
From principles to practice: Maturing AI supervision in Singapore’s Financial Sector


Regulatory guidance on the use of artificial intelligence (AI) by financial institutions (FIs) in Singapore has evolved significantly in recent years.

Two recent guidance documents are particularly important. In November 2025, the Monetary Authority of Singapore (MAS) issued a consultation paper proposing a set of Guidelines on AI Risk Management (Guidelines), to guide FIs on the responsible use of AI.

In March 2026, the MAS published an AI Risk Management Toolkit. Central to the Toolkit is the AI Risk Management Operationalisation Handbook (Operational Handbook), which details a range of actions designed to implement the principles in the Guidelines.

Both documents set out concrete, albeit non-binding, recommendations that FIs in Singapore are expected to consider, as they adopt and scale up their AI use. Together, they mark a shift from principles-based guidance to supervisory-ready expectations, increasing the likelihood that MAS will assess AI governance as part of routine inspections and thematic reviews.

Evolving guidance on AI

The Guidelines and the Operational Handbook are the latest steps in a multi-year process of developing AI governance for Singapore’s financial sector.

In 2018, the MAS introduced the “FEAT” Principles (Fairness, Ethics, Accountability and Transparency), to promote the responsible use of AI in the financial services sector.

Following significant advancements in generative AI in late 2022, the MAS launched Project MindForge: a collaborative industry initiative to examine the risks and opportunities of this novel technology. Phase one of the project concluded in November 2023 with the publication of a risk framework, designed to enable FIs to use generative AI in a responsible manner. Phase two expanded beyond banking to include insurance and capital markets companies and culminated in the Toolkit, which we analyse below.

More recently, in November 2025, the MAS issued a consultation paper proposing the Guidelines. The Guidelines express MAS’s supervisory expectations relating to AI risk management in the financial sector. These expectations are informed by two trends: the growing pervasiveness and complexity of the use of AI within FIs, and the increase in associated risks, including hallucinations, security vulnerabilities, and infringements of personal data.

The Guidelines

The Guidelines set out MAS’s expectations in four key areas, summarised below. Preliminarily, the MAS proposes that the Guidelines should apply to all FIs, including banks, insurers, capital markets intermediaries, and payment services providers. While the final Guidelines remain pending, subject to the findings of the MAS’s consultation (which ended in January 2026), this preliminary draft offers a clear preview of the MAS’s thinking on AI governance.

1. AI oversight

An FI’s board of directors and senior management should maintain effective oversight of AI-related risks and foster an appropriate risk culture for the use of AI. Collectively, they are responsible for ensuring that an FI’s risk management frameworks, policies and practices are adequate to identify, assess and mitigate the risks created by the FI’s use of AI.

This expectation emphasises that AI risk is not a purely technical matter, but a matter of institutional governance, to be shaped by the FI’s senior leadership.

2. AI identification, inventories and risk assessment

An FI should ensure that its AI risk management framework includes systems, policies and procedures to enable the FI to identify and build an inventory of the FI’s uses of AI.

Based on this knowledge, FIs should conduct a risk materiality assessment of each instance of AI use, considering factors such as:

  • Impact – the potential consequences of failure or malfunction of the AI system or model on the FI, its customers and other stakeholders;
  • Complexity – depending on the AI technology, its application, and the data it uses;
  • Reliance – considering the level of autonomy granted to the AI system or model, and the degree of human oversight in the process that it supports.

Lastly, FIs must assign clear roles and responsibilities for these critical functions of identifying, inventorying, and conducting risk assessments of the FI’s uses of AI.

The Guidelines make clear that the insights gained from the above efforts should inform the development and application of AI lifecycle controls – the subject of the next section.

3. Lifecycle controls

An FI should implement robust controls covering the entire lifecycle of each AI use case, system or model: i.e. from inception to decommissioning. The Guidelines describe the nature of controls relevant to a wide range of AI risk areas, including the following:

