The regulatory frame
Singapore financial institutions should start with MAS technology risk expectations, outsourcing and third-party risk management, and the institution's own critical-system classification. A data centre certificate can support due diligence, but it does not transfer accountability away from the financial institution.
MAS guidance and notices focus on governance, reliability, availability, recoverability, cyber resilience, incident management and third-party controls. For critical systems, the MAS FAQs explain that the recovery time objective is expected to be no more than four hours, and that evidence of recovery testing should be documented.
Common certifications and what they prove
| Evidence | What it helps show | Limits |
|---|---|---|
| Uptime Tier Certification | Topology, maintainability, fault tolerance and operational sustainability depending on scope. | Check whether it covers design, constructed facility, operations or all three. |
| TIA-942 Rated certification | Telecommunications, architectural, electrical and mechanical infrastructure conformance. | Scope and rating level matter; do not rely on marketing wording alone. |
| ISO/IEC 27001 | Information security management system and risk control framework. | Certificate scope must include the relevant data centre operations. |
| ISO 22301 | Business continuity management system. | It evidences a management system, not that your specific workload meets its RTO. |
| SOC 1 / SOC 2 or ISAE 3402 reports | Independent assurance over controls, often with test results. | Read exceptions, carve-outs, user-entity controls and report period. |
| PCI DSS | Cardholder-data environment controls where payment data is in scope. | Only relevant to scoped payment environments. |
| Green Mark / SS 564 / SS 697 / SS 715 | Sustainability and energy-efficiency evidence for Singapore facilities. | Important for ESG and capacity planning, but not a security certificate. |
Due diligence for a data centre provider
A bank should request not only a certification pack but also operating evidence. Ask for the certificate scope, latest audit reports, incident history, maintenance windows, change-management process, physical security design, visitor controls, media handling, subcontractor controls, network cross-connect process and environmental monitoring.
For material outsourcing or cloud-linked arrangements, align the review with ABS cloud guidance and the financial institution's (FI's) internal vendor-risk framework. If a provider cannot explain how responsibilities are split between landlord, colocation operator, cloud provider, managed service provider and the FI, the risk is not understood.
Contract and SLA clauses to scrutinise
- Availability targets and service credits, together with root-cause analysis and remediation obligations.
- Notification timelines for outages, cyber incidents, physical-security incidents and regulatory requests.
- Rights to audit, receive assurance reports and review material subcontractors.
- Evidence for annual recovery testing and participation in joint exercises.
- Data location, access controls, cross-connect approval and media disposal requirements.
- Exit support, migration windows and emergency access procedures.
A practical procurement stance
For most financial-services workloads, a sensible baseline is a concurrently maintainable facility, strong physical security, ISO/IEC 27001 in scope, independent assurance reports, documented business continuity, proven incident notification, and clear operational responsibilities. For critical systems, require evidence that the architecture and operating model can meet the FI's recovery requirements, not just the provider's generic uptime claim.
The strongest evidence combines three layers: facility resilience certification, security and continuity management certification, and workload-specific testing by the financial institution.
Sources and further reading
- MAS FAQ on Notice on Technology Risk Management
- ABS Cloud Computing Implementation Guide 3.0
- Uptime Institute Tier Certification
- TIA-942 data centre standard one-pager
- ISO/IEC 27001 overview