MAS Launches Three Simultaneous Regulatory Upgrades: Technology Risk, AI Governance and Third-Party Risk Management
By Jenga Anderson Compliance & Advisory Team | Published: 20 June 2026 | Singapore Financial Regulation & Compliance
On 10 June 2026, the Monetary Authority of Singapore (MAS) issued a consultation paper proposing a systematic revision to its Technology Risk Management Notice (TRM Notice). The revision covers eight areas: IT asset management, IT risk assessment and monitoring, capacity planning, change management, continuous system and security monitoring, immutable offline data backup, incident management, and unplanned outage monitoring. The consultation closes on 31 July 2026. Once the final notice is published, compliance becomes mandatory within 12 months.
This is the third major regulatory signal MAS has issued in seven months. Three parallel tracks are advancing simultaneously, each pointing in the same direction: the technology risk management baseline for Singapore-licensed financial institutions is being comprehensively raised.
| Key point: These are not separate initiatives. They form a coordinated architecture — AI governance, third-party risk management, and core technology risk controls — being upgraded in sequence within a single regulatory cycle. Institutions that treat each track in isolation will find themselves repeatedly reconfiguring their compliance programmes as each final notice is issued. |
1. Three Tracks, Seven Months: The Full Picture
To understand the weight of the TRM Notice revision, it must be read within the full regulatory timeline.
Track 1 — AI Risk Management Guidelines (AIRM)
On 13 November 2025, MAS issued a consultation paper on its AI Risk Management (AIRM) Guidelines, with the consultation period closing 31 January 2026. The guidelines apply to all MAS-licensed financial institutions and cover four domains: AI governance architecture, key management systems and processes, AI lifecycle controls, and capability and resource requirements.
Core requirements include:
- Establishment of a cross-functional AI risk oversight committee where overall AI risk exposure is assessed as material
- Maintenance of an AI system inventory and ongoing risk materiality assessment framework
- Full AI lifecycle controls applying to both internally developed and third-party AI tools — institutions may not delegate governance responsibility to vendors
- Specific treatment of Generative AI risks through Project MindForge, covering hallucination outputs, prompt injection attacks and data leakage
MAS indicated a 12-month transition period from the date the final guidelines are issued.
Source: MAS consultation paper on AI Risk Management Guidelines, 13 November 2025; KPMG Singapore analysis, November 2025
Track 2 — Third-Party Risk Management Guidelines (TPRM)
On 6 March 2026, MAS simultaneously issued consultation papers on both Third-Party Risk Management Guidelines (TPRM) and Operational Risk Management Guidelines (ORM), with a joint consultation period closing 20 April 2026.
The significance of the TPRM Guidelines lies in their expanded scope: they are designed to replace the existing outsourcing guidelines, with the affected population broadening from institutions that have outsourcing arrangements to all institutions that depend on third-party services in any form.
Four core areas are covered:
- Establishment and maintenance of a third-party arrangement register
- Governance structure and strategy for third-party risk
- End-to-end risk management process across the third-party lifecycle
- Contractual provisions and ongoing monitoring mechanisms
MAS proposed that TPRM Guidelines take effect six months from publication — a tighter transition window than either AIRM or the TRM Notice revision.
Track 3 — Technology Risk Management Notice Revision (TRM Notice)
The 10 June 2026 consultation paper proposes a systematic upgrade of the existing TRM Notice across eight domains. The consultation closes 31 July 2026, with compliance mandatory within 12 months of the final notice being published.
Three-Track Timeline at a Glance
| Regulatory Document | Issued | Consultation Closes | Effective Arrangement |
| --- | --- | --- | --- |
| AI Risk Management Guidelines (AIRM) | 13 Nov 2025 | 31 Jan 2026 | 12 months after final publication — est. H2 2027 |
| Third-Party Risk Management Guidelines (TPRM) | 6 Mar 2026 | 20 Apr 2026 | 6 months after final publication — est. late 2026 |
| TRM Notice Revision | 10 Jun 2026 | 31 Jul 2026 (OPEN) | 12 months after final publication |
Source: MAS official consultation papers, November 2025, March 2026 and June 2026
2. The TRM Notice Revision: Eight Domains Explained
The current TRM Notice is the statutory instrument through which MAS constrains the technology risk management capabilities of all licensed financial institutions. This revision is a systematic upgrade, not a targeted amendment. Institutions that fail to meet TRM Notice requirements are subject to written rectification directions from MAS, restrictions on business growth, and public disclosure of regulatory action.
