Singapore’s MAS AI Risk Management Guidelines: What Financial Institutions Need to Know (2026)

Last reviewed: April 30, 2026

The Monetary Authority of Singapore is on the verge of issuing the first AI-specific binding-equivalent guidelines for any sector in Singapore. The proposed Guidelines on Artificial Intelligence Risk Management (AIRG), issued for consultation on November 13, 2025, closed for comments January 31, 2026 and are expected to be published in final form during 2026 with a 12-month transition period before full supervisory expectation kicks in. The Guidelines will apply to every MAS-regulated financial institution operating in Singapore and codify what has been a layered voluntary regime — FEAT Principles, Veritas Initiative methodology, Project MindForge handbooks — into a single supervisory document. This article explains what the Guidelines require, how they sit on top of the existing operational toolkit, and what financial institutions should be doing right now to be ready.

Key Takeaways

• The proposed AIRG Guidelines are MAS’s first AI-specific supervisory framework. Issued November 13, 2025; consultation closed January 31, 2026; final guidelines pending publication. When issued, a 12-month transition period applies before full supervisory expectation.
• Four content sections structure the Guidelines. Oversight of AI risk management; key AI risk management systems and procedures; AI lifecycle controls (covering 13 specific areas); capabilities and capacity for AI use.
• Coverage is comprehensive and technology-agnostic. All FIs regulated by MAS — banks, insurers, capital markets firms, payment providers, fintechs. Applies to traditional AI, generative AI, and AI agents. Proportionate to FI size and risk profile.
• The operational toolkit is already in place. FEAT Principles (2018) + Veritas methodology and toolkit (2019-2023) + Project MindForge Executive Handbook (November 2025) + Operationalisation Handbook (March 2026) provide the implementation guidance to comply with the AIRG Guidelines as written.
• Foreign FI branches and subsidiaries get a path. They can use parent-entity AI risk management frameworks if those frameworks demonstrably align with the Singapore Guidelines. Local sign-off remains required.

Why is MAS moving toward binding AI guidelines?

MAS has not regulated AI in financial services through binding rules until now. Its approach has been the FEAT Principles (Fairness, Ethics, Accountability, Transparency) issued November 2018 — fourteen principles structured around four pillars, voluntary in form but treated as supervisory expectations in practice. Non-compliance with FEAT did not produce direct fines, but it shaped how supervisors exercised their statutory powers under the Banking Act, the Insurance Act, the Securities and Futures Act, and the Payment Services Act. Most FIs adopted FEAT-aligned governance because the alternative was unfavorable supervisory dialogue.

That layered approach has reached its limits. Three pressures converge.

Pressure 1: AI deployment is now ubiquitous in Singapore financial services. DBS Bank reported S$1 billion in economic value from AI/analytics in 2025. UOB built a bank-wide AI upskilling program. OCBC established a dedicated AI Lab focused on multi-agent architectures. Voluntary frameworks designed for the 2018-2020 era — when AI in financial services meant fraud detection and credit scoring — do not provide adequate supervisory grip when banks are deploying generative AI agents that take customer-facing actions.

Pressure 2: International peers are moving. The EU AI Act applies to financial services AI deployments serving EU customers. The UK Financial Conduct Authority has expanded its AI guidance materially through 2025. The US SEC and CFPB enforce model risk management expectations under existing authorities. MAS supervisors increasingly find themselves comparing notes with counterparts who can point to published rules. Singapore’s voluntary FEAT approach was a competitive differentiator in 2019. By 2026 it is a supervisory gap.

Pressure 3: MAS conducted a thematic review of key banks’ AI use in 2024. That review produced findings about inconsistent governance maturity, gaps in data lineage, and weak monitoring of model drift. The proposed AIRG Guidelines are the supervisory response to those findings. They translate observed gaps into stated expectations.

The framing is significant. MAS is not rejecting the FEAT Principles — paragraph 2.4 of the consultation paper makes clear that “FEAT continues to apply for guiding the use of AI in the financial sector.” The AIRG Guidelines complement FEAT by adding supervisory expectations specifically around risk management process, lifecycle controls, and capability. FEAT remains the philosophical layer; AIRG becomes the operational supervisory layer.

