Broadening of Regulatory Scope From “Outsourcing” to All “Third-Party Arrangements”

The Monetary Authority of Singapore (“MAS”) has issued a consultation paper proposing new Third-Party Risk Management Guidelines (“the Guidelines”), which, if implemented, will supersede the existing Guidelines on Outsourcing. 

The proposed framework broadens MAS’ supervisory expectations by extending oversight beyond traditional outsourcing to a wider range of third-party service relationships entered into by Regulated Financial Institutions (“RFIs”). As a result, RFIs will be expected to implement stronger governance, risk assessment, due diligence, monitoring, and oversight measures across the lifecycle of these arrangements. This includes service relationships that historically fell outside the scope of the existing Outsourcing Guidelines.

The Guidelines adopt a lifecycle-based approach to third-party risk management. This aligns with standards issued by the Financial Stability Board (“FSB”) and the Basel Committee on Banking Supervision (“BCBS”). The framework covers risk assessment, due diligence, contracting, ongoing monitoring, and termination. More broadly, the proposal reflects MAS’ continued focus on operational resilience, governance, and accountability over increasingly complex third-party ecosystems.

Importantly, the Guidelines are not limited to outsourcing arrangements involving the delegation of business functions. Instead, they apply to third-party arrangements that could materially affect the institution’s operations, customers, data security, or regulatory obligations. This includes technology subscriptions, data providers such as Bloomberg and Refinitiv, intragroup shared-service arrangements, and professional service providers such as legal counsel and external auditors, which historically fell outside the scope of the existing Outsourcing Guidelines.

MAS also reaffirms that cloud services continue to be treated as outsourcing arrangements. These services remain subject to the same oversight and risk-management expectations. RFIs remain ultimately accountable for managing the risks associated with these arrangements.

As a result, the Guidelines materially expand regulatory expectations for fintech partnerships, SaaS providers, cloud vendors, data service providers, and intragroup support arrangements. The Guidelines now bring these arrangements within a single, principles-based framework.

MAS Third Party Risk Singapore: Scope and Applicability

The Guidelines apply across a broad range of RFIs regulated by MAS. This includes Payment Services entities, insurance companies, and Capital Markets Services (“CMS”) licence holders. The proposed framework extends to both external and intragroup arrangements. This applies even where the arrangement was not traditionally classified as outsourcing.

MAS adopts a proportionality principle. Risk-management frameworks must remain commensurate with the institution’s size, complexity, and the materiality of the arrangement. MAS has proposed a six-month transition period following the issuance of the final Guidelines. This allows RFIs time to update internal processes, governance, controls, and contracts.

In practice, many RFIs will face operational challenges consolidating third-party inventories and governance processes, particularly where arrangements are managed across decentralised compliance, operations, technology, procurement, and business functions.

Key Third-Party Risk Considerations

Risk Assessment Framework

The Guidelines require RFIs to conduct tailored risk assessments for each third-party arrangement. These assessments should evaluate the arrangement’s nature, materiality, and potential impact. They should consider both financial and non-financial risks. These include operational disruption, reputational exposure, data risks, and supply-chain dependencies arising from subcontracting arrangements. The outcome of the assessment should determine the level of due diligence, governance oversight, and controls applied to the arrangement.

Due Diligence Requirements

RFIs should perform robust due diligence before entering, renegotiating, or renewing third-party arrangements. RFIs should also conduct periodic reassessments thereafter. This includes assessing the provider’s financial and business viability, reputation, track record, and ability to deliver against agreed service levels. RFIs should also assess governance and risk-management capabilities, including technology risk-management controls, business continuity arrangements, and compliance with applicable laws and regulations.

RFIs may engage third parties to assist with these assessments. However, accountability for ensuring the adequacy of the due diligence process ultimately remains with the RFI. The Guidelines further enhance existing expectations by emphasising on-site reviews, specialist involvement for technical assessments, checks on key service-provider personnel, and concentration risk assessments.

Governance and Oversight

The board and senior management retain ultimate responsibility for third-party risk oversight and governance implementation. This remains the case even where service providers perform day-to-day operational responsibilities. The board should approve the third-party risk-management strategy and set risk appetite and tolerance. Independent audits should also be conducted periodically. Senior management should establish clear policies, standards, and procedures governing the lifecycle of third-party arrangements, while ensuring that staff responsible for managing such risks have appropriate training, authority, and resources.

Ongoing Monitoring and Reporting

In practice, MAS’ third-party risk framework in Singapore requires RFIs to strengthen governance, monitoring, and subcontractor oversight across third-party arrangements. RFIs must establish ongoing oversight mechanisms to monitor provider performance and compliance with contractual obligations. This includes regular reporting to senior management and the board on material performance issues, recurring audit findings, and adverse developments such as operational disruptions. Larger institutions may also establish cross-functional governance forums to oversee material third-party relationships and remediation efforts.

The Guidelines also introduce a new obligation requiring RFIs to maintain and submit a register of third-party arrangements to MAS using the template set out in Annex B. At a minimum, the register should capture material arrangements and, where possible, material subcontracting dependencies. RFIs must submit the register semi-annually or upon MAS’ request. In practice, many RFIs may need to reassess whether existing governance, procurement, and data management processes are capable of supporting the level of visibility contemplated under the proposed framework.

Management of Subcontractors

The Guidelines extend RFI management expectations to material subcontractors, recognising that subcontracting may introduce additional operational, concentration, and oversight risks. RFIs must be able to monitor and manage such risks, including through requirements for prior written notification before providers engage material subcontractors.

MAS also highlights risks arising from “pass-through subcontracting”, where providers subcontract substantial portions of services to downstream parties. RFIs should take reasonable steps to ensure that material subcontractors meet standards comparable to those imposed on primary providers. This may include cascading contractual requirements across the supply chain to safeguard the confidentiality, integrity, and availability of RFI information.

In practice, RFIs are likely to incorporate provisions requiring providers to remain accountable for subcontractor performance, notify the RFI of material subcontracting changes, and ensure prompt escalation of adverse incidents involving downstream providers.

However, RFIs may encounter practical constraints when negotiating such rights with large global cloud and AI providers, whose standardised contractual models may not always align neatly with MAS’ supervisory expectations, particularly where subcontracting chains lack direct contractual visibility.

How Curia Regis Can Help

We can help you interpret the Guidelines and develop, review, and strengthen third-party risk-management frameworks aligned with MAS expectations. Our support includes gap assessments, governance and policy development, lifecycle controls, and assistance with third-party inventories and registers.

    • MAS Alignment & Gap Analysis: Review and update third‑party risk frameworks to identify compliance gaps against the proposed MAS Guidelines.

    • Governance & Strategy: Refine policies and committee mandates to ensure the board and senior management have clear accountability and oversight.

    • Lifecycle & Contract Advisory: Provide guidance on end‑to‑end processes, from risk assessment and due diligence through to mandatory contractual provisions.

    • Risk & Performance Monitoring: Map supply‑chain dependencies and establish ongoing audit schedules and KPIs to manage concentration risk and service‑provider performance.

To find out how we can support your organisation, please contact us.

This Post Has One Comment

  1. kimi

    Good Article