1. IT Asset Management
Institutions must build and continuously maintain a complete IT asset inventory covering hardware, software and cloud-based assets, ensuring asset visibility and lifecycle tracking capability.
2. IT Risk Assessment and Monitoring
A systematic risk identification, rating and periodic review mechanism must be established, producing risk register documentation available for regulatory inspection. Assessment records must include: identified technology risks, risk ratings, control effectiveness assessments, and risk reporting outputs.
3. Capacity Planning and Management
Institutions must conduct forward-looking capacity planning to ensure service stability during peak business periods or unexpected demand scenarios, preventing service degradation or system outages resulting from capacity shortfalls.
4. Change Management Controls
MAS requires security controls to be embedded throughout the system development lifecycle (SDLC), including secure coding practices, security testing procedures, and formal change approval processes.
5. Continuous System and Security Monitoring
Real-time monitoring capability covering security events must be established, incorporating security operations monitoring, tested incident response playbooks, and integrated threat intelligence.
6. Immutable and Offline Data Backup
This is the domain with the most technically specific requirements in the revision. Institutions must establish tamper-proof (immutable) and offline-accessible data backup mechanisms, designed specifically to address ransomware and other attack scenarios that target backup data.
| Why this matters: Ransomware attacks increasingly target backup systems specifically, rendering standard backup arrangements insufficient. MAS is requiring institutions to demonstrate that a recovery path exists even when primary and standard backup systems are compromised. |
7. Incident Management
The existing standard already requires financial institutions to report system failures or IT security incidents to MAS within one hour of detection. The revision will further define process standards and documentation requirements for incident management, including root cause analysis, remediation measures, and lessons-learned outputs. Recovery Time Objectives (RTO) for critical systems must be four hours or less.
8. Unplanned Outage Monitoring
MAS explicitly requires the use of unplanned downtime hours as the primary measurement metric — not system uptime percentages. The reason: uptime percentages can mask the severity of outages occurring during specific time windows, particularly during peak transaction periods.
3. Which Institutions Are in Scope
Directly Bound — All Three Tracks Apply
| Institution Type | Legal Basis | Applicability |
| --- | --- | --- |
| Licensed banks (full, wholesale, merchant) | Banking Act | TRM / TPRM / AIRM — all three tracks |
| Licensed insurers (life, general, reinsurance) | Insurance Act | TRM / TPRM / AIRM — all three tracks |
| Capital Markets Services licensees (CMS) | Securities and Futures Act | TRM / TPRM / AIRM — all three tracks |
| Licensed payment institutions (MPI / SPI) | Payment Services Act | TRM / TPRM / AIRM — all three tracks |
| Digital Payment Token service providers (DPT) | Payment Services Act | TRM / TPRM / AIRM — all three tracks |
Sources: MAS official consultation papers; Atlas Systems MAS TRM Compliance Guide, 2026
For directly bound institutions, the three tracks translate to concrete operational demands:
- Existing IT outsourcing arrangements must be reassessed for alignment with TPRM’s third-party governance framework
- Institutions already using AI tools must build an AI inventory and risk materiality assessment system meeting AIRM requirements
- Technology governance accountability chains must extend to board level — not remain within the IT function
Non-compliance consequences are consistent with MAS’s established enforcement approach: written rectification directions, restrictions on business growth, and public disclosure of regulatory action.
Indirectly Affected — Through the Banking Relationship
Single family offices (SFOs) and fund managers are not directly subject to the TRM Notice. However, both carry indirect compliance exposure through their banking relationships.
Under the revised SFO framework, a single family office must open and maintain an account with a MAS-licensed bank. The bank’s KYC/AML diligence on institutional clients is a prerequisite for opening and maintaining that account — and the bank’s technical capacity to conduct that diligence is built directly on its own TRM compliance level.
As TRM standards rise, banks’ substantive review of client-institution governance capabilities is expected to rise in parallel. For family offices and fund managers, this means: the clarity of internal governance documentation, the extent to which IT outsourcing arrangements are recorded, and the rigour of data management practices will increasingly affect the stability of banking relationships — not just the ability to open an account in the first place.
