Background
The Monetary Authority of Singapore (MAS) published two consultation papers on 6 March 2026 on risk management requirements for financial institutions (FIs), with feedback due by 20 April 2026:
- The Consultation Paper on Proposed Guidelines on Third-Party Risk Management (the TPRM Consultation Paper)
- The Consultation Paper on Updated Guidelines on Operational Risk Management (the ORM Consultation Paper)
In the TPRM Consultation Paper, the MAS proposes to introduce new Guidelines on Third-Party Risk Management (the TPRM Guidelines), which will supersede the Guidelines on Outsourcing (Banks) and Guidelines on Outsourcing (Financial Institutions other than Banks) (collectively, the Current Outsourcing Guidelines) and extend outsourcing requirements to all third-party arrangements, subject to limited exceptions. Banks and merchant banks will remain subject to existing notices, which impose legally binding requirements relating to their management of outsourced services.
In the ORM Consultation Paper, the MAS proposes to replace the existing Guidelines on Risk Management Practices – Operational Risk (the Current ORM Guidelines) with updated Guidelines on Operational Risk Management (the Updated ORM Guidelines) containing additional requirements on board and senior management responsibility, change management, and public disclosures, among others.
Third-party risk management – Scope of third-party arrangements
The TPRM Guidelines regulate “third-party arrangements”, which covers any arrangement between an FI and a service provider for the provision of services to the FI, including services provided by intragroup entities but excluding services provided by directors or employees.
Services which are exempt from the third-party risk management (TPRM) requirements (but must still be covered by business continuity and incident response plans) include:
- Financial market infrastructures (e.g., clearing houses, trade repositories, central securities depositories, systemically important payment systems, and the SWIFT network)
- Utilities (e.g., telcos and electricity providers)
- Services which are not for the conduct of any financial business and where the service provider does not receive, handle, or access confidential or customer information (e.g., cleaning and pantry services)
The TPRM Guidelines will apply to a broader range of services than the scope of outsourcing arrangements covered by the Current Outsourcing Guidelines, which broadly include services which an FI is able to perform itself and which are integral to its financial business.
Third-party risk management – Revisions to existing outsourcing requirements
The TPRM Guidelines cover topics similar to those in the existing outsourcing requirements. However, the MAS has also modified the language in the Current Outsourcing Guidelines to better reflect its supervisory expectations. Key updates include the following:
- Requiring an FI that is subject to consolidated supervision by the MAS to include its branches and subsidiaries in its implementation of the TPRM Guidelines. The same applies where an FI is an owner of critical information infrastructure.
- Reframing certain existing requirements within the three concepts of “governance”, “risk management”, and “strategy”, and refining the MAS’ expectations relating to those requirements:
  - “Governance” encompasses the responsibilities of the board and senior management to maintain oversight, manage risks, and implement the risk management framework.
  - “Risk management” encompasses an FI’s evaluation of risks arising from the arrangement, including identifying the role of third parties within the overall business strategy and objectives, performing due diligence, assessing the third party’s ability to meet standards, and assessing the impact on the FI’s overall risk profile.
  - “Strategy” encompasses new requirements, such as assessing the continued relevance of third-party arrangements to the FI, performing cost-benefit analyses of relying on third parties, assessing the implications for the FI’s safety and soundness, defining the FI’s risk appetite, and assessing conditions which would trigger an exit from the third-party arrangement.
- Reframing other existing requirements within the context of the life cycle of a third-party arrangement, and refining the MAS’ expectations relating to those requirements:
  - FIs must perform risk assessments when planning to enter into a third-party arrangement, or if there are major changes impacting the arrangements, among other circumstances. FIs should also assess the substitutability of the services to be provided and whether their controls are adequate to manage the risks.
  - Due diligence should be performed prior to entering into, renegotiating, or renewing third-party arrangements, considering aspects such as the service provider’s financial and business viability, its ability to deliver the service within the expected service levels, and its governance and risk management controls. The TPRM Guidelines set out new guidance not previously covered, including using on-site reviews, enlisting subject-matter experts for technical elements, conducting checks on the service provider’s staff, and addressing concentration risk.
  - Enhancements to existing ongoing monitoring and control requirements, including reviewing third parties’ business continuity and disaster recovery plans and testing, performing due diligence on a periodic basis, and remediating any identified issues.
Other outsourcing topics (e.g., register of arrangements, contractual terms, notification of adverse developments, confidentiality and security, audit and inspection, and subcontracting) remain covered, although the MAS has proposed changes to the language to provide more comprehensive guidance on its supervisory expectations.
Operational risk management – New requirements
The Current ORM Guidelines set out the MAS’ expectations for an FI’s operational risk management framework at a very high level, including expectations on the monitoring and reporting of operational risks. The Updated ORM Guidelines will build on the MAS’ existing expectations and incorporate the Basel Committee on Banking Supervision’s Revised Principles for the Sound Management of Operational Risk. Key updates include the following:
- Requiring an FI that is subject to consolidated supervision by the MAS to include its branches and subsidiaries in its implementation of the Updated ORM Guidelines. The same applies if an FI is an owner of critical information infrastructure.
- Additional details on what an operational risk management (ORM) framework should include, such as governance structures, clearly defined risk appetite and tolerance, taxonomy of operational risk terms, and other internal policies, procedures, and controls.
- Defining a “three lines of defence model” for operational risk, comprising (i) business units, (ii) an independent ORM function, and (iii) independent assurance or audit. This is similar to the expectation for managing anti-money laundering and countering the financing of terrorism risk.
- Additional guidance on board and senior management responsibilities.
- Requiring an ORM process, which includes identifying and assessing operational risks, selecting and implementing risk treatment options, and monitoring and reporting operational risks.
- Requiring a change management process to identify and assess additional operational risks arising from planned operational changes, review and approve these changes pre-implementation, and monitor the changes post-implementation.
- Requiring domestic systemically important banks (DSIBs) and domestic systemically important insurers (DSIIs) to publicly disclose their operational risk exposures (whilst ensuring that operational risk is not created through the disclosures) and to put in place a formal disclosure policy. The MAS has in parallel proposed to amend the Guidelines on Risk Management Practices – Internal Controls to require DSIBs and DSIIs to publicly disclose their code of conduct.
Transition period
The MAS is proposing to implement the new requirements six months after the publication of the new guidelines. No date range has been proposed for publication of the new guidelines, but we expect them to be released alongside the MAS’ responses to the TPRM and ORM Consultation Papers, which will be forthcoming sometime after 20 April 2026, once the MAS has collected and analysed all feedback received prior to the submission deadline.
Conclusion
The TPRM and ORM Consultation Papers represent a significant uplift to the existing requirements for outsourcing arrangements and the management of operational risks. Although MAS guidelines should be implemented on a risk-proportionate basis, compliance by FIs remains crucial since this is relevant to the MAS’ assessment of their soundness and governance strength.
FIs should assess the gaps between their existing risk management frameworks and controls and the new requirements and take early steps to implement the necessary changes, given that a six-month transitional period may not be sufficient to put in place the necessary changes (e.g., negotiations with affiliates and external third parties on the TPRM requirements, and communications with internal stakeholders on the ORM requirements).
Client Alert 2026-067