Singapore has built a layered AI governance architecture that distinguishes clearly between voluntary best-practice frameworks and binding sector-specific obligations. For global operators, the key analytical task is determining which layer applies to their activities: the voluntary Model AI Governance Framework and AI Verify carry no direct penalties, but the MAS FEAT Principles and the Personal Data Protection Act impose concrete compliance requirements on regulated financial institutions and any organisation handling personal data of individuals in Singapore. Understanding the structure of each layer, and where it overlaps with the EU AI Act, is the starting point for any cross-border AI compliance programme.

Key takeaways

  • Singapore's Model AI Governance Framework and AI Verify are voluntary instruments. Non-adoption carries no statutory penalty, but they are increasingly referenced in procurement and contractual contexts.
  • MAS FEAT Principles are supervisory expectations for MAS-regulated financial institutions. They are examined during supervisory review and are effectively binding for banks, insurers, and capital markets entities operating in Singapore.
  • The Veritas Initiative extends FEAT with a fairness assessment methodology for specific high-stakes use cases: credit scoring, life insurance, and talent management.
  • The PDPA and the 2023 PDPC Advisory Guidelines impose automated decision-making notification and human review rights. These apply to any organisation processing personal data of individuals in Singapore, regardless of incorporation location.
  • The contrast with the EU AI Act is structural: Singapore relies on soft instruments plus sector-specific binding rules; the EU Act is cross-sector binding legislation with extraterritorial application and substantial fines.

Singapore's governance philosophy: voluntary-first with targeted binding obligations

Singapore does not have a general AI law equivalent to the EU AI Act. The government's stated approach, articulated through the National AI Strategy and the AI Governance Framework series, is that regulation should be proportionate to risk, technology-neutral, and implemented at sector level where binding obligations are genuinely needed. This philosophy reflects Singapore's positioning as a regional AI hub and its concern that premature prescriptive regulation would disadvantage domestic development.

In practice, this means the architecture is two-speed. The IMDA-published Model AI Governance Framework and AI Verify programme sit in the voluntary tier: they provide detailed technical and governance guidance, but organisations choose whether to adopt them. The binding tier is sector-specific. The Monetary Authority of Singapore has issued the FEAT Principles as supervisory expectations for financial institutions. The Personal Data Protection Commission has issued Advisory Guidelines under the PDPA that impose specific obligations around automated decision-making. Other regulators, including the Ministry of Health and the Ministry of Education, have issued or are developing sector-specific guidance.

The result is a system where the voluntary tier is genuinely detailed and technically substantive, not aspirational boilerplate, while the binding tier operates through existing regulatory relationships rather than a new cross-sector enforcement body. For operators, this creates a compliance question that depends entirely on sector: a general technology company deploying AI in Singapore faces primarily voluntary guidance, while a licensed bank or insurer faces binding supervisory expectations.

Model AI Governance Framework: structure and the 2024 generative AI extension

The IMDA published the first edition of the Model AI Governance Framework in 2019, followed by a revised second edition in January 2020. The framework is organised around four areas: internal governance structures and measures; determining the appropriate level of human involvement in AI-augmented decisions; operations management (including data quality, model explainability, and incident response); and stakeholder communication and interaction.

The second edition introduced a two-by-two probability-severity risk matrix to guide decisions about human oversight. For decisions where errors carry high probability and severe impact, the framework recommends human-in-the-loop or human-on-the-loop involvement. Where probability and impact are low, a human-out-of-the-loop approach may be acceptable, provided monitoring controls are in place. This is not a prescriptive rule but a structured method for documenting the governance rationale behind deployment decisions.

In May 2024, IMDA published an extension specifically addressing generative AI risks. The extension identifies nine risk categories that are structurally different from those covered by classical predictive AI frameworks: hallucination and fabrication, data poisoning and adversarial manipulation, intellectual property exposure, sensitive data leakage, prompt injection, harmful content generation, over-reliance on AI outputs, model supply chain opacity, and concentration risk from reliance on a small number of foundation model providers. For each risk category, the extension sets out governance measures at three levels: pre-deployment, deployment, and ongoing monitoring.

