Methodology

Legally binding MAS Notices issued under the relevant Acts (e.g., Banking Act, Securities and Futures Act). Non-compliance may result in regulatory action, fines, or licence conditions.

Source instruments: Currently no AI-specific STATUTORY requirements. This tier is included for completeness and forward compatibility, as MAS may issue binding Notices on AI use in future.

MAS Guidelines and Circulars that set out supervisory expectations. While not legally binding per se, institutions are expected to comply and MAS will assess adherence during inspections and thematic reviews.

Source instruments: TRM Guidelines (January 2021), Fair Dealing Guidelines (May 2024), CMG-G02 Digital Advisory Guidelines, Outsourcing Guidelines for Banks (December 2023).

Good practices observed by MAS through thematic reviews, inspections, and industry engagement. Published as Information Papers, these describe what MAS has seen leading institutions do, without prescribing specific requirements.

Source instruments: MAS Information Paper on AI Model Risk Management (December 2024).

Proposed guidance currently in public consultation. These represent MAS's likely direction of travel and institutions should begin planning for compliance, though final requirements may differ from consultation drafts.

Source instruments: P017 – Proposed Guidelines on AI Risk Management (consultation closed January 2026), P004 – Proposed Guidelines on Third-Party Risk Management (consultation open until April 2026).

Industry methodologies, frameworks, and guidance developed by regulatory-adjacent bodies, industry consortiums, or standards organisations. These provide practical implementation approaches that institutions can adopt or adapt.

Source instruments: FEAT Principles (2018), Veritas Assessment Methodology, MindForge Operational Handbook & Implementation Examples (January 2026), IMDA Model AI Governance Framework for Agentic AI, PDPA Advisory Guidelines (March 2024).

External assurance and certification standards that provide independent verification of AI governance maturity. Requirements within these standards use mandatory language, but adoption of the standard itself is voluntary.

Source instruments: ISO/IEC 42001:2023 – AI Management System.

This domain covers the full AI model lifecycle from initial identification and risk classification through development, validation, deployment, ongoing monitoring, and eventual decommissioning. It addresses governance structure and committee oversight for AI/ML models, the capability and independence of validation functions, controls around third-party and vendor AI models, and specific safeguards for generative AI and large language model deployments. Requirements are drawn primarily from P017 (which provides the most comprehensive AI lifecycle framework), the MAS AI MRM Information Paper (observed leading practices), MindForge (practical implementation guidance), and ISO/IEC 42001 (management system controls). This is the largest domain, reflecting the depth of emerging regulatory expectations around AI model risk management.

Primary sources: P017, MAS AI MRM Information Paper, MindForge Ops Handbook, ISO/IEC 42001, TRM Guidelines.

This domain addresses the management of personal data within AI systems, including consent and notification requirements, data protection impact assessments, privacy-by-design principles, data anonymisation and pseudonymisation techniques, bias assessment of training data, and governance of third-party data processing. Requirements integrate obligations from the PDPA Advisory Guidelines with AI-specific data governance expectations from P017 and the MindForge framework. The domain recognises that robust data governance is foundational to responsible AI, as model outputs are only as reliable as the data used for training and inference.

Primary sources: PDPA Advisory Guidelines, P017, MindForge Ops Handbook.

This domain covers AI systems that directly interact with clients or influence client outcomes, including robo-advisory platforms, AI-driven recommendation engines, chatbots providing financial guidance, and automated suitability assessments. It addresses algorithm governance for client-facing systems, suitability of AI-generated advice, fair dealing obligations in AI-mediated interactions, customer transparency and disclosure requirements, and mechanisms for client redress when AI systems produce adverse outcomes. Requirements draw heavily on the CMG-G02 Digital Advisory Guidelines and Fair Dealing Guidelines, supplemented by client-facing provisions in P017.

Primary sources: CMG-G02 Digital Advisory Guidelines, Fair Dealing Guidelines, P017.

This domain addresses responsible AI principles including the definition and measurement of fairness across protected attributes, bias detection and mitigation methodologies, explainability requirements for different model types and use cases, and emerging governance challenges around agentic AI systems. Requirements are sourced primarily from the FEAT Principles (which established Singapore's foundational approach to fairness, ethics, accountability, and transparency in AI), the Veritas Assessment Methodology (which operationalises FEAT into measurable criteria), and the IMDA Agentic AI Framework (which extends governance to autonomous AI systems). This domain recognises that explainability and fairness requirements must be proportionate to the materiality and complexity of the AI use case.

Primary sources: FEAT Principles, Veritas Assessment Methodology, IMDA Agentic AI Framework, P017.

This domain covers the use of AI systems, models, and services from external providers, including cloud-hosted AI platforms, vendor model APIs, and outsourced AI development. It addresses the governance framework for third-party AI, due diligence and vendor assessment requirements, outsourcing agreement provisions specific to AI, concentration risk from dependency on a small number of AI providers, and lifecycle management of third-party AI models. Requirements draw on the existing MAS Outsourcing Guidelines (which apply to AI outsourcing arrangements), supplemented by third-party AI provisions in P017 and emerging requirements from P004 (the proposed Third-Party Risk Management guidelines currently in consultation).

Primary sources: Outsourcing Guidelines for Banks, P017, P004, MindForge Ops Handbook.

This domain addresses the technology infrastructure and security controls supporting AI systems, including IT governance and change management for AI deployments, access control and privilege management for AI systems and data, audit logging and monitoring of AI system behaviour, incident management and response procedures for AI failures, and AI-specific cybersecurity threats such as adversarial attacks, data poisoning, and model extraction. Requirements are drawn primarily from the TRM Guidelines (which establish baseline technology risk management expectations) supplemented by AI-specific operational resilience requirements from P017 and MindForge. This domain recognises that AI systems introduce novel operational risks that extend beyond traditional IT risk management frameworks.

Primary sources: TRM Guidelines, P017, MindForge Ops Handbook.

This domain covers the institutional governance architecture required to manage AI risk effectively, including the establishment of an AI management system with clear roles, responsibilities, and escalation paths, the definition of AI risk appetite and tolerance levels aligned with the institution's overall risk framework, the fostering of an AI risk culture that embeds responsible AI principles across the organisation, the design of an operating model that integrates AI governance with existing risk management and compliance functions, and the development of AI skills, knowledge, and capability at board, senior management, and operational levels. Requirements draw on ISO/IEC 42001 (which provides the most structured approach to AI management systems), P017 (governance structure requirements), and cross-cutting accountability provisions from multiple instruments.

Primary sources: ISO/IEC 42001, P017, MindForge Ops Handbook, TRM Guidelines.