16 March 2026

On 6 March 2026, the Monetary Authority of Singapore (“MAS”) published a consultation paper seeking feedback on the proposed Guidelines on Third-Party Risk Management (“Guidelines”). The consultation closes on 20 April 2026.

Financial institutions (“FIs”) routinely leverage third-party services to support their operations and the delivery of services to their customers. While this can bring cost efficiencies and other benefits, it also introduces risks that require careful management by FIs. For example, an adverse event at the service provider could lead to an operational disruption at the FI or a loss of customer information.

In line with FIs’ evolving use of third-party services beyond outsourcing, MAS proposes to introduce the Guidelines to set out its expectations of an FI that has engaged or is planning to engage third-party services, incorporating guidance from international standard setting bodies such as the Financial Stability Board and the Basel Committee on Banking Supervision. The Guidelines will supersede the Guidelines on Outsourcing (Banks) and Guidelines on Outsourcing (Financial Institutions other than Banks) and expand the application of the relevant expectations currently imposed on outsourced services to all third-party services.

For banks and merchant banks, MAS Notice 658 on Management of Outsourced Relevant Services for Banks and Notice 1121 on Management of Outsourced Relevant Services for Merchant Banks (collectively, “Notices”) will remain in effect and continue to set baseline requirements for banks and merchant banks in their management of outsourcing arrangements. Banks and merchant banks should comply with the Notices in addition to meeting the expectations in the Guidelines. Where there are arrangements for third-party services (including outsourcing arrangements) which involve disclosure of customer information, banks and merchant banks must also ensure that such disclosures comply with section 47 of the Banking Act 1970.

The key features of the Guidelines are set out below.

Proportionality 

The extent and degree to which an FI implements the expectations in the Guidelines should be commensurate with the size and complexity of the FI and the nature of risks in, and materiality of, the third-party services the FI uses. This approach seeks to balance the effort required of FIs to observe expectations with the level of risks that the third-party services pose to the FIs.

Oversight over an FI's branch and/or subsidiary

An FI with a branch or subsidiary under it, and which is (i) subject to consolidated supervision by MAS; or (ii) an owner of critical information infrastructure, is expected to consider the impact of third-party services used by its branch and/or subsidiary, including those located outside Singapore, on its consolidated operations. Such an FI should ensure the Guidelines are observed by its branches and subsidiaries by applying a third-party risk management framework that is in line with the Guidelines. The FI is expected to have clear structures and processes by which its board and senior management discharge their roles in the oversight and management of third-party risks on the FI and its branches and subsidiaries. The FI should also notify MAS of adverse developments in the use of third-party services encountered by the FI’s branches or subsidiaries.

Record and register of third-party arrangements

For effective management of third-party risks, an FI should be able to (i) identify and monitor for changes in the risk materiality of its third-party arrangements; (ii) understand its concentration risk (e.g. at the service provider level or geographical level); and (iii) map dependencies and interconnections relating to its material third-party arrangements, where possible. One way to help achieve this is for the FI to maintain a record of its third-party arrangements, to the extent possible and practicable, and to update the record when there are new arrangements or changes to existing arrangements with risk implications.

MAS proposes that an FI should submit a register of third-party arrangements to MAS, using a proposed template, semi-annually and upon request. The register should minimally include all its material third-party arrangements (including material sub-contractors, where possible). For the avoidance of doubt, the requirements under the Notices continue to apply. Banks and merchant banks will only need to submit one register covering the third-party arrangements in scope, including (i) all ongoing outsourced relevant services obtained or received from a service provider; and (ii) all outsourced relevant services obtained or received from a service provider which involve the disclosure of customer information as set out in the Notices.

Governance, risk management, and strategy

The Guidelines set out the responsibilities of the board and senior management of an FI. These include ensuring adequate processes to provide a comprehensive FI-wide view of the FI’s risk exposures from third-party services, and incorporating the assessment and mitigation of such risks into the FI’s risk management framework. MAS will expect the FI to establish a third-party risk management framework that is aligned with the FI’s broader framework for management of operational risk and strategy for the use of third-party service providers. Further, an FI should have a third-party risk management strategy that is consistent with other relevant strategies (e.g. operational risk management strategy and technology risk management strategy) and its overall risk appetite. The Guidelines set out areas which an FI’s third-party risk management strategy should cover.