What does the proposed AIRG Guidelines require?

The proposed Guidelines (consultation paper P017-2025, issued November 13, 2025) are structured around four content areas. The text is comprehensive at approximately 30 pages, but the supervisory expectations sort cleanly into the four sections below.

Section 1: Oversight of AI risk management

FIs must have board and senior management accountability for AI risk. Specifically:

• A defined AI governance framework appropriate to the FI’s size and AI use intensity
• Named senior accountable individuals — typically the Chief Risk Officer or Chief Technology Officer
• AI risk integrated into the FI’s overall enterprise risk management framework rather than siloed
• Regular reporting to the board (at minimum, annually for FIs with material AI deployment)

This mirrors the supervisory architecture MAS uses for technology risk management under MAS Notice 644 (Technology Risk Management) and the Outsourcing Guidelines. AI risk gets added to that existing supervisory grammar.

Section 2: Key AI risk management systems, policies, and procedures

FIs must implement:

• AI identification and inventory. A maintained register of AI use cases — what models, what data, what business decisions, what materiality classification.
• Risk materiality assessment. Each AI use case rated for risk based on consumer impact, financial impact, regulatory impact, and operational impact. The proportionality of subsequent controls follows from this assessment.
• AI policies and procedures. Written policies covering AI governance, model development, deployment, and decommissioning. These should align with FEAT and reflect IMDA’s Model AI Governance Framework.
• Roles and responsibilities. Defined responsibility across the three lines of defense: business owners, risk management, internal audit.

The most operationally novel requirement is the AI inventory. Many FIs have model inventories for credit and market risk models under MAS-supervised model risk management practices — but those inventories typically do not capture AI use cases that sit outside the credit/market silos. The AIRG Guidelines push FIs to consolidate.

Section 3: AI lifecycle controls

This is the longest section of the Guidelines and covers thirteen specific control areas across the AI lifecycle:

Control area	What it covers
Data management	Data quality, lineage, provenance for AI training and inference
Fairness	Bias detection, fairness metrics, corrective action — operationalizes FEAT Fairness pillar
Transparency and explainability	Model documentation, interpretability, customer disclosures where appropriate
Human oversight	Human-in-the-loop / human-on-the-loop / human-over-the-loop calibrated to risk
Management of third-party AI risks	Vendor due diligence, contractual controls, ongoing monitoring of AI service providers
Selection of AI	Justification for using AI vs alternative approaches; appropriateness of AI technique
Evaluation and testing	Pre-deployment testing including adversarial testing where appropriate
Technology and cybersecurity	Standard cybersecurity hygiene plus AI-specific concerns (model extraction, prompt injection, data poisoning)
Reproducibility and auditability	Versioning, model cards, audit trails — supports later regulatory inquiry
Reviews	Periodic review of AI systems; trigger-based review for material changes
Monitoring	Ongoing performance monitoring, drift detection, fairness monitoring
Change management	Controls around model updates, retraining, deployment changes

The thirteen-area structure intentionally mirrors the AI lifecycle — discover risks early, control them in design, monitor them in operation. FIs that have implemented Project MindForge’s Executive Handbook will already have most of these controls in place; the Guidelines codify them as supervisory expectations.

Section 4: Capabilities and capacity for AI use

FIs must ensure their people, processes, and technology can support responsible AI deployment:

• Skills and competencies. Adequate AI risk expertise across risk management, internal audit, model validation, and business teams.
• Technology infrastructure. Compute, data infrastructure, and tooling adequate to support AI lifecycle controls including monitoring at scale.
• Resources. AI risk management is appropriately resourced — not an underfunded extension of model risk management or technology risk management.

This section is the supervisory acknowledgment that capability gaps drive most AI risk failures. A thirteen-area control framework cannot be implemented by a two-person model risk team running on legacy infrastructure.

How does the operational toolkit support compliance?