The generative AI extension is notable for its treatment of supply chain risk. Unlike the EU AI Act, which places primary obligations on the developer of the AI system, the Singapore framework explicitly addresses the position of the deploying organisation, which may have limited visibility into the training data, safety fine-tuning, and structural properties of the foundation model it is using. The extension recommends contractual due diligence, technical sandboxing, and output monitoring as mitigations for this opacity. This is practically important for organisations using third-party large language models via API: they remain accountable under Singapore governance frameworks for outputs they generate, regardless of who built the underlying model.

AI Verify: open-source testing and the accountability trail

AI Verify is a testing toolkit published jointly by IMDA and the AI Verify Foundation (an industry-led body). The first version was released in 2022; the toolkit was updated in 2024 to incorporate generative AI test cases aligned with the 2024 Model AI Governance Framework extension.

The toolkit provides structured test procedures for eleven AI ethics principles: explainability, fairness, accountability, data governance, transparency, robustness, reproducibility, safety, security, and data privacy. For each principle, AI Verify specifies test inputs, expected outputs, and scoring methods. Organisations that complete an AI Verify assessment can generate a standardised report documenting their test results. IMDA maintains a public registry of completed assessments, though participation in that registry remains voluntary.

The practical value of AI Verify is documentation. In Singapore's procurement environment, particularly for public sector contracts, government buyers are increasingly requesting evidence that AI systems in use have been assessed against the Model AI Governance Framework. AI Verify provides a structured method for producing that evidence. For cross-border operators, the toolkit's test procedures are also broadly compatible with the technical documentation requirements under the EU AI Act for high-risk AI systems, allowing a single assessment cycle to support compliance artefacts in multiple jurisdictions.

Completing an AI Verify assessment does not constitute regulatory approval, certification, or a safe harbour under any Singapore law. It is a governance documentation exercise. Organisations should treat it as one input into their broader AI risk management programme, not as a compliance endpoint.

MAS FEAT Principles: binding supervisory expectations for financial services

The Monetary Authority of Singapore published the Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in November 2019. The FEAT Principles are addressed to financial institutions conducting AI and data analytics activities in Singapore: banks, insurers, capital markets intermediaries, and other MAS-regulated entities.

The four principles establish the following expectations. Fairness requires that AI outcomes do not result in unfair treatment of customers, including through discriminatory outputs from biased training data. Ethics requires that AI use is aligned with professional standards and societal norms, and that institutions identify and manage situations where AI decisions may conflict with ethical expectations. Accountability requires clear ownership of AI decisions within the institution, documented oversight processes, and mechanisms for addressing complaints or errors arising from AI outputs. Transparency requires that customers who are subject to AI-assisted decisions receive sufficient information to understand how those decisions were made and how to seek redress.

MAS examines FEAT compliance as part of its supervisory review process. This means FEAT is functionally binding for MAS-regulated entities: non-compliance is a supervisory risk, not merely a reputational one. MAS has published self-assessment guidance to assist institutions in evaluating their FEAT compliance posture, but the assessment is intended to feed into internal governance processes and supervisory dialogue, not to produce a public certification.

For global financial institutions with Singapore operations, FEAT operates in parallel with home-jurisdiction requirements. An institution subject to both FEAT and the EU AI Act high-risk classification (for example, a bank using AI for credit scoring that distributes products into the EU market) must satisfy both frameworks. The two frameworks share substantive overlaps in accountability and transparency, but they differ in enforcement mechanism: FEAT compliance is examined through the supervisory relationship, while EU AI Act obligations are enforceable by national market surveillance authorities through administrative fines.

Veritas Initiative: fairness methodology for credit, insurance, and talent management

The Veritas Initiative is a collaborative project led by MAS and developed with a consortium of financial institutions. It extends the FEAT Principles with a technical fairness assessment methodology targeting three specific use cases: credit risk scoring, life insurance pricing and underwriting, and talent management (recruitment and promotion).

