MAS’ New Guidance on Data Governance and Management: How to Respond

On May 29, 2024, the Monetary Authority of Singapore (MAS) issued new guidance on data governance and management practices for banks and financial institutions. This guidance stems from MAS’s inspections and aligns with the Basel Committee’s Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS 239). It calls for stronger data governance frameworks, robust data management controls, and clear board‑level oversight—especially critical in risk aggregation and reporting.

MAS has long been viewed as a bellwether regulator, and its evolving approach informs global thinking across the financial services industry, from central banks to fintech innovators. As global financial sector leaders face an increasingly complex regulatory framework, including digital transformation, technology risk, and cybersecurity threats, MAS’s guidance offers a forward-looking blueprint for technology risk management, information security, and regulatory requirements more broadly.

In this blog, we’ll walk through MAS’s new guidance, explore how it intersects with emerging global standards, and share best practices—anchored in data governance—with lighter coverage of cybersecurity, outsourcing, supply chain, and data protection. We’ll conclude with a solution spotlight on how a modern data catalog can drive sustained compliance and resilience.

Key takeaways

• MAS’s guidance reaffirms global expectations for board oversight, governance frameworks, and data quality controls.

• Alignment with BCBS 239 helps embed risk assessment, sensitive data protection, and data lineage into compliance.

• MAS TRM guidelines reinforce cybersecurity, access controls, and vulnerability management as part of data governance.

• Managing outsourcing, cloud service, service providers, and API dependencies is key to mitigating technology risk.

• A data catalog supports audit‑ready evidence, mapping MAS controls, and sustaining MAS compliance in a digital transformation era.

MAS’s new guidance on data governance

MAS’s 2024 guidance emphasizes the need for board and senior management oversight of data governance—requiring regular updates on data quality and issues that impact financial and risk reporting. While many institutions already have data management offices, MAS insists on clearly defined roles, mandates, and escalation mechanisms to monitor and enforce data quality. This is central to global regulatory requirements, reinforcing the central bank’s mandates for governance and compliance across digital business operations.

Indeed, MAS inspections revealed critical issues in many financial institutions, including:

• Inconsistent and incomplete data

• Weak board oversight in data governance

• Siloed data systems that hinder risk data aggregation

• Inadequate data quality management leading to inaccurate reporting, especially in the context of regulatory compliance frameworks like BCBS 239

To address these gaps, MAS recommends:

1. Board and Senior Management Oversight: Boards must actively oversee data governance practices.

2. Data Quality Management: Implement robust data quality controls, including automated validation and reconciliation.

3. Clear Governance Structures: Establish governance councils and a stewardship framework to ensure accountability.

4. Escalation Mechanisms: Establish processes for quickly addressing and correcting data issues.

MAS sets a tone that resonates globally: as the financial regulator driving a regulatory framework that intersects BCBS 239, cybersecurity standards, and technology risk, it exemplifies the multi‑faceted approach institutions must take to manage technology risk management, data protection, and anti‑money laundering oversight—all while safeguarding sensitive data in a financial ecosystem rife with cyber threats.

MAS TRM guidelines: Strengthening cybersecurity and technology risk management

MAS’s Technology Risk Management (TRM) guidelines complement its data governance directive by spotlighting cybersecurity, vulnerability management, and access controls. These guidelines require institutions to strengthen their security posture through rigorous security controls and security standards, particularly around unauthorized access, threat detection, and service providers.

As financial firms pursue digital transformation, TRM guidelines serve as a guardrail—requiring risk assessment, information security, and technology oversight alongside data governance. MAS’s holistic approach illustrates that data quality isn’t sufficient if the underlying systems and networks aren’t resilient to cyber threats.

The role of risk assessment in the financial sector

The financial sector faces interconnected risks: escalating cyber threats, regulatory scrutiny, technological complexity, and evolving business operations models. MAS and global regulators require institutions to conduct continuous risk assessments that span technology risk, cybersecurity, and data governance.

