The resilience landscape for financial institutions in Southeast Asia
Southeast Asia is at the cutting edge of digital transformation. The region’s digital economy is forecast to triple in value to $1 trillion by the end of the decade. But accompanying that rise has been a no less conspicuous surge in cyber threats.
According to this year’s Allianz Risk Barometer, cyber incidents represent the most important business risk in Asia Pacific, demonstrated by a persistent uptick in cyberattacks.
In 2025, local businesses faced more than 18 million malicious attacks, according to Kaspersky. Malaysia alone faced more than 3 million. Organizations in Thailand and Singapore faced more than 1 million each.
The volume of incidents isn’t the only pressing challenge. Their sophistication is, as well. Generative AI (genAI) has transformed the scope of the cyber threat. Unsurprisingly, AI now rates as the second most important business risk in the region, findings echoed at the national level.
Regional risk profiles: Shifting top-tier threats
- Hong Kong: In 2026, cyber incidents are the top business threat (up from seventh in 2025), followed closely by AI, previously unranked.
- Singapore: Cyber incidents hold steady as the second most significant business risk after business interruption. AI makes an appearance as the third most important business risk, voted on by almost a third of respondents.
- Philippines: Business interruption, including supply chain and IT disruptions, once again tops the list of resilience threats. AI comes in fourth, shooting up from seventh in 2025.
- Malaysia: AI debuts in the second spot, following closely behind natural catastrophes in the severe weather-prone country. Cyber incidents remain in the top five.
The financial sector: A high-value target for AI-driven crime
The sectoral picture is even more stark. In the financial services, cyber incidents and AI rank as the top two most pressing business threats in 2026. A staggering 95% of respondents voted for these interrelated threats. It’s not hard to see why.
Finance only trails healthcare as the most expensive industry for remediating breaches, costing financial institutions an average of $5.56 million per incident, according to the Cost of a Data Breach Report 2025.
Beyond cyberattacks, financial institutions are experiencing a noticeable spike in AI-enabled financial crimes, including voice-cloning scams, deepfakes, AI-generated websites as well as phishing emails and listings.
These scams aren’t just one-offs. AI-enabled fraud has emerged as an industrial phenomenon. In the Philippines, the National Police recorded almost 3,000 cases of digital identity theft in 2023, up 12% from the previous year. Deepfake voice-cloning, in particular, has become a standard tool for local syndicates, leading to the 2026 regulatory crackdown we see today.
There are also traditional cyber threats which have been turbocharged by the rise of AI. Sophisticated cybercriminals are exploiting vulnerabilities in AI models and training data to drastically expand the attack surface against which financial institutions must defend.
Indeed, experts recently warned that AI-boosted attacks could pose a systemic risk to banks leveraging genAI alongside their legacy systems. Cybercriminals can weaponize ground-breaking AI models to identify soft targets that had previously gone unnoticed.
For financial institutions, EY analysts note that the very opacity of AI algorithms could paradoxically “obstruct efforts to identify and rectify security vulnerabilities, posing a significant challenge to maintaining robust cybersecurity defenses.”
Structural vulnerabilities: From supply chains to RaaS
Across the sector, these defenses are already stretched to the breaking point.
- Supply chain incidents: Financial institutions are among the most highly digitized. Yet their digitization is supported by an increasingly concentrated pool of third-party providers. This has elevated concentration risk to systemic levels, routinely decried by regulators. Today, a single disruption at a key provider, even a sub-contracted, fourth party, can trigger a catastrophic tailspin for an institution lacking end-to-end visibility into its own digital dependencies.
- Industrialized ransomware: Not only do financial institutions hold vast amounts of sensitive customer data, but they also manage substantial funds. This has long made the sector a perennial target of isolated ransomware attacks, perpetrated by cybercriminals seeking a payout. These incidents are no longer isolated, though. The proliferation of ransomware-as-a-service (RaaS) has industrialized cybercrime. The RaaS model sees hacking groups provide affiliates with the malware and services necessary to carry out an attack in exchange for a share of the proceeds.
- Geopolitically motivated cyber activity: The sharp rise in nation-state hostility and geopolitical rivalry, much of it centered in Southeast Asia, offers a fertile ground for state-backed threat actors to target the financial sector.
The regulatory response across Southeast Asia
To proactively prevent market instability, policymakers have responded to this deteriorating threat picture, implementing robust operational resilience rules for the financial institutions they supervise. The Basel Committee on Banking Supervision (BCBS) issued Principles for Operational Resilience (POR) in March 2021. Across Southeast Asia, national regulators have been keen to implement the changes.
In recent years, the Hong Kong Monetary Authority (HKMA), Monetary Authority of Singapore (MAS) and the Congress of the Philippines have all either passed new or fortified existing statutes seeking to harden their respective financial sectors against digital threats.
Hong Kong Monetary Authority: Supervisory Policy Manual (SPM) OR-2: Operational Resilience
To provide authorized institutions (AIs) with guidance on general principles, HKMA issued SPM Module OR-2 in May 2022. This regulation sets out the supervisory approach to operational resilience, giving AIs until May 31, 2026, to comply.
By that deadline, AIs must have fully implemented the framework, specifically completing the mapping and scenario testing phases to demonstrate that they are operationally resilient. These requirements mirror a similar mandate, APRA CPS 230 in Australia:
Mapping interconnections and interdependencies
AIs must identify and document:
- People, processes, technology, information and facilities.
- Interconnections and interdependencies necessary to deliver critical operations.
- Interconnections and interdependencies dependent on third parties and intragroup arrangements, extending to critical fourth-party dependencies.
A note: Recent HKMA circulars have emphasized the need for more granular mapping. This is to enable AIs to fully uncover blind spots in their resilience chain and facilitate testing of the ability to deliver critical operations through disruptions. As of May 31, 2026, the preparation of mapping documentation must be proportionate to the AI’s size, scale and complexity. AIs are also expected to review and update mapping documentation on a regular basis, i.e., no less than annually or following any material changes to their operations.
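The mapping requirement above is easiest to see on a concrete dependency map. The following is an added example, not code from the article, from Noggin or from any regulator: it models a small map as a directed graph from critical operations down through internal systems to third-party providers, classifies each provider reached as a third party (reached without passing through another external party) or a fourth party (reachable only through another external party), and then flags providers that sit under more than one critical operation. Every name in the map (retail_payments, cloud_provider_x, fraud_vendor_y and so on) is a constructed, hypothetical value.

```python
"""Added example: dependency mapping with fourth-party and concentration checks.

Not the article's, Noggin's or any regulator's code. All names below are
constructed for illustration.
"""
from collections import deque

# Constructed sample map: each node lists what it directly depends on.
# Critical operations sit at the top; providers with no children at the bottom.
DEPENDENCIES = {
    "retail_payments": ["core_banking", "payments_gateway"],
    "card_authorisation": ["card_switch", "fraud_engine"],
    "core_banking": ["dc_primary", "identity_provider"],
    "payments_gateway": ["cloud_provider_x", "identity_provider"],
    "card_switch": ["dc_primary"],
    "fraud_engine": ["fraud_vendor_y"],
    "fraud_vendor_y": ["cloud_provider_x"],   # the fraud vendor sub-contracts hosting
    "identity_provider": [],
    "dc_primary": [],
    "cloud_provider_x": [],
}
# Which nodes are outside the institution (hypothetical).
EXTERNAL = {"cloud_provider_x", "fraud_vendor_y", "identity_provider"}
CRITICAL_OPERATIONS = ["retail_payments", "card_authorisation"]


def external_exposure(operation, deps=DEPENDENCIES, external=EXTERNAL):
    """Walk every path below `operation` and classify each external provider
    reached as a 'third' party (reached without passing through another
    external party) or a 'fourth' party (only reachable via another external
    party). Returns {provider: tier}."""
    tiers = {}
    # BFS state: (node, whether the path so far already crossed an external party)
    queue = deque((child, False) for child in deps.get(operation, []))
    visited = set()
    while queue:
        node, via_external = queue.popleft()
        if (node, via_external) in visited:
            continue
        visited.add((node, via_external))
        if node in external:
            tier = "fourth" if via_external else "third"
            # A direct (third-party) relationship takes precedence over an indirect one.
            if tiers.get(node) != "third":
                tiers[node] = tier
        for child in deps.get(node, []):
            queue.append((child, via_external or node in external))
    return tiers


def concentration(operations=CRITICAL_OPERATIONS, deps=DEPENDENCIES, external=EXTERNAL):
    """Provider -> {critical operation: tier} across all critical operations."""
    result = {}
    for op in operations:
        for provider, tier in external_exposure(op, deps, external).items():
            result.setdefault(provider, {})[op] = tier
    return result


def concentration_points(min_operations=2, **kwargs):
    """Providers whose loss would disrupt at least `min_operations` critical
    operations, whether they appear as a third or a fourth party."""
    return {
        provider: ops
        for provider, ops in concentration(**kwargs).items()
        if len(ops) >= min_operations
    }


if __name__ == "__main__":
    for op in CRITICAL_OPERATIONS:
        print(op, "->", external_exposure(op))
    print("concentration points:", concentration_points())
```

In the sample map, cloud_provider_x is a third party for retail_payments but only a fourth party for card_authorisation (behind fraud_vendor_y). A map that stops at direct contracts would show one critical operation on that provider; the fourth-party walk shows two, which is the blind spot the HKMA circulars on granular mapping are aimed at.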
Scenario testing
AIs must conduct regular testing of their operational resilience framework, using existing testing arrangements to demonstrate that they can continue to deliver critical operations through disruptions. By May 31, 2026, AIs must demonstrate that existing exercises help achieve the specific objectives of scenario testing. After each testing exercise, AIs should prepare a formal testing report, reviewed by senior management, to record gaps, highlight weaknesses and document the remedial actions planned.
Monetary Authority of Singapore: Business Continuity Management (BCM) Guidelines
In accordance with its resilience mandate, MAS has shifted from a traditional focus on internal business continuity to a more service-centric approach to operational resilience. This shift reflects a similar change across advanced economy peers, including the Financial Conduct Authority (U.K.) and Federal Reserve Board (U.S.).
With financial institutions (FIs) becoming increasingly interconnected and reliant on a narrower band of technology providers, MAS updated its guidelines on business continuity management in 2022. Under the revised guidelines, FIs must:
- Adopt a service-centric approach through timely recovery of critical business services provided to customers.
- Identify end-to-end dependencies that support critical business services and address any gaps that could hinder their effective recovery.
- Enhance threat monitoring and environmental scanning.
- Conduct regular audits, tests and industry exercises.
Last year, MAS went even further, publishing a circular on incident reporting. Beginning February 1, 2026, FIs must provide initial notification of a reportable incident and submit subsequent incident reports using an updated template. Further requirements include:
- Prompt notification: FIs must notify MAS of a reportable incident as soon as possible, but not later than 24 hours, upon discovery.
- Full incident reporting: The initial report should include the name of the FI, reporting staff details (e.g. designation, department and contact information) and information pertaining to the reportable incident (e.g. what happened, when and where it happened, and the impact on services and customers).
- Report submission: All incident reports (initial and final) must be submitted using a revised template. This template requires substantially more granular, root-cause analysis. The final incident report must be submitted within 14 days of incident discovery, capturing any updates or corrections to information provided in the first report.
Bangko Sentral ng Pilipinas: Circular No. 1203
In October 2024, the central bank of the Philippines, the Bangko Sentral ng Pilipinas, approved operational resilience guidelines, Circular No. 1203. This regulation moves local resilience standards toward international best practice. It sets out to strengthen the ability of Bangko-supervised financial institutions (BSFIs) to manage and mitigate the impact of disruption, particularly on their critical operations.
Following an initial self-assessment phase in 2025, BSFIs are now expected to demonstrate that their resilience frameworks are fully integrated into three lines of defense. Senior management must take the lead in implementation across:
- Business units and internal controls
- Risk management and compliance functions
- Internal audit
Key rules include:
- Critical operations, tolerance levels and scenarios: The regulator emphasizes the need for BSFIs to identify critical operations, establish disruption tolerance and determine the range of severe but plausible scenarios.
- Mapping interconnections and interdependencies: To assess vulnerabilities holistically, BSFIs must map the chain of activities involved in the delivery of critical operations. This includes activities arising from both the network of interconnections and interdependencies and those performed by service providers. BSFIs must then invest in appropriate resilience measures before disruption occurs.
- Risk management and planning: The regulator underlines the importance of appropriate risk management measures, stressing that these activities should not be undertaken in silos. Instead, BSFIs must leverage existing, effective risk management frameworks for an integrated, enterprise-wide approach. For such an approach, BSFIs must consider the broad nexus of operational resilience, operational risk, business continuity, third party risk and information and technology risk.
- Scenario testing: BSFIs must identify the disruptive events and incidents that may affect the delivery of critical operations. This exhaustive mapping should include identified interconnections and interdependencies, both internal and external. Periodic testing will sharpen operational resilience awareness, resulting in refinements to the operational resilience framework.
- Disaster response and recovery: BSFIs should be able to respond to and manage disruptions while delivering critical operations consistent with their integrated operational resilience framework. Disaster response and recovery capabilities should include:
  - Clear delineation of roles and responsibilities and succession of authority in the event of disruption.
  - Incident response plan, capturing the full lifecycle of an incident. This should contain the key steps to handle the disruption and assess how it will affect the BSFI’s risk appetite and tolerance for disruptions. The BSFI should also maintain an inventory of incident response and recovery actions, key roles (and their responsibilities) and internal and external resources.
- Reporting and notification: Beyond annual reports, BSFIs must also notify the Bangko Sentral within 24 hours after activating an incident response plan for critical operations. These mandatory notifications should include:
  - Nature, duration and root cause of disruption
  - Affected critical operations
  - The impact of the disruption on the delivery of critical operations
  - Status if tolerance for disruption is breached
  - Remediation actions
Anti-Financial Account Scamming Act (AFASA)
AFASA, also known as Republic Act 12010, was signed into law in July 2024. The legislative response to industrialized fraud in the Philippines, the Act regulates the use of financial accounts to prevent fraudulent activities.
At its core the Act requires BSP-supervised institutions to protect financial accounts by establishing adequate risk management systems and controls. High among the list of controls is the fraud management system (FMS).
Fraud management systems are a comprehensive set of automated, real-time monitoring and detection systems to identify and block disputed and/or suspicious online transactions.
By June 25, 2026, BSFIs engaged in complex electronic products and services as well as those handling large sums of online transactions must adopt robust, AI-driven FMSs. Compliant FMSs must be capable of rapidly detecting, preventing and blocking disputed and/or suspicious transactions, including new and evolving fraud schemes, such as deepfake identity theft.
In this respect, AFASA builds on Circular No. 1140, the BSP’s information technology risk management regulation. Effective as of April 2022, the regulation requires BSFIs to implement FMSs commensurate with the risks associated with their digital financial and payment platforms.
Bank Negara Malaysia (BNM): Business Continuity Management
In 2022, the BNM issued a policy document on business continuity management. To improve response preparedness among regulated FIs, the document seeks to facilitate the development and implementation of a robust BCM framework, policies and processes. This is part of the broader goal to reinforce sound risk management practices by integrating the BCM framework with the FI’s overall risk appetite.
While much of the policy document came into effect in December 2023, the BNM extended the compliance deadline for disaster recovery plan (DRP) testing rules until the end of December 2025.
As of today, FIs must have developed rigorous testing programs to evaluate the functionality and effectiveness of their BCMs. Compliance entails a unified approach to resilience. FIs must demonstrate that their DRP, business continuity plan (BCP) and crisis management plan (CMP) are part of a synchronized capability that can withstand extreme stress.
Further requirements include:
- Risk assessment (RA): FIs must perform risk assessments to identify potential business risks. In conducting the RA, FIs must consider the potential loss or diminished availability of key staff, office premises, critical business information and records, IT systems and third-party services.
- Business impact analysis (BIA): FIs must undertake BIAs to assess the potential impact of various disruption scenarios. In performing the BIA, FIs must assess financial and non-financial impacts stemming from the unavailability of critical business functions, resources and infrastructure.
- Critical business functions (CBFs): Based on the outcome of the RA and BIA, FIs must identify critical business functions and establish recovery priorities. In determining CBFs, FIs should prioritize business functions involving large-value and time-sensitive payment instructions, clearing and settlement of material transactions and the fulfillment of material end-of-day funding and collateral obligations. In line with recent updates to the Risk Management in Technology (RMiT) policy document, FIs are now encouraged to adopt a customer-centric approach to service availability. This ensures that intermittent issues are managed with the same rigor as total system failures.
- Crisis management team (CMT): To make key decisions during a crisis, FIs must deputize a crisis management team comprising key representatives from senior management. The CMT is responsible for:
  - Assuming the central role in assessing and monitoring the severity and impact of a disruption.
  - Making management decisions in response to a disruption.
  - Leading and overseeing the implementation of business continuity and disaster recovery plans.
  - Communicating with stakeholders.
  - Reporting to the board on the status of the disruption and recovery efforts.
- Crisis communication strategy: FIs must devise a crisis communication plan, which will be incorporated in the CMP. The crisis communication plan should include:
  - A list of all relevant internal and external stakeholders.
  - Designated contact persons to lead stakeholder communication.
  - Scenario-specific messaging to use in statements with stakeholders.
  - Appropriate communication protocols.
  - Communication channels, including alternative channels that can be used when the primary channel is unavailable.
Resilience frameworks: Upcoming deadlines
| Jurisdiction | Regulation | Key deadline | Core requirement(s) |
| --- | --- | --- | --- |
| Hong Kong | HKMA SPM OR-2 | May 2026 | Full compliance with the operational resilience framework, including mapping and scenario testing. |
| Singapore | MAS BCM Guidelines | Ongoing (2024-2026); MAS incident reporting (Feb. 1, 2026); consultation closes (April 24, 2026) | Shift from business continuity to service-centric resilience. Focus on interdependency mapping. |
| Philippines | AFASA | June 25, 2026 | Implementation of real-time fraud management systems (FMS) and AI-driven detection. |
| Malaysia | BNM BCM Policy Document | Dec. 31, 2025 (testing compliance); ongoing 2026 oversight | Synchronization of DRP, BCP and CMP. |
The compliance gap in Southeast Asia
As regional regulators ratchet up the pressure, FIs have responded by investing heavily in building out their risk management capabilities. Yet, their best efforts don’t always yield an appreciable increase in operational resilience.
Why’s that? As mandates mount, FIs often treat compliance as a check-the-box exercise. They add new controls, to be sure, but onto inadequate technology infrastructure.
A key issue is data fragmentation. Risk, resilience, business continuity and disaster recovery activities are often siloed across incompatible tools. The patchwork requires tedious, manual effort to reconcile, resulting in a fractured view of the true resilience picture. Not only does this separation raise costs (from duplicate efforts), but it also stymies root-cause analysis, shielding critical vulnerabilities, particularly those buried in third-party supply chains, from the Board’s view.
In an era where regulators are increasingly focused on individual accountability, this visibility gap represents a professional and financial risk to senior leadership.
Manual resilience is another barrier to compliance. Despite digitization, many business continuity and operational resilience processes remain paper based, with teams depending on cumbersome spreadsheets and outdated methods.
No matter how insightful, manual BCPs and BIAs are particularly challenging during active incidents like ransomware attacks. Traditional BCPs assume a loss of availability. Yet, ransomware attacks in 2026, particularly RaaS incidents, target data integrity and confidentiality through triple extortion. A paper-based plan cannot coordinate the simultaneous forensic, legal and communication streams required to manage a data-integrity crisis in real time. Instead, manual documents slow down response, remediation and reporting.
Most resilience mandates now call for a live response and initial reporting within 24 hours of discovery. This deadline is nearly impossible to meet if data must be manually reconciled across different departments and legacy systems.
In the Philippines, where AFASA now mandates automated, real-time fraud monitoring, relying on manual reviews can mean a legal breach.
Need to go beyond static BCPs to active resilience
Regulatory compliance necessitates a shift in perspective. In the 2026 threat landscape, operational resilience can no longer be treated as a static document to be filed away for auditors. It must be transformed into a living capability, part of a broader organizational shift from passive planning to active resilience. This transformation should be built on three non-negotiable pillars.
Pillars of active resilience
- Visibility: The first pillar of active resilience is visibility. Visibility is often thwarted by manual, siloed data. Active resilience replaces these blind spots with a centralized dashboard that aggregates real-time data to detect and monitor emerging risks early, visualizing them against established impact tolerances for critical business services.
- Velocity: Velocity refers to how quickly an FI can respond to disruption, minimize service downtime and eliminate communication gaps. Predictive analytics and scenario modeling facilitate faster, more informed decision-making, drastically reducing the extreme uncertainty and lack of situational awareness experienced in the initial moments of a disruption. By leveraging automated workflows and real-time stakeholder notifications, FIs can help ensure that mandatory regulatory notifications are triggered the moment a threshold is breached. This removes human error from the 24-hour reporting clock.
- Auditability: The final pillar of active resilience is auditability. This is the ability to prove to regulators that your FI survived disruption by design, not luck. Digitized audit trails help ensure that the remedial actions identified during scenario testing or live incidents are tracked to completion. This demonstrates a closed-loop resilience lifecycle to auditors, which provides the necessary defensibility for senior management oversight.
Integration: Moving from spreadsheets to an integrated ecosystem
To translate these active resilience pillars into the functional reality necessary for ongoing compliance, FIs require a centralized ecosystem. Such an automated platform acts as the connective tissue between people, processes and third-party dependencies, helping to ensure that regulatory compliance is a byproduct of seamless operations.
Unified business continuity and operational resilience software, like Noggin, automates the complex mapping and reporting requirements mandated by the HKMA, MAS, BNM and Bangko Sentral.
By moving away from static, fragmented documentation, FIs gain the following strategic capabilities:
- Service-centric dependency mapping: Move beyond a list of assets to a dynamic map of critical products and services. By visualizing end-to-end dependencies, from internal teams to fourth-party vendors, stakeholders gain full transparency into the resilience of the entire value chain.
- Dynamic business impact analysis: Replace tedious, siloed data collection with a step-by-step digital process. Beyond compliance, this helps to ensure BIAs are rich with the real-time data needed to understand exactly how the business functions under stress.
- Actionable, digitized planning: Substitute static PDFs and binder-based documents with interactive plans accessible on any device. This helps to ensure that responders have the right plan in their hands even when the primary office or network is inaccessible, so, when a disruption occurs, the response is guided by up-to-date protocols rather than outdated methods.
- Rigorous scenario testing and severe but plausible modeling: Shift from basic tabletop exercises to sophisticated scenario modeling. By testing recovery strategies against the severe but plausible threats defined by regional regulators (e.g., third-party outages, systemic cyber-outages, AI-driven fraud, etc.), teams build the requisite know-how to respond deftly during a high-velocity incident.
- Cross-functional resilience dashboards: Give the board the visibility needed to meet regulatory mandates. Flexible dashboards and analytics capabilities help ensure everyone maintains line of sight, transparency and appreciation of resilience across the organization.
- Automated regulatory and self-assessment reporting: Real-time analytics allow teams to visualize and communicate resilience progress instantly. This provides a single source of truth for self-assessments, enabling FIs to demonstrate to regulators and the Board that vulnerabilities are being identified and rectified before they can be exploited.
Conclusion: From compliance to competitive advantage
In 2026, FIs across Southeast Asia have reached the end of the best-effort regulatory era. As the grace period closes across Hong Kong, Singapore, Malaysia and the Philippines, the growing divide between paper compliance and active, operational resilience will be laid bare by the next major disruption.
That’s why forward-thinking FIs are treating these deadlines as an opportunity to secure a competitive advantage, eliminating the operational latency inherent in manual, fragmented systems and replacing it with an active resilience model.
To get there, FIs must embrace an integrated ecosystem that maps dependencies, tracks thresholds and readies the response in real time. Only then can they clear the regulatory hurdles erected to protect customers, reputations and the bottom line in an increasingly volatile digital economy.
Experience active resilience in action
Don’t let your resilience strategy remain a static document. See how a unified platform can automate your mapping, streamline your BIAs and orchestrate your crisis response. Request a demo of Noggin to see the platform in action.