The AIRG Guidelines do not arrive as a regulatory shock. Three operational documents already provide the implementation backbone:

FEAT Principles (November 2018). Fourteen principles across four pillars. Voluntary but treated as supervisory expectations. The AIRG Guidelines explicitly preserve FEAT — paragraph 2.4 of the consultation paper states FEAT “continues to apply for guiding the use of AI in the financial sector.” The Guidelines complement FEAT; they do not replace it.

Veritas Initiative methodology and toolkit (2019-2023). A three-phase MAS-led consortium that operationalized FEAT through assessment methodologies. Phase 2 produced five white papers covering FEAT assessment, fairness, ethics and accountability, transparency, and practical implementation. Phase 3 delivered the Veritas Toolkit v2.0 — open-source software at github.com/veritas-toolkit that supports FIs running FEAT assessments. Seven major FIs piloted the integration: BNY Mellon, DBS, HSBC, OCBC, Singlife, Standard Chartered Bank, and UOB. The Veritas methodology remains the canonical implementation approach for FEAT.

Project MindForge (2023-March 2026). The Veritas successor. A 24-member consortium including banks, insurers, capital markets firms, consultancies, and technology partners. Phase 2 (November 2024 – March 2026) produced two operational deliverables that directly support AIRG Guidelines compliance:

• AI Risk Management: Executive Handbook (November 2025) — published at Singapore Fintech Festival. A practitioner-focused guide that explicitly maps to the proposed AIRG Guidelines. Living document; updates expected as final Guidelines publish.
• AI Risk Management Operationalisation Handbook (March 2026) — detailed implementation guidance with specific case studies. Includes Appendices C and D mapping the Handbook’s Considerations to AIRG Guideline sections.

Project MindForge concluded Phase 2 on March 20, 2026. Phase 3 has been signaled but not yet announced.

For an FI that has been operating against FEAT, deploying Veritas toolkit, and contributing to MindForge — the AIRG Guidelines should not require new infrastructure. They require codification of existing operational practices into supervisory artifacts: written policies, formal risk materiality assessments, board-level reporting, and capability documentation.

Where will the Guidelines be operationally binding?

MAS Guidelines occupy a specific status in the Singapore regulatory hierarchy. They are not statutory rules. They are supervisory expectations. In practice, three mechanisms make them binding:

1. Supervisory dialogue. MAS supervisors will reference the Guidelines in their thematic reviews and on-site examinations. Non-alignment with the Guidelines will trigger supervisory letters and corrective expectations. FIs that ignore supervisory letters face escalation up to formal enforcement under sectoral statutes.

2. Statutory enforcement powers. Where AIRG non-compliance contributes to a regulated event — a credit decision that violates fair lending obligations, an insurance underwriting decision that breaches Insurance Act obligations, a payment services failure under the Payment Services Act — MAS exercises its statutory enforcement authority. The Guidelines provide evidentiary structure for those cases. Non-aligned governance becomes a culpability factor in penalty calibration.

3. Authorization and licensing implications. Major changes to FI business models — new product approvals, license variations, expansion into new sectors — require MAS approval. Demonstrable AIRG alignment will be a precondition for approvals involving material AI use cases. Non-aligned FIs face slower approval timelines or denied applications.

The proportionality clause in paragraph 1.4 of the Guidelines means the supervisory expectation calibrates to FI size and AI usage scale. A small payment services provider with two AI use cases faces lighter expectations than a Tier 1 bank running fifty AI systems including agentic deployments. But proportionality does not relieve any FI of all expectations — every FI in scope must produce some version of governance documentation, risk materiality assessment, and lifecycle controls.

For foreign FI branches and subsidiaries, the consultation paper’s paragraph 1.5 provides flexibility: parent-entity AI risk management frameworks can be leveraged if they meet the AIRG expectations. This is operationally critical for branches of US, EU, and UK banks. Parent compliance with the Federal Reserve’s SR 11-7 (model risk management), the Basel Committee’s principles, the EU AI Act, or the FCA’s expectations typically gets most of the way there. Local sign-off in Singapore — typically by a named CRO or equivalent — remains required to evidence that the parent framework has been adapted to Singapore-specific expectations.

How does MAS compare internationally?

Three international comparators frame where Singapore sits.

EU AI Act + financial sector overlay. The EU AI Act applies to financial services AI deployments under Annex III Areas 5 (essential services and benefits, including credit) and 6 (law enforcement, including financial crime). Penalties under the AI Act regime reach up to €35 million or 7% of global annual turnover for prohibited practices. Member State competent authorities — often national central banks or financial regulators — implement the Act in their territories.

UK FCA approach. The FCA has not issued binding AI rules. It has issued substantial guidance through Discussion Paper DP24/1, AI Public-Private Forum outputs, and supervisory letters. UK approach mirrors Singapore’s pre-AIRG posture — guidance-heavy, voluntary on paper, supervisory in practice. The FCA explicitly references MAS FEAT in its DP24/1.

US Federal Reserve / OCC / FDIC + SEC. US prudential regulators apply existing model risk management frameworks (SR 11-7, OCC 2011-12 Bulletin) to AI. The SEC enforces under existing authorities; the SEC’s AI focus is on disclosure accuracy and investment adviser obligations. CFPB historically pursued algorithmic credit decisions but has reduced enforcement intensity since 2025.

Dimension	Singapore (proposed AIRG)	EU (AI Act + sector)	UK (FCA guidance)	US (existing frameworks)
Status	Supervisory expectations (when finalised)	Binding regulation + sectoral implementation	Guidance + supervisory expectation	Sub-regulatory; enforced under existing statutes
Coverage	All MAS-regulated FIs	All AI providers/deployers in EU + financial sector overlay	FCA-regulated firms	Banks, broker-dealers, advisers, payment firms
AI scope	Traditional AI + GenAI + agents	Same	Same	Same
Maximum penalty	Sector-statute penalties	€35M / 7% global turnover	FCA unlimited civil; sector-statute	Sector-statute (CFPB up to $1.5M/day; SEC unlimited)
Lifecycle controls codified	Yes (13 areas)	Partial (Articles 8-15 high-risk requirements)	No (guidance level)	Through SR 11-7 model risk lens
Transition period when finalised	12 months	Phased (Aug 2026 high-risk; longer for some)	N/A	N/A

Singapore’s positioning is distinct. It is the only major jurisdiction codifying AI lifecycle controls as supervisory expectations across an entire regulated sector without doing so through binding regulation. The result is operationally similar to EU AI Act compliance for high-risk financial services AI but maintains the flexibility advantages of supervisory-expectation framing — quicker updates as technology evolves, clearer FI ability to plead good-faith implementation.

A compliance roadmap for Singapore-licensed FIs

For FIs preparing for AIRG Guidelines publication during 2026, the path is concrete. The 12-month transition period after publication gives time to close gaps — but FIs that wait for publication before starting will run out of runway.

1. Inventory all AI use cases now. Build a comprehensive register of AI systems deployed across the institution — credit, market risk, fraud, customer-facing, operations, compliance, internal productivity. Most FIs discover at least 30% more AI use cases than they expected. The inventory is prerequisite for everything below.

2. Conduct risk materiality assessment per use case. Rate each AI system on consumer impact, financial impact, regulatory impact, and operational impact. The materiality rating drives proportionality of subsequent controls. Adopt MAS’s framing — “scale, scope, business model, risk profile” — verbatim.

3. Map existing FEAT and Veritas work to the 13 lifecycle control areas. FIs that participated in Veritas pilots (BNY Mellon, DBS, HSBC, OCBC, Singlife, Standard Chartered, UOB) will find substantial overlap. FIs that have not implemented Veritas-equivalent processes have the largest gap to close.

4. Adopt the Project MindForge Operationalisation Handbook (March 2026) as the implementation backbone. Appendices C and D map the Handbook to the AIRG Guidelines sections. The Handbook is open and free; it is the canonical practical guide. Use it as the audit framework for self-assessment.

5. Establish board-level AI governance reporting. At minimum: annual report on AI risk to the board for FIs with material AI deployment. More frequent reporting (quarterly, monthly) for Tier 1 institutions or those with rapid AI rollout. The reporting cadence should match the FI’s existing technology risk reporting cadence.

6. Build the third-party AI risk framework. Vendor due diligence, contractual controls, ongoing monitoring. This is the most-frequently-overlooked area in our 2024 supervisory thematic findings. Build it before MAS finds the gap.

7. Run pre-deployment testing including adversarial testing. Use Project Moonshot for LLM-based deployments — it is open-source and government-developed. Use Veritas Toolkit for traditional AI fairness assessment. Use IMDA’s Starter Kit for Safety Testing of LLM-Based Applications as a baseline.

8. Document everything. Reproducibility and auditability is one of the 13 control areas. Model cards, audit trails, version control, deployment records. The supervisory expectation is that an MAS examiner can reconstruct any AI decision path.

9. Address capability gaps. AI risk expertise in risk management, internal audit, and model validation. Hire, train, or contract — but document the capability assessment and remediation plan.

10. Engage MAS proactively. Singapore’s supervisory tradition rewards proactive engagement. FIs that share their AIRG implementation roadmap with their MAS lead supervisor before final Guidelines publication build supervisory goodwill that pays dividends through the transition period and beyond.

For broader context on Singapore’s AI governance ecosystem, see Singapore AI Governance: All Frameworks in One Place. For Singapore’s specific approach to agentic AI — relevant to FIs deploying AI agents in customer-facing or operational workflows — see Singapore’s Agentic AI Framework and Agentic AI Regulation: The Closing Gap in AI Law. For the EU comparator, see EU vs UK AI Regulation — the precaution-vs-innovation framing translates directly to the financial services context.

Sources

• Monetary Authority of Singapore. “Consultation Paper on Proposed Guidelines on Artificial Intelligence Risk Management for Financial Institutions.” Consultation Paper P017-2025, November 13, 2025. https://www.mas.gov.sg/publications/consultations/2025/consultation-paper-on-guidelines-on-artificial-intelligence-risk-management
• Monetary Authority of Singapore. “MAS Guidelines for Artificial Intelligence (AI) Risk Management — Media Release.” November 13, 2025. https://www.mas.gov.sg/news/media-releases/2025/mas-guidelines-for-artificial-intelligence-risk-management
• Project MindForge consortium. “AI Risk Management: Executive Handbook.” November 2025. https://www.mas.gov.sg/-/media/mas-media-library/schemes-and-initiatives/ftig/project-mindforge/mindforge-ai-risk-management-executive-handbook.pdf
• Project MindForge consortium. “AI Risk Management Operationalisation Handbook.” March 2026.
• Monetary Authority of Singapore. “Project MindForge — Phase 2 Conclusion.” Media Release, March 20, 2026. https://www.mas.gov.sg/news/media-releases/2026/mas-partners-industry-to-develop-ai-risk-management-toolkit-for-the-financial-sector
• Monetary Authority of Singapore. “Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector.” November 2018. https://www.mas.gov.sg/publications/monographs-or-information-paper/2018/feat
• Monetary Authority of Singapore. “Veritas Initiative.” https://www.mas.gov.sg/schemes-and-initiatives/veritas
• Veritas Toolkit. https://github.com/veritas-toolkit
• Eversheds Sutherland. “SINGAPORE — New Proposed Guidelines for AI Risk Management by Financial Institutions.” November 27, 2025. https://www.eversheds-sutherland.com/en/global/insights/singapore-new-proposed-guidelines-for-ai-risk-management-by-financial-institutions
• Association of Banks in Singapore. “Handbook on Generative AI Guardrails in Banking.” May 2025.
• MAS Notice 644 — Technology Risk Management.
• MAS Outsourcing Guidelines (most-recent revision).
• Federal Reserve / OCC. SR 11-7 / OCC 2011-12 Bulletin — Supervisory Guidance on Model Risk Management.
• Basel Committee on Banking Supervision principles applicable to AI in banking.

---

Reg Intel is not a law firm and does not provide legal services. This article is for informational purposes only and should not be relied upon as legal advice. Consult qualified counsel for your specific compliance situation.

Singapore Wave 2 — Deep Dives + EU Comparison

• Singapore AI Verify Testing Toolkit Explained
• EU vs Singapore AI Regulation: Binding Law vs Voluntary Frameworks