AI Trailblazer Award

Insights

MAS TPRM Guidelines in 2026: What’s Changed and What’s Coming (UPDATED)

Last updated: July 9, 202613 mins read
MAS TPRM Guidelines in 2026: What’s Changed and What’s Coming (UPDATED)

MAS Notices 658 and 1121, Singapore’s binding MAS TPRM guidelines for banks and merchant banks, have been fully in effect since 11 December 2024. If your organisation spent 2024 racing to comply, you’re not done. You’re at the start of what MAS is building toward.

 

In March 2026, MAS published a consultation paper proposing updated MAS TPRM guidelines that will expand the scope of what banks and financial institutions (FIs) must govern.

 

A real-world incident at a printing vendor that exposed data for thousands of DBS and Bank of China customers has already demonstrated why regulators are pushing harder. This article covers where the framework stands today, what’s coming next, and how FIs should be preparing now.

 

MAS TPRM Guidelines: What Notices 658 and 1121 Require

 

Singapore’s MAS TPRM guidelines are anchored in two legally binding notices: Notice 658 for banks and Notice 1121 for merchant banks, setting out what FIs must do when outsourcing relevant services to third parties. Both were announced on 11 December 2023 with a 12-month grace period, and both took full effect on 11 December 2024.

 

They replaced and cancelled the previous outsourcing guidelines (Notices 634 and 1108, last updated in 2018). Unlike the old guidelines (which were supervisory expectations), these notices carry binding legal force under Section 47A of the Banking Act 1970.

 

One important nuance: paragraphs 7.1 and 12.8 of Notice 658, which govern outsourcing register submission obligations to MAS, operate under a separate implementation timeline. Bond pricing supplements filed by major Singapore banks with SGX consistently note that “with the exception of paragraphs 7.1 and 12.8, the requirements in MAS Notice 658 have taken effect from 11 December 2024.”

 

The specific activation date for these paragraphs was to be communicated separately by MAS.

 

Who the Notices Apply To

 

Under the MAS TPRM guidelines, Notice 658 applies to all banks operating in Singapore and Notice 1121 applies to merchant banks. Both are issued under Section 47A(2), (4), (6), (7) and (12) of the Banking Act 1970.

 

Responsibility for compliance sits with senior management, CISOs, and executives at these financial institutions. The notices do not apply directly to the third-party service providers themselves. The obligation sits squarely on the FI to manage, monitor, and document its vendor relationships.

 

Who the MAS Outsourcing Guidelines Apply to

Key Requirements Under the Current MAS TPRM Guidelines

 

The four core obligations MAS expects FIs to meet are well-established by now. Here’s where each stands in practice.

 

Register of All Outsourced Relevant Services

 

Under the MAS TPRM guidelines, banks and merchant banks must maintain a complete, current register of all outsourced service providers, available for submission to the Authority semi-annually and on demand.

 

MAS Notice 658 register requirements

 

Maintaining this register manually through spreadsheets is technically possible, but it creates real exposure: registers go stale, updates get missed, and producing a clean submission on short notice becomes a fire drill.

 

Cyber Sierra’s TPRM module maintains a continuously updated vendor inventory automatically, giving security teams a searchable, audit-ready record of how each vendor performs against MAS requirements.

 

Cyber Sierra vendor registry and database

Third-Party Risk Governance and Management Oversight

 

The MAS TPRM guidelines require FIs to implement an appropriate third-party risk governance framework and designate an executive team for oversight. The notices specify two non-negotiable requirements here.

 

MAS third-party risk governance requirements

 

FIs can build a custom governance framework or adopt and adapt globally accepted frameworks such as SOC 2 or NIST. Cyber Sierra comes pre-built with customisable versions of these frameworks, and provides a single workspace for all stakeholders involved in oversight and review.

 

Cyber Sierra governance framework management

Ongoing Evaluation of Third- and Fourth-Party Vendors

 

The MAS TPRM guidelines require FIs to evaluate vendors before engaging them and on a continuous basis afterward. Due diligence extends to fourth parties (the subcontractors a service provider uses). Vendors must provide evidence of meeting designated security assessment requirements, and that evidence must be current.

 

MAS ongoing vendor evaluation requirements

MAS expects vendors working with FIs to demonstrate compliance with designated security assessment requirements:

 

MAS vendor security assessment evidence requirements

Cyber Sierra’s TPRM AI Analysts can request, receive, and review vendor evidence submissions automatically, flagging missing, insufficient, or irrelevant documents before a human reviewer has to engage. The platform also validates each uploaded evidence file against the relevant assessment questions.

