to banks and merchant banks for baseline outsourcing requirements.

MAS proposes a six-month transition period from issuance of the TPRM Guidelines before they come into effect. In the meantime, FIs must manage operational, technology, and cyber risks by re-assessing risks after significant changes or incidents and implementing robust business continuity and incident response plans.

This Update summarises the key provisions of the proposed TPRM Guidelines.

[1] Guidelines on Outsourcing (Banks) and Guidelines on Outsourcing (Financial Institutions other than Banks)

Key Provisions under Proposed TPRM Guidelines (by Topic)
Proportionality
Implementation of MAS' expectations in the TPRM Guidelines should be proportionate to the FI's size and complexity, and the risk and materiality of its third-party services.
Oversight of FI's Branch and/or Subsidiary
FIs with branches or subsidiaries (subject to consolidated supervision by MAS or owning critical information infrastructure) are expected to:
  1. Assess the impact of third-party services used by these entities, including those overseas, on consolidated operations;
  2. Ensure branches and subsidiaries adopt a group-aligned third-party risk management framework;
  3. Establish clear oversight structures for board and senior management; and
  4. Inform MAS of adverse developments in third-party service usage.
Record-Keeping Requirements
FIs should:
  1. Identify and monitor changes in the risk materiality of third-party arrangements;
  2. Understand concentration risk (e.g. at service provider or geographical level);
  3. Map dependencies and interconnections relating to their material third-party arrangements, where possible; and
  4. Maintain and update a record of third-party arrangements with risk implications.

    MAS proposes that FIs submit a register of all material third-party arrangements (including material sub-contractors) to MAS semi-annually and upon request.
Responsibilities of Board and Senior Management on Governance, Risk Management and Strategy
The board and senior management must ensure sound governance and risk management. Their responsibilities include ensuring adequate processes for a comprehensive FI-wide view of third-party risk exposures and incorporating risk assessment and mitigation into the FI's broader framework. MAS proposes that FIs must:
  1. Establish a third-party risk management framework aligned with the FI’s operational risk management framework and third-party strategy; and
  2. Maintain a third-party risk management strategy consistent with other relevant strategies (e.g. operational and technology risk management) and overall risk appetite. The TPRM Guidelines specify what this strategy should cover.
Third-Party Arrangement Life Cycle
  1. Risk assessment. FIs should assess the types and levels of risks, and the materiality of potential third-party services, both for new arrangements and periodically for existing ones. Relevant factors include financial and non-financial risks.
  2. Due diligence. FIs should conduct due diligence on service providers, with the TPRM Guidelines setting out areas that could be covered, including general aspects and customer information protection. FIs must monitor and manage concentration risks. Banks and merchant banks must continue complying with MAS Notices 658 and 1121.
  3. Contracting. The TPRM Guidelines outline contractual expectations on FIs’ agreements with service providers, including contractual terms that an FI should consider for inclusion, reflecting MAS standards and international regulatory guidance.
  4. Onboarding and ongoing monitoring. FIs must regularly conduct due diligence, including after major changes affecting service delivery. MAS will not prescribe minimum audit frequency. The board should approve appropriate frequency based on service nature, scope, complexity, and risk impact. Banks and merchant banks must still comply with Notices 658 and 1121 regarding audit frequency.
  5. Termination. FIs should develop exit plans for various termination scenarios. The TPRM Guidelines specify when FIs should consider termination and circumstances where MAS may direct termination.
Use of Material Sub-Contractors
  1. FIs should, where possible, include material sub-contractors in their record of third-party arrangements and require service providers to notify the FI before engaging material sub-contractors.
  2. For pass-through sub-contracting, FIs should assess risks and ensure effective oversight.
  3. FIs should ensure material sub-contractors meet standards comparable to service providers, such as by cascading contractual requirements.
Exempted Services
Under existing Notices and Guidelines, FIs are exempt from outsourcing requirements for "exempted services" (services wholly provided by GovTech or its agents, and services not performed for financial business). MAS proposes to:
  1. Retain the exhaustive list of exempted services in the TPRM Guidelines; and
  2. Include Financial Market Infrastructures and utilities as exempted services.

    FIs must implement adequate risk management measures and appropriate business continuity and incident response plans for exempted services.

For queries on the proposed TPRM Guidelines and/or to provide a response to the consultation, please feel free to contact our team set out on this page.



 

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