  • Data management – Data used across an AI lifecycle should be fit for purpose and representative, and subject to robust data governance standards, including in areas such as data ownership, access controls, and intellectual property rights.
  • Transparency and explainability – An FI should determine the extent of transparency and explainability required of each instance of AI use according to its assessed risk materiality and establish relevant controls.
  • Human oversight – An FI should implement, and regularly review, controls to ensure appropriate oversight over an AI use case, system or model across its lifecycle. This includes equipping personnel assigned to monitor AI use with the necessary capabilities and authority, and designing AI systems to facilitate such oversight.
  • Third-party AI management – An FI should ensure that onboarding, development and deployment controls for third-party AI are adequate, given the risk materiality of each instance of third-party AI use. This requires a consideration of many factors, including assessing the transparency from third-party AI providers on how key risks are addressed in the development or deployment of their AI. In sum, reliance on third-party AI providers does not reduce an FI’s accountability in respect of the AI use case, system or model which it deploys.
  • Evaluation and testing – An FI should conduct evaluation and testing proportionate to the risk materiality of each instance of AI use.
  • Technology and cybersecurity risks – An FI should ensure that each AI system is deployed in secured IT environments; that access to AI components or infrastructure is appropriately controlled, such as through role-based access; and that adequate controls exist to mitigate third-party risks, such as cybersecurity issues or service disruptions.
  • Reproducibility and auditability – An FI should document the AI development process to ensure that an independent party, such as a reviewer or auditor, can understand and potentially replicate the implementation of an AI system or model, and its results.

4. AI Capability and Capacity

An FI should ensure the competence and proper conduct of personnel involved in developing or deploying its AI use cases. This includes proper recruitment, training, and regular reviews of programmes for effective AI risk management.

An FI must also ensure that its technology infrastructure is adequate, including in terms of resilience, safety and cybersecurity risks.

These expectations reflect the perspective that effective AI governance requires not only well-designed policies and controls, but also personnel and systems that are sufficiently robust to implement them.

5. Proportionality

The Guidelines emphasise that the application of their principles within an FI must be proportionate: commensurate with the size and nature of the FI’s activities, its risk profile, and its specific AI uses. In particular, if an AI use is an integrated part of an FI’s business process, a framework involving the four broad areas of risk management described above should apply. Otherwise, the FI may institute basic policies, commensurate with its level of AI adoption.

The Handbook: Operationalising AI governance

The AI Risk Management Toolkit, published in March 2026, represents the conclusion of Phase two of Project MindForge.

The Toolkit provides FIs with resources for managing AI-related risks across traditional AI, generative AI, and agentic AI technologies. Central to the Toolkit is the Operational Handbook, which offers detailed recommendations on implementing an AI risk management framework.

The Handbook is organised into four sections, which align with the Guidelines analysed above:

  • Scope and oversight – discusses how AI should be overseen in an FI, including the responsibilities for such oversight.
  • AI risk management – examines how FIs can measure, monitor and mitigate AI risks, by establishing policies, procedures and systems within their organisation.
  • AI lifecycle management – presents the key activities that may be applied to manage risks at each lifecycle stage of a specific AI use case.
  • Enablers – discusses the foundational capabilities, such as skills, knowledge, and AI infrastructure, necessary to support effective AI risk management.

Elaborating on the four sections are 17 “Considerations”: thematic recommendations intended to support an FI in operationalising AI governance. Supporting each Consideration are “Practices”: actions which, when taken appropriately to the FI’s context, can support the FI in implementing the Consideration. The Handbook elaborates on each Practice in further detail.

Importantly, the Handbook represents continuity with preceding guidance. It expressly builds on the FEAT principles and supports the implementation of the Guidelines. In sum, the Handbook extends the supervisory expectations described in these previous guidance documents into concrete and practical steps, to support their implementation.

Like the Guidelines, the Handbook emphasises proportionality. FIs should adjust their AI governance measures based on factors such as the FI’s business, the scale and nature of its AI use, and its risk appetite. FIs should also apply measures only as relevant to the AI technology they use, and their specific deployment.

How Hogan Lovells can assist

Collectively, the Guidelines and the Operational Handbook emphasise that AI governance is no longer a theoretical concern. It is an urgent operational priority – one that MAS expects FIs to address proactively as they adopt and scale their AI use.

Hogan Lovells has extensive experience in advising on AI governance, related areas such as information privacy and cybersecurity, and other areas of corporate risk and compliance such as sanctions and export controls. We are well-placed to assist FIs in the following:

  • Reviewing AI policies and governance frameworks to ensure their compliance with the principles and requirements set out in MAS’s evolving guidance.
  • Supporting the processes of AI identification, inventory creation, risk materiality assessment, and the design of appropriate lifecycle controls.
  • Advising on the application of MAS’s expectations as they relate to a novel or emerging AI technology, or its specific deployment within an FI.
  • Advising on compliance with data protection and cybersecurity laws in AI use cases, including lawful collection, use, and disclosure of personal data.
  • Supporting third-party AI risk management, including vendor due diligence, risk allocation, and contractual protections for AI-enabled services.

 

 

Authored by Nick Williams, Han Liang Lie, Charmian Aw, and Ciara O’Leary.