Version 2.0 of the Veritas Methodology, released in 2022, provides quantitative fairness metrics, a fairness assessment process, and case study implementations across the three use cases. For credit scoring, the methodology addresses proxy discrimination: situations where a model trained on historical data reproduces discriminatory patterns even when protected characteristics are formally excluded from the feature set. For life insurance, it addresses actuarial fairness versus individual fairness tensions. For talent management, it provides methods for assessing whether AI-assisted screening tools produce disparate impact across protected groups.

Veritas is not a regulation and completion of a Veritas assessment is not legally required. However, for financial institutions that use AI in the three covered use cases, Veritas provides the most operationally specific fairness assessment methodology available in the Singapore market. MAS has indicated that it regards the Veritas methodology as consistent with FEAT expectations in the covered use cases. Institutions using AI for credit, life insurance, or talent decisions that cannot demonstrate a structured fairness assessment process are exposed to adverse supervisory findings under FEAT.

The Veritas framework is also relevant to AI insurers and liability underwriters. An organisation underwriting AI liability policies for financial institution clients in Singapore should understand the Veritas assessment process, since the completeness of a client's FEAT and Veritas documentation will be material to underwriting risk. Related analysis on AI insurance market structure is available at agentinsured.eu.

PDPA and the PDPC Advisory Guidelines on AI: automated decision obligations

The Personal Data Protection Act 2012 (PDPA) applies to any organisation that collects, uses, or discloses personal data of individuals in Singapore, regardless of where the organisation is incorporated or located. The PDPA was amended by the Personal Data Protection (Amendment) Act 2020 to introduce a range of new obligations, including provisions relevant to automated decision-making.

The Personal Data Protection Commission (PDPC) published Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems in 2023. These guidelines clarify the application of PDPA obligations to contexts where AI systems make or assist in making decisions about individuals using their personal data.

The key obligations under the combined PDPA and Advisory Guidelines framework are as follows. Notification: organisations must inform individuals that their personal data will be used in automated decision-making processes that produce legal or similarly significant effects. This notification requirement applies at the point of collection or before the automated decision is made. Access: individuals have a right to request access to their personal data used in an automated decision, and in certain circumstances, to request that a human being review a decision made wholly or substantially by automated means. Explainability: when an individual requests an explanation of an automated decision, the organisation must be able to provide information about the main factors considered and their relative weight. The PDPC guidelines acknowledge that full algorithmic transparency may be technically or commercially constrained, but require that organisations make reasonable efforts to produce an explanation that is meaningful to the individual.

The 2023 guidelines also address data quality as a precondition for lawful automated decision-making. An organisation that uses personal data known to be inaccurate, outdated, or unrepresentative in an automated decision process may be in breach of PDPA data accuracy obligations, even if no human error is involved. This has practical implications for model retraining: organisations must manage the currency and representativeness of training data as a compliance matter, not only as a model quality matter.

For global operators, the PDPA extraterritorial position is important. The Act applies based on the data subjects: if an organisation processes personal data of individuals located in Singapore, PDPA obligations attach regardless of where the processing takes place. A company based in the United States or the European Union that uses AI to make decisions about customers or employees located in Singapore is within scope of the PDPA automated decision obligations.

Comparison with the EU AI Act: voluntary versus mandatory, domestic versus extraterritorial

The structural contrast between Singapore's framework and the EU AI Act is one of legal architecture rather than substantive values. Both regimes address similar risks: unfair automated decisions, opaque AI systems, accountability gaps, and data quality failures. But they differ sharply in how those concerns are translated into legal obligations.

