MAS TRM & ITAD: FSM-N21 + FSM-N22 for asset disposal.
The Monetary Authority of Singapore's Notice on Technology Risk Management (FSM-N21) and Notice on Cyber Hygiene (FSM-N22), both effective 10 May 2024, impose legally binding requirements on regulated FIs. Neither notice has a clause headed 'asset disposal', but disposal of data-bearing assets falls within the obligations both impose. Here is how we align our delivery to support your TRM evidence.
TRM expectations on third-party service selection.
FSM-N21 (TRM) requires regulated FIs to manage technology risk across the whole IT lifecycle, and decommissioning and disposal are part of that lifecycle. In practice that means selecting service providers (including ITAD vendors) on a documented risk basis, obtaining evidence of the work actually performed, and being able to demonstrate continuity of control from in-service through to verified destruction.
The MAS does not maintain a register of approved ITAD vendors. What it expects is that you can demonstrate, on inspection, that the vendor you chose performs the service competently and that the evidence of each disposal is on file.
TRM-aware document pack per job
- ♦ Vendor due-diligence pack: insurance certificates, parent-group references, sample destruction certificate, sample chain-of-custody log.
- ♦ NDA + SoW + per-asset disposition decision before pickup.
- ♦ Asset list reconciled against your CMDB — shows continuity of control.
- ♦ Locked-transit log with GPS evidence — shows custody never lapsed.
- ♦ NIST SP 800-88 sanitisation (purge or destroy, recorded per asset) with two-operator + witness sign-off — shows the destruction was performed competently and supervised.
- ♦ Per-job Certificate of Destruction citing TRM-aware protocols — slotting straight into your TRM evidence file.
What MAS does and does not certify.
The MAS does not certify ITAD vendors. The phrase 'MAS-aligned' in our materials means we provide documentation suitable to support your TRM evidence — not that the MAS has reviewed or approved Maxicom Singapore. Any vendor claim of MAS endorsement for ITAD is not a real designation.
Which clauses touch IT-asset disposal directly.
MAS Notice FSM-N21 (Technology Risk Management Notice) and FSM-N22 (Cyber Hygiene Notice) both took effect on 10 May 2024. Together they consolidate the previously sector-specific TRM and Cyber Hygiene notices into two notices issued under the Financial Services and Markets Act 2022, with legally binding obligations on regulated FIs: banks, insurers, capital-markets intermediaries, payment-service providers and financial advisers. The MAS Technology Risk Management Guidelines remain in force as supervisory guidance alongside them.
FSM-N21 does not dedicate a section to asset disposal, but disposal is embedded in three areas. Technology lifecycle management covers an asset from in-service to disposal. Information-asset protection requires controls ‘throughout the lifecycle of information assets’, and disposal is the last stage of that lifecycle. Third-party risk management requires equivalent controls when an external party performs technology services on the FI's behalf, and disposal performed by an ITAD vendor is such a service. Data recovered from improperly sanitised media is a security incident, which also brings the notice's incident-notification clause into scope if disposal fails.
FSM-N22 sets baseline cyber-hygiene requirements. It contains no clause on asset disposal either; the security standards it requires an FI to define and apply are where a decommissioning and disposal standard, covering secure disposal of decommissioned assets in a manner that prevents data leakage, belongs. The two notices reinforce each other: a disposal practice that satisfies FSM-N21 also gives FSM-N22 the documented standard it asks for.
MAS does not maintain an approved-vendor register for ITAD. Each regulated FI is expected to choose its disposal vendors on a documented risk basis: DDQ, references, evidence-pack-format match, contractual audit rights, ongoing performance review. Our standard onboarding pack provides the input for that documentation.
FI-side documentation we provide to support FSM-N21 obligations
- ♦ Vendor due-diligence pack: insurance, parent-group references, sample destruction certificate, sample chain-of-custody log.
- ♦ Counter-signed NDA — executed before any asset list shared.
- ♦ Statement of Work — scope, evidence-pack format, SLA, contractual audit rights.
- ♦ Per-asset disposition decision — locked before pickup; documented in the SoW.
- ♦ Asset-list-vs-CMDB reconciliation — proves continuity of control from in-service to disposal.
- ♦ Locked-transit log + GPS track — proves custody never lapsed during transit.
- ♦ Per-asset wipe-log (tool, method, verification result) or shred-batch-ID — proves the sanitisation was performed and verified.
- ♦ Two-operator + witness sign-off — proves the destruction was supervised.
- ♦ Per-job Certificate of Destruction with FSM-N21-aware citation.
- ♦ Downstream-recipient log — closes the chain at an NEA-licensed party.
- ♦ Retention plan — Maxicom retains a counter-signed copy for at least 7 years.
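One way the FI's TRM team can check the pack it receives, rather than filing it unread, is to reconcile the three artefacts mechanically: CMDB export against pickup manifest, manifest against destruction evidence. The script below is an added example and is not Maxicom's tooling or any MAS-prescribed format; the column names, serial numbers, batch references and operator IDs are constructed, and the rule that only purge or destroy is acceptable for media leaving the FI's control follows NIST SP 800-88's guidance.

```python
"""Added example: FI-side completeness check for an ITAD evidence pack.

Reconciles three constructed inputs: a CMDB export, the pickup manifest
(asset list with locked disposition decision) and the vendor's destruction
evidence (wipe-log / shred-batch records with sign-offs). Column names,
serials and references are hypothetical.
"""
import csv
import io

# Dispositions acceptable for media leaving the FI's control; NIST SP 800-88
# reserves "clear" for media that stays inside the organisation.
ACCEPTABLE_DISPOSITIONS = {"purge", "destroy"}

# Constructed sample data (hypothetical serials, tags and references).
CMDB_CSV = """serial,asset_tag,status,media_type
SN-0001,AT-100,decommissioned,ssd
SN-0002,AT-101,decommissioned,hdd
SN-0003,AT-102,in_service,hdd
SN-0004,AT-103,decommissioned,hdd
SN-0006,AT-105,decommissioned,hdd
"""

PICKUP_CSV = """serial,disposition
SN-0001,purge
SN-0002,destroy
SN-0003,destroy
SN-0005,destroy
SN-0006,clear
"""

EVIDENCE_CSV = """serial,method,reference,verified,operator1,operator2,witness
SN-0001,purge,wipe-log-7781,yes,op-a,op-b,wit-1
SN-0002,destroy,shred-batch-42,yes,op-a,,wit-1
SN-0005,destroy,shred-batch-42,yes,op-a,op-b,wit-1
SN-0006,clear,wipe-log-7790,yes,op-a,op-b,wit-1
"""


def load(csv_text):
    """Parse a CSV string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(cmdb_rows, pickup_rows, evidence_rows):
    """Return a sorted list of (finding, serial) tuples; empty means the pack is complete."""
    cmdb = {r["serial"]: r for r in cmdb_rows}
    pickup = {r["serial"]: r for r in pickup_rows}
    evidence = {r["serial"]: r for r in evidence_rows}
    findings = set()

    # A serial listed twice on the manifest would be silently collapsed above.
    serials = [r["serial"] for r in pickup_rows]
    for serial in set(serials):
        if serials.count(serial) > 1:
            findings.add(("DUPLICATE_ON_MANIFEST", serial))

    # Continuity of control, outbound: every manifest asset must be a known,
    # decommissioned CMDB asset with a disposition fit for media leaving the FI.
    for serial, row in pickup.items():
        if serial not in cmdb:
            findings.add(("UNKNOWN_ASSET", serial))
        elif cmdb[serial]["status"] != "decommissioned":
            findings.add(("NOT_DECOMMISSIONED", serial))
        if row["disposition"] not in ACCEPTABLE_DISPOSITIONS:
            findings.add(("INSUFFICIENT_DISPOSITION", serial))

    # Continuity of control, inbound: every decommissioned CMDB asset must be on
    # the manifest, otherwise custody of that asset is unaccounted for.
    for serial, row in cmdb.items():
        if row["status"] == "decommissioned" and serial not in pickup:
            findings.add(("MISSING_FROM_PICKUP", serial))

    # Competent, supervised destruction: each manifest asset needs an evidence
    # record whose method matches the locked disposition, with a verification
    # result and two-operator + witness sign-off.
    for serial, row in pickup.items():
        ev = evidence.get(serial)
        if ev is None:
            findings.add(("NO_EVIDENCE", serial))
            continue
        if ev["method"] != row["disposition"]:
            findings.add(("METHOD_MISMATCH", serial))
        if ev["verified"].strip().lower() != "yes":
            findings.add(("UNVERIFIED", serial))
        if not (ev["operator1"] and ev["operator2"] and ev["witness"]):
            findings.add(("SIGNOFF_INCOMPLETE", serial))

    return sorted(findings)


def demo():
    """Run the check over the constructed sample data."""
    return reconcile(load(CMDB_CSV), load(PICKUP_CSV), load(EVIDENCE_CSV))


if __name__ == "__main__":
    for finding, serial in demo():
        print(f"{finding:24} {serial}")
```

Run against the constructed data, the check flags the asset that is still in service, the asset on the truck that the CMDB has never heard of, the decommissioned asset that never reached the manifest, the shred batch missing a second operator, and the drive sent out with only a "clear". A pack that returns no findings is the one worth filing as TRM evidence.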
MAS TRM & ITAD — frequently asked
Do you do MAS-aligned destruction certificates as standard?
Yes. Every Certificate of Destruction we issue includes the TRM-aware citation by default. If your TRM file expects specific wording, send it and we will match it.
Does MAS regulate ITAD vendors in Singapore?
No. MAS does not license or approve ITAD vendors. MAS Notice FSM-N21 (Technology Risk Management) and FSM-N22 (Cyber Hygiene), both effective 10 May 2024, apply to regulated financial institutions (banks, insurers, capital-markets intermediaries, payment-service providers, financial advisers) and require the FI to document its management of third-party service providers, ITAD vendor selection included. The FI's responsibility is to choose disposal vendors on a documented risk basis (DDQ, references, evidence-pack-format match), retain contractual audit rights, and produce disposal evidence on inspection. Any vendor claim of MAS approval for ITAD is not a real designation; no such register exists.
What goes in a TRM evidence file for IT-asset disposal?
Vendor due-diligence pack (insurance, references, sample destruction certificate, sample chain-of-custody log), executed NDA, Statement of Work with per-asset disposition decision, asset-list-vs-CMDB reconciliation, locked-transit log with GPS evidence, per-asset wipe-log (tool, method, verification result) or shred-batch-ID, two-operator + witness destruction sign-off, per-job Certificate of Destruction with FSM-N21-aware citation, downstream-recipient log, and retention plan. Maxicom Singapore provides each item as part of the standard service for regulated-FI customers.
Does FSM-N21 explicitly mention asset disposal?
FSM-N21 has no dedicated ‘asset disposal’ section, but disposal is embedded in three areas: technology lifecycle management (in-service to disposal), third-party risk management (vendor-performed disposal) and information-asset protection (data-bearing media throughout their lifecycle). The combined effect is that a regulated FI's disposal practice is part of its TRM evidence file by default. FSM-N22 does not name asset disposal either; the security standards it requires an FI to maintain are where secure disposal of decommissioned assets, in a manner that prevents data leakage, should be written down.