← Back to all briefings
Policy 8 min read Published Updated Credibility 92/100

Compliance Briefing — September 10, 2020

Implementation roadmap for MAS's Individual Accountability and Conduct Guidelines, detailing responsibility mapping, conduct risk controls, outsourcing governance, and leadership actions.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: The Monetary Authority of Singapore (MAS) finalised the Guidelines on Individual Accountability and Conduct (IAC) on 10 September 2020, establishing a senior manager accountability regime that requires banks, insurers, capital market intermediaries, and key payment institutions to document responsibility mapping, strengthen conduct risk controls, and demonstrate board ownership of culture outcomes. The regime demands visible, sustained leadership focus that links senior manager appointments, incentive design, and misconduct remediation to the specific risks and legal obligations borne by Singapore operations.[1]

MAS expects firms to be able to explain who is accountable for each critical function, what controls and delegations apply, and how governance arrangements ensure timely remediation. The guidelines highlight proportionality but stress that smaller institutions cannot treat accountability as a paperwork exercise; they must still maintain complete and current responsibility maps, evidence fair conduct standards, and integrate accountability into succession planning and outsourcing oversight. Implementation therefore requires cross-functional effort between compliance, risk, HR, and operational leaders, with explicit board endorsement.

Applicability and regulatory expectations

The IAC guidelines apply to MAS-regulated banks, merchant banks, insurers, reinsurers, approved trustees, capital market service licensees, designated financial holding companies, and systemically important payment institutions. MAS emphasises five outcomes: senior managers are clearly identified; their core functions are documented; conduct standards are reinforced; material risk-taking is controlled; and incentive structures discourage misconduct.[2]

MAS links the guidelines to existing fit-and-proper, outsourcing, technology risk, and business continuity requirements. Institutions should therefore demonstrate how accountability obligations interact with current board and management committees, control testing schedules, and regulatory reporting lines. The supervisor also expects FIs to brief MAS on implementation progress, especially where structural changes to reporting lines, service-level agreements, or product approvals are required.

Accountability mapping

Responsibility mapping is the cornerstone of the IAC regime. Each institution should produce a living accountability map that names senior managers, delineates their mandated functions, and records delegations to direct reports. The map should be granular enough for an independent reviewer to understand who is accountable for finance, risk, operations, technology, compliance, and front-office supervision in Singapore. RACI (Responsible, Accountable, Consulted, Informed) matrices help clarify shared functions such as operational resilience, data governance, and product suitability. Updates are required upon organisational changes, material outsourcing decisions, or geographic realignments.

MAS expects the map to be supported by role statements that align job descriptions, performance scorecards, and approval authorities. Documentation should cover acting arrangements, escalation triggers, and succession planning so that accountability is maintained during leadership transitions. Firms should link these documents to their human resource systems and board minutes to prove that appointments were vetted for fitness and propriety and that remit changes received governance approval.

Institutions should also maintain evidence of regular senior manager attestations. Semi-annual certifications that controls are adequate for the manager’s remit, coupled with control self-assessments and remediation plans, provide a defensible audit trail. Where responsibilities are shared across legal entities or branches, memoranda of understanding and service-level agreements should be appended to the accountability pack to confirm reporting lines, information flows, and escalation criteria.

Conduct standards

MAS articulates five conduct outcomes covering integrity, competence, due skill and care, proper treatment of customers, and effective management of conflicts. Senior managers must set the tone for these outcomes, ensuring that remuneration, onboarding, and disciplinary frameworks reinforce the standards. Training should emphasise expected behaviours in common scenarios such as client onboarding, product suitability, trading controls, technology change, and data privacy.

In practice, firms should align conduct risk frameworks with their operational risk taxonomy so that misconduct events—such as unauthorized trading, mis-selling, fraud, or data leakage—are captured, rated, and remediated consistently. Early-warning indicators (e.g., surveillance alerts, complaints, overdue reconciliations, control overrides) should feed dashboards that senior managers review. Where misconduct is substantiated, remediation plans must assign accountable owners, root-cause actions, and timelines, with progress reported to the board risk or audit committee.

Given MAS’s focus on culture, institutions should evidence challenge from control functions. Compliance and risk leaders should document how they test the effectiveness of conduct standards through thematic reviews, employee surveys, and mystery shopping. HR should ensure that grievance processes, whistleblowing channels, and retaliation safeguards are accessible and independent. Findings from these mechanisms should be mapped back to the accountable senior manager and, where necessary, to board-level oversight committees.

Implementation steps

A disciplined implementation plan is critical to meet MAS expectations. A phased approach helps teams deliver quickly while preserving quality:

  • Mobilise: Form a steering committee chaired by a C-suite sponsor, appoint a programme manager, and agree scope across legal entities. Create a central repository for role statements, maps, and attestations.
  • Assess gaps: Compare existing governance charts, product approval workflows, and outsourcing registers against the five MAS outcomes. Identify missing role statements, unclear delegation chains, and areas where committee mandates conflict with individual accountability.
  • Design controls: Draft role statements, delegation principles, and escalation protocols. Update policies on conduct risk, outsourcing, incident management, and technology change to embed accountability checkpoints.
  • Execute and evidence: Obtain board endorsement of the accountability map, issue senior manager attestations, and integrate accountability checkpoints into HR and risk systems. Capture meeting minutes, approvals, and training records as evidence.
  • Review and improve: Conduct post-implementation testing—covering scenario walkthroughs (e.g., cyber breach, trading loss, third-party outage), data lineage checks, and control sampling—to verify that accountable owners understand their duties and that escalation paths work.

Firms should maintain a regulatory engagement plan that highlights milestones, issues, and mitigation steps. Transparent updates to MAS demonstrate ownership and can mitigate supervisory concerns where structural changes take longer than expected.

Outsourcing and operational resilience

Accountability obligations extend to outsourced and intra-group service arrangements. Senior managers must confirm that service providers meet MAS Outsourcing Guidelines, technology risk requirements, and data localisation constraints. Responsibility maps should show which senior manager owns the vendor relationship, contract performance, business continuity planning, and incident escalation. When using regional shared services for finance, HR, technology, or trading operations, the accountable manager in Singapore should ensure that service-level agreements include right-to-audit clauses, clear recovery time objectives, and incident reporting requirements.

Operational resilience testing should align with accountability roles. Business impact analyses, disaster recovery exercises, and cyber tabletop tests should identify accountable owners for decision-making, customer communication, and regulatory notification. Lessons learned must be tracked to closure, with remediation actions tied to the responsible senior manager’s scorecard. Where critical third parties fail a resilience test, firms should document contingency options and contractual remedies.

Board oversight and incentives

Boards bear ultimate accountability for firm-wide culture and control effectiveness. Directors should challenge whether senior manager role statements reflect actual influence, whether committee terms of reference create ambiguity, and whether incentive structures reward sustainable conduct. Compensation committees should document how misconduct history and control deficiencies affect variable pay, including malus and clawback triggers. Audit and risk committees should receive aggregated conduct metrics, thematic review findings, and status of remediation plans tied to accountable owners.

Succession and talent processes should incorporate accountability criteria. Fit-and-proper assessments must evaluate track record on risk management, conduct, and team supervision. When interim appointments are necessary, boards should approve temporary accountability allocations and ensure handover packs capture ongoing remediation commitments. Directors should also commission independent assurance (e.g., internal audit or third-party reviews) to validate that accountability maps remain current after reorganisations or strategic shifts.

Data, reporting, and documentation standards

Reliable documentation is essential. Role statements, RACI matrices, committee charters, and outsourcing inventories should be version-controlled and centrally stored. Firms should align their accountability records with other regulatory submissions—such as Notices 649 (outsourcing), 655 (technology risk), and 644 (business continuity planning)—to ensure consistency. Management information dashboards should combine people data (appointments, attestations, training completion) with control data (incident counts, surveillance alerts, customer complaints) to provide a holistic view of accountability performance.

Senior managers should receive periodic analytics that highlight control themes by business line and function. Heatmaps showing process owners, open issues, and remediation deadlines improve transparency and enable boards to hold managers to account. When control failures occur, root-cause analyses should document whether accountability statements or delegations contributed to the lapse, and whether structural changes are needed to prevent recurrence.

Enforcement exposure and global alignment

MAS has signalled that it will use its existing powers—such as composition penalties, prohibition orders, and licence conditions—if institutions cannot demonstrate effective accountability. Persistent deficiencies in accountability maps, weak conduct dashboards, or poor follow-through on remediation may trigger targeted inspections. Firms should therefore rehearse how they will evidence compliance during supervisory visits, including presenting current role statements, attestation logs, and recent scenario test outcomes.

Global institutions should align Singapore accountability frameworks with other regimes such as the UK Senior Managers and Certification Regime and Australia’s Financial Accountability Regime. Consistency reduces the risk of conflicting delegations and facilitates cross-border incident management. However, local Singapore nuances—such as MAS expectations on technology risk, data classification, and outsourcing—must still be reflected in Singapore-specific role statements and committee charters.

Key takeaways for the next 90 days

In the near term, firms should: (1) complete refreshed accountability maps and role statements; (2) secure board sign-off and issue senior manager attestations; (3) embed accountability checkpoints into HR, risk, and outsourcing processes; (4) establish conduct dashboards with clear owners; and (5) schedule scenario testing that validates escalation and decision-making paths. Institutions that can produce clean evidence packs, show cross-functional ownership, and demonstrate board challenge will be better positioned for MAS engagement and for maintaining stakeholder confidence.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Singapore
  • MAS
  • Conduct risk
  • Accountability
  • Financial services
Back to curated briefings