The register is the audit.
And most registers do not survive an inspector reading them.
Notice 658 binds banks and merchant banks; the equivalent notices extend the same expectation across the other licence classes, and the TPRM consultation released 6 March 2026 (closed 20 April) proposes extending third-party expectations to every MAS-licensed FI plus a semi-annual register submission to the supervisor. The register is no longer an internal artefact you maintain in a spreadsheet between inspections; it is an evidence pack you ship to MAS twice a year.
The Toppan Next Tech third-party incident put third-party operational resilience back at the top of the MAS supervisory agenda. The 14 May 2026 revocation of a major payment institution licence for risk management failures put the rest of the market on notice: register gaps are now a supervisory action item, not a finding to remediate on next year’s audit cycle.
The standard response is a tooling project: stand up a third-party risk platform, send out questionnaires, populate the register from whatever vendors reply. A register assembled that way reads to the supervisor as the absence of due diligence, not the presence of it. The register that survives inspection is built from your contract repository up, not from a questionnaire response down.
One register. Two regimes.
One audit-defensible binder.
Notice 658 and the TPRM Guidelines share most of their control surface: classification, due diligence depth, board accountability, exit clauses, sub-processor flowdown, ongoing monitoring. Running them as two projects means reconciling two registers, two policy libraries, and two evidence taxonomies six months from now, when MAS asks for both.
We build one register and tag each control against both regimes, so the policy authoring happens once, the due diligence pack is written once, and the semi-annual submission and the annual audit draw from the same evidence layer. Where the two regimes diverge, the divergence is resolved in the document, not in your team’s head.
Four to six weeks.
One unified third-party programme.
- Weeks 1 to 2
Register reconstruction.
We build the complete third-party register from your contract repository, finance ledger, and IAM systems. Every material vendor in one taxonomy, classified by service criticality, data sensitivity, and the supervisor's outsourcing-grade test. Existing internal lists are a starting point, not a source of truth.
- Weeks 3 to 4
Due diligence pack.
We replace the Yes-No questionnaire with outsourcing-grade due diligence: SOC 2 review with reviewer notes, sub-processor flowdown, exit clauses tested against MAS expectations, and a residual-risk register the board can sign. Every material vendor gets evidence, not reassurance.
- Weeks 4 to 6
Notice 658 + TPRM mapping.
Each control mapped to its Notice 658 paragraph and its TPRM consultation clause in parallel. Where the two diverge, we resolve the divergence in the policy document with framework-specific language. The output is one register, two regimes, one inspector-ready binder.
- Throughout
Senior partner presence.
The partner who scoped is the partner who delivers. No analyst handoffs. Every MAS-fluent decision lands in the same room.
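As an added illustration of the register reconstruction and dual-regime tagging steps above (example code, not the page's own tooling or any client's data): the three evidence sources are unioned, every vendor that appears in any of them becomes a row, and the gaps an inspector looks for are flagged mechanically. The contract records, ledger rows, IAM principals, vendor names, the SGD materiality threshold and the materiality test itself are constructed assumptions; the Notice 658 paragraph and TPRM clause references are deliberately left out, since those belong in the policy document and are not on this page.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample evidence. Vendor names, services and amounts are invented.
CONTRACTS = [
    {"vendor": "CorePay Cloud", "service": "payment switch hosting", "data": "customer_pii",
     "exit_clause": True, "sub_processors": ["EastDC Hosting"], "flowdown": False},
    {"vendor": "DocFlow Ltd", "service": "statement printing", "data": "customer_pii",
     "exit_clause": False, "sub_processors": [], "flowdown": True},
    {"vendor": "Pulse Analytics", "service": "marketing analytics", "data": "internal",
     "exit_clause": True, "sub_processors": [], "flowdown": True},
]
LEDGER = [  # 12-month payments; a payee with no contract on file is a shadow vendor
    {"payee": "CorePay Cloud", "amount_sgd": 420_000},
    {"payee": "DocFlow Ltd", "amount_sgd": 95_000},
    {"payee": "QuickSign SaaS", "amount_sgd": 18_000},
]
IAM_EXTERNAL = [  # external principals holding access into the FI's estate
    {"vendor": "CorePay Cloud", "principal": "svc-corepay", "privileged": True},
    {"vendor": "Pulse Analytics", "principal": "ext-pulse-ro", "privileged": False},
    {"vendor": "ArchiveCo", "principal": "svc-legacy-archiver", "privileged": True},
]
EXISTING_REGISTER = {"CorePay Cloud", "DocFlow Ltd", "OldHost Pte"}  # the old spreadsheet

# Controls the page lists as shared by Notice 658 and the TPRM Guidelines. The
# paragraph and clause references are deliberately not modelled here.
SHARED_CONTROLS = ("classification", "due_diligence", "board_accountability",
                   "exit_clause", "sub_processor_flowdown", "ongoing_monitoring")
MATERIAL_SPEND_SGD = 50_000  # assumed materiality threshold, not a MAS figure


@dataclass
class Entry:
    vendor: str
    sources: list[str]            # which evidence systems know this vendor
    material: bool                # assumed test: PII, privileged access, or spend
    data_sensitivity: str
    gaps: list[str] = field(default_factory=list)
    controls: dict[str, list[str]] = field(default_factory=dict)  # control -> regimes


def build_register(contracts=CONTRACTS, ledger=LEDGER, iam=IAM_EXTERNAL,
                   existing=EXISTING_REGISTER) -> dict[str, Entry]:
    """Union the three evidence sources, then flag where they and the old register disagree."""
    by_contract = {c["vendor"]: c for c in contracts}
    spend: dict[str, int] = {}
    for row in ledger:
        spend[row["payee"]] = spend.get(row["payee"], 0) + row["amount_sgd"]
    iam_vendors = {r["vendor"] for r in iam}
    privileged = {r["vendor"] for r in iam if r["privileged"]}

    register: dict[str, Entry] = {}
    for vendor in sorted(set(by_contract) | set(spend) | iam_vendors | set(existing)):
        sources = [name for name, known in (("contracts", vendor in by_contract),
                                            ("ledger", vendor in spend),
                                            ("iam", vendor in iam_vendors)) if known]
        contract = by_contract.get(vendor)
        sensitivity = contract["data"] if contract else "unknown"
        material = (sensitivity == "customer_pii" or vendor in privileged
                    or spend.get(vendor, 0) >= MATERIAL_SPEND_SGD)
        entry = Entry(vendor, sources, material, sensitivity)

        if not sources:
            entry.gaps.append("stale: in register, no evidence in any source")
        if sources and vendor not in existing:
            entry.gaps.append("missing from existing register")
        if sources and contract is None:
            entry.gaps.append("no contract on file")
        if vendor in privileged and contract is None:
            entry.gaps.append("privileged IAM access without contract")
        if material and contract:
            if not contract["exit_clause"]:
                entry.gaps.append("material vendor: exit clause missing")
            if contract["sub_processors"] and not contract["flowdown"]:
                entry.gaps.append("material vendor: sub-processor flowdown not contracted")
        if material:
            # One control, tagged against both regimes, so evidence is collected once.
            entry.controls = {c: ["notice_658", "tprm"] for c in SHARED_CONTROLS}
        register[vendor] = entry
    return register


def gap_report(register: dict[str, Entry]) -> list[str]:
    """Flat list of 'vendor: gap' lines, the thing an inspector reads first."""
    return [f"{e.vendor}: {g}" for e in register.values() for g in e.gaps]


if __name__ == "__main__":
    for line in gap_report(build_register()):
        print(line)
```

The point of unioning rather than starting from the spreadsheet is visible in the output: the IAM source surfaces a privileged service account for a vendor with no contract and no payment, the ledger surfaces a paid-for SaaS with no contract, and the spreadsheet carries one vendor no source can corroborate. Each of those is a row the supervisor would find before you did.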
A register that survives.
Every inspection, every six months.
A third-party register your compliance team can defend on a fortnight’s notice. Not a spreadsheet you rebuild before each audit; a living artefact wired into vendor onboarding, contract renewal, and incident response so it updates by side-effect.
A semi-annual submission ready before MAS asks. When the TPRM Guidelines finalise and the submission cadence locks, you are already running the cycle; the work is the format, not the content.
A policy library that closes the gap between Notice 658, the TPRM Guidelines, and the wider operational resilience expectations the supervisor reads as one programme.
MAS-licensed FIs whose third-party register is older than the obligation.
Tier-2 and Tier-3 banks, merchant banks, payment institutions, capital markets services licence holders, and the SaaS platforms that serve them. The buyer is the Head of Compliance, the COO, or the CISO; the trigger is a supervisor letter, a board paper coming due, or a peer institution’s licence action that the chairperson read about over the weekend.
If your register was built for vendor onboarding and never rebuilt for inspection, this is what we built for you.
Three things this is not.
This is not a tooling implementation. We work alongside the third-party risk platforms in the market, but the register is built from your contract repository, not from a vendor’s template.
This is not a checklist exercise. The supervisor reads for evidence of judgement; we build evidence of judgement.
This is not a one-off. The TPRM cadence is semi-annual once the Guidelines finalise. We hand back a process, not just a binder.
Part of our Singapore practice. See the regulatory map →