MAS Proposes Guidelines on Third-Party Risk Management to replace Outsourcing Guidelines

  1. Background 

In March 2026, MAS released a consultation paper proposing new Guidelines on Third-Party Risk Management (“TPRMG”). The TPRMG supersede existing MAS Outsourcing Guidelines, expanding expectations to all third-party arrangements due to increased reliance on external services and evolving risks. The framework aims to strengthen FIs’ oversight, incorporate international standards, and ensure robust risk management across the financial sector, affecting all FIs leveraging external providers.

 

 

  1. Key Observations

 

The proposed guidelines signify a comprehensive shift towards a more holistic and integrated approach to managing risks associated with external dependencies.

 

Gaps observed

 

  • Limited Scope of Existing Guidelines: Current outsourcing guidelines do not adequately cover the full spectrum of third-party arrangements, leaving potential risk exposures unaddressed.
  • Inadequate Oversight of Non-Outsourcing Third Parties: FIs have historically focused primarily on outsourced services, neglecting comprehensive risk management for other critical third-party relationships.
  • Evolving Risk Landscape: Increased digitalization, interconnectedness, and reliance on external service providers introduce new and complex operational, technology, and cyber risks.
  • Lack of Standardized Approach: Inconsistent application of risk management practices across various third-party engagements, leading to potential vulnerabilities and regulatory arbitrage.

 

 

 New Guidelines

 

  • Expanded Scope and Definition: FIs must now manage risks for all third-party arrangements, not just traditional outsourcing, requiring a broader and more integrated approach.
  • Board and Senior Management Accountability: Enhanced expectations for oversight, with clear roles and responsibilities for managing third-party risks at the highest levels.
  • Proportionality in Implementation: FIs must implement guidelines commensurate with their size, complexity, and the materiality of risks posed by third-party services.
  • Comprehensive Risk Management Lifecycle: FIs are expected to establish robust frameworks covering due diligence, contract management, ongoing monitoring, and exit strategies for all third-party engagements.

 

 

Comprehensive review 

 

The TPRMG is a comprehensive review and planned update of current Outsourcing Guidelines. In total, MAS is inviting public response to 19 questions, including proportionality of implementation, due diligence and monitoring, frequency of MAS submissions, adverse development disclosures, and termination conditions. 

 

 

  1. What’s next?

 

 

The consultation period closes on 20 April 2026. The new TPRMG could be issued in late 2026, with a 6 months transition period. 

 

If implemented as expected, FIs will face a significant compliance uplift, requiring a re-evaluation of all third-party relationships and existing risk frameworks. The expanded scope will necessitate increased attention to third party arrangements. FIs must proactively assess their current TPRMG maturity, identify gaps, and develop comprehensive implementation plans to meet these heightened expectations and avoid potential regulatory penalties. This will drive a more resilient and secure financial ecosystem.

 

 

  1. How can we help?

 

Capital Governance assists FIs by:

 

  • TPRMG Framework Development: Designing and implementing comprehensive third-party risk management frameworks, and migrating the current outsourcing framework
  • Gap Analysis & Remediation: Identifying and addressing compliance gaps against the new guidelines.
  • Contractual Review: Ensuring third-party agreements align with MAS expectations.

and much more

Search

Latest Stories