The EU AI Act is a binding regulation with direct effect in all 27 EU member states. It establishes a risk classification system that applies to any AI system placed on the EU market or used by EU persons, regardless of where the system is developed or operated. High-risk systems in sectors including credit scoring, employment, and critical infrastructure face mandatory conformity assessments, technical documentation requirements, post-market monitoring obligations, and registration in an EU database. Prohibited uses carry fines of up to 35 million euros or 7% of global annual turnover. The Act is explicitly extraterritorial: compliance is determined by where the system's outputs have effect, not where the developer is located. For a full analysis of the EU AI Act's extraterritorial reach, see our separate guide for US and UK operators.

Singapore's framework, by contrast, does not establish a general AI regulator with cross-sector enforcement powers. Voluntary instruments have no penalties. Binding obligations operate through existing sector regulators (MAS, PDPC) using existing supervisory and enforcement tools. There is no Singapore AI Act equivalent pending as of mid-2026, though the government has indicated it will continue to review the adequacy of sector-specific approaches as AI adoption deepens.

The comparison with Canada is also instructive. Canada's Artificial Intelligence and Data Act (AIDA), part of Bill C-27, would create cross-sector mandatory obligations for high-impact AI systems, with penalties and a dedicated AI and Data Commissioner. As of 2026, AIDA remains in legislative process and has not entered into force. Singapore, by contrast, has a functioning voluntary framework and functioning sector binding frameworks, without waiting for comprehensive AI legislation. For detail on Canada's approach, see our Canada AIDA operators guide.

For organisations operating across Singapore, the EU, and Canada, the practical implication is that the EU AI Act will drive the highest compliance overhead and the most prescriptive documentation requirements. Singapore alignment is achievable at lower cost, particularly where FEAT and PDPA obligations are already being met. A well-constructed EU AI Act compliance programme will typically satisfy most Singapore voluntary framework expectations as a by-product.

Practical operator priorities for Singapore AI compliance

The following operational framework reflects the compliance structure as of May 2026.

For MAS-regulated financial institutions: FEAT compliance is the primary obligation. This requires documented AI governance structures, ownership of AI decision outcomes, customer-facing transparency mechanisms, and a fairness assessment process. For credit, life insurance, and talent management use cases, the Veritas methodology provides the most operationally specific route to demonstrating FEAT alignment. AI Verify assessments are a useful supplement to the FEAT accountability trail but are not a substitute for substantive FEAT compliance.

For any organisation processing personal data of Singapore individuals: PDPA compliance requires automated decision-making notification procedures, access request handling, and the ability to produce meaningful explanations of automated decisions. Data governance processes must ensure that training data currency and representativeness are actively managed. Organisations should review customer-facing privacy notices to confirm they address AI-assisted decision-making as required by the 2023 PDPC Advisory Guidelines.

For technology companies and operators not subject to MAS regulation: The Model AI Governance Framework and AI Verify are the relevant instruments. Voluntary adoption provides governance documentation that is increasingly expected in public procurement, and provides a structured basis for managing AI risk. For organisations that also operate in the EU, AI Verify assessments can be aligned with EU AI Act technical documentation requirements to reduce duplicated effort.

For AI liability underwriters and insurers: Singapore presents a structured risk assessment environment. FEAT compliance documentation, Veritas assessment reports, and PDPA data governance records all provide observable indicators of AI governance maturity at covered organisations. The absence of these records in a financial institution's AI programme is a credible risk indicator. Cross-site coverage of AI insurance market development is maintained at agentinsured.eu.

Frequently asked questions

What is Singapore's Model AI Governance Framework?

The Model AI Governance Framework is a voluntary guidance document published by the Infocomm Media Development Authority (IMDA). The second edition was released in January 2020. A generative AI extension followed in May 2024, addressing risks specific to large language models and foundation models: hallucination, data poisoning, intellectual property exposure, sensitive data leakage, and prompt injection, among others. The framework covers four governance areas: internal structures and measures; human involvement levels in AI decisions; operations management; and stakeholder interaction. It is not legally binding, but it provides the most detailed practical AI governance guidance available from a Singapore government body, and it is the reference document for the AI Verify testing toolkit.

Is compliance with Singapore's AI Verify framework mandatory?