 

Cyber Sierra automated vendor evidence review

This level of automation is why financial institutions rely on Cyber Sierra for third-party risk management. Take one global bank based in Singapore:

 

Cyber Sierra case study quote - global bank Singapore

Continuous Independent Audits of Third Parties

 

The MAS TPRM guidelines also require FIs to arrange for independent audits of their third-party vendors on an ongoing basis. The requirement is direct:

 

MAS continuous independent audit requirements

 

Working with independent auditors gives FIs an external perspective on vendor risk that internal teams can miss. But because MAS requires this on an ongoing basis, the process needs to be structured rather than ad hoc. Cyber Sierra provides auditors with a central platform to search, review, and flag vendors with security gaps, without the coordination overhead of email-based audit workflows.

 

Cyber Sierra auditor access and vendor review interface

What Happened When the Framework Was Tested: The Toppan Incident

 

Four months after Notices 658 and 1121 took full effect, a real-world incident demonstrated exactly the risk the framework is designed to address.

 

On 5 April 2025, Toppan Next Tech (TNT) notified DBS Bank that ransomware had hit its systems. Toppan handled printing of customer statements for DBS and several other banks.

 

Threat actors extracted account statements for approximately 8,200 DBS Vickers customers and around 3,000 Bank of China Singapore customers whose print communications were handled by Toppan. No core banking systems were breached. The attack was entirely on the third-party vendor’s infrastructure.

 

MAS and the Cyber Security Agency of Singapore (CSA) were both informed and monitored the situation. The incident was widely covered by Reuters and disclosed publicly by DBS the following day.

 

The significance here is straightforward. Toppan was not an IT service provider in the traditional sense. It was a printing vendor.

 

Under the broadened scope that MAS is now proposing (more on that below), vendors like Toppan that handle customer data would fall explicitly within the MAS TPRM guidelines framework. The incident is a clear signal that these guidelines are grounded in observed risk, not just regulatory theory.

 

What’s Coming Next: MAS Proposed TPRMG (2026)

 

On 6 March 2026, MAS published Consultation Paper P004-2026 proposing new Guidelines on Third-Party Risk Management (TPRMG). The consultation closed on 20 April 2026. Final guidelines are pending as of mid-2026, with a 6-month transition period expected from the date of issuance.

 

This is the headline development for any FI that considers its MAS TPRM guidelines compliance settled. The proposed TPRMG will supersede the existing Guidelines on Outsourcing, but Notices 658 and 1121 remain in place as binding law. Both the updated TPRM guidelines and the binding notices will apply simultaneously.

 

The Scope Expansion Is the Key Change

 

The current MAS TPRM guidelines focus on “outsourcing”: arrangements where the FI delegates a function it could perform itself. The proposed TPRMG expands this to cover all third-party arrangements, including:

 

  • Technology subscriptions and SaaS platforms
  • Data services and data vendors
  • Intragroup arrangements
  • Professional services relationships
  • Fintech partnerships
  • Cloud services (explicitly confirmed as a form of outsourcing under the TPRMG)

 

Only a narrow set of arrangements is exempted: financial market infrastructures (clearing houses, SWIFT), utilities like telcos and electricity providers, and services unrelated to financial business where the provider has no access to customer or confidential data. Even exempted services must be covered by business continuity and incident response plans.

 

New Requirements Under the Proposed TPRMG

 

Law firm analysis from Reed Smith, Bird & Bird, Baker McKenzie, and Rajah & Tann identifies several requirements that go beyond what the current notices mandate:

 

  • Register expansion. Semi-annual submission to MAS of a register covering all material third-party arrangements, including material subcontractors where possible. Law firms describe this as “a new obligation” relative to existing requirements.
  • Concentration risk management. FIs must explicitly identify and manage concentration risk at the service provider and geographical level, with documented redundancy plans and alternative providers identified.
  • Exit planning. Regularly updated and tested exit plans covering multiple plausible termination scenarios, not just a theoretical document sitting in a drawer.
  • Group and branch oversight. FIs under MAS consolidated supervision or classified as Critical Information Infrastructure (CII) operators must extend TPRMG requirements to branches and subsidiaries globally.
  • Subcontractor notification. Written notification required before engaging a material subcontractor. FIs must use best efforts to hold subcontractors to equivalent standards.
  • Strategy dimension. FIs must assess the cost-benefit analysis of third-party reliance, define risk appetite for third-party exposure, and establish clear exit triggers.
  • MAS enforcement backstop. MAS may direct an FI to terminate a service provider agreement where the provider is unwilling to remediate identified issues.

 

The proposed TPRMG also runs parallel to a second March 2026 consultation on Updated Guidelines on Operational Risk Management, and to MAS’s November 2025 consultation on AI Risk Management Guidelines, which directly applies when FIs outsource AI or machine learning model development and deployment to third parties.

