Financial regulators around the globe continue to sharpen their focus on operational resilience, driven by the growing digitalisation of financial services, increasing reliance on third-party service providers, and heightened technology and cyber risks. A common theme across jurisdictions is the extension of regulatory expectations beyond traditional outsourcing to encompass all material third-party arrangements. For organisations operating across multiple APAC jurisdictions, understanding the commonalities and differences between these regimes is critical to developing an efficient, coordinated compliance approach — and to anticipating the commercial and contractual implications that flow from them.
The Monetary Authority of Singapore (MAS) is set to overhaul its regulatory framework for third-party risk management, having consulted the public on proposed new guidelines from 6 March to 20 April 2026. The proposed guidelines incorporate key elements of international standards and, most importantly, extend MAS' expectations beyond outsourcing to cover all third-party arrangements. A six-month transition period has been proposed for the implementation of the guidelines.
In Australia, the Australian Prudential Regulation Authority (APRA) has already implemented a comparable regime through Prudential Standard CPS 230 Operational Risk Management, which commenced on 1 July 2025 (with a transitional period for pre-existing contractual arrangements). CPS 230 similarly extends regulatory expectations beyond outsourcing to all material service provider arrangements and imposes prescriptive contractual requirements on APRA-regulated entities. The Australian experience in operationalising CPS 230 offers useful insights for financial institutions (FIs) in Singapore as they prepare for the proposed MAS guidelines.
In contrast, the requirements applicable to FIs' third-party risk management in Indonesia are not consolidated in a single guideline or regulation. Indonesia's Financial Services Authority (Otoritas Jasa Keuangan, or OJK) regulates this area through a modular framework of separate regulations which continue to be updated, including those governing risk management, outsourcing, and the use of information technology by banks and certain other FIs. It is also worth noting that general outsourcing regulations issued by the Manpower Ministry apply, and that Bank Indonesia (the central bank) has separate regulations governing these matters for payment service providers.
In this briefing, we set out recommended next steps and a snapshot of the MAS, APRA and OJK frameworks.
For those who wish to read more, we have also included a more detailed overview of the proposed MAS guidelines as well as areas to note based on our experience in advising clients on APRA’s CPS 230.
Please feel free to reach out to any of our key contacts below or your regular contact at our firm to discuss any aspect of these developments.
With the MAS consultation having closed on 20 April 2026 and final guidelines expected in the coming months, FIs operating in Singapore should be taking steps now to prepare for the transition period. Drawing on lessons from the Australian experience with CPS 230, FIs should consider:
| Feature | MAS Proposed Guidelines | APRA CPS 230 | OJK Framework |
|---|---|---|---|
| Scope | All third-party arrangements of FIs regulated under Singapore's Financial Services and Markets Act 2022 (not just traditional outsourcing) | All service provider arrangements of APRA-regulated entities (banks, insurers and superannuation fund trustees) | Outsourcing and engagement of third parties in IT implementation by banks and other FIs are subject to various OJK regulations |
| Materiality framework | Principles-based assessment considering factors such as impact on earnings and liquidity, reputation and brand value, customers, counterparties, and the Singapore financial market | Two-part test: does the entity rely on the provider for a critical operation, or does the provider expose it to material operational risk? Certain service categories are automatically deemed material unless the entity can justify otherwise | Outsourcing covers both delegation of work to a third party and supply of manpower by a third party. Only supporting activities (non-core functions) can be outsourced. IT implementation includes operation of core applications and placements of data centres and disaster recovery centres |
| Register requirement | FIs must submit a register of their third-party arrangements to MAS twice a year and upon request (covering at minimum all material arrangements, including material sub-contractors where possible) | Regulated entities must submit a register of material service providers to APRA annually | No express requirement to maintain a register, but plans to engage the relevant third parties must be submitted to OJK |
| Prescribed contractual terms | Yes – contracts for material third-party arrangements must address matters such as information and audit rights, termination rights, key performance benchmarks, conditions governing material sub-contractors (if the specified matters are not addressed, the FI must assess and document how the relevant risk is mitigated) | Yes – formal agreements must include prescribed minimum content covering service levels, rights and responsibilities, sub-contractor notification, liability allocation, force majeure, termination and regulator access | Yes – agreements must include minimum terms such as rights and obligations, reporting requirements, customer confidentiality, service levels, termination rights, and regulator access |
| Regulator access rights | In the event of adverse developments, FIs must notify MAS as soon as possible, and inform the service provider to cooperate with MAS by providing comprehensive and timely information | Contracts must give APRA access to relevant documents and data, the right to conduct on-site visits, and an undertaking from the provider not to obstruct APRA | Service providers must provide audit rights to OJK and/or other authorities if required |
| Sub-contractor / fourth party oversight | FIs should have the ability to monitor and control the risks arising from their arrangements even when service providers use sub-contractors, and should take reasonable steps to hold material sub-contractors to similar standards as the primary service provider | Service providers must notify the entity of material sub-contractors; the service provider remains liable for any sub-contractor failures | Prior approval of the FI will be required for any subcontracting |
| Exemptions | Government technology services, financial market infrastructures (e.g. clearing houses), utilities (e.g. telecoms), and non-financial services where the provider has no access to confidential information | APRA may grant entity-specific adjustments or exclusions; for foreign banks, certain insurers and foreign life insurers, only Australian branch operations are in scope | |
The proposed Guidelines on Third-Party Risk Management (Guidelines) are attached to the consultation paper.
In light of the increase in FIs’ reliance on third-party services and their evolving use of third-party services beyond outsourcing, MAS considers it necessary to strengthen FIs' oversight of third-party arrangements by:
CPS 230 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers and registrable superannuation entity licensees. Like the proposed Guidelines, CPS 230 moves beyond traditional outsourcing to impose requirements on all material service provider arrangements, regardless of whether the arrangement constitutes outsourcing in the conventional sense.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
Herbert Smith Freehills Kramer LLP is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.
© Herbert Smith Freehills Kramer 2026