What Financial Institutions Should Be Preparing for Ahead of 1 February 2026

From 1 February 2026 onwards, Financial Institutions in Singapore will be required to submit all reportable incidents using the updated Incident Reporting Template via the MAS-FI Transactions Platform (MAS-Tx). This requirement follows the issuance of the Circular on Financial Institution Incident Reporting by the Monetary Authority of Singapore (MAS) in December 2025 and represents a further refinement of supervisory oversight over operational, technology, and cyber risks across the financial sector.

With the effective date fast approaching, January 2026 presents an appropriate juncture for Financial Institutions to re-examine their incident response and reporting arrangements, particularly in light of increasingly frequent and complex operational disruptions observed both locally and internationally.

Regulatory Context and Supervisory Intent

The updated incident reporting framework does not expand the scope of reportable incidents. Instead, it focuses on improving the quality, coherence, and consistency of information available to supervisors as incidents emerge.

In revising the template, MAS has aligned the incident reporting framework with international supervisory practices, including the Financial Stability Board’s Format for Incident Reporting Exchange. The decision to mandate submissions through MAS-Tx further reflects a deliberate move towards standardisation and improving supervisory visibility across Financial Institutions and incident types.

Key Points for Financial Institutions

1. Mandatory Use of the Updated Template from 1 February 2026

From 1 February 2026 onwards, all reportable incidents must be submitted using the revised Incident Reporting Template via MAS-Tx. Alternative submission channels will only be acceptable where technical constraints prevent use of the platform, and Financial Institutions are expected to consult their MAS Review Officer to agree on an alternative arrangement.

2. Two-Stage Reporting Structure

The updated template comprises a two-stage reporting process. For the purposes of this framework, an incident refers broadly to a reportable operational, technology, cyber, or third-party event that triggers notification obligations under applicable MAS regulations. An Initial Incident Report must be submitted as soon as possible, and no later than 24 hours from the point of incident discovery. This initial submission is intended to provide MAS with a clear overview of what happened, when it occurred, and the preliminary impact on systems, services, and customers.

A Final Incident Report must be submitted within 14 days of discovery, incorporating updates, investigation findings, root cause analysis, and the remediation actions taken or planned. Separate from these submissions, Financial Institutions remain required to notify MAS promptly upon discovering a reportable incident, in accordance with timelines under the applicable regulations and guidelines.

3. Continued Emphasis on Timely Notification

Financial Institutions are expected to notify MAS promptly upon discovering a reportable incident, in line with timelines prescribed under the applicable acts, notices, or guidelines. Notification remains a critical first step and is separate from the formal submission of the incident report through MAS-Tx.

4. Broader Regulatory Coverage

The revised template applies across a wide range of regulatory areas, including Technology Risk Management, Outsourcing, Business Continuity, Payment Services, and Securities and Futures Regulations. As a result, Financial Institutions should ensure that the updated reporting approach is understood across technology, operations, compliance, and risk functions.

Beyond reinforcing existing expectations, the revised template also provides greater clarity around how incident reporting is expected to operate in practice.

What Has Changed

MAS has required incident reporting using prescribed templates for many years, and most Financial Institutions will already be familiar with earlier versions. The revised template builds on this foundation by providing greater structure around how incidents are described, assessed, and managed through to resolution.

Earlier templates relied heavily on narrative descriptions, leaving significant discretion in how incidents were described and assessed. While professional judgement remains important, the revised template introduces clearer data fields and more structured sections, particularly around incident description, impact assessment, and remediation. This makes it easier for supervisors to compare incidents across Financial Institutions and over time.

The clearer distinction between initial and final reporting is another important change. In the past, information was often provided through a mix of notifications, interim updates, and full reports. The revised template brings greater clarity to what is expected at each stage of the incident lifecycle, while recognising that facts may evolve as investigations progress.

The revised template also reflects closer alignment with international supervisory practices, with more emphasis on common data points such as incident type, affected services, and severity indicators. In addition, the move to MAS-Tx as the primary submission channel represents a practical shift that has implications for internal workflows and access management.

Why Incident Reporting Remains a Supervisory Focus

Financial Institutions operate in an environment increasingly exposed to cyber, technology, and third-party risks. Incidents arising from these risk areas can escalate quickly, affecting customer access, data integrity, and confidence in the financial system.

Recent developments in Singapore illustrate this risk landscape. Banks have faced a sustained volume of attempted cyber intrusions, with industry reporting indicating an average of more than 1,800 cyberattacks per week over a six-month period, underscoring the persistent threat environment and the growing demands placed on detection and response capabilities (Asian Banking & Finance, 2025). At the same time, service disruptions affecting digital banking and e-payment channels have drawn public attention, demonstrating how operational faults can rapidly translate into customer-facing issues and broader scrutiny (Channel NewsAsia, 2023).

Separately, a ransomware attack involving a third-party data services vendor highlighted the complexity of modern operational risk. Although core banking systems and customer access credentials were not directly compromised, the incident resulted in the potential exposure of thousands of customer statement records and prompted regulatory engagement by MAS and the Cyber Security Agency of Singapore (Reuters, 2025). This illustrates how dependencies outside an institution’s immediate control can still give rise to supervisory and reputational consequences.

From a supervisory perspective, these developments reinforce the importance of clear escalation, disciplined communication, and consistent incident disclosures. The updated incident reporting framework provides insight into how MAS expects Financial Institutions to respond, escalate, and communicate as operational incidents unfold. Clear and consistent reporting enables regulators to assess systemic impact, identify emerging risk patterns, and engage Financial Institutions at an early stage where supervisory intervention may be required.

The updated MAS template gives practical effect to these supervisory objectives by standardising incident disclosures and enhancing the consistency and decision-usefulness of information submitted.

Linking Case Context to Regulatory Reporting Practices

While incidents may vary in nature, whether cyber intrusions, system outages, or third-party failures, supervisory expectations increasingly converge around three core principles.

1. Timeliness: Early escalation enables regulators to develop situational awareness and assess potential customer or systemic impact before issues compound.
2. Clarity: Structured reporting reduces ambiguity and ensures that key facts, impacts, and mitigation actions are communicated consistently.
3. Governance: Incident reporting is not purely a technical exercise, but a reflection of how effectively internal escalation, decision-making, and oversight operate under stress.

The revised reporting template and the move to MAS-Tx reinforce these principles in practice.

Preparing Ahead of 1 February 2026

With the impending effective date approaching, Financial Institutions may wish to use this period to review their internal processes and test their operational readiness. This may include updating internal incident response playbooks, validating escalation thresholds, confirming MAS-Tx access and user roles, and ensuring that reporting responsibilities are clearly understood across technology, operations, risk, and compliance teams.

Advance preparation can materially reduce execution risk during an actual incident, when time pressures, information gaps, and supervisory scrutiny often coincide.

How Curia Regis Can Assist

As a regulatory compliance advisory firm, Curia Regis works with Financial Institutions to support their ongoing regulatory obligations in Singapore.

In relation to incident reporting, we assist clients with reviewing and strengthening incident response frameworks, interpreting supervisory expectations, and preparing for updated reporting requirements. Our support includes readiness assessments, process reviews, and practical guidance to help Financial Institutions operationalise regulatory changes in a proportionate, effective, and defensible manner.

For Financial Institutions seeking further clarity or support in relation to the updated incident reporting framework, please feel free to contact us or reach out at admin@thecuriaregis.com.