Why MAS Incident Reporting Matters
MAS-regulated payment firms face a strict incident notification regime. Failure to report on time — or submitting an incomplete report — can result in regulatory censure, increased supervisory scrutiny, and in severe cases, licence conditions. The 24-hour rule catches most payment operations teams off guard because it applies from when you first become aware of the incident, not when the root cause is confirmed.
What Triggers a Reportable Incident?
Under the MAS Technology Risk Management Guidelines (2021) and PSA reporting requirements, the following categories are reportable:
| Category | Threshold | Report to |
|---|---|---|
| System downtime | Any disruption >30 min affecting customer payment access | MAS via MASNET |
| Significant cyber attack | Any attack with material impact on systems or data | MAS + CSA (Cyber Security Agency) |
| Data breach | Unauthorised access/disclosure of customer PII or payment data | MAS + PDPC (under PDPA) |
| AML/CFT failure | Sanctions breach, failure to file an STR, or a known ML transaction processed | MAS + CAD (Commercial Affairs Dept) |
| Fraud losses | Any fraud resulting in customer financial loss >SGD 10,000 | MAS (and Police if criminal) |
The Timeline: T+0 to T+14 Days
- T+0 (within 1 hour of discovery): Initiate internal incident response. Activate your BCP if service is impacted. Notify senior management.
- T+0 (within 24 hours of discovery): Submit initial incident notification to MAS via MASNET. This does NOT need to include root cause — just what you know so far.
- T+14 days: Submit final incident report with full root cause analysis, impact assessment, customer impact, and remediation actions taken or planned.
- Within 5 business days of closure: Confirm incident is resolved and controls are in place.
What the Initial 24-Hour Report Must Include
The initial report does not need a root cause. MAS accepts uncertainty at this stage. Include:
- Brief description of what happened and when it was first detected
- Systems and services affected
- Estimated number of customers impacted
- Immediate containment actions taken
- Name and phone number of a contact MAS can reach
Do not wait for your IT team to confirm root cause before filing. A late report because you were "still investigating" is a compliance breach. File early with limited information and update MAS as you learn more.
The Final Report: What MAS Looks For
The T+14 report is where most firms lose points. MAS examiners look for:
- Honest root cause analysis — do not bury the actual cause in vague language
- Quantified customer impact — number affected, financial loss amounts, downtime duration
- Specific remediation actions with dates (not "we will enhance our controls")
- Lessons learned and systemic changes to prevent recurrence
- Regulatory cross-references — which MAS notices or guidelines the incident relates to
Common Mistakes That Trigger MAS Follow-Up
- Reporting at T+23 hours then attaching timestamps showing the incident was known at T-2 days
- Using passive language ("a system error was encountered") instead of stating the root cause in active terms
- Remediation actions with no timeline or owner
- Not disclosing customer financial losses in the initial report
- Failing to notify customers within MAS's required timeline (typically 24–48 hours for financial loss)
Key Takeaways
- The 24-hour clock starts when anyone in your firm first becomes aware — not when IT confirms root cause
- File the initial report with what you know; incomplete information is acceptable at T+0
- The T+14 final report must have specific dates, actions, and quantified impact
- Vague, defensive language in incident reports is the fastest way to trigger a MAS inspection
- Build MASNET access and incident report templates into your BCP before you need them