Regulatory Updates March 2026 – APAC Region

The Monetary Authority of Singapore (MAS) has recently taken enforcement actions in connection with anti-money laundering and countering the financing of terrorism (AML/CFT) breaches.

1. Prohibition Orders Against Former Relationship Managers – 17 March 2026

MAS has issued prohibition orders (POs) against two former relationship managers, Mr Wang Qiming (Mr Wang) and Mr Liu Kai (Mr Liu), in connection with their involvement in misconduct linked to the major money laundering case in August 2023.

They were found to have:

• Assisted clients in circumventing AML/CFT controls
• Handled or facilitated suspicious transactions
• Engaged in misconduct, including the falsification of documents.

Following its assessment, MAS imposed:

• A 16-year prohibition order against Mr Wang
• A 7-year prohibition order against Mr Liu.

They are prohibited, for the duration of the POs from carrying on or providing any MAS-regulated activity or business, managing (directly or indirectly) any financial institution, and acting as a director, partner, or manager, or holding substantial shareholdings in any financial institution. In addition, Mr Wang was sentenced to 24 months’ imprisonment, while Mr Liu was sentenced to 4 months’ imprisonment.

For further information, please refer to the enforcement actions.

Enforcement Action Involving Capital Asia Investments – 9 March 2026

Separately, the MAS and Singapore Police Force launched an investigation into Capital Asia Investments Pte Ltd (CAI), a licensed fund management company following information received about possible unlawful activities.

As part of the ongoing investigation, two Directors of CAI were arrested and more than S$160m of assets were seized by the Singapore Police Force.

Preliminary findings have indicated potential serious deficiencies in the firm’s AML/CFT controls, including areas relating to customer due diligence and the monitoring and escalation of suspicious activities.

MAS has stated that investigations are ongoing and further regulatory actions may be taken depending on the outcome of these investigations.

For further information, please refer to the enforcement actions.

The Monetary Authority of Singapore (MAS) has issued a consultation paper on proposed updates to its Guidelines on Operational Risk Management (“ORM Guidelines”). The updated framework is intended to strengthen financial institutions’ resilience amid increasing digitalisation, reliance on third parties, and heightened cyber threats. The consultation closes on 20 April 2026 and industry participants may provide feedback.

The revised ORM Guidelines introduce a more structured, integrated and data-driven approach to operational risk management, requiring financial institutions to formalise their ORM frameworks, adopt quantitative monitoring tools (e.g., KRIs), and implement robust processes for risk identification, incident management, and control effectiveness.

There is increased emphasis on clearly defined risk appetite, strengthened Board and Senior Management oversight, and clear delineation of responsibilities under the three lines of defence model. The Guidelines also require integration of key risk areas — including technology, outsourcing, business continuity, and fraud — into a unified framework, with heightened focus on third-party risks, forward-looking risk assessments, and regular, data-driven reporting to support continuous improvement.

The proposed 2026 ORM Guidelines represent a material uplift from the 2013 framework, shifting MAS’ focus from the mere existence of policies to the effectiveness, integration and demonstrability of operational risk management.

In particular, the updated guidelines introduce formal change management requirements, expand expectations to group-wide and cross-border risk oversight, and impose more structured governance and accountability on boards and senior management.

MAS proposes providing a transition period of 6 months after the updated ORM Guidelines is issued, for FIs to meet the expectations set out.

Please view the consultation here.

The MAS has issued a consultation paper on its proposed Guidelines on Third-Party Risk Management (“TPRM”), which will supersede the existing outsourcing guidelines and significantly expand regulatory expectations on how financial institutions manage third-party arrangements.

The proposed Guidelines reflect MAS’ recognition of the increasing reliance on third-party service providers, including cloud, technology and intra-group arrangements, and the corresponding need for stronger oversight and risk management.

The proposed TPRM Guidelines significantly expand the scope beyond traditional outsourcing to cover all third-party arrangements, including technology and intra-group services, and require firms to implement a structured, ORM-aligned framework.

Key expectations include maintaining a centralised register of third-party arrangements, strengthening Board and Senior Management oversight, and adopting a full lifecycle approach to risk management — from due diligence and contracting to ongoing monitoring and termination. The Guidelines also emphasise enhanced due diligence, management of concentration and dependency risks, oversight of material sub-contractors, and the need for robust exit and contingency planning to ensure operational resilience.

Please view the consultation here.

On 5 March 2026, the Hong Kong Monetary Authority (HKMA), Securities and Futures Commission (SFC), Insurance Authority (IA) and Mandatory Provident Fund Schemes Authority (MPFA) jointly issued a circular announcing the expansion of the Generative Artificial Intelligence Sandbox to GenA.I. Sandbox++, open to multiple financial sectors, with applications required by 30 June 2026. (circular)

The joint circular invites authorised institutions, licensed corporations, authorised insurers, licensed insurance broker companies, MPF approved trustees, principal intermediaries and stored value facility licensees to participate in the expanded GenA.I. Sandbox++. Building on the 2024 banking-sector sandbox, the initiative now covers securities and capital markets, asset and wealth management, insurance, MPF, and stored value facility sectors; provides complimentary access to GPU computing resources at Cyberport’s A.I. Supercomputing Centre, supervisory guidance from the respective regulators and technical support from Cyberport; and includes Collaboratory workshops with technology firms to develop sector-specific and cross-sector AI use cases through ideation and rapid prototyping.

This promotes responsible AI innovation to enhance operational efficiency, risk management and customer engagement across the financial industry. Applications should be submitted through each regulator’s dedicated channel; further details and assessment criteria are set out in the Annex.

For assistance or if you have any enquiries about this circular, please contact Waystone.

To view the circular, please click here.

On 13 March 2026, the Securities and Futures Commission (SFC) issued a circular to licensed corporations, SFC-licensed virtual asset service providers and associated entities on Anti-Money Laundering / Counter-Financing of Terrorism (AML/CFT), providing updates on FATF statements and Plenary outcomes, with immediate effect. (circular)

The SFC circular reminds licensed firms to:

1. Apply FATF countermeasures to high-risk jurisdictions:

• Democratic People’s Republic of Korea – robust implementation of targeted financial sanctions and countermeasures due to proliferation financing risks
• Iran – effective countermeasures due to ongoing terrorist financing and proliferation financing threats
• Myanmar – enhanced due diligence proportionate to risks.

2. Take note of jurisdictions under increased monitoring:

• Kuwait and Papua New Guinea have been added to the FATF list; firms should consider the information in their risk analysis and monitor FATF updates.

3. Review key FATF Plenary outcomes (11–13 February 2026):

• Report on cyber-enabled fraud and the role of AML/CFT tools in prevention and victim redress (published 24 February 2026)
• Report on risks of offshore virtual asset service providers and regulatory gaps exploited by criminals (published 11 March 2026)
• Targeted report on stablecoins and unhosted wallets highlighting illicit finance risks and recommended controls (published 3 March 2026).

For assistance or if you have any enquiries about this circular, please contact Waystone.

To view the circular, please click here.

On 16 March 2026, the Securities and Futures Commission (SFC) issued a circular to licensed corporations on documentation updates for OTC derivatives trade reporting, attaching the HKMA’s Notice issued on the same date. (circular)

The SFC circular reminds licensed corporations of the HKMA’s updates to the Reference Manual for the Over-the-counter Derivatives Trade Repository (HKTR) following the ISO 20022 implementation. Effective 16 March 2026, the HKTR system now supports regular archiving of historical OTC derivatives transaction data, valuations, margin and collateral during the revised Sunday maintenance window. Weekday and Saturday operating hours remain unchanged.

Licensed corporations subject to mandatory reporting obligations should refer to the HKMA Notice and the updated Reference Manual, Operating Procedures and technical documents on the HKTR Info page for full details.

For assistance or if you have any enquiries about this circular, please contact Waystone.

To view the circular, please click here.