Third-party arrangement life cycle

The Guidelines provide guidance on the stages of a third-party arrangement’s life cycle:

  • Risk assessment: FIs should identify and assess the types and levels of risks, and the materiality of potential services provided through a third-party arrangement. The assessment should be performed when the FI is planning to enter into a third-party arrangement with an existing or a new service provider, or when there are major changes impacting the arrangement, and re-performed periodically as part of the approval, strategic planning, risk management, or internal control reviews of the FI’s third-party arrangements. The Guidelines provide guidance on factors that an FI should assess as part of risk assessment.
  • Due diligence: The Guidelines set out areas that could be covered when an FI performs due diligence on a service provider including general aspects of the service provider and the safeguarding of customer information. Banks and merchant banks will still be subject to the requirements under the Notices and will need to comply with the due diligence frequency set out in the Notices in respect of their material ongoing outsourced relevant services.
  • Contracting: The Guidelines set out MAS’ expectations on FIs’ agreements with service providers, including contractual terms that an FI should consider for inclusion. The proposed contractual terms incorporate existing MAS expectations as well as expectations from relevant publications from international standard setting bodies.
  • Onboarding and ongoing monitoring: The Guidelines provide guidance on measures that FIs should take to onboard and monitor their third-party arrangements. MAS proposes that FIs perform due diligence of third-party arrangements periodically, including whenever there are major changes at the FI, the service provider, or in the external environment that may impact the delivery of the service. The frequency for re-performing due diligence for a material third-party arrangement should be approved by the FI’s board and be commensurate with the risks posed by the arrangement. Specifically, the audit frequency of material third-party arrangements should be approved by the board and commensurate with the nature, scope, and complexity of the relevant service, and the nature and extent of risk and impact to the FI from the arrangements. Banks and merchant banks will still need to comply with the Notices, including the audit frequency set out in the Notices in respect of material ongoing outsourced relevant services.
  • Termination: An FI should have exit plans to cater for different plausible termination scenarios. The Guidelines provide guidance on the areas that should be provided in such plans. The Guidelines also set out the scenarios under which an FI should consider whether to terminate the service provider agreement for a third-party arrangement and the circumstances under which MAS may direct an FI to terminate the agreement.

Use of sub-contractors

As the use of sub-contractors can introduce additional risk into an FI’s supply chain, an FI must manage such risks even though it may not have a direct contractual relationship with the sub-contractors. Where possible, expectations in the Guidelines on FIs’ management of risks from service providers in material third-party arrangements should be read to extend to risks from material sub-contractors.

MAS proposes that FIs include material sub-contractors, to the extent possible and practicable, in their record of third-party arrangements. An FI will be expected, where possible, to ensure the service provider notifies the FI in writing prior to the engagement of a material sub-contractor.

Pass through sub-contracting, i.e. arrangements which involve an FI engaging a service provider which will sub-contract all or the bulk of the service which the service provider is engaged to provide to the FI, introduces additional layers between the FI and the eventual provider of the service. As this could weaken the ability of the FI to exercise effective oversight, MAS proposes that an FI should assess the risks involved, put in place mitigating measures, and ensure effective oversight.

MAS further proposes that for material third-party arrangements, an FI should take reasonable steps, on a risk proportionate and best effort basis, to ensure that material sub-contractors are held to similar standards as service providers, for example, through the inclusion of appropriate provisions in its service provider agreements to cascade certain contractual requirements to material sub-contractors.

Adverse developments

During an adverse development, a service provider is expected to cooperate with MAS by providing comprehensive and timely information. Where the level of cooperation is lacking, MAS will consider further action and, in egregious cases, request FIs to terminate or not renew their arrangements involving the service provider.

Exempted services

Under the existing Notices and Guidelines on Outsourcing, FIs are not subject to MAS requirements and expectations on outsourcing in respect of their use of “exempted services”. Exempted services comprise services wholly provided by the Government Technology Agency (GovTech) or its agents and services that are not performed for the conduct of any financial business of the institution (e.g. cleaning and gardening). MAS proposes to retain the exhaustive list of “exempted services” in the proposed Guidelines such that an FI that obtains or receives any exempted service does not need to observe the expectations in the proposed Guidelines in relation to the exempted services.

MAS further proposes that an FI’s use of financial market infrastructures (“FMIs”) and utilities be included as exempted services. This recognises the practical challenges of subjecting FIs’ use of FMIs and utilities to the expectations in the Guidelines.

Nonetheless, the use of exempted services can still pose significant risks to FIs, and FIs are expected to put in place adequate measures to manage risks arising from their use of such services. An FI should still have appropriate business continuity measures and incident response plans (e.g. during disruption or compromise of FI confidential information) to address risks from its use of exempted services.

Transition period

MAS proposes that the proposed Guidelines take effect six months from the date of issuance so as to provide FIs with a transition period to make the necessary arrangements, including to update third-party service agreements to meet the expectations set out under the Guidelines.

Pending the issuance of the Guidelines, MAS expects FIs to manage the operational, technology, and cyber risks associated with their third-party arrangements, such as by re-performing risk evaluations when there is a significant change or incident that affects the risk posture of the service provider. FIs must also establish robust business continuity measures and effective incident response mechanisms to minimise service disruptions caused by service provider-related incidents.

Reference materials

The following materials are available on this webpage of the MAS website www.mas.gov.sg:
