MAS consults on new third‑party risk management guidelines as part of its widening efforts to strengthen operational resilience across the financial sector

The Monetary Authority of Singapore (MAS) has issued a consultation paper on the proposed guidelines on third‑party risk management. The proposals highlight MAS’ increasing focus on how financial institutions manage risks linked to third‑party service providers. Once finalised, the guidelines will replace the existing outsourcing guidelines and apply across all third‑party services.

Financial institutions rely increasingly on third parties to support their operations, while these arrangements bring efficiency and flexibility, they also create risks if they are not properly understood and managed.
 

Moving beyond outsourcing

The proposed guidelines go beyond traditional outsourcing to include any third‑party arrangement that could materially affect a financial institution’s operations, customers, data security or regulatory obligations. For many financial institutions, this broader scope means taking a fresh look at how third‑party risks are identified and monitored across the business.

Governance and accountability

Whilst third‑party providers carry out services, financial institutions remain accountable for the risks those arrangements create. The guidelines place clear responsibility on boards and senior management who, together, are responsible for ensuring that third-party risks are effectively governed and managed across the organisation. It’s expected that the board sets the overall direction by approving the third-party risk management strategy, defining risk appetite and tolerance, and that senior management is responsible for putting this into practice by establishing clear policies, processes and controls, allocating appropriate resources, and ensuring third-party risks are identified, assessed, monitored and reported throughout the lifecycle of each arrangement.

Managing risk across the lifecycle

The MAS proposes a lifecycle‑based approach to managing third‑party risk:

Image

The guidelines also stress the importance of aligning third‑party risk management with operational risk, technology risk and business continuity management, helping financial institutions manage risks in a more joined‑up and consistent way.

More regulatory oversight and reporting

A key proposal is for financial institutions to maintain and submit a register of material third‑party arrangements to MAS on a semi‑annual basis. This reflects MAS’ focus on understanding sector‑wide concentration risks and dependencies. Financial institutions will need to strengthen their third‑party inventories, clarify how materiality is assessed and improve oversight of subcontractors and locations where services are delivered.

Proportionality, but rising expectations

The MAS continues to apply proportionality, allowing financial institutions to tailor their approach based on size, complexity and risk. However, the proposals also make clear that minimum expectations are rising across the industry. Even smaller financial institutions can be seriously affected by third‑party disruptions, particularly where systems, data or critical services are involved. As a result, there are stronger expectations around governance, documentation, exit readiness and incident response across the board.

Preparing for implementation

Although the guidelines are still under consultation, the direction is clear. Once finalised, the MAS proposes the guidelines to take effect after six months. Since the guidelines will bring into scope third-party service providers that don’t currently constitute outsourcing arrangements, we expect that there’ll be plenty to do during that six-month period.

Here are practical steps firms should take to start preparing now:

• Start reviewing your existing third‑party risk management arrangements

• Assess gaps against the proposed expectations

• Considering whether your governance and controls are sufficient

Taking early steps will support a smoother transition once the guidelines are finalised and help you strengthen your ability to manage third‑party risks.

How Ocorian can help

We can help you interpret the guidelines, develop, review and improve third‑party risk management frameworks aligned with MAS expectations. Our support includes gap assessments, governance and policy development, lifecycle controls and support with third‑party inventories and registers.

To find out how we can support your organisation, please contact us.