4. The Compliance Window: Why Timing Matters
| Document | Consultation Closes | Status | Estimated Mandatory Effective Date |
| --- | --- | --- | --- |
| AIRM Guidelines | 31 Jan 2026 | Closed — MAS processing feedback | Est. H2 2027 |
| TPRM Guidelines | 20 Apr 2026 | Closed — MAS processing feedback | Est. late 2026 (6 months after final publication) |
| TRM Notice Revision | 31 Jul 2026 | OPEN NOW | 12 months after final publication |
Source: MAS official consultation papers, November 2025, March 2026 and June 2026
The TRM Notice revision consultation is the only window among the three tracks that remains open. It closes 31 July 2026.
Acting now versus waiting for the final notice carries a material difference across three dimensions:
Time Cost
Once the final TRM Notice is published, a 12-month mandatory compliance period begins. On the surface, a year appears adequate. In practice, those 12 months must cover a compliance gap assessment against the final requirements, internal policy revision, system upgrades or vendor re-evaluation, documentation rebuild, and staff training, all while managing the TPRM and AIRM compliance demands running in parallel. For institutions facing all three tracks, 12 months is operationally tight.
Resource Cost
Beginning a gap assessment during the consultation period allows institutions to plan based on the already-published direction of travel, rather than competing for advisory resources once the final notice is published and the entire population of affected institutions enters the market simultaneously. Scarcity of qualified compliance advisors has driven up costs significantly during previous MAS compliance cycles.
Regulatory Signal Value
MAS publishes a Response to Consultation following each consultation period, typically providing further clarification and specific modifications to individual provisions. Having already studied the technical requirements of the consultation paper, institutions can compare the final notice against their existing gap assessment immediately — rather than starting analysis from scratch when the response is published.
| For institutions applying for MPI, SPI or DPT licences: The compliance window is more urgent. MAS licence applications must demonstrate technology governance capabilities aligned with MAS regulatory expectations — and the revised TRM framework has already become one of the reference benchmarks MAS uses when assessing applicants. Demonstrating alignment with the revised framework, even before it is finalised, strengthens an application. |
5. The Regulatory Logic Behind the Three Tracks
Reading all three consultation papers together, a structural shift becomes visible: MAS is systematically migrating technology governance requirements from Guidelines (regulatory expectations) to Notices (statutory obligations).
The distinction matters practically. A Guideline represents MAS’s supervisory expectation — failing to meet it will attract scrutiny during an inspection, but does not by itself constitute a statutory violation. A Notice is a legally binding instrument — failing to comply constitutes a breach of the relevant legislation, and MAS may take direct enforcement action.
The TRM Notice revision’s core intent is precisely this: converting requirements that previously existed only at Guideline level — data backup standards, system recovery time objectives, outage monitoring metrics — into statutory obligations. The threshold for compliance is rising not just in content, but in legal force.
From an operational perspective, the three tracks converge on two specific scenarios that will determine how they affect institutions in practice.
Scenario 1: Banking Account Opening and Maintenance
Banks reviewing institutional clients for KYC/AML purposes are increasingly incorporating the client institution’s own IT governance documentation into their assessment. For directly licensed institutions, this is a primary compliance demand. For family offices and fund managers whose operations depend on licensed-bank accounts, it is an indirect constraint — unclear governance documentation and unrecorded IT arrangements will directly affect the stability of banking relationships.
Scenario 2: Regulatory Inspections and Licence Renewal
MAS inspections of licensed institutions are placing progressively greater emphasis on whether an institution can proactively demonstrate its governance capabilities, not simply produce documentation when asked. With three tracks running in parallel, the next inspection cycle for most institutions will address technology governance, AI usage and third-party service provider management together, not as separate examination items in separate cycles.
| For institutions that build systematic compliance capability during this regulatory cycle, that capability will itself become a tangible asset in conversations with banks, investors and business partners. For institutions that are unprepared, the combined compliance pressure of three converging tracks is expected to materialise acutely between 2027 and 2028. |
6. Frequently Asked Questions
Does the TRM Notice revision apply to all MAS-licensed institutions?
