Financial regulators around the globe continue to sharpen their focus on operational resilience, driven by the growing digitalisation of financial services, increasing reliance on third-party service providers, and heightened technology and cyber risks. A common theme across jurisdictions is the extension of regulatory expectations beyond traditional outsourcing to encompass all material third-party arrangements. For organisations operating across multiple APAC jurisdictions, understanding the commonalities and differences between these regimes is critical to developing an efficient, coordinated compliance approach — and to anticipating the commercial and contractual implications that flow from them.
The Monetary Authority of Singapore (MAS) is set to overhaul its regulatory framework for third-party risk management, having consulted the public on proposed new guidelines from 6 March to 20 April 2026. The proposed guidelines incorporate key elements of international standards and, most importantly, extend MAS' expectations beyond outsourcing to cover all third-party arrangements. A six-month transition period has been proposed for the implementation of the guidelines.
In Australia, the Australian Prudential Regulation Authority (APRA) has already implemented a comparable regime through Prudential Standard CPS 230 Operational Risk Management, which commenced on 1 July 2025 (with a transitional period for pre-existing contractual arrangements). CPS 230 similarly extends regulatory expectations beyond outsourcing to all material service provider arrangements and imposes prescriptive contractual requirements on APRA-regulated entities. The Australian experience in operationalising CPS 230 offers useful insights for financial institutions (FIs) in Singapore as they prepare for the proposed MAS guidelines.
In contrast, the requirements applicable to FIs' third-party risk management in Indonesia are not consolidated in a single guideline or regulation. Indonesia's Financial Services Authority (Otoritas Jasa Keuangan, or OJK) regulates this area through a modular framework of separate regulations which continue to be updated, including those governing risk management, outsourcing, and the use of information technology by banks and certain other FIs. It is also worth noting that general outsourcing regulations issued by the Manpower Ministry apply, and that Bank Indonesia (the central bank) has separate regulations governing these matters for payment service providers.
This briefing
In this briefing, we set out recommended next steps and a snapshot of the MAS, APRA and OJK frameworks.
For those who wish to read more, we have also included a more detailed overview of the proposed MAS guidelines as well as areas to note based on our experience in advising clients on APRA’s CPS 230.
Please feel free to reach out to any of our key contacts below or your regular contact at our firm to discuss any aspect of these developments.
Next steps: What should you be doing now?
With the MAS consultation having closed on 20 April 2026 and final guidelines expected in the coming months, FIs operating in Singapore should be taking steps now to prepare for the transition period. Drawing on lessons from the Australian experience with CPS 230, FIs should consider:
- Mapping your third-party landscape – Conduct a comprehensive inventory of all third-party arrangements (not just traditional outsourcing) and assess which are likely to be classified as material. This will also inform your register submission obligations.
- Engaging early with counterparties – Engage with counterparties now about potential materiality classifications and the contractual amendments that may be required. The Australian experience demonstrates that these negotiations can be protracted, particularly with global service providers.
- Reviewing existing contracts – Identify gaps between current contractual terms and the minimum content expectations in the proposed guidelines.
- Updating governance frameworks – Ensure board oversight arrangements, risk management frameworks and third-party risk management policies are aligned with the proposed guidelines, including clear escalation processes for adverse developments.
- Coordinating across jurisdictions – For organisations operating in both Singapore and Australia (or other jurisdictions with comparable regimes), develop a harmonised compliance approach and common contractual provisions that satisfy multiple regimes, reducing complexity and cost.
Snapshot of the MAS, APRA and OJK frameworks
| Feature | MAS Proposed Guidelines | APRA CPS 230 | OJK Framework |
|---|---|---|---|
| Scope | All third-party arrangements of FIs regulated under Singapore's Financial Services and Markets Act 2022 (not just traditional outsourcing) | All service provider arrangements of APRA-regulated entities (banks, insurers and superannuation fund trustees) | Outsourcing and engagement of third parties in IT implementation by banks and other FIs are subject to various OJK regulations |
| Materiality framework | Principles-based assessment considering factors such as impact on earnings and liquidity, reputation and brand value, customers, counterparties, and the Singapore financial market | Two-part test: does the entity rely on the provider for a critical operation, or does the provider expose it to material operational risk? Certain service categories are automatically deemed material unless the entity can justify otherwise | Outsourcing covers both delegation of work to a third party and supply of manpower by a third party. Only supporting activities (non-core functions) can be outsourced. IT implementation includes operation of core applications and placement of data centres and disaster recovery centres |
| Register requirement | FIs must submit a register of their third-party arrangements to MAS twice a year and upon request (covering at minimum all material arrangements, including material sub-contractors where possible) | Regulated entities must submit a register of material service providers to APRA annually | No express requirement to maintain a register, but plans to engage the relevant third parties must be submitted to OJK |
| Prescribed contractual terms | Yes – contracts for material third-party arrangements must address matters such as information and audit rights, termination rights, key performance benchmarks, and conditions governing material sub-contractors (if the specified matters are not addressed, the FI must assess and document how the relevant risk is mitigated) | Yes – formal agreements must include prescribed minimum content covering service levels, rights and responsibilities, sub-contractor notification, liability allocation, force majeure, termination and regulator access | Yes – agreements must include minimum terms such as rights and obligations, reporting requirements, customer confidentiality, service levels, termination rights, and regulator access |
| Regulator access rights | In the event of adverse developments, FIs must notify MAS as soon as possible, and inform the service provider to cooperate with MAS by providing comprehensive and timely information | Contracts must give APRA access to relevant documents and data, the right to conduct on-site visits, and an undertaking from the provider not to obstruct APRA | Service providers must provide audit rights to OJK and/or other authorities if required |
| Sub-contractor / fourth party oversight | FIs should have the ability to monitor and control the risks arising from their arrangements even when service providers use sub-contractors, and should take reasonable steps to hold material sub-contractors to similar standards as the primary service provider | Service providers must notify the entity of material sub-contractors; the service provider remains liable for any sub-contractor failures | Prior approval of the FI will be required for any subcontracting |
| Exemptions | Government technology services, financial market infrastructures (e.g. clearing houses), utilities (e.g. telecoms), and non-financial services where the provider has no access to confidential information | APRA may grant entity-specific adjustments or exclusions; for foreign banks, certain insurers and foreign life insurers, only Australian branch operations are in scope |
A more detailed overview of the MAS proposed guidelines on third-party risk management
The proposed Guidelines on Third-Party Risk Management (Guidelines) are attached to the consultation paper.
In light of the increase in FIs’ reliance on third-party services and their evolving use of third-party services beyond outsourcing, MAS considers it necessary to strengthen FIs' oversight of third-party arrangements by:
- extending its expectations beyond outsourcing to all third-party arrangements; and
- incorporating guidance from international standard setting bodies in relation to third-party arrangements, including a toolkit by the Financial Stability Board and principles by the Basel Committee on Banking Supervision.
Experience from APRA's CPS 230
CPS 230 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers and registrable superannuation entity licensees. Like the proposed Guidelines, CPS 230 moves beyond traditional outsourcing to impose requirements on all material service provider arrangements, regardless of whether the arrangement constitutes outsourcing in the conventional sense.
Key contacts
Chee Hian Kwah
Director, Prolegis LLC, Singapore
Peter Jones
Partner, Head of TMT, Asia, Singapore
Michelle Virgiany
Partner, Herbert Smith Freehills Kramer Prolegis Alliance, Singapore
Mark Khouri
Senior Associate (Australia), Singapore
Clare Hubert
Senior Associate (Australia), Singapore
Tengku Almira
Senior Associate, Jakarta