MAS TRM Penetration Testing Requirements: What Fintechs Need to Know

MAS penetration testing requirements catch many Singapore fintechs off guard. When MAS examiners arrive, they ask not just whether testing was done — but who did it, how, when, what was found, and what was fixed. This guide covers exactly what MAS TRM §10 requires, what qualifies as compliant testing, and why your choice of penetration testing provider matters as much as the frequency of testing.

Who MAS TRM Applies To

MAS Technology Risk Management Guidelines (revised January 2021) apply to all MAS-regulated financial institutions — banks, insurers, capital markets intermediaries, payment service providers, and licensed fintech entities operating under the Payment Services Act. The guidelines set baseline expectations for technology risk management, including mandatory penetration testing.

For fintechs that hold a MAS licence — even a Class 1 or Class 2 Payment Services Licence — MAS TRM applies. Many early-stage fintechs underestimate this, assuming MAS compliance is only relevant to banks. It is not.

MAS TRM §10: Penetration Testing Requirements

Section 10 of the MAS TRM Guidelines covers cyber surveillance, security testing, and incident response. The penetration testing requirements within §10 include:

Annual Testing Frequency

Financial institutions must conduct penetration testing at least once a year. This is a minimum — institutions with higher risk profiles, those that have experienced incidents, or those operating internet-facing payment systems should test more frequently.

Post-Change Testing

Penetration testing must also be conducted after significant system changes. This includes major application releases, significant infrastructure changes, cloud migrations, and new API integrations. A single annual test does not satisfy MAS requirements if major changes occur between tests.

Qualified Testers

MAS §10.2 requires that penetration testers possess relevant competencies and recognised certifications. CREST is the most consistently referenced standard. Beyond CREST, all penetration testing firms in Singapore must hold a CSRO (Cybersecurity Service Provider Regulation Order) licence from CSA to legally provide these services. Engaging an unlicensed provider creates compliance risk that will surface during MAS examination — even if the testing itself was technically sound.

Scope Coverage

MAS expects testing to cover critical systems, internet-facing applications, APIs, and payment infrastructure. Testing a single low-risk internal application while leaving internet-facing systems untested does not satisfy the spirit of §10.

MAS Examination Tip: What MAS Examiners Actually Ask

During MAS technology risk examinations, expect questions such as: Who conducted your last penetration test? What certifications do they hold? Are they CSRO-licensed? What were the findings? What was remediated, and when? Ensure your CREST-accredited, CSRO-licensed provider produces documentation that answers all of these directly.

Defining Scope: What Fintechs Must Test

For a Singapore fintech, a compliant MAS TRM penetration testing scope typically includes:

  • Internet-facing web applications — customer portals, payment platforms, onboarding systems
  • APIs — open banking APIs, partner integrations, payment gateway connections
  • Mobile applications — iOS and Android apps if offered to customers
  • Payment infrastructure — any systems that touch payment processing or settlement
  • Cloud infrastructure — AWS, Azure, or GCP environments where data or systems are hosted
  • Internal network segments — particularly any with access to customer data or payment systems

The exact scope depends on your architecture. Work with your CREST-accredited, CSRO-licensed provider to map your critical asset inventory against MAS requirements before finalising scope.

Qualifying Your Penetration Testing Provider

MAS examiners evaluate not just whether testing occurred but whether it was credible. Two non-negotiables:

CSRO Licensing

Under the Cybersecurity Act, penetration testing is a regulated activity in Singapore. Only firms holding a CSRO licence from CSA can legally provide VAPT services. This is not a quality mark — it is a legal requirement. Verify your provider's CSRO status on CSA's public register of licensed cybersecurity service providers before engaging them.

CREST Accreditation and Certification

CREST-accredited firms and CREST-certified testers (CRT, CCT INF, CCT APP) provide the technical credibility MAS expects. Ask for the certifications of the specific testers assigned to your engagement — not just the firm's overall accreditation status.

Remediation and Tracking: The Part Most Fintechs Miss

Conducting the test is only half the requirement. MAS expects financial institutions to track remediation of findings and retest to confirm vulnerabilities are closed. Build this into your contract:

  • Establish a formal remediation timeline for critical and high findings (typically 30 days for critical, 90 days for high)
  • Assign ownership of each finding internally
  • Engage your provider for a formal retest before closing findings
  • Maintain a record of the original finding, remediation actions taken, and retest confirmation
  • Include this documentation in your information security management records for MAS examination
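The remediation register below is an added example, not part of the original post: it enforces the rules in the list above (the stated 30-day critical and 90-day high timelines, an assigned internal owner, recorded remediation actions, and closure only on retest confirmation) and emits the per-finding record an examiner would ask to see. The finding identifiers, owners and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Remediation SLAs as stated in the post: 30 days for critical, 90 days for high.
# Other severities need an SLA agreed in the contract; none is assumed here.
SLA_DAYS = {"critical": 30, "high": 90}


@dataclass
class Finding:
    finding_id: str
    severity: str          # "critical" or "high"
    reported: date         # date the provider reported the finding
    owner: Optional[str] = None
    remediation_actions: List[str] = field(default_factory=list)
    retest_confirmed: Optional[date] = None  # set only by close_finding()

    @property
    def due(self) -> date:
        return self.reported + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        if self.retest_confirmed is not None:
            return "closed"
        return "overdue" if today > self.due else "open"


def close_finding(f: Finding, retest_date: date) -> None:
    """Close a finding only when ownership, actions and a retest are all recorded."""
    if f.owner is None:
        raise ValueError(f"{f.finding_id}: no internal owner assigned")
    if not f.remediation_actions:
        raise ValueError(f"{f.finding_id}: no remediation actions recorded")
    f.retest_confirmed = retest_date


def examination_record(findings: List[Finding], today: date) -> List[dict]:
    # One row per finding: owner, deadline, current status and retest evidence.
    return [
        {"id": f.finding_id, "severity": f.severity, "owner": f.owner,
         "due": f.due.isoformat(), "status": f.status(today),
         "retest": f.retest_confirmed.isoformat() if f.retest_confirmed else None}
        for f in findings
    ]


def sample_register() -> List[Finding]:
    """Constructed sample findings (not real test results) to exercise the register."""
    f1 = Finding("F-01", "critical", date(2024, 1, 10), owner="Platform team",
                 remediation_actions=["Patched and redeployed payment API"])
    close_finding(f1, date(2024, 2, 1))           # retest confirmed, so closed
    f2 = Finding("F-02", "high", date(2024, 1, 10), owner="Web team")  # still open
    return [f1, f2]
```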

When Red Team Exercises Apply

MAS TRM also references adversary simulation exercises — what the industry calls red teaming. The MAS Adversarial Attack Simulation Exercise (AASE) framework provides specific guidance for significant financial institutions. If your fintech operates critical payment infrastructure or holds a significant volume of customer funds, red team exercises may be expected alongside annual penetration testing.

Red team exercises are distinct from standard VAPT: they simulate a full attack campaign targeting a specific objective (e.g., exfiltrating customer data or disrupting payment processing) using CREST CCSAM-led teams. They are more expensive and time-consuming than standard VAPT but provide a more realistic assessment of your security posture.

Documentation for MAS Examination

Every MAS-compliant VAPT engagement should produce the following documentation, retained for at least three years:

  • Signed scope agreement and rules of engagement
  • Full technical report with CVSS-scored findings and evidence
  • Management summary for board or audit committee
  • Remediation tracking record
  • Retest report confirming closure of critical/high findings
  • Provider's CSRO licence number and CREST accreditation certificate

At Infinite Cybersecurity, every engagement is designed to produce exactly this documentation chain. Explore our MAS TRM compliance services or review our VAPT offerings for fintechs.

Ready to Secure Your Business?

Our CREST-accredited, CSRO-licensed team delivers MAS TRM-compliant penetration testing with full documentation for regulatory examination.