 

What This Means for FIs Right Now

 

The 6-month transition window once the final MAS TPRM guidelines are published will move fast. FIs that wait for the final text before assessing their gaps will spend that window scrambling. The practical implication is that preparation should start against the proposed requirements now. The consultation is closed, and the direction is clear enough to act on.

 

Specifically, this means auditing which third-party arrangements currently fall outside your TPRM program (SaaS subscriptions, data vendors, intragroup arrangements), assessing concentration risk exposure, and verifying that exit plans exist and have been tested for critical providers.

 

Preparing for Sustained MAS TPRM Guidelines Compliance

 

Whether your focus is on meeting the current MAS TPRM guidelines or preparing for the proposed TPRMG expansion, the operational challenge is the same: managing vendor risk continuously rather than periodically, across a vendor population that only grows larger.

 

The Toppan incident made clear that even non-IT vendors with access to customer data create material exposure. The proposed TPRMG makes clear that MAS has drawn the same conclusion and is extending the governance perimeter accordingly.

 

The teams that handle this well are the ones that move TPRM from a compliance project (something done once a year ahead of an audit) to an ongoing operational function with automated evidence collection, continuous vendor monitoring, and audit-ready documentation available on demand.

 

Cyber Sierra’s TPRM module is built for exactly this: AI Analysts that review vendor evidence, flag gaps, and maintain audit trails continuously. When MAS asks for your vendor register or an auditor needs documentation, the answer is ready. See how the TPRM platform works in practice, or book a demo to walk through how it fits your current compliance program.

 

Cyber Sierra TPRM demo CTA

Frequently Asked Questions

 

Are MAS Notices 658 and 1121 still in effect in 2026?

 

Yes. Both notices took full effect on 11 December 2024 and remain fully operative. The proposed TPRMG, once finalised, will supersede the existing Guidelines on Outsourcing, but the MAS TPRM guidelines in Notice form carry binding legal force under the Banking Act 1970 and will remain.

 

What is the difference between the current outsourcing notices and the proposed TPRMG?

 

The current MAS TPRM guidelines apply specifically to “outsourcing” arrangements where an FI delegates a function it could perform itself. The proposed TPRMG expands this to cover all third-party arrangements, including SaaS platforms, data vendors, intragroup services, fintech partnerships, and cloud services.

 

The TPRMG also introduces new requirements around concentration risk, exit planning, and group-level oversight.

 

Does the TPRMG replace MAS Notice 658?

 

No. The proposed TPRMG will supersede the Guidelines on Outsourcing (the non-binding guidelines layer), but Notice 658 and Notice 1121 remain in force as binding notices issued under the Banking Act. When the TPRMG is finalised, FIs will need to comply with both.

 

What happened in the Toppan Next Tech incident?

 

In April 2025, printing vendor Toppan Next Tech suffered a ransomware attack that resulted in customer statement data being extracted for approximately 8,200 DBS Vickers customers and around 3,000 Bank of China Singapore customers.

 

No core banking systems were compromised. The incident highlighted that third-party vendors with access to customer data, even non-IT vendors, represent material exposure under the MAS TPRM guidelines framework.

 

When will the final TPRMG be published?

 

The consultation paper was issued on 6 March 2026 and closed on 20 April 2026. As of mid-2026, final guidelines have not been published. Once issued, FIs will have a 6-month transition period to comply. Preparation against the proposed requirements can begin now. The direction is clear from the consultation paper and supporting law firm analysis.

 

How can Cyber Sierra help with MAS TPRM compliance?

 

Cyber Sierra’s TPRM module provides AI Analysts that automate vendor evidence review, flag missing or insufficient documentation, maintain audit trails, and support continuous vendor monitoring, replacing the manual, email-based workflows that most TPRM teams currently rely on. The platform also maintains a continuously updated vendor registry suitable for MAS register submission requirements.

  • Third Party Risk Management
  • CISOs
  • CTOs
  • Cybersecurity Enthusiasts
  • Enterprise Leaders
  • Startup Founders
Pramodh Rai

Meet Pramodh Rai, a technology aficionado and Cyber Sierra’s co-founder, whose zest for innovation is fuelled by a cupboard stacked with zero-sugar Redbull. With a nimble footwork through the tech tulips across Asia Pacific, he’s donned hats at Hmlet (the proptech kind) and Funding Societies | Modalku, building high-performing teams and technologies. A Barclays prodigy with dual degrees from Nanyang Technological University, Pramodh is a treasure trove of wisdom, dad jokes, and everything product/tech. He’s the Sherpa in sneakers you need.

A weekly newsletter sharing actionable tips for CTOs & CISOs to secure their software.

Your Name*
Your Email Address*
I accept Cyber Sierra’s terms and conditions*
Leave this field empty if you’re human:

Thank you for subscribing!

Please check your email to confirm your email address.

Find out how we can assist you in completing your compliance journey.

Related Articles