MAS Consults on Proposed Technology Risk Management Amendments to Strengthen Financial Sector Resilience
Aimed at strengthening Singapore’s financial sector resilience against emerging technology, cyber and AI-driven risks, the proposed amendments introduce enhanced compliance expectations for Financial Institutions (FIs).
FIs across banking, insurance, payments and capital markets have until 31 July 2026 to submit feedback on the proposed changes. Once finalised, FIs are expected to have a 12-month transition period to implement the requirements.
Affected Financial Institutions
The proposed updates are intended to standardise technology risk management expectations across several key sectors and would impact multiple MAS regulatory notices:
Banks and finance companies: Licensed banks (FSM-N05), merchant banks (FSM-N11) and finance companies (FSM-N09). Insurers and brokers: Licensed insurers, except captive insurers, marine mutual insurers and SPRVs (FSM-N03), and registered insurance brokers (FSM-N19). Payment Services: Designated payment system operators/settlement institutions and digital payment token (DPT) service providers (FSM-N13). Capital markets: Approved exchanges, clearing houses, trade repositories, benchmark administrators, capital markets services licensees and approved CIS trustees (FSM-N21). Credit Bureaus: Licensed credit bureaus (FSM-N17).Key Proposed Technology Risk Management Changes
The proposed MAS TRM amendments cover the following technology resilience, cyber risk and operational resilience domains:
- IT asset management – Maintain an accurate and up-to-date inventory of all IT assets.
- IT risk assessment and monitoring – Establish and maintain an IT risk management framework that includes risk assessments, a risk register and key risk indicators.
- Capacity planning and management – Implement a framework and process for capacity planning to manage critical systems.
- Change management – Ensure changes to systems are properly authorised, tested, managed and implemented.
- Continuous system and security monitoring – Continuously monitor system performance and security indicators for critical systems, with processes to respond to and remediate identified issues.
- Immutable or offline data backup – Maintain immutable and/or offline backups to enable timely restoration of services.
- Incident management – Implement an incident management framework and process to manage IT incidents effectively.
- Monitoring of unscheduled downtime – Include partial or intermittent disruptions when calculating unscheduled downtime for critical systems.
Together, these proposed changes signal MAS’ continued focus on strengthening technology governance, operational resilience and cyber preparedness across the financial sector. For FIs, the consultation presents an opportunity to assess whether existing frameworks are sufficiently robust, documented and scalable ahead of implementation.
Immediate Action Items and Forward-Looking Considerations
While the proposed changes remain under consultation, MAS is expected to retain many of the core requirements in the finalised Notices. FIs should use the consultation period and anticipated transition window to assess their current technology risk management framework, identify gaps across critical systems, strengthen governance over cyber and operational resilience, and plan remediation activity before the requirements take effect.
Taking a forward-looking approach now can also help firms move beyond minimum compliance and build a more resilient operating model. By aligning technology inventories, risk assessments, monitoring, incident response and data backup capabilities with the proposed MAS expectations, FIs can better demonstrate regulatory readiness while reducing operational disruption and strengthening stakeholder confidence.
How Waystone Can Help
Waystone’s Compliance Solutions team supports financial institutions in navigating evolving regulatory expectations, including technology risk management, cyber resilience, operational resilience and compliance programme enhancement.
If you would like to discuss how the proposed MAS TRM amendments may affect your organisation, or how Waystone can assist with readiness planning and implementation support, please contact your usual Waystone representative or get in touch with our APAC Compliance Solutions team below.
