Counterparty and Outsourcing Risk: Managing Third Party Service Providers

In a financial ecosystem increasingly dependent on digital outsourcing, third-party failures have become a systemic risk. The Monetary Authority of Singapore (MAS) has addressed Third-Party Risk Management (TPRM) concerns with the issuance of Circular MAS/TCRS/2025/05 (the Circular) on 9 July 2025. The move comes on the heels of high-impact ransomware attacks on Toppan NexTech and DataPost, which disrupted Financial Institutions and compromised sensitive client data earlier this year.

These incidents were not isolated cyber events—they exposed structural weaknesses in third-party oversight across the financial sector. The scale and downstream impact are summarised below:

Regardless of where a failure originates, a Financial Institution is clearly expected to take accountability for the services it outsources.

Beyond a compliance reminder, the Circular represents a clear supervisory expectation by MAS on governance, cyber resilience and operational continuity. It requires Broker-Dealers, Custodians and Fund Management companies regulated under the Securities and Futures Act, Licensed and Exempt Financial Advisers under the Financial Advisers Act, Payment Services entities under the Payment Services Act, and Trust Companies under the Trust Companies Act – to name a few – to demonstrate defensible risk practices, enforce Board-level accountability, and strengthen controls across all TPSP arrangements.

1. Regulatory Accountability and Governance Expectations

Regulators expect all Financial Institutions to be accountable, through Senior Management and the Board of Directors, for every TPSP engagement irrespective of function or delivery model. This includes cloud services, fund administration, payment processing, KYC/AML operations, cybersecurity, and data management. Governance frameworks must extend beyond procurement compliance and technology oversight, forming a core pillar of enterprise risk management and operational resilience.

To meet these supervisory expectations, the Board and Senior Management must:

  • Approve and periodically review a comprehensive TPRM framework with clear policies on risk ownership and escalation.
  • Oversee material TPSP engagements through risk-based tiering and governance escalation.
  • Assign clear accountability across business, risk, compliance, procurement, and technology functions.
  • Ensure contractual agreements uphold MAS’ requirements, including audit rights, data protections, and prompt incident reporting.
  • Maintain adequate internal resources and competencies to oversee TPSP arrangements — not rely solely on vendor attestations.
  • Demonstrate effective governance through defensible evidence, including monitoring records, risk assessments, detailed due diligence documentation and processes, remediation tracking and escalation logs.

MAS has signalled a supervisory shift: written policies and frameworks will no longer be sufficient. During thematic reviews and inspections, auditors will expect evidence of effective control operation, supported by monitoring records, risk assessments, due diligence files, remediation tracking, and escalation logs. In short, governance must be demonstrable and defensible.

2. Comprehensive and Continuous Risk Assessments

Third-party risk management must be continuous, risk-based, and evidence-driven. Vendor due diligence should never be a one-off onboarding exercise; it must instead cover the full TPSP lifecycle from pre-engagement to exit, with reassessment triggered either at a predetermined frequency or upon the occurrence of material changes or incidents.

Financial institutions are expected to:

  • Perform pre-engagement risk assessments to evaluate TPSP suitability based on service criticality, data sensitivity, system connectivity and regulatory impact.
  • Categorise TPSPs into risk tiers (Critical, High, Medium, Low) and apply proportionate levels of due diligence and monitoring.
  • Reassess TPSP risk on a periodic basis and when material events occur, such as system upgrades, ownership changes, cybersecurity incidents or service expansion.
  • Evaluate subcontractor (fourth-party) exposure and outsourced-cloud concentration risks.
  • Monitor cumulative concentration risk across the institution, especially where multiple business functions rely on a single TPSP or common industry vendor.

The Circular specifically warns against passive acceptance of vendor self-attestations or checklist-style assessments. Financial Institutions should obtain independent assurance via SOC 2 or ISO certifications (where relevant), penetration tests, vulnerability assessments, and financial viability reviews. Where control gaps persist, risk remediation with documented plans tracked to closure is now expected to be market convention.

