MAS Technology Risk Management Guidelines: what you need to know

Written by
RMI Team (F)

On 18 January 2021, the Monetary Authority of Singapore (MAS) released their comprehensive Technology Risk Management (TRM) Guidelines 2021, developed in close collaboration with leading cybersecurity experts. These guidelines continue to provide a robust framework for managing technology and cyber risks in the financial services industry, especially as digital transformation accelerates.

In the years since the guidelines were introduced, MAS has launched several initiatives to address the evolving landscape of technology risks, including the Financial Sector Technology and Innovation Scheme (FSTI 3.0) and enhanced cybersecurity requirements for Digital Payment Token Service Providers (DPTSPs) in 2024. These initiatives complement the TRM Guidelines, reinforcing MAS’s commitment to maintaining Singapore’s position as a global financial hub.

These TRM Guidelines apply to all licensed financial institutions (FIs) in Singapore, including service providers such as:

  • Funding and investment-related companies
  • Insurance companies and reinsurers
  • Banks, including wholesale banks and financial holding companies
  • Credit and payments-related companies
  • Market operators and financial exchanges

Here are 7 points that financial business leaders should take note of to strengthen cyber resilience against technology risks.

Expanded responsibilities for the board of directors and senior management

The revised TRM Guidelines introduce additional roles and responsibilities for the board of directors and senior management in ensuring that their organisations adopt sufficiently robust technology risk governance. These include:

  • Appointing a Chief Information Officer (or its equivalent) and a Chief Information Security Officer (or its equivalent) with requisite experience and expertise
  • Ensuring that the board of directors and senior management include members with knowledge of technology and cyber risks, and undergo cybersecurity training if necessary
  • Having sufficient oversight over technology risks and playing an active role in key IT decisions
  • Establishing internal processes to enable effective reporting of technology matters to higher management
  • Adopting a risk appetite and risk tolerance statement

Extended oversight to include all third parties, not just outsourced service providers

Some third-party services may not constitute outsourcing, but as long as they process, transmit or store confidential or sensitive customer information, FIs should take measures to minimise risks of a third-party system failure or security breach.

Leaders are asked to assess and review their third-party partners’ risk governance measures to ensure that a high standard of care and diligence is employed with regard to data privacy, cybersecurity and system resilience – both before entering into a new contractual agreement, and on an ongoing basis.

New guidelines related to in-house software development

With APIs increasingly being used in the financial services industry to facilitate cross-platform collaboration, MAS recognises the need for any APIs developed and managed in-house to adhere to strict security standards.

Section 6 of the TRM Guidelines outlines standards that FIs should adopt regarding secure coding, source code review and application security testing. It also advises on proper governance of third-party API access, and puts forth recommendations such as real-time monitoring of API calls, and having FIs vet and manage their end-users’ applications risks.

New section on cybersecurity operations and assessment measures

Financial leaders are advised to procure cyber intelligence monitoring services and subscribe to cyber intelligence sharing platforms such as FS-ISAC, IT-SAC, SingCERT or CVE to address operational risk. These services also improve the resilience of their organisations against common cyberthreats including malware and active cyberattacks.

Other recommendations include detecting and responding to misinformation propagated via the internet; establishing cyber incident response capabilities; carrying out penetration testing; and conducting scenario-based cyber exercises involving key stakeholders and senior management.

New section on managing employee device use

With remote and hybrid work, Bring Your Own Device (BYOD) – where employees use personal devices to access business information and systems – is now commonplace. To manage the increased risk of cyberattacks targeting personal devices, FIs are required to revise their BYOD policies and procedures with stronger security controls, such as Mobile Device Management or virtualisation solutions.

New section on data and infrastructure security

In the future of distributed work, FIs need to ensure their endpoints are secure. The Center for Internet Security (CIS) Benchmarks are a good reference for secure configuration and hardening of endpoint protection. Leaders should also look at using Network Intrusion Protection Systems and Network Access Control to detect and block malicious traffic.

The proliferation of the Internet of Things (IoT) has also prompted the 2021 TRM Guidelines to call for policies and procedures to manage IoT security, such as the use of sandboxed browsing and network segregation between IoT devices and the core operating network.

New security requirements for online financial services

As more financial transactions and communications are happening via digital channels, FIs are required to strengthen their encryption, security and control measures to ensure better protection against data leaks, phishing attacks and malware.

Beyond improving the security of their digital channels, leaders should also not lose sight of fundamental operational risks, including customer authentication, secure transaction signing, fraud monitoring and customer education on proper cybersecurity hygiene.

Recent MAS Initiatives Strengthening TRM Compliance (2025 update)

In addition to the foundational Technology Risk Management (TRM) Guidelines introduced in 2021, the Monetary Authority of Singapore (MAS) has implemented several initiatives to further strengthen the financial sector’s resilience against emerging technology risks.

Financial Sector Technology and Innovation Scheme (FSTI 3.0)

Launched in 2023, FSTI 3.0 is designed to accelerate technology adoption and innovation within Singapore’s financial sector. Aligned with the nation’s Industry Transformation Map (ITM) 2025, the scheme provides funding support for projects that enhance cybersecurity, operational resilience, and the development of innovative financial products and services. By fostering a culture of innovation, FSTI 3.0 aims to position Singapore as a leading global financial hub, equipped to navigate the complexities of the digital age.

Enhanced Cybersecurity Requirements for Digital Payment Token Service Providers (DPTSPs)

In response to the growing prominence of digital payment tokens, MAS introduced stringent cybersecurity requirements for DPTSPs in 2024. Under the FSM-N13 Notice on Technology Risk Management, these service providers are mandated to implement comprehensive security assessments, establish robust incident response plans, and adhere to best practices in cybersecurity. This regulatory enhancement ensures that as the digital payments ecosystem expands, it remains secure and resilient against potential cyber threats.

Combatting Scams Initiative

Recognising the escalating threat of digital fraud, MAS has intensified efforts to safeguard consumers and maintain trust in the financial system through its Combatting Scams Initiative. This initiative encompasses a range of measures, including public education campaigns, collaboration with financial institutions to implement anti-scam technologies, and the establishment of frameworks to detect and respond to fraudulent activities promptly. By proactively addressing the menace of scams, MAS aims to protect consumers and uphold the integrity of Singapore’s financial landscape.

These initiatives, in conjunction with the TRM Guidelines, underscore MAS’s commitment to fostering a secure, innovative, and resilient financial ecosystem in Singapore. Financial institutions are encouraged to align their operations with these regulatory developments to effectively manage technology risks and capitalise on opportunities in the evolving digital economy.

Don’t be the weak link in an interconnected financial ecosystem

The 2021 revisions to the TRM Guidelines are an acknowledgement that while digital transformation brings significant benefits, it also increases businesses’ exposure to certain risks, including operational and cybersecurity risks.

While the guidelines are not legal obligations per se, they do put forth best practice standards and principles for managing some of the most critical technology risks in financial services today. Additionally, how well an FI observes and follows these TRM Guidelines may have an impact on MAS’s overall risk assessment. These reasons alone should serve as sufficient motivation for financial services leaders to take another look at the gaps in their current risk management plans.