Analysis of the Monetary Authority of Singapore Consultation Papers on Third-Party and Operational Risk Management


Introduction: The Regulatory Context of Consultation

The Monetary Authority of Singapore (the “Authority”) has released two significant consultation papers: the Consultation Paper on Proposed Guidelines on Third-Party Risk Management (the “TPRM”) and the Consultation Paper on Updated Guidelines on Operational Risk Management (the “ORM”). It is important to emphasise that these papers are proposals open for industry feedback, not final regulations.

The consultation process is a core feature of the Authority’s regulatory approach, and the final scope, timing, calibration, and transition arrangements may still change in response to industry feedback.

This article analyses the proposed enhancements, places them in context, and identifies practical issues Financial Institutions (“FIs”) may wish to consider both in preparing consultation responses and in assessing the possible implications if the proposals are adopted, whether in their current or a modified form.

The Strategic Importance of the Consultation Process

For FIs, proactive engagement with these papers is strategically important precisely because the outcome is not yet settled. The consultation window is not only a preview of possible future expectations; it is also an opportunity for firms to help shape the final framework.

Engagement offers three distinct advantages. First, it provides an opportunity to shape regulatory outcomes through practical input on proportionality and implementation timing. Second, it demonstrates proactive governance to supervisors. Third, it allows firms to conduct gap assessments without premature lock-in to implementation approaches that may need to change once the final framework is published.

The Global Regulatory Context: Alignment with International Standards

The Authority’s proposals do not arise in isolation. Across major jurisdictions, regulators have been moving toward broader and more integrated frameworks for operational resilience, third-party dependency management, and board accountability. International standard-setters, including the Financial Stability Board and the Basel Committee on Banking Supervision, have reinforced this direction of travel.

That broader context helps explain why the Authority’s consultation papers focus on themes such as expanded scope beyond traditional outsourcing, structured life cycle management, concentration risk, operational resilience, and stronger governance. Even so, the existence of global trends does not mean the final Singapore framework is predetermined. The Authority may still calibrate the final requirements in a way that reflects local market structure, proportionality concerns, and feedback from industry. With that context established, the specific proposals reveal both continuity with existing practice and meaningful evolution across two interconnected workstreams.

That continuity is grounded in the Authority’s own supervisory track record. Its thematic inspections of banks conducted in 2020 and 2021, the findings of which were published in its August 2022 Information Paper on Operational Risk Management, identified material weaknesses in exactly the areas the current proposals now seek to formalise, including governance of non-outsourcing arrangements, subcontractor oversight, concentration risk analysis, and the independence of second-line challenge.

Proposed Guidelines on Third-Party Risk Management (TPRM)

Of the two consultation papers, the proposed TPRM may represent the more significant change in regulatory perimeter and process. The proposal would move beyond the narrower concept of outsourcing and would place a broader range of third-party relationships within a more formal risk management framework if adopted.

While the proposed TPRM introduces several significant new requirements, it is also important to distinguish these from areas where the Authority is proposing an extension and deepening of existing expectations. Under the current Guidelines on Outsourcing (e.g., the version effective December 2024 for non-bank FIs), FIs are already expected to perform due diligence, manage business continuity, ensure audit rights, and submit an annual outsourcing register. The true step-change in the TPRM proposal lies in three key areas:

  • the significantly wider scope beyond traditional outsourcing to all “third-party arrangements”;
  • the more demanding data collection via a semi-annual register that explicitly includes material subcontractors; and
  • the more explicit and stringent treatment of the entire third-party lifecycle, including subcontracting chains, direct cooperation with the Authority, and termination rights.

Proposed Enhancement: From “Outsourcing” to All “Third-Party Arrangements”

The cornerstone of the proposal is the expansion in scope from “outsourcing arrangements” to “third-party arrangements” more generally. This shift would materially broaden the population of vendor and service-provider relationships that may need to be inventoried, assessed, governed, and monitored under a dedicated framework.

  • Existing Framework: Under the current outsourcing approach, the focus has generally been on services that an FI could perform itself. That has historically left a range of external dependencies outside the core outsourcing framework.
  • Proposed Framework: The proposed concept of a third-party arrangement is much broader and would extend to formal arrangements for the provision of services by external providers. That may bring a much wider ecosystem of vendors within scope.
  • Data and Market Information Providers: Providers such as Bloomberg, Refinitiv, and credit rating agencies may fall within the proposed framework.
  • Professional Services: Engagements with legal counsel, external auditors, and management consultants may also need to be considered more systematically.
  • Other Technology Service Providers: SaaS vendors, cloud providers, enterprise software providers, and FinTech partners may become more clearly subject to structured third-party risk governance if the proposal is finalised.

Importantly, the proposals also clarify the boundaries of this expanded scope. The consultation retains existing exemptions for certain services and proposes adding Financial Market Infrastructures (“FMIs”) and utilities to the exempt list. While this is a critical operational detail that helps scope the inventory exercise, the paper notes that FIs are still expected to have appropriate business continuity and incident response plans to manage the risks arising from their use of these exempt services.

Proposed Principle of Proportionality: A Requirement for Strategic Judgment

The consultation paper proposes that implementation should be commensurate with the size and complexity of the FI and the nature and materiality of the relevant third-party services. That is an important signal that the Authority is not necessarily expecting identical implementation across all institutions. However, it also means that firms may need to develop, document, and defend their own methodology for deciding what proportionality looks like in practice.

  • Opportunity: A proportional approach may allow institutions to calibrate governance, diligence, approval, and monitoring requirements by reference to materiality rather than applying the same control set to every arrangement.
  • Practical Question: Because the consultation is still open, important issues remain in play, including how materiality should be assessed, what level of documentation the Authority will expect, and whether clearer thresholds or examples will be provided in the final guidance.

Proposed Enhancements to Governance and Accountability

The TPRM also proposes to elevate third-party risk more clearly to the level of board and senior management responsibility. If adopted, this could formalise expectations around oversight structures, reporting, risk appetite, and accountability for material arrangements.

  • Board Role: The board may be expected to approve the overall framework, set the institution’s risk appetite and tolerance for third-party risk, and oversee the approach to assurance over material arrangements.
  • Senior Management Role: Senior management may be expected to ensure implementation, allocate resources, monitor key exposures, and report emerging issues to the board in a timely and coherent way.

This new governance model is fortified by enhanced supervisory powers. The proposals explicitly expect FIs to ensure, via contractual obligation, that their service providers cooperate directly with the Authority during adverse developments by providing timely information. The consultation paper notes that where cooperation is lacking or risks are not effectively mitigated, the Authority may direct an FI to terminate the arrangement.

Proposed Structured Life Cycle Management

A further feature of the proposal is the move toward a more structured life cycle approach covering risk assessment, due diligence, contracting, onboarding, ongoing monitoring, and exit planning. Many firms will already have pieces of this in place, but the consultation paper suggests a more consistent and documented end-to-end approach.

  • Contracting Expectations: The proposed provisions appear to contemplate rights of audit, sub-contracting controls, cooperation during adverse events, and more explicit treatment of data ownership, access, and termination.
  • Practical Negotiation Challenges: These provisions may prove difficult to negotiate with large global service providers, including cloud vendors and AI providers whose standard terms do not always align neatly with regulated-sector expectations.
  • Exit and Resilience Planning: The proposals also indicate a stronger focus on plausible termination scenarios, service continuity, and the ability to transition away from critical providers where necessary.

Deepening Oversight of Subcontractor and Supply Chain Risk

A particularly challenging aspect of the proposed lifecycle management—and a key area of heightened supervisory focus—is the management of subcontractor risk. The proposals identify this as a primary operational hurdle, requiring FIs to move beyond a passive acceptance of their vendors’ supply chains toward a more active governance posture. This creates a significant new challenge in supply-chain visibility, as FIs often lack direct contractual privity with their vendors’ vendors.

The following practical measures represent current industry good practice for addressing these requirements.

Practical Approach to Subcontractor Oversight

Effective management of this “fourth-party” risk under the proposed framework would require a multi-faceted approach spanning contractual protections, enhanced due diligence, resilience testing, and strategic supply chain mapping.

  • Contractual Levers: The primary tool is the negotiation of robust contractual rights with the direct service provider. This includes securing the right to receive prior written notification of any new material subcontractors, making the primary vendor explicitly liable for the actions and resilience of its subcontractors, and embedding “flow-down” provisions that require the subcontractor to adhere to key standards on data confidentiality, security, and audit access.
  • Enhanced Due Diligence: Due diligence on a primary vendor should extend to an assessment of their own third-party risk management framework. FIs should inquire about the vendor’s processes for selecting, monitoring, and testing their own critical suppliers.
  • Scenario-Based Resilience Testing: Business continuity and exit planning should incorporate severe but plausible scenarios involving the failure of a key, unnamed subcontractor. For example, an FI using a critical SaaS provider for trade reporting should test its resilience not only to the failure of the SaaS vendor itself but also to a widespread outage of the underlying public cloud infrastructure on which the SaaS platform operates.
  • Strategic Mapping of Concentration Risk: FIs should use the process of compiling the new semi-annual register to strategically map their supply chain dependencies. This allows for the identification of hidden concentration risks, such as discovering that three otherwise unrelated, material service providers are all critically dependent on the same niche fourth-party cybersecurity or data processing firm.
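The two list items on scenario-based resilience testing and strategic mapping of concentration risk both reduce to the same analysis: treat the register as a dependency graph and query it. The following Python script is an added example, not part of the consultation papers, the Authority’s guidance, or any firm’s tooling. It runs over a small register that is constructed here for illustration (the provider, service and subcontractor names are hypothetical), and it assumes that every subcontractor a provider discloses is load-bearing for that service, a deliberately conservative reading suited to severe-but-plausible testing.

```python
"""Fourth-party concentration mapping over a constructed third-party register.

Added example (not MAS guidance and not any firm's own tooling). The register
is modelled as a dependency graph to answer two questions raised in the text:
which fourth parties are shared by several material providers, and which
material services are lost if one provider or subcontractor fails.
All names, fields and register entries below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrangement:
    provider: str              # the FI's direct counterparty
    service: str               # business service the FI receives
    material: bool             # materiality as assessed by the FI
    subcontractors: tuple = () # (fourth_party, role) pairs disclosed by the provider


# Constructed sample register: hypothetical vendors, not real companies.
REGISTER = [
    Arrangement("TradeReport SaaS", "trade reporting", True,
                (("CloudCo ap-southeast-1", "hosting"), ("NicheSec Ltd", "managed SOC"))),
    Arrangement("PayGateway Ltd", "payments", True,
                (("CloudCo ap-southeast-1", "hosting"), ("NicheSec Ltd", "managed SOC"))),
    Arrangement("KYC Screen Inc", "sanctions screening", True,
                (("NicheSec Ltd", "log monitoring"), ("DataLake BV", "data processing"))),
    Arrangement("Canteen Services", "staff catering", False,
                (("NicheSec Ltd", "CCTV monitoring"),)),
]


def shared_fourth_parties(register, min_dependents=2):
    """Map each fourth party to the material providers that rely on it, keeping
    only fourth parties reached through at least `min_dependents` material
    arrangements. Non-material arrangements are skipped so they cannot inflate
    the count; the threshold is a hypothetical risk-appetite setting."""
    dependents = defaultdict(set)
    for arr in register:
        if not arr.material:
            continue
        for fourth_party, _role in arr.subcontractors:
            dependents[fourth_party].add(arr.provider)
    return {fp: sorted(provs) for fp, provs in dependents.items()
            if len(provs) >= min_dependents}


def blast_radius(register, failed_party):
    """Material services lost if `failed_party` (a direct provider or a
    subcontractor) becomes unavailable. Assumes every listed subcontractor is
    load-bearing for its service, i.e. the severe-but-plausible case used for
    continuity and exit testing."""
    impacted = set()
    for arr in register:
        if not arr.material:
            continue
        depends = arr.provider == failed_party or any(
            fp == failed_party for fp, _role in arr.subcontractors)
        if depends:
            impacted.add(arr.service)
    return impacted


if __name__ == "__main__":
    for fp, provs in shared_fourth_parties(REGISTER).items():
        print(f"concentration: {fp} underpins {len(provs)} material providers: {', '.join(provs)}")
    for party in ("CloudCo ap-southeast-1", "TradeReport SaaS"):
        print(f"loss of {party} impacts: {sorted(blast_radius(REGISTER, party))}")
```

On the sample register the script surfaces the pattern the text describes: three otherwise unrelated material providers all depend on the same niche security firm, and two share the same cloud region, while the catering arrangement’s use of that firm is ignored because it is not material. The same graph answers the resilience question for the SaaS example in the text, since a failure of the hosting region removes more services than a failure of the SaaS vendor alone. A real register would add disclosure date, jurisdiction and the role each subcontractor plays, and should refuse to count a provider whose subcontractor list has not been refreshed within the semi-annual cycle.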

Proposed Mandatory Register and Reporting

One of the most operationally concrete proposals is the requirement to maintain a register of material third-party arrangements and submit information to the Authority on a regular basis. This proposal would require stronger central visibility over vendor data, ownership, materiality, and reporting lines.

  • Data and Systems Implications: Manual tracking may not be sufficient for a framework that requires consistent, repeatable, and auditable identification of material arrangements across the institution.
  • AI Inventory Implications: The register’s data requirements will also be relevant to emerging technology categories discussed below.

Proposed Updated Guidelines on Operational Risk Management (ORM)

The proposed ORM updates are more than complementary to the TPRM; they provide the foundational architecture for the entire non-financial risk framework. Four areas of structural change are particularly significant.

  • A Highly Structured ORM Framework: The guidelines propose a more prescriptive framework requiring FIs to formally document their risk appetite and tolerance, establish a common taxonomy of operational risk terms, maintain an inventory of controls mapped to identified risks, and ensure processes for independent review and challenge by the second line of defence.
  • Specific Public Disclosure for D-SIBs/D-SIIs: The proposal for public disclosure is targeted at Domestic Systemically Important Banks and Insurers (D-SIBs/D-SIIs). It is more specific than a general statement, expecting disclosure of not only the ORM approach but also significant operational loss events, all governed by a formal, board-approved disclosure policy.
  • Formalised Change Management: The paper points toward a more formal process for assessing operational risk arising from organisational and technological change. This has particular relevance for major transformation initiatives, including cloud migration, vendor transitions, and the rollout of AI-enabled tools.
  • Reinforcement of the Three Lines of Defence: The proposals reinforce the roles of the three lines, placing emphasis on the independence and capability of the second and third lines to challenge business decisions and oversee risk.

These structural requirements provide the foundation upon which third-party risk management must be built.

Cumulative Impact of the Proposals: An Integrated Framework

Viewed together, the two consultation papers suggest an integrated approach to operational resilience in which third-party risk is treated as a core domain within the broader operational risk framework. The third-party inventory, governance, monitoring, and reporting obligations contemplated by the TPRM would not sit in isolation; they would feed directly into board reporting, change governance, incident response, and enterprise operational risk oversight.

AI tools illustrate that interaction clearly. The same AI arrangement may need to be considered both as a third-party relationship and as a source of operational risk arising from data usage, model behaviour, concentration risk, continuity concerns, and change management. For that reason, the consultation papers may be especially relevant to firms that are scaling their use of third-party AI services across front-office, control, and back-office functions.

At the same time, the eventual implementation effort will depend heavily on the final drafting, the Authority’s treatment of proportionality, and the practical calibration that emerges after industry feedback. Notably, the consultation paper contemplates a six-month transition timeline, which underscores the importance of early preparation even while the final framework remains open. It would therefore be premature to treat every proposal as a settled requirement, but equally premature to defer all preparatory work until the final guidelines are issued.

How Third-Party AI Arrangements are Likely to be Captured

Third-party AI and Machine Learning arrangements are likely to fall within the expanded scope covering all “third-party arrangements.” This can be reasonably inferred from the draft’s reference to managing risks from “new or advanced technologies” and the ORM draft’s requirement for structured change management for new IT systems.

This includes subscriptions to generative AI assistants, access to model APIs, AI-enabled surveillance tools, and software products with embedded AI functionality. The risks are significant: these tools may process confidential data, influence material business decisions, and depend on complex supply chains. If the proposals are adopted, FIs will need to assess the materiality of these arrangements, perform due diligence, and establish governance around data use, resilience, and concentration risk. Given the Authority’s parallel and detailed consultation on AI-specific risks, it is a prudent assumption that material third-party AI arrangements will be a key area of supervisory focus under the final TPRM framework.

Conclusion and Near-Term Considerations

These consultation papers appear to signal a meaningful supervisory direction of travel toward a broader and more integrated approach to non-financial risk management. But direction of travel is not the same thing as a final rule. At this stage, the proposals should be read as an important consultation signal rather than as settled obligations.

As the industry formulates its feedback, consultation responses are likely to highlight certain key implementation themes. Specifically, the industry may advocate for:

  • Explicit regulatory recognition of independent assurance mechanisms, such as SOC 2 reports and ISO certifications, to satisfy due diligence and audit requirements in a more scalable manner.
  • Clearer materiality thresholds and the formalisation of risk-tiered vendor classifications to ensure the principle of proportionality can be applied consistently and defensibly.

FIs should monitor this industry dialogue as it will provide further context for the Authority’s final position.

Individual institutions can complement this industry engagement with internal preparatory steps. In that spirit, FIs may wish to consider the following near-term actions during the consultation period:

  • Form a Cross-Functional Working Group: Bring together Risk, Compliance, Legal, IT, Procurement, Operations, and relevant business teams to review the proposals in a coordinated way.
  • Conduct an Initial Gap Assessment: Compare existing frameworks against the consultation proposals and identify where additional information, governance, or systems visibility may be needed if the proposals are adopted.
  • Map Third-Party AI Usage: Build a clearer view of AI tools, model-enabled vendors, and AI-related service dependencies across the organisation so that these can be assessed within the broader third-party and operational risk picture.
  • Prepare a Consultation Response and Scenario-Based Roadmap: Consider where feedback to the Authority would be most valuable and develop preparatory scenarios that support readiness without assuming that the final framework will mirror the consultation draft in every respect.

The overarching objective of these steps is not to pre-empt the final framework, but to ensure that institutions are well-positioned to respond efficiently once it is settled—and to engage constructively in the consultation process that will shape it.

HM is positioned to support institutions in navigating this evolving landscape. We assist firms in analysing the proposals, shaping practical consultation responses, and designing proportionate governance frameworks for third-party and operational risk, including for complex areas such as AI adoption. Our focus is to provide independent, board-level advice that helps firms build readiness while preserving flexibility pending the final position promulgated by the Authority.

For further information, please contact:

Chris Holland
Partner
[email protected]

Frederic Thieltgen
Partner
[email protected]

Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.