3. Contractual and Legal Safeguards

Outsourced vendor contracts must evolve from commercial documents into regulatory instruments that embed enforceable provisions protecting the Financial Institution’s operational and regulatory oversight. Particularly for materially outsourced arrangements, Financial Institutions must secure contractual rights that enable timely disclosure upon periodic or regulatory-driven scrutiny, operational resilience and data protection. Weak contractual terms may constitute a significant regulatory gap and carry serious consequences from both a regulatory and a business risk perspective.

Contracts must include:

  • The right for a Financial Institution to conduct periodic audits or obtain independent assurance (SOC 2, ISAE 3402, ISO 27001) as relevant. Vendor refusal is not acceptable.
  • TPSPs must notify the Financial Institution promptly of material cyber, data or operational incidents, with defined reporting timelines and escalation protocols.
  • TPSPs must disclose subcontractor engagements and obtain the Financial Institution’s approval for them; fourth-party risk must be accounted for in the documentation and monitored.
  • TPSPs must comply with the MAS Outsourcing and Technology Risk Management (TRM) Guidelines and Cyber Hygiene Notice on secure data processing, retention and destruction.
  • Agreements must include structured exit and transition to ensure orderly service migration and secure data deletion.

Financial Institutions are expected to conduct timely contract remediations to uplift legacy agreements that lack mandatory protections. Contracts signed more than 2 to 3 years before the time of writing are unlikely to meet current regulatory expectations and must be progressively amended and updated. Where a TPSP refuses contract changes, risk acceptance must be documented and approved at a senior level, with compensating controls or fallback measures in place.

4. Cyber Hygiene and Security Validation

Outsourcing does not dilute accountability for cyber risk. MAS holds Financial Institutions fully responsible for safeguarding information assets and enforcing security controls across third-party arrangements. TPSPs fall squarely within the scope of the MAS Notice on Cyber Hygiene and relevant provisions of the TRM Guidelines. From a supervisory standpoint, third-party environments are treated as an extension of the Financial Institution’s technology estate and must therefore meet equivalent security standards. At a minimum, MAS expects TPSPs to demonstrate:

  • Strong identity and access management controls, including multi-factor authentication and privileged account monitoring.
  • Secure network architecture with appropriate segmentation between systems, regular firewall rule reviews, and protection against unauthorised access.
  • System hardening and configuration management, ensuring standard secure builds and controlled change processes.
  • Effective vulnerability management, including timely patching, remediation of security findings, and documented closure evidence.
  • Endpoint and malware protection across all servers and workstations that process the Financial Institution’s data.
  • Active security monitoring and log review with detection of unauthorised access and anomalous activity.
  • Data protection measures, including encryption of sensitive information in transit and at rest, and strict data transfer controls.
  • Cloud security assurance (where applicable), including validation of Cloud Service Provider (CSP) controls and clarity over shared security responsibilities.

Financial Institutions should not rely solely on vendor assurances when assessing the security measures of their third-party arrangements. TRM and Cyber Hygiene compliance reviews and independent audits or resilience testing should be performed by the Financial Institution on its vendors periodically, and particularly where technology and cyber risk is apparent.

5. Incident Response and Regulatory Reporting Obligations

Financial Institutions are expected to maintain robust incident response measures that extend to third-party service providers. Accountability cannot be transferred to the vendor: ownership of incident response remains with the Financial Institution even if the root cause involves a TPSP.

When a TPSP experiences a cyber, data or service disruption incident, Financial Institutions are expected to take immediate containment action proportionate to the seriousness of the matter. This may include restricting or revoking TPSP access, isolating affected systems, pausing data flows, collaborating on root cause investigation, escalating to senior management and activating contingency plans.

Reportable incidents include cases where (non-exhaustively):

  • A Financial Institution’s operations are materially disrupted due to a TPSP failure
  • Confidential data is accessed, leaked or compromised
  • Payment or trading systems are affected
  • Regulatory reporting thresholds are triggered

Notifications must be made within required timelines, typically within 1 hour for severe cases, followed by detailed investigation reports.

6. Business Continuity and Exit Preparedness

Financial Institutions are required to ensure the continuity of critical business services, even in the event of third-party disruption. Under MAS’ Business Continuity Management requirements, which overlap with the expectations outlined here, Business Continuity arrangements must be relevant, practical, regularly tested and proportionate to the risk level of the TPSP dependency. Reliance on unverified or theoretical plans will not meet supervisory expectations.

In addition to continuity planning, MAS also expects Financial Institutions to demonstrate exit readiness for high-risk TPSP relationships. Exit strategies must be feasible, well-structured, regularly reviewed and operationally executable. They should include structured service transfer plans, defined transitional responsibilities, data migration readiness and enforceable contractual provisions for data return or certified destruction at termination.

The regulator has warned that untested contingency plans will not be acceptable during supervisory inspections. Financial Institutions must be able to demonstrate that they can operate through vendor disruption without compromising on their regulatory obligations or customer service.

7. Documentation and Supervisory Readiness

From a compliance perspective, evidence is everything. If it’s not documented, it’s not done.

Financial Institutions must not only demonstrate that controls exist, but that they operate effectively in practice. This requires audit-ready documentation and traceable records demonstrating oversight and governance across the third-party risk lifecycle.

Policy reviews alone will no longer suffice. Regulatory expectations call for evidence trails that validate risk management effectiveness. Documentation must be complete, consistent and easily retrievable.

8. Implementation Roadmap for Financial Institutions

To align with MAS Circular MAS/TCRS/2025/05, Financial Institutions should adopt a structured and risk-based implementation roadmap. Immediate priorities include:

  1. Update the TPRM framework, with Board approval, to incorporate lifecycle risk management, accountability and evidential governance.
  2. Risk-tier TPSPs based on service criticality, data sensitivity and system connectivity, applying proportionate controls by risk category.
  3. Remediate legacy contracts to include MAS-required clauses (regulatory access, audit rights, subcontractor approval, incident notification and exit provisions).
  4. Strengthen cyber assurance by validating TPSP compliance with MAS TRM and Cyber Hygiene requirements through independent testing and security reviews.
  5. Integrate TPSP disruptions into BCM testing and validate the operational viability of contingency and exit plans.
  6. Maintain inspection-ready documentation that provides evidence of due diligence, monitoring, issue remediation and governance oversight.

Financial Institutions that embed these actions within enterprise risk governance will be better positioned to withstand both operational and regulatory stress tests.

Conclusion

MAS Circular MAS/TCRS/2025/05 represents a significant escalation in supervisory expectations for third-party risk management. The regulatory narrative is clear: outsourcing does not transfer accountability. Financial Institutions must be able to demonstrate control effectiveness, governance discipline and evidential oversight across every stage of the third-party lifecycle.

The regulatory focus has shifted from documented intent to provable outcomes. Policies and contracts alone are no longer sufficient. Supervisory expectations now centre on independent assurance, defensible documentation and operational resilience. Financial Institutions that continue to rely solely on vendor assurances, legacy outsourcing practices or fragmented oversight will face increasing regulatory scrutiny.

How Curia Regis Can Support

The expectations introduced under MAS Circular MAS/TCRS/2025/05 require Financial Institutions to demonstrate structured governance, clear, succinct and defensible documentation and independent assurance over third-party arrangements. Curia Regis can help you design, enhance and operationalise your third-party risk management framework to meet regulatory expectations.

We provide regulatory-aligned support in:

  • Developing and enhancing TPRM frameworks, outsourcing policies and governance structures
  • Building TPSP risk registers and risk tiering models to align oversight with criticality
  • Establishing due diligence and ongoing monitoring procedures with evidence-based assessments
  • Reviewing TPSP contracts to include MAS-required obligations
  • Validating cybersecurity and MAS TRM/Cyber Hygiene compliance across TPSP environments
  • Strengthening incident response integration, fallback planning and exit readiness
  • Preparing audit-ready documentation and supervisory review packs for MAS inspections
  • Carrying out Independent Audits and Reviews to better prepare you for a regulatory inspection

Our approach is practical, structured and implementation-focused. We embed oversight methodologies and tools that help you demonstrate control effectiveness, satisfy regulatory expectations and strengthen your overall operational resilience as a Regulated Financial Institution.

If your organisation is reviewing its third-party risk governance or intends to uplift its current measures to meet these recently updated requirements, contact us here or email admin@thecuriaregis.com to get in touch.