The IMF underscores that improved cyber‑related governance—including board-level oversight, antimalware, and multifactor authentication—can reduce cyber risk, especially when paired with inter‑institution information sharing (IMF). MAS’s expectations for governance frameworks must include ongoing risk assessment of vulnerability, unauthorized access, and evolving threats.

Data protection, sensitive data, and preventing data breaches

Data breaches in the financial services sector are both more frequent and more costly: in 2024, the average cost of a financial sector breach rose to US $6.08 million, up 3% year-over-year (vs $4.88 million across all sectors) (MarketWatch, metomic.io). Moreover, about 75% of financial services organizations have experienced at least one breach in the past five years—higher than the two-thirds average across all industries (BizTech Magazine).

In light of these risks, MAS expects institutions to manage sensitive data proactively—through data protection, robust risk assessment, and governance frameworks that include information security, access controls, and real-time monitoring of anomalies. Data governance must be inseparable from security posture.

Evolving cyber threats in the financial ecosystem

The financial services ecosystem remains a prime target for cybercrime. In 2024, 54% of global financial institutions experienced cyber-attacks that destroyed data—up 12.5% from 2023 (fsisac.com, infosecurity-magazine.com). This destructive trend is driven by ransomware, vulnerability exploitation, and elaborate attack models (e.g., Initial Access Brokers, Phishing-as-a-Service) (blog.sekoia.io).

As institutions adopt fintech platforms, increasingly outsource operations, and accelerate digital transformation, they expand attack surfaces. Effective data governance must thus integrate defensive measures, align with MAS TRM guidelines, and maintain ecosystem-wide security posture.

Managing outsourcing, service providers, and the supply chain

The shift to cloud services, APIs, and digital ecosystems means that institutions rely heavily on outsourcing and complex supply chains. MAS, like other global financial regulators, expects firms to manage the risks associated with service providers and third-party dependencies.

Recent evidence underscores this: the European Central Bank found that ~10% of critical functions across banks failed to meet regulatory standards, and just under 18% of critical outsourcing providers could be easily replaced (Thales Cyber Security, Financial Times). This highlights systemic vulnerability—particularly as banks rely on a narrow set of providers, many outside their jurisdiction.

Financial institutions must therefore govern not only internal data practices but also the supply chain, cloud service workloads, and API connections, ensuring security controls flow through every link and remain compliant with MAS regulations and broader regulatory requirements.

Ensuring ongoing MAS compliance with catalog-backed practices

MAS’s guidance is not a one-time checklist—it’s a continuous compliance imperative across financial services ecosystems, calling upon data leaders to:

• Enable fully automated, real-time control monitoring: Using Alation, institutions gain live visibility into data quality, lineage, security alerts, and policy compliance—ensuring instant detection of MAS-related risks.

• Map MAS controls to specific metadata assets: Align MAS requirements—board oversight, data quality thresholds, lineage—to actual datasets, cloud workloads, APIs, and outsourced operations.

• Maintain audit-ready evidence through automated metadata collection: Governance actions, lineage changes, control anomalies, and resolution steps are captured in an immutable metadata registry—ready for audit by MAS or other regulators.

• Continuously validate controls against MAS frameworks: As MAS TRM or data governance standards evolve, Alation enables calibration of policies and monitoring workflows to ensure compliance stays current.

With a catalog-backed approach, institutions can operationalize MAS requirements across the compliance lifecycle—including data protection, technology risk management, cybersecurity, and outsourcing.

BCBS 239 and the role of a data catalog

BCBS 239 or the "Basel Committee on Banking Supervision's Principles for Effective Risk Data Aggregation and Risk Reporting", is a regulatory framework that sets out guidelines for banks to improve their risk data aggregation capabilities and risk reporting practices. Its primary goal is to ensure that banks can produce accurate, timely, and comprehensive risk data, which is crucial for managing financial risks and making informed decisions, especially during times of stress.

​​The Monetary Authority of Singapore’s (MAS) 2024 guidance on data governance and management aligns closely with the principles of BCBS 239. MAS has taken a more focused approach to data governance, emphasizing key areas of improvement that many banks in Singapore still need to address. Both share common goals around strengthening data governance, improving data quality, and ensuring accurate reporting.

Alation helps leading financial services organizations across the globe to establish a solid foundation of trust in data across the organization. Data consumers are empowered to find, understand, and use data with confidence, knowing it is well-governed and aligned with the compliance standards. Alation’s platform supports compliance with BCBS 239 by:

• Helping organizations define and enforce their data governance framework in a simple and automated manner. 

• Automatically ingesting metadata from enterprise applications, creating a centralized catalog of critical data elements.

• Providing granular technical and business lineage for transparent reporting.

• Monitoring data quality metrics and flagging issues in real-time for rapid escalation.

• Supporting the definition and management of critical data elements (CDEs) for risk data reporting

• Helping validators from an auditing standpoint

By providing a comprehensive view into Critical Data Elements (CDEs) Alation helps businesses comply with critical regulations.

Let’s explore the other ways in which a data catalog can help bank leaders in Singapore respond to MAS’ new imperative.

How a data catalog can help banking leaders report on governance metrics

One issue highlighted by MAS was the lack of detailed reporting on data quality across business units (BUs) and support units (SUs). Alation helps document key data risk indicators, enabling organizations to collaboratively define data quality policies with input from all stakeholders. It provides visibility into critical data issues, flags them for the relevant teams, and ensures that the workforce is trained and compliant with established policies. This can be applied across all business units, reducing the risk of unnoticed low data quality scores.

Alation also overlays the data quality scores on the lineage graphs, ensuring users have visibility on key issues impacting business functions:

Alation’s Data Quality processor empowers business users with DQ metrics from Databricks or Snowflake in a single, consistent view within Alation

US financial services company Oportun used Alation to enhance data governance and compliance reporting by identifying key data users as stewards responsible for managing sensitive information and regulatory compliance. Their Data Management and Business Intelligence team created a self-service model for SEC reporting, replicable for other state compliance needs as the company expands. By capturing critical SEC metrics in a single catalog article, protected through strict permissions, the bank ensures data accuracy and security. Trust Flags further inspire confidence in the data, allowing leaders to focus on business strategy rather than data quality.

Addressing data lineage with a data catalog

MAS found that many banks have incomplete data lineage, with gaps in end-to-end tracking. Alation’s platform offers a holistic, detailed view of data lineage, including technical and business layers, and can enrich data lineage with data quality overlays and policy indicators. This enables banks to maintain complete and accurate lineage tracking for critical data elements, ensuring compliance with regulatory requirements.

For example, Singapore’s GXS Bank relies on Alation’s lineage capabilities to trace back source tables and understand downstream impact as part of enabling users to better understand and discover their data assets.

Improving data quality with a data catalog

MAS observed that many banks use generic thresholds for data quality, which may not reflect the unique importance of certain data fields. Alation allows banks to customize data quality thresholds, ensuring more critical fields like customer names receive higher scrutiny than less critical ones. It also helps aggregate data quality results across units, providing a complete view of data quality performance at the entity level:

Alation's business lineage feature simplifies lineage to ease comprehension for business users.

Each business's data quality needs are unique, depending on its goals, industry, and data use cases. For this reason, businesses need the freedom and flexibility to partner with data quality vendors best suited to their needs. Alation has partnered with a range of best-in-class data quality vendors to support its Open Data Quality Framework so that customers can easily integrate the DQ solution of their choice into the data catalog. 

Conclusion

MAS’s guidance reinforces that strong data governance is now inseparable from an institution’s security posture, technology risk management, and ecosystem resilience. As a bellwether regulator, MAS’s approach—combining governance, BCBS 239 alignment, TRM, and outsourcing oversight—is shaping expectations globally.

For financial services leaders—whether central banks, global banks, insurers, or fintech firms—the message is clear: you cannot separate digital transformation from structured governance, risk assessment, and data protection. Embracing modern frameworks, such as a data catalog, equips your institution to meet MAS regulations and stay resilient in a rapidly evolving threat landscape.

Interested in how Alation can help you achieve data governance excellence with embedded security and compliance? Request a demo today.