Regional thought
leadership.
Analysis from the people sitting the exams, chairing the panels, and running the programmes. Written for practitioners, without the vendor agenda.

CPS 230 and what Australian boards now actually own
APRA's Prudential Standard CPS 230 took effect on 1 July 2025. The substance is less about new paperwork and more about a clearer line of accountability that ends at the board table.

MAS technology risk and the one-hour clock
Singapore's technology risk regime is among the most prescriptive in the region. The one-hour incident notification is the most visible obligation, but the supervisory expectation behind it is broader.

HKMA OR-2 and the May 2026 operational resilience milestone
The HKMA's Supervisory Policy Manual module OR-2 set a three-year transition that ends in May 2026. From that point, authorised institutions are expected to be operationally resilient, not merely on the journey.

Japan's FSA cybersecurity guidelines and the Zengin lesson
The Japan FSA's revised cybersecurity guidelines, finalised in October 2024, raise the bar for boards, third-party oversight and resilience testing. Recent incidents have shaped that bar.

India's converging regime on IT governance, outsourcing and DPDP
The RBI's IT Governance Direction took effect on 1 April 2024, the IT outsourcing master direction is in force, and the DPDP Act is being operationalised. Together they reshape resilience expectations for Indian financial firms.

Pacific cables and the cost of single-thread connectivity
Most Pacific Island states are connected to the global internet by one or two submarine cables. The Tonga cable break of 2022 showed what a single fault means for financial services, government and humanitarian response.

AI governance for APAC finance, from FEAT to generative AI
MAS, HKMA and peer regulators set the early benchmarks for AI in financial services. The generative AI wave has now pulled those frameworks into resilience and third-party risk territory.

Korea's Kakao fire and the FSC's tightening of digital resilience rules
The October 2022 Pangyo data centre fire disrupted KakaoTalk and Kakao-linked financial services for days. Korea's response has reshaped digital resilience supervision for the sector.

APAC cloud concentration and the shared-region problem
A small number of hyperscaler regions host a large share of APAC financial workloads. Regulators across the region are converging on the same question: what happens when one of them fails.

Taiwan, the Matsu cable cuts and the island connectivity question
Two undersea cables to the Matsu Islands were severed within days of each other in February 2023. The disruption ran for weeks and reframed how Taiwan thinks about connectivity resilience.

Malaysia's BNM RMiT and the third-line question
Bank Negara's Risk Management in Technology policy has been in force since January 2021. Supervisory focus has moved from framework design to whether the three lines are working as intended.

Philippines BSP Circular 1198 and the operational resilience framework
The Bangko Sentral ng Pilipinas issued its operational resilience framework in September 2024. It pulls the Philippine financial sector into the same supervisory direction as the wider region.

Indonesia's OJK and the digital bank stress test
OJK's POJK 11/2022 on IT risk for commercial banks and the broader digital banking guidance have set a clear bar. The supervisory question now is whether the framework holds under real stress.

Basel's operational resilience principles, five years on
The Basel Committee published its Principles for Operational Resilience in March 2021. APAC implementation has converged on a recognisable shape, with sharpening edges on tolerance and testing.