No. AI Verify is a voluntary open-source testing toolkit maintained by IMDA and the AI Verify Foundation. It translates the Model AI Governance Framework's principles into structured test procedures across eleven ethics dimensions. Completing an AI Verify assessment is not required by any Singapore law, and there is no penalty for non-participation. The practical value is documentation: completed assessments produce standardised reports that can support procurement requirements, contractual assurances, and internal governance records. For MAS-regulated entities, AI Verify documentation can supplement but does not replace the substantive FEAT compliance programme.

How do MAS FEAT principles apply to AI in financial services?

The FEAT Principles (Fairness, Ethics, Accountability, Transparency) were published by MAS in November 2019 as supervisory expectations for banks, insurers, capital markets intermediaries, and other MAS-regulated entities using AI and data analytics. They are examined as part of MAS's supervisory review process, which makes them functionally binding for regulated institutions. FEAT requires documented AI governance ownership, customer-facing transparency on AI-assisted decisions, and mechanisms for complaint and error remediation. The Veritas Initiative, developed under MAS leadership, extends FEAT with a quantitative fairness assessment methodology covering credit scoring, life insurance underwriting, and talent management. MAS-regulated entities using AI in those three areas should be familiar with the Veritas methodology and able to demonstrate a structured fairness assessment process.

How does Singapore's approach differ from the EU AI Act?

The EU AI Act is binding cross-sector legislation with extraterritorial effect. It classifies AI systems by risk, imposes mandatory conformity assessments and registration requirements for high-risk systems, establishes prohibited uses, and sets substantial fines. Singapore's primary AI governance instruments are voluntary, and binding obligations are sector-specific, implemented through existing sector regulators rather than a new cross-sector AI regulator. For most organisations operating only in Singapore, the compliance burden is lower and more targeted than under the EU AI Act. For organisations operating in both markets, the EU Act will drive the higher compliance overhead, and Singapore alignment can largely be achieved as part of the EU compliance programme. The key exceptions are MAS FEAT and PDPA obligations, which are Singapore-specific and require independent compliance attention.

Does Singapore's PDPA apply to automated AI decisions?

Yes. The PDPA applies to any organisation processing personal data of individuals in Singapore, including organisations not incorporated or located there. The PDPC Advisory Guidelines on AI and Personal Data (2023) clarify that automated decision-making using personal data triggers specific obligations: notification to individuals that automated means are being used, access rights to the data used, and the ability to provide a meaningful explanation of the main factors in an automated decision. In certain circumstances, individuals may also request human review of an automated decision. These obligations apply across all sectors and are not limited to financial services. Organisations should review their data processing notices and complaint handling procedures to ensure they address the AI-specific requirements in the 2023 guidelines.

References

  1. IMDA, Model AI Governance Framework, Second Edition, January 2020. Infocomm Media Development Authority, Singapore.
  2. IMDA, Model AI Governance Framework for Generative AI, May 2024. Infocomm Media Development Authority, Singapore.
  3. AI Verify Foundation and IMDA, AI Verify, v2.0, 2024. Open-source testing toolkit. Singapore.
  4. Monetary Authority of Singapore, Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore's Financial Sector, November 2019.
  5. Monetary Authority of Singapore, Veritas Document 2: Fairness Metrics and Fairness Assessment Methodology, v2.0, 2022. Veritas Initiative, Singapore.
  6. Singapore, Personal Data Protection Act 2012 (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020.
  7. Personal Data Protection Commission, Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems, 2023. PDPC, Singapore.
  8. European Parliament and Council, Regulation (EU) 2024/1689 of the European Parliament and of the Council on Artificial Intelligence (AI Act), 13 June 2024. Official Journal of the European Union.
  9. Office of the Superintendent of Financial Institutions (Canada), Guideline E-23: Model Risk Management, 2023 revision, with AI-specific supervisory guidance. OSFI, Ottawa.
  10. Government of Singapore, National AI Strategy 2.0, December 2023. Smart Nation and Digital Government Office.