Yes. The TRM Notice applies to all MAS-licensed financial institutions, including banks, insurers, capital markets services licensees, licensed payment institutions (MPI/SPI), and digital payment token service providers. There is no carve-out by institution size.
Are family offices subject to any of these three tracks?
Single family offices and fund managers are not directly subject to the TRM Notice. However, they face indirect exposure through their banking relationships: as TRM standards rise, banks’ review of client-institution governance documentation is expected to tighten in parallel, affecting account opening and account maintenance.
What is the difference between a MAS Notice and a MAS Guideline?
A MAS Notice is a legally binding instrument issued under specific legislation. Non-compliance constitutes a statutory breach and MAS may take direct enforcement action. A MAS Guideline represents regulatory expectation — failing to meet it attracts supervisory scrutiny but is not itself a statutory violation. The TRM revision is converting a number of previously Guideline-level requirements into Notice-level obligations.
Why is MAS launching three regulatory tracks simultaneously?
The three tracks address distinct but related risk domains: AI risk (AIRM), third-party service dependency risk (TPRM), and core technology infrastructure risk (TRM). Each addresses a gap that has become more acute as financial institutions have adopted more AI tools, more third-party services, and more complex technology infrastructure. MAS is upgrading the baseline across all three simultaneously because they are interconnected — a vulnerability in any one area can cascade across the others.
What should an institution do first if it hasn’t started yet?
Begin with a gap assessment against the TRM Notice consultation paper: this is the only window still open, closing 31 July 2026. Simultaneously map existing third-party arrangements against the TPRM framework, and inventory any AI tools in use against AIRM requirements. Starting with documentation of the current state is faster and more cost-effective than waiting for final notices across all three tracks to be published before acting.
What are the consequences of non-compliance?
MAS’s enforcement toolkit for TRM non-compliance includes written rectification directions, restrictions on business growth, and public disclosure of regulatory action. For institutions applying for new licences, demonstrated alignment with the revised framework is a factor in the application assessment.
About the Author
Jenga Anderson Compliance & Advisory Team
Jenga Anderson (jenga-dev.zaps.work/) is a Singapore-based institutional corporate services platform, holding ACRA CSP, MOM EA, CPA, Certified Tax Adviser and fund administration credentials. Its parent, Anderson Global, has a 23-year operating history across 15 office locations worldwide.
We assist licensed and licence-seeking MPI/SPI and DPT institutions, family offices and fund managers in building compliance architectures aligned with MAS regulatory frameworks, covering:
- Gap assessments against the new TRM / TPRM / AIRM frameworks
- Identification of compliance gaps in IT outsourcing arrangements, incident response mechanisms and data management processes
- Compliance documentation rebuild and ongoing operational support
- Family office 13O/13U establishment and MAS-licensed bank account assistance
- CRS/FATCA compliance and cross-border compliance coordination
Credentials: ACRA CSP · MOM EA · CPA · Certified Tax Adviser · Fund Administration
To discuss your institution’s compliance position relative to these three regulatory tracks, contact our team for an initial assessment.
This article is published for general informational purposes and does not constitute legal, tax or investment advice. Compliance decisions should be made following individualised professional assessment.
References & Sources
Monetary Authority of Singapore (MAS). Consultation Paper on Technology Risk Management Notice Revision. 10 June 2026.
Monetary Authority of Singapore (MAS). Consultation Paper on AI Risk Management (AIRM) Guidelines. 13 November 2025.
Monetary Authority of Singapore (MAS). Consultation Paper on Third-Party Risk Management (TPRM) Guidelines and Operational Risk Management Guidelines. 6 March 2026.
Baker McKenzie. Analysis of MAS TRM Notice Revision consultation paper. 19 June 2026.
Baker McKenzie. Analysis of MAS TPRM Guidelines consultation paper. March 2026.
Reed Smith. Analysis of MAS TPRM Guidelines consultation paper. March 2026.
Rajah & Tann Asia. Analysis of MAS TPRM and ORM Guidelines consultation papers. March 2026.
KPMG Singapore. Analysis of MAS AI Risk Management Guidelines consultation paper. November 2025.
Protiviti Singapore. MAS regulatory compliance commentary.
Atlas Systems. MAS TRM Compliance Guide 2026.
Jenga Anderson · www.jengacorp.com · www.anderson-global.com