Singapore’s financial sector is becoming more digitally interconnected as banks expand cloud usage and scale AI across core functions. These shifts introduce new forms of systemic risk that regulators globally are now addressing. MAS has moved early to strengthen technology governance, anticipating the operational and cross-border implications of this evolution.

In this context, Vincent Loy, assistant managing director (technology) and chief technology officer at MAS, outlines how the regulator is raising expectations on operational resilience, tightening AI governance and guiding the industry toward quantum-safe readiness.

Raising the bar on operational resilience

Cloud adoption has become foundational to banks’ transformation agendas, but MAS is clear that this shift changes—not reduces—the nature of risk.

“While cloud technologies bring significant benefits in terms of scalability and innovation, they also introduce new challenges relating to dependencies and potential points of failure,” Loy said. “We give great importance to FIs needing to be cyber secure and operationally resilient, and we expect them to proactively manage the corresponding risks.”

MAS reiterates that outsourcing does not dilute an FI’s accountability. Loy emphasised that FIs remain wholly accountable for the resilience of services delivered through external parties and for the outcomes experienced by customers, regardless of the provider operating the underlying infrastructure. In practice, this means they must demonstrate the ability to maintain service continuity even when critical functions depend on cloud service providers or other third-party operators. Effective due diligence, rigorous oversight mechanisms, strong business continuity plans and well-defined exit strategies are essential components of this responsibility.These expectations are codified in MAS’ Outsourcing Guidelines, the sector’s key reference for managing third-party and cloud risks.

Enhancing sector-level collaboration

To address the systemic nature of cloud dependence, MAS established the Financial Sector Cloud Resilience Forum (FSCRF) in 2023. The forum strengthens collaboration between regulators and global cloud service providers by setting expectations and aligning approaches to technology risk and cyber security. Loy noted that the forum allows MAS and industry stakeholders to co-create safeguards.

He added that the forum helps initiate concrete resilience-building measures between financial regulators and CSPs, reflecting MAS’s view that sector-wide cloud dependency requires sector-wide safeguards. This mirrors responses from major jurisdictions where regulators increasingly view cloud concentration as a systemic issue, not merely an outsourcing category.

Looking ahead, the Digital Infrastructure Act (DIA), enacted by the Ministry of Digital Development and Information, will regulate systemically important digital infrastructure such as major cloud service providers (CSPs) and data centres. Together, the Outsourcing Guidelines, FSCRF and DIA constitute a multi-level framework for strengthening cloud resilience.

Expectations for multi-party incident response

As cloud dependence increases, coordinated multi-party response capabilities become critical. MAS expects banks to prepare for complex cyber incidents that unfold across multiple institutions or jurisdictions. Loy said that FIs must be able to activate response plans quickly and coordinate across organisational boundaries. Institutions should maintain well-defined communication protocols, escalation procedures and collaboration mechanisms.

MAS places strong emphasis on testing. Exercises such as Exercise Raffles—run with the Association of Banks in Singapore (ABS)—simulate cyber-attacks, outages and operational disruptions. MAS also conducts cross-border simulations with the US Treasury and French authorities.

In some scenarios, MAS has required institutions to operate from alternate sites for an extended periods to demonstrate sustained operations, not just short-term failover. On a global level, MAS has contributed to harmonising incident reporting via the Financial Stability Board’s (FSB) Format for Incident Reporting Exchange (FIRE) standard, which aims to strengthen response capabilities and simplify cross-border coordination.

Promoting timely intelligence sharing

These response expectations are closely linked to how the sector shares information and coordinates during active threats. MAS works closely with the ABS and insurance associations, as well as the Financial Services Information Sharing & Analysis Center (FS-ISAC), to circulate timely insights on emerging threats. MAS’ internal research and intelligence (R&I) team supplements this by distributing additional threat intelligence to FIs.

Domestically, Loy highlighted how MAS works through domestic structures such as the Standing Committees on Cyber Security (SCCS) for the banking and insurance sectors, established in 2013 and 2015. He said that MAS collaborates closely with these committees to share threat intelligence and pursue joint cyber-risk initiatives, including red-teaming guidelines, cloud implementation standards and industry-wide penetration testing exercises.

Internationally, Loy noted that MAS has entered cooperative cybersecurity agreements with the US Treasury, United Kingdom authorities, French financial regulators, Bank Negara Malaysia, and the Hong Kong Monetary Authority, creating structured channels for tactical and strategic information sharing. These arrangements reflect MAS’s recognition that cyber incidents increasingly span multiple institutions and jurisdictions, making structured cross-border information-sharing essential.

“Cyber threats are a collective challenge that requires a coordinated response across the entire financial ecosystem,” Loy emphasised.

Ensuring responsible AI adoption and data governance

As banks push AI systems into production—not just pilots—MAS is refining its expectations for governance, explainability and oversight. Loy said that the regulator's newly issued consultation paper on Guidelines on AI Risk Management outlines supervisory expectations across AI lifecycle controls, model governance and organisational capabilities, covering technologies including generative AI and AI agents.

MAS emphasises that the level of explainability and accountability must scale with the risk and context of the AI use case. Loy highlighted that use cases with significant customer impact—such as credit scoring, insurance underwriting, financial advisory or fund management—require far higher standards of transparency.

Loy noted that MAS considers the degree of AI autonomy an important determinant of explainability, particularly where the model plays a significant role in the final decision rather than serving as an input for human review. For such use cases, he said institutions should pay close attention to the features or attributes used in their models and justify their relevance, ensure users within the institution can identify key drivers of the output, inform customers when AI is used in decisions that affect them, and maintain clear channels for redress.

Model and data governance

For MAS, effective AI governance begins at the top. Loy explained that boards are expected to approve overarching AI governance frameworks, incorporate AI-related risks into their risk appetite statements and build sufficient understanding of AI technologies to exercise proper oversight. Senior management is responsible for embedding AI governance throughout the organisation by enforcing policies, establishing clear escalation pathways for AI-related incidents and ensuring adequate staffing and expertise.

High-risk models, Loy noted, require regular monitoring for drift, bias or performance degradation, alongside periodic independent validation to ensure robustness throughout the lifecycle. Loy stressed that strong AI outcomes rely on strong data foundations. Institutions must ensure that datasets are representative and fit for purpose, supported by comprehensive documentation and lineage tracking. Privacy safeguards and well-managed access controls are also essential to prevent misuse and maintain the integrity of AI models. In Loy’s view, poor data governance not only undermines model performance but also increases the risk of biased outcomes at scale as AI systems become more embedded in core financial processes.

Preparing for the quantum-safe transition

Alongside AI supervision, MAS is accelerating its work on quantum-safe readiness. Ahead of perceived threats to current cryptographic systems, MAS has taken a proactive stance, conducting trials on both Quantum Key Distribution (QKD)—a technology that uses quantum mechanics to securely generate and exchange encryption keys—and Post-Quantum Cryptography (PQC), a new class of cryptographic algorithms designed to remain secure even against future quantum computers.

The QKD sandbox— conducted with DBS, HSBC, OCBC and UOB, alongside SPTel/SpeQtral—validated the potential of quantum-safe technologies in securing sensitive communications. Loy explained that MAS and participating banks used a QKD solution to demonstrate that highly sensitive data could be securely exchanged between institutions and MAS.

Loy noted that the sandbox revealed several operational realities. QKD security assurance still requires strengthening, particularly around tamper-resistant trusted nodes and multi-layer safeguards in shared environments. Interoperability remains a challenge, as different QKD providers use varying standards that may not integrate seamlessly across borders or within a bank’s existing infrastructure. Loy acknowledged that the cost and technical complexity of deploying QKD are considerable, necessitating careful planning and strong senior-level support.

He further emphasised that QKD’s practical value today is clearest in fixed, point-to-point use cases—such as links between an FI’s primary and secondary data centres—where controlled physical environments and dedicated fibre make operational deployment more feasible. This puts MAS among the few regulators globally conducting applied experiments rather than treating quantum risk as a distant academic concern. Loy encouraged institutions to consult MAS’ detailed QKD technical report published in September 2025, which outlines operational considerations for future deployment.

Next steps toward scalable QKD deployment

Following the QKD sandbox, participating institutions have outlined next steps to determine whether the technology can be operationalised more broadly. Loy said that QKD providers and telcos should develop detailed rollout playbooks, including compliance frameworks and key-management procedures. Banks will need to prepare internal business cases for quantum investments and may consider tapping schemes such as MAS’ Financial Sector Technology & Innovation Scheme (FSTI) 3.0 Quantum Track.

Loy also highlighted the importance of building internal expertise. Banks should train IT and cybersecurity teams, draw on external experts where necessary, and run proof-of-concept trials to gain hands-on experience, he said. Providers will need to refine security standards for trusted nodes and continue developing interoperability protocols to minimise integration challenges.

“Continued collaboration between FIs, QKD providers, telecommunications companies and regulators will be essential,” Loy stressed.

Balancing PQC and QKD: a complementary approach

MAS views PQC and QKD as serving different but mutually reinforcing roles. Loy explained that PQC is particularly well suited to digital signatures, authentication and software-based environments because it does not require specialised hardware. QKD, conversely, is ideal for high-sensitivity, point-to-point communication channels where the physical guarantees of quantum mechanics provide a meaningful advantage.

He said that institutions should adopt a risk-based prioritisation model that evaluates data sensitivity, operational impact and cost. According to Loy, PQC is expected to form the foundation of most quantum-safe migrations, while QKD will serve as an additional layer of protection for the most critical communication channels.

Prioritising systems and data in a migration plan

MAS’ quantum advisory, issued in February 2024, recommends that FIs begin their transition by establishing a comprehensive inventory of cryptographic assets, identifying vulnerable algorithms, mapping system locations and assigning ownership responsibilities. Loy said that this inventory allows institutions to assess crypto-agility and identify where infrastructure upgrades may be needed. He emphasised that part of this assessment involves determining whether existing systems can support quantum-safe algorithms seamlessly—a capability MAS refers to as “crypto-agility”—or whether they require fundamental redesign.

He noted that institutions should prioritise the systems that protect their most sensitive or enduring data—particularly in light of “harvest now, decrypt later” threats, whereby adversaries capture encrypted information today with the intention of decrypting it once quantum capabilities advance. The implicit supervisory warning is that delayed preparation increases long-term vulnerability, even if quantum disruption appears years away.

A holistic regulatory posture for a digital era

MAS’s tightened expectations reflect a maturing digital financial system—one in which operational resilience, AI accountability and quantum-safe preparedness are becoming essential supervisory priorities.

Loy’s message is clear: institutions must strengthen governance as they deepen their use of cloud, AI and emerging technologies, and build the capabilities needed to manage the risks that accompany them. As technology becomes more embedded in core operations, MAS expects firms to take a proactive, well-governed approach—supported by continuous testing, clear accountability and close coordination across the industry.