![BB OR [D] 6](https://blog.bcm-institute.org/hs-fs/hubfs/BB%20OR%20%5BAi%20Gen%20Blog%20Photo%5D/OR%20Pictures%20A/BB%20OR%20Folder%20D/BB%20OR%20%5BD%5D%206.jpg?width=2000&height=1333&name=BB%20OR%20%5BD%5D%206.jpg "BB OR [D] 6")
![[OR] [MAS] [E0] A Practical OR Guide to MAS Compliance and Implementation](https://no-cache.hubspot.com/cta/default/3893111/23a20024-f0ef-49c9-b977-9368b9e21491.png)
eBook 1: Chapter 2
Monetary Authority of Singapore's (MAS) Regulatory Landscape
Purpose of the Chapter
This chapter provides an overview of the regulatory landscape governing operational resilience in Singapore’s financial sector, anchored on the expectations of the Monetary Authority of Singapore (MAS).
It examines the key guidelines, notices, and supervisory approach that collectively shape how financial institutions design, implement, and maintain operational resilience.
The chapter also explains MAS’s principles-based regulatory philosophy, which requires institutions not only to comply with rules but to demonstrate sound judgement, proportionality, and effectiveness in managing resilience risks.
Overview of MAS Regulatory Framework
MAS adopts a holistic and integrated regulatory framework to strengthen operational resilience. Rather than issuing a single standalone “operational resilience regulation,” MAS embeds resilience expectations across multiple interrelated guidelines.
Business Continuity Management (BCM) Guidelines (2022)
The 2022 MAS BCM Guidelines represent a significant evolution in regulatory expectations, shifting from traditional recovery planning to a service-centric approach to operational resilience.
Key expectations include:
- Identification of Critical Business Services (CBS)
- Establishment of Service Recovery Time Objectives (SRTO)
- End-to-end dependency mapping (people, process, technology, third parties)
- Regular testing, audit, and continuous improvement
MAS explicitly requires financial institutions to adopt an end-to-end, service-centric view, ensuring that critical services can continue to be delivered even during disruptions.
The guidelines emphasise that resilience must be designed around customer outcomes, not just internal processes.
Operational Risk Management (ORM) Guidelines
The MAS ORM Guidelines complement BCM by focusing on the identification, assessment, and mitigation of operational risks.
Key elements include:
- Establishment of a robust risk management framework
- Identification of potential operational threats and vulnerabilities
- Implementation of controls and monitoring mechanisms
- Integration with enterprise-wide risk management
ORM provides the preventive foundation for operational resilience by reducing the likelihood and severity of disruptions.
Technology Risk Management (TRM) Guidelines
The MAS TRM Guidelines address the growing importance of technology and cyber resilience in financial institutions.
Key expectations include:
- Ensuring the availability, integrity, and security of IT systems
- Managing cybersecurity risks and incidents
- Strengthening third-party technology risk management
- Maintaining system resilience and recovery capabilities
Technology resilience is critical, as Singapore's financial services are highly dependent on digital infrastructure.
MAS expects institutions to maintain secure and reliable systems for customer use, reflecting the importance of technology in service continuity.
Integrated Regulatory Approach
MAS does not treat BCM, ORM, and TRM as isolated domains. Instead, it expects financial institutions to integrate them into a unified operational resilience framework, where:
- ORM reduces disruption risks
- TRM ensures system robustness
- BCM enables service recovery and continuity
This integrated approach reflects MAS’s focus on end-to-end resilience across the entire operating ecosystem.
MAS Notices (e.g., Notice 644 / 644A)
In addition to guidelines, MAS issues legally binding notices that impose specific requirements on financial institutions.
MAS Notice 644 (Technology Risk Management)
MAS Notice 644 (and related notices such as 644A) historically set out mandatory requirements for technology risk management, including:
- System availability and reliability standards
- Incident reporting requirements
- Security controls and safeguards
- Recovery and continuity expectations
These notices define minimum compliance thresholds, including timelines for reporting incidents and expectations for technology resilience
Although certain notices (e.g., Notice 644) have since been updated or superseded, they remain foundational in shaping technology resilience expectations.
Role of Notices vs Guidelines
- MAS Notices → Legally enforceable requirements
- MAS Guidelines → Supervisory expectations and best practices
Financial institutions must comply with notices while using guidelines to design and enhance their resilience frameworks.
Role of MAS as Regulator and Supervisor
The Monetary Authority of Singapore plays a dual role:
Regulator
MAS establishes:
- Regulatory frameworks and policies
- Minimum standards for risk management and resilience
- Requirements for governance, reporting, and accountability
Its objective is to ensure:
- Safety and soundness of financial institutions
- Stability of the financial system
- Protection of customers and stakeholders
Supervisor
MAS actively supervises financial institutions through:
- Inspections and audits
- Review of BCM and operational resilience frameworks
- Assessment of scenario testing and recovery capabilities
- Evaluation of governance and risk management practices
MAS also requires institutions to conduct regular BCM audits and testing to validate the effectiveness of their resilience capabilities.
System-Wide Resilience
MAS’s role extends beyond individual institutions to safeguarding:
- Interbank dependencies
- Payment systems and financial market infrastructure
- Systemic stability across the financial ecosystem
This reinforces the need for industry-wide coordination and resilience.
Regulatory Expectations vs Principles-Based Approach
A defining feature of MAS regulation is its principles-based approach, which differs from rigid rule-based regimes.
Principles-Based Regulation
MAS sets broad principles and outcomes, allowing financial institutions flexibility in implementation.
Key characteristics:
- Focus on outcomes rather than prescriptive rules
- Encourages proportionality based on size, complexity, and risk profile
- Requires management judgement and accountability
- Supports innovation and adaptability
For example, institutions are not given a fixed list of critical services—they must identify their own CBS based on their business model and risk exposure.
Regulatory Expectations
Despite flexibility, MAS expectations are clear and stringent:
- Institutions must demonstrate continuous delivery of critical services
- Resilience frameworks must be comprehensive and integrated
- Governance must ensure Board and senior management accountability
- Testing, audit, and improvement must be ongoing and evidence-based
MAS expects firms to move beyond “paper compliance” and demonstrate operational effectiveness.
Balancing Flexibility and Accountability
The MAS approach can be summarised as:
|
Principles-Based Flexibility |
Regulatory Accountability |
|
Customised implementation |
Demonstrable outcomes |
|
Risk-based approach |
Strong governance oversight |
|
Innovation-friendly |
Strict supervisory review |
|
Business-driven design |
Regulatory assurance |
This balance ensures that financial institutions remain resilient while adaptable to evolving risks.
The MAS regulatory landscape provides a comprehensive and integrated framework for operational resilience in Singapore’s financial sector.
Through a combination of BCM, ORM, and TRM guidelines, supported by enforceable notices such as Notice 644, MAS establishes clear expectations for maintaining the continuous delivery of critical financial services.
Importantly, MAS’s principles-based approach places responsibility on financial institutions to design resilience frameworks that are fit for purpose, risk-based, and customer-centric.
This requires not only compliance but also strong governance, proactive risk management, and continuous improvement.
Ultimately, the MAS framework ensures that operational resilience is not treated as a standalone function, but as a strategic capability essential to financial stability, customer trust, and long-term sustainability in Singapore’s financial ecosystem.
![[OR] [MAS] [E1] Understanding Operational Resilience in Singapore’s Financial Sector](https://no-cache.hubspot.com/cta/default/3893111/af4e7abf-3775-4632-811f-7d71e11f8bca.png)
| eBook 1 | C1 | C2 | C3 | C4 |
| C5 | C6 | C7 | C